WMI query through ASA Firewall

I'm a newbie - please be patient.
We have an ASA firewall that has several DMZ VLANs.
A support company that is responsible for the SQL Servers wants to use WMI to query server health.
Their monitoring server is currently on the internal LAN; eight SQL servers are on the internal LAN and six of the SQL Servers are in the DMZ.
Two of the SQL Servers in the DMZ are 2003 x32 Standard Edition and four are 2008 R2 x64 Enterprise Edition.
The question is that the set of ports that need to be open for Windows 2003 is concerningly large: tcp/1025-65535 and tcp/135.
What are everyone's thoughts on opening up such a large range?
Is there a better way of doing this? Unfortunately getting the monitoring software rewritten is not an option, and nor is going Linux.
Thanks
PS - if this has already been asked, can someone point me to the discussions?

Hi
I would say that that is a no-no.
But that depends on the environment; for some (most) I would say it's not OK, but some might feel that they do not need that much security.
WMI is a bit tough on firewalls.
But there are ways to limit the ports used by WMI, e.g. you can set it to use fixed ports, and so on.
Sure, it makes the server guys a little less happy since it does not work from the start and they have to make some changes, but the added security is well worth the fight.
Here is a link to SolarWinds for people with the same problem, and an answer that seems to work (I have not tested this) from ASH J Kent (almost at the bottom):
http://thwack.solarwinds.com/forums/68/application--server-management/21/server--application-monitor/16415/wmi-monitoring-through-firewal/
Here is one from MSDN:
http://msdn.microsoft.com/en-us/library/windows/desktop/bb219447(v=vs.85).aspx
Good luck
HTH
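An added example of what the "fixed ports" approach looks like on the two server generations in the question (this is my own script, not code from the thread or from the linked pages). Two points the practitioner will want: the standalone-host switch that the linked MSDN page describes is a Server 2008-and-later feature, so on the 2003 boxes the only way to shrink the range is to constrain the DCOM/RPC dynamic port range in the registry (Microsoft KB 154596), which then applies to every RPC server on that host; and for synchronous WMI queries the traffic is only ever initiated from the monitoring server towards the DMZ, so the ASA rule stays one-directional. The port 24158, the 2003 range 5000-5100, and the addresses in the ASA comment at the end are assumptions, not values from the thread.

```powershell
# Added example, not from the thread or the linked pages: shrink what the ASA has to allow for WMI
# from "tcp/135 + tcp/1025-65535" to "tcp/135 + one port" (2008 R2) or "tcp/135 + a small range" (2003).
# Run elevated on each DMZ SQL server. Assumed values: the standalone-host port 24158 (the MSDN
# default), the 2003 RPC range 5000-5100, and the placeholder addresses in the ASA comment at the end.

$FixedPort    = 24158          # port the standalone WMI host listens on ("Setting Up a Fixed Port for WMI", MSDN)
$Rpc2003Range = '5000-5100'    # KB 154596 "start-end" form; every RPC/DCOM server on the box draws from it, so do not starve it

$os = Get-WmiObject Win32_OperatingSystem
if ($os.Version -like '6.*') {
    # Server 2008 / 2008 R2: the fixed-port switch exists. Move WMI out of the shared svchost into
    # its own host process; DCOM then hands clients port 24158 instead of a random high port.
    & winmgmt -standalonehost
    Restart-Service winmgmt -Force      # dependent services restart too; do this in a maintenance window
    # Host firewall on 2008 R2 (tcp/135, the RPC endpoint mapper, is covered by the built-in WMI rule group)
    & netsh advfirewall firewall add rule name="WMI fixed port $FixedPort" dir=in action=allow protocol=TCP localport=$FixedPort
    "ASA needs: tcp/135 and tcp/$FixedPort, monitoring server -> this host only."
}
elseif ($os.Version -like '5.2*') {
    # Server 2003: no standalone-host option. Constrain the DCOM/RPC dynamic range instead
    # (KB 154596); WMI and every other DCOM server on the box then pick ports from this range.
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Ports                  -Value @($Rpc2003Range) -PropertyType MultiString -Force | Out-Null
    New-ItemProperty -Path $key -Name PortsInternetAvailable -Value 'Y'              -PropertyType String      -Force | Out-Null
    New-ItemProperty -Path $key -Name UseInternetPorts       -Value 'Y'              -PropertyType String      -Force | Out-Null
    "Reboot required. ASA then needs: tcp/135 and tcp/$Rpc2003Range, monitoring server -> this host only."
}
else {
    throw "Unexpected OS version $($os.Version); nothing changed."
}

# Matching ASA rules if the inside interface carries an inbound ACL (addresses are placeholders):
#   access-list inside_in extended permit tcp host 10.0.0.5 host 192.168.100.10 eq 135
#   access-list inside_in extended permit tcp host 10.0.0.5 host 192.168.100.10 eq 24158          (2008 R2 box)
#   access-list inside_in extended permit tcp host 10.0.0.5 host 192.168.100.11 eq 135
#   access-list inside_in extended permit tcp host 10.0.0.5 host 192.168.100.11 range 5000 5100  (2003 box)
# Nothing in the DMZ needs to initiate back to the monitoring server for synchronous WMI queries,
# so the DMZ-to-inside direction stays closed.
```

After the restart (2008 R2) or reboot (2003), confirm the listener with netstat -ano and look for the fixed port or the range before touching the ASA. The WMI session itself is DCOM authenticated with the monitoring account's domain credentials, so give that account only the DCOM Remote Launch/Activation rights and Remote Enable on root\cimv2 rather than local admin on the DMZ servers, and have the monitoring tool use packet-privacy authentication so the data crossing the DMZ boundary is encrypted, not just signed.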

Similar Messages

  • How can we allow internal users to access internet through ASA firewall?

    Hello,
    I am new to the security track; I have been asked to set up a lab and allow users from inside the firewall to access the internet. Here is my lab setup:
    PC -> switch 1 (layer2) -> (inside) ASA (outside) -> switch 2 (Layer2) -> Router
    Does the switch 2 port need internet access through the router?
    What configuration is required on the ASA to allow users behind the firewall to access the internet?
    Any help on this would be much appreciated.
    Thanks,

    Hi,
    Okay, can you clarify this for me: are you able to ping the internet from the ASA outside interface?
    Just try something like this:
    ping 4.2.2.2 ... Does this work?
    If this does not work, then I think the ASA itself is not able to get to the internet, and that would be a problem on the router.
    Also, internet from Switch 2 is not a requirement, as that is only a Layer 2 device.
    You can assign the ISP-allocated address on the PC, connect it to the Switch 2 port and then try to ping something on the internet or surf the internet, and I think that should work.
    Thanks and Regards,
    Vibhor Amrodia

  • Cisco Call manager 7.2 through ASA firewall

    Hi,
    We have a part of our building that we have sold to another company. We still have to provide them with some resources until they can install their own network. We have a 6500 switch there and we are going to implement an ASA in between and lock down most communication. One of the resources required is Cisco IP phones.
    Does anyone know which ports etc. are required to be opened to allow communication between these phones and Call Manager and other IP phones on the site?
    Any help would be appreciated

    Hi Andrew
    The attached document may assist:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/port/7_0/CCM_7.0PortList.pdf
    A lot depends on topology etc, and the handset registration protocol you are using (SIP vs SCCP).
    Hope this helps.
    Barry Hesk
    Intrinsic Network Solutions

  • NTP server unreachable through ASA firewall

    Hi all,
    I've configured a DMZ switch to point to an NTP server on the Inside, but I get a debug message on the switch that says:
    NTP: <NTP server IP address> unreachable
    I'm confident that the NTP server is configured properly, as there are more than a dozen other hosts using it successfully. The difficulty here is that the NTP packets are having to flow from the DMZ to the Inside. I have a rule set on the firewall that permits the IP address of the switch to connect to the IP address of the NTP server, as follows:
    access-list intdmz1_acl extended permit udp host <IP address of switch> host <IP address of NTP server> eq ntp
    I can see the hit counter on this rule incrementing.
    The firewall can ping the NTP server, and the NTP server can ping the switch, so I think routing is OK.
    Output from the DMZ switch:
    switch#show ntp associations
          address         ref clock     st  when  poll reach  delay  offset    disp
    ~192.168.65.254   0.0.0.0          16     -    64    0     0.0    0.00  16000.
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    switch#show ntp status
    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
    reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
    clock offset is 0.0000 msec, root delay is 0.00 msec
    root dispersion is 0.00 msec, peer dispersion is 0.00 msec
    PRNLN-DMZ-SW01#sh run | inc ntp
    ntp source Vlan138
    ntp server 192.168.65.254
    ukhvdc00vs01#sh run | inc ntp
    ntp source Vlan65
    ntp master 3
    ntp update-calendar
    ntp server 0.uk.pool.ntp.org
    ntp server 1.uk.pool.ntp.org
    PRNLN-DMZ-SW01#show ntp status
    Clock is unsynchronized, stratum 16, no reference clock
    nominal freq is 119.2092 Hz, actual freq is 119.2092 Hz, precision is 2**17
    reference time is 00000000.00000000 (00:00:00.000 GMT Mon Jan 1 1900)
    clock offset is 0.0000 msec, root delay is 0.00 msec
    root dispersion is 0.00 msec, peer dispersion is 0.00 msec
    Does the firewall rule need to permit more than UDP/123 for this to work perhaps?
    NTPconfig on DMZ switch:
    switch#sh run | inc ntp
    ntp source Vlan138
    ntp server <IP address of NTP server>
    ===================
    NTP config on NTP server:
    NTP_Server#sh run | inc ntp
    ntp source Vlan65
    ntp master 3
    ntp update-calendar
    ntp server 0.uk.pool.ntp.org
    ntp server 1.uk.pool.ntp.org
    Any guidance welcomed.
    Thank you,
    Olly

    Hi Julio,
    For the purposes of this information:
    DMZ switch IP = 5.6.7.8
    NTP server IP = 10.1.1.1
    Here's the output from the show commands:
    ciscoasa# show capture NTPCAPTUREDMZ
    11 packets captured
       1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       3: 16:24:13.274033 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       4: 16:24:57.272813 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       5: 16:24:58.279480 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       6: 16:24:59.277817 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       7: 16:25:00.275971 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       8: 16:25:01.275559 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
       9: 16:25:02.272599 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
      10: 16:25:03.279129 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
      11: 16:25:04.277710 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    11 packets shown
    ciscoasa# show capture NTPCAPTUREINSIDE
    0 packet captured
    0 packet shown
    ciscoasa# show capture NTPASP | include 10.1.1.1
    419: 16:24:13.274171 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1820: 16:24:57.272904 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1841: 16:24:58.279587 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1876: 16:24:59.277909 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    1934: 16:25:00.276062 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2027: 16:25:01.275651 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2068: 16:25:02.272690 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2095: 16:25:03.279221 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2129: 16:25:04.277802 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2200: 16:25:05.275849 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2233: 16:25:06.274094 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2275: 16:25:07.273606 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2327: 16:25:08.280182 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2347: 16:25:09.277222 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2373: 16:25:10.275467 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2399: 16:25:11.273759 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    2414: 16:25:12.273347 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
    I'm guessing we should see some packets in the second capture, but we're not...
    Does this help?
    Thanks!
    Olly
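The captures above show the symptom exactly: the same flow is seen on the DMZ interface (ingress) and on the accelerated security path, and never on the Inside interface (egress), which means the ASA itself dropped it rather than the far side ignoring it. As an added example (my own, not part of the thread), here is a small PowerShell script that parses two "show capture" outputs in the format Olly posted and lists every flow that came in but never went out, so the comparison is mechanical when a capture has hundreds of lines. The capture text is constructed for the example using the same placeholder addresses the poster used (5.6.7.8 and 10.1.1.1); the third flow is invented to show the "forwarded" case.

```powershell
# Added example, not from the thread: compare an ingress and an egress "show capture" output from an
# ASA and report flows that arrived but never left. Sample capture text is constructed here in the
# same format as the poster's output; 5.6.7.8 / 10.1.1.1 are his placeholders, the tcp/22 flow is made up.

$dmzCapture = @'
   1: 16:22:05.271500 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   2: 16:23:09.276185 802.1Q vlan#138 P6 5.6.7.8.123 > 10.1.1.1.123:  udp 48
   3: 16:24:13.274033 802.1Q vlan#138 P6 5.6.7.8.1025 > 10.1.1.1.22:  tcp 60
'@

$insideCapture = @'
   1: 16:24:13.274250 5.6.7.8.1025 > 10.1.1.1.22:  tcp 60
'@

function ConvertFrom-AsaCapture {
    param([string]$Text)
    # One "show capture" line: "<n>: <time> [802.1Q vlan#<id> P<prio>] <src>.<sport> > <dst>.<dport>: <proto> <len>"
    $rx = '^\s*\d+:\s+(?<ts>[\d:.]+)\s+(?:802\.1Q vlan#\d+ P\d+\s+)?(?<src>(?:\d{1,3}\.){3}\d{1,3})\.(?<sport>\d+)\s+>\s+(?<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?<dport>\d+):\s+(?<proto>[a-z]+)'
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match $rx) {
            New-Object PSObject -Property @{
                Time = $Matches['ts']
                Flow = '{0} {1}:{2} -> {3}:{4}' -f $Matches['proto'], $Matches['src'], $Matches['sport'], $Matches['dst'], $Matches['dport']
            }
        }
    }
}

function Compare-AsaCaptures {
    param([string]$Ingress, [string]$Egress)
    $inCounts  = @{}
    $outCounts = @{}
    foreach ($p in (ConvertFrom-AsaCapture $Ingress)) { $inCounts[$p.Flow]  = 1 + [int]$inCounts[$p.Flow] }
    foreach ($p in (ConvertFrom-AsaCapture $Egress))  { $outCounts[$p.Flow] = 1 + [int]$outCounts[$p.Flow] }
    foreach ($flow in $inCounts.Keys) {
        $out = [int]$outCounts[$flow]     # $null -> 0 when the flow never appeared on egress
        New-Object PSObject -Property @{
            Flow       = $flow
            InPackets  = $inCounts[$flow]
            OutPackets = $out
            Verdict    = $(if ($out -eq 0) { 'never egressed: dropped by the ASA (ACL, NAT, route or inspection)' } else { 'forwarded' })
        }
    }
}

Compare-AsaCaptures -Ingress $dmzCapture -Egress $insideCapture | Format-Table Flow, InPackets, OutPackets, Verdict -AutoSize
```

For a flow the script flags as never egressed, the ASA will tell you which stage dropped it: run packet-tracer input <dmz interface name> udp 5.6.7.8 123 10.1.1.1 123 and read the phase that reports DROP, and check show asp drop for the matching counter. Note that the NTP client sends from source port 123 to destination port 123, so the ACL's "eq ntp" on the destination is correct for this flow.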

  • Loop with WMI Query taking too long, need to break out if time exceeds 5 min

    I've written a script that will loop through a list of computers and run a WMI query using the Win32_Product class. I am pinging the host first to ensure it's online, which eliminates wasting time, but the issue I'm facing is that some of the machines are online but the WMI query takes too long and holds up the script. I wanted to add a timeout to the WMI query so that if a particular host will not respond to the query or gets stuck, the loop will break out and go to the next computer object. I've added my code below:
    $Computers = @()
    $computers += "BES10-BH"
    $computers += "AUTSUP-VSUS"
    $computers += "AppClus06-BH"
    $computers += "Aut01-BH"
    $computers += "AutLH-VSUS"
    $computers += "AW-MGMT01-VSUS"
    $computers += "BAMBOOAGT-VSUS"
    ## Loop through all computer objects found in $Computers Array
    $JavaInfo = @()
    FOREACH($Client in $Computers)
    {
        ## Gather WMI installed Software info from each client queried
        Clear-Host
        Write-Host "Querying: $Client" -foregroundcolor "yellow"
        $HostCount++
        ## Ping the host being queried before spending time on WMI
        $Online = (test-connection -ComputerName $Client -Count 1 -Quiet)
        IF($Online)
        {
            $ColItem = Get-WmiObject -Class Win32_Product -ComputerName $Client -ErrorAction SilentlyContinue | `
                Where {(($_.name -match "Java") -and (!($_.name -match "Auto|Visual")))} | `
                Select-Object Name,Version
            FOREACH($Item in $ColItem)
            {
                ## Write Host Name as variable
                $HostNm = ($Client).ToUpper()
                ## Query Named Version of Java, if Java is not installed fill variable as "Not Installed"
                $JavaVerName = $Item.name
                IF([string]::IsNullOrEmpty($JavaVerName))
                {$JavaVerName = "Not Installed"}
                ## Query Version of Java, if Java is not installed fill variable as "Not Installed"
                $JavaVer = $Item.Version
                IF([string]::IsNullOrEmpty($JavaVer))
                {$JavaVer = "Not Installed"}
                ## Create new object to organize Host, JavaName & Version
                $JavaProp = New-Object -TypeName PSObject -Property @{
                    "HostName" = $HostNm
                    "JavaVerName" = $JavaVerName
                    "JavaVer" = $JavaVer
                }
                ## Add new object data "JavaProp" from loop into array "JavaInfo"
                $JavaInfo += $JavaProp
            }
        }
        Else
        {Write-Host "$Client didn't respond, Skipping..." -foregroundcolor "Red"}
    }

    Let me give you a bigger picture of the script. I've included the emailed table the script produces and the actual script. While running the script, certain hosts get hung up when running the WMI query, which causes the script to never complete. From one of the posts I was able to use the Get-WmiCustom function to add a timeout of 15 seconds, and then the script will continue if it is stuck. The problem is that when a host is skipped I am not aware of it, because my script is not reporting the server that timed out. If you look at ZLBH02-VSUS highlighted in the report you can see that it's reporting "not installed" when it should say something to the effect of "query hung".
    How can I add a variable in the function that will be available outside the function that I can key off of to differentiate between a host that does not have the software installed and one that failed to query?
    Script Output:
    Script:
    ## Name: JavaReportWMI.ps1 ##
    ## Requires: Power Shell 2.0 ##
    ## Created: January 06, 2015 ##
    $Version = "Script Version: 1.0"
    $LastUpdate = "Updated: January 06, 2015"
    ## Configure Compliant Java Versions Below ##
    $java6 = "6.0.430"
    $javaSEDEVKit6 = "1.6.0.430"
    $java7 = "7.0.710"
    $javaSEDEVKit7 = "1.7.0.710"
    $java8 = "8.0.250"
    $javaSEDDEVKit8 = "1.8.0.250"
    ## Import Active Directory Module
    Import-Module ActiveDirectory
    $Timeout = "False"
    ## WMI query with an enumeration timeout so one hung host does not stall the whole run
    Function Get-WmiCustom([string]$computername,[string]$namespace,[string]$class,[int]$timeout=15)
    {
        $ConnectionOptions = new-object System.Management.ConnectionOptions
        $EnumerationOptions = new-object System.Management.EnumerationOptions
        $timeoutseconds = new-timespan -seconds $timeout
        $EnumerationOptions.set_timeout($timeoutseconds)
        $assembledpath = "\\" + $computername + "\" + $namespace
        #write-host $assembledpath -foregroundcolor yellow
        $Scope = new-object System.Management.ManagementScope $assembledpath, $ConnectionOptions
        $Scope.Connect()
        $querystring = "SELECT * FROM " + $class
        #write-host $querystring
        $query = new-object System.Management.ObjectQuery $querystring
        $searcher = new-object System.Management.ManagementObjectSearcher
        $searcher.set_options($EnumerationOptions)
        $searcher.Query = $querystring
        $searcher.Scope = $Scope
        ## the trap emits the error record (timeout included) instead of terminating the script
        trap { $_ }
        $result = $searcher.get()
        return $result
    }
    ## Log time for duration clock
    $Start = Get-Date
    $StartTime = "StartTime: " + $Start.ToShortTimeString()
    ## Environmental Variables
    $QueryMode = $Args #parameter for either "Desktops" / "Servers"
    $CsvPath = "C:\Scripts\JavaReport\JavaReport" + "$QueryMode" + ".csv"
    $Date = Get-Date
    $Domain = $env:UserDomain
    $HostName = ($env:ComputerName).ToLower()
    ## Regional Settings
    ## Used for testing
    IF ($Domain -eq "abc") {$Region = "US"; $SMTPDomain = "abc.com"; `
    $ToAddress = "[email protected]"; `
    $ReplyDomain = "abc.com"; $smtpServer = "relay.abc.com"}
    ## Control Variables
    $FromAddress = "JavaReport@$Hostname.na.$SMTPDomain"
    $EmailSubject = "Java Report - $Region"
    $computers = @()
    $computers += "ZLBH02-VSUS"
    $computers += "AUTSUP-VSUS"
    $computers += "AppClus06-BH"
    $computers += "Aut01-BH"
    $computers += "AutLH-VSUS"
    $computers += "AW-MGMT01-VSUS"
    $computers += "BAMBOOAGT-VSUS"
    #>
    ## Loop through all computer objects found in $Computers Array
    $JavaInfo = @()
    FOREACH($Client in $Computers)
    {
        ## Gather WMI installed Software info from each client queried
        Clear-Host
        Write-Host "Querying: $Client" -foregroundcolor "yellow"
        $HostCount++
        ## Ping the host being queried before spending time on WMI
        $Online = (test-connection -ComputerName $Client -Count 1 -Quiet)
        IF($Online)
        {
            $ColItem = Get-WmiCustom -Class Win32_Product -Namespace "root\cimv2" -ComputerName $Client -ErrorAction SilentlyContinue | `
                Where {(($_.name -match "Java") -and (!($_.name -match "Auto|Visual")))} | `
                Select-Object Name,Version
            FOREACH($Item in $ColItem)
            {
                ## Write Host Name as variable
                $HostNm = ($Client).ToUpper()
                ## Query Named Version of Java, if Java is not installed fill variable as "Not Installed"
                $JavaVerName = $Item.name
                IF([string]::IsNullOrEmpty($JavaVerName))
                {$JavaVerName = "Not Installed"}
                ## Query Version of Java, if Java is not installed fill variable as "Not Installed"
                $JavaVer = $Item.Version
                IF([string]::IsNullOrEmpty($JavaVer))
                {$JavaVer = "Not Installed"}
                ## Create new object to organize Host, JavaName & Version
                $JavaProp = New-Object -TypeName PSObject -Property @{
                    "HostName" = $HostNm
                    "JavaVerName" = $JavaVerName
                    "JavaVer" = $JavaVer
                }
                ## Add new object data "JavaProp" from loop into array "JavaInfo"
                $JavaInfo += $JavaProp
            }
        }
        Else
        {Write-Host "$Client didn't respond, Skipping..." -foregroundcolor "Red"}
    }
    #Write-Host "Host Query Count: $LoopCount" -foregroundcolor "yellow"
    ## Sort Array
    Write-Host "Starting Array" -foregroundcolor "yellow"
    $JavaInfoSorted = $JavaInfo | Sort-object HostName
    Write-Host "Starting Export CSV" -foregroundcolor "yellow"
    ## Export CSV file
    $JavaInfoSorted | export-csv -NoType $CsvPath -Force
    $Att = new-object Net.Mail.Attachment($CsvPath)
    Write-Host "Building Table Header" -foregroundcolor "yellow"
    ## Table Header
    $list = "<table border=1><font size=1.5 face=verdana color=black>"
    $list += "<tr><th><b>Host Name</b></th><th><b>Java Ver Name</b></th><th><b>Ver Number</b></th></tr>"
    Write-Host "Building HTML Table" -foregroundcolor "yellow"
    FOREACH($Item in $JavaInfoSorted)
    {
        Write-Host "$UniqueHost" -foregroundcolor "Yellow"
        ## Alternate Table Shading between Green and White
        IF($LoopCount++ % 2 -eq 0)
        {$BK = "bgcolor='E5F5D7'"}
        ELSE
        {$BK = "bgcolor='FFFFFF'"}
        ## Set Variables
        $JVer = $Item.JavaVer
        $Jname = $Item.JavaVerName
        ## Change Non-Compliant Java Versions to red in table; compliant versions are displayed in black
        IF((($jVer -like "6.0*") -and (!($jVer -match $java6))) -or `
        (($jName -like "*Java(TM) SE Development Kit 6*") -and (!($jName -match $javaSEDEVKit6))) -or `
        (($jVer -like "7.0*") -and (!($jVer -match $java7))) -or `
        (($jName -like "*Java SE Development Kit 7*") -and (!($jName -match $javaSEDEVKit7))))
        {$list += "<tr $BK style='color: #ff0000'>"}
        ELSE
        {$list += "<tr $BK style='color: #000000'>"}
        ## Populate table with host name variable
        $list += "<td>" + $Item."HostName" + "</td>"
        ## Populate table with Java Version Name variable
        $list += "<td>" + $Item."JavaVerName" + "</td>"
        ## Populate table with Java Version variable
        $list += "<td>" + $Item."JavaVer" + "</td>"
        $list += "</tr>"
    }
    $list += "</table></font>"
    $End = Get-Date
    $EndTime = "EndTime: " + $End.ToShortTimeString()
    #$TimeDiff = New-TimeSpan -Start $StartTime -End $EndTime
    $StartTime
    $EndTime
    $TimeDiff
    Write-Host "Total Hosts:$HostCount"
    ## Email Function
    Function SendEmail
    {
        $msg = new-object Net.Mail.MailMessage
        $smtp = new-object Net.Mail.SmtpClient($smtpServer)
        $msg.From = ($FromAddress)
        $msg.ReplyTo =($ToAddress)
        $msg.To.Add($ToAddress)
        #$msg.BCC.Add($BCCAddress)
        $msg.Attachments.Add($Att)
        $msg.Subject = ($EmailSubject)
        $msg.Body = $Body
        $msg.IsBodyHTML = $true
        $smtp.Send($msg)
        $msg.Dispose()
    }
    ## Email Body
    $Body = $Body + @"
    <html><body><font face="verdana" size="2.5" color="black">
    <p><b>Java Report - $Region</b></p>
    <p>$list</p>
    </html></body></font>
    <html><body><font face="verdana" size="1.0" color="red">
    <p><b> Note: Items in red do not have the latest version of Java installed. Please open a ticket to have an engineer address the issue.</b></p>
    </html></body></font>
    <html><body><font face="verdana" size="2.5" color="black">
    <p>
    $StartTime<br>
    $EndTime<br>
    $TimeDiff<br>
    $HostCount<br>
    </p>
    <p>
    Run date: $Date<br>
    $Version<br>
    $LastUpdate<br>
    </p>
    </html></body></font>
    "@
    ## Send Email
    SendEmail
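The question in this post, telling "nothing installed" apart from "the query never came back", is best answered by having the WMI wrapper return a status next to its rows instead of setting a global. As an added example (my own code, not the poster's script), here is a Get-WmiCustom replacement that classifies the failure from the exception type and WMI error code, plus the loop change that writes one row per host whatever happened. PowerShell 2.0 syntax; the host names, the 15-second timeout and the packet-privacy setting are assumptions, not values from the post. The script also requests packet-privacy DCOM authentication, which matters when the query crosses a firewall into a DMZ.

```powershell
# Added example, not the poster's script: a WMI query wrapper that returns Status alongside Items,
# so "Not Installed" (query ran, zero rows) and "Query failed: Timeout" are different report rows.
# PowerShell 2.0. Host names and the 15-second timeout are placeholders.

Function Get-WmiWithStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [Parameter(Mandatory=$true)][string]$Query,
        [string]$Namespace = 'root\cimv2',
        [int]$TimeoutSeconds = 15
    )

    $result = New-Object PSObject -Property @{
        ComputerName = $ComputerName
        Status       = 'Unknown'       # Ok | Timeout | AccessDenied | Unreachable | Error
        Error        = $null
        Items        = @()
    }

    try {
        $opts = New-Object System.Management.ConnectionOptions
        # DCOM traffic crossing a firewall into the DMZ: sign and encrypt it, not just authenticate.
        $opts.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy
        $scope = New-Object System.Management.ManagementScope("\\$ComputerName\$Namespace", $opts)
        $scope.Connect()

        $enum = New-Object System.Management.EnumerationOptions
        # With the default ReturnImmediately=$true the timeout applies while the collection is
        # enumerated, which is where a stuck Win32_Product query shows up, so enumerate inside the try.
        $enum.Timeout = New-TimeSpan -Seconds $TimeoutSeconds
        $searcher = New-Object System.Management.ManagementObjectSearcher($scope, (New-Object System.Management.ObjectQuery($Query)), $enum)
        $result.Items  = @($searcher.Get() | ForEach-Object { $_ })
        $result.Status = 'Ok'
    }
    catch {
        $ex = $_.Exception
        while ($ex.InnerException) { $ex = $ex.InnerException }   # unwrap to the Management/COM error
        $result.Error = $ex.Message
        if ($ex -is [System.Management.ManagementException] -and $ex.ErrorCode -eq 'Timedout') {
            $result.Status = 'Timeout'
        }
        elseif ($ex -is [System.UnauthorizedAccessException] -or ($ex -is [System.Management.ManagementException] -and $ex.ErrorCode -eq 'AccessDenied')) {
            $result.Status = 'AccessDenied'
        }
        elseif ($ex -is [System.Runtime.InteropServices.COMException] -and $ex.ErrorCode -eq -2147023174) {
            $result.Status = 'Unreachable'   # 0x800706BA, "The RPC server is unavailable": blocked port or host down
        }
        else {
            $result.Status = 'Error'
        }
    }
    return $result
}

## Usage in the report loop: one row per host even when the query fails, with the reason kept.
$JavaInfo = @()
foreach ($Client in @('ZLBH02-VSUS', 'AUTSUP-VSUS')) {   # placeholder host names
    $r = Get-WmiWithStatus -ComputerName $Client -Query "SELECT Name, Version FROM Win32_Product WHERE Name LIKE '%Java%'"
    $java = @($r.Items | Where-Object { $_.Name -notmatch 'Auto|Visual' })
    if ($r.Status -ne 'Ok') {
        $JavaInfo += New-Object PSObject -Property @{ HostName = $Client.ToUpper(); JavaVerName = "Query failed: $($r.Status)"; JavaVer = $r.Error }
    }
    elseif ($java.Count -eq 0) {
        $JavaInfo += New-Object PSObject -Property @{ HostName = $Client.ToUpper(); JavaVerName = 'Not Installed'; JavaVer = 'Not Installed' }
    }
    else {
        foreach ($j in $java) {
            $JavaInfo += New-Object PSObject -Property @{ HostName = $Client.ToUpper(); JavaVerName = $j.Name; JavaVer = $j.Version }
        }
    }
}
$JavaInfo | Format-Table HostName, JavaVerName, JavaVer -AutoSize
```

Two notes on why hosts hang in the first place. Every Win32_Product query makes Windows Installer run a consistency check on every installed MSI package on the target (Microsoft KB 974524), which is slow, writes MSI events, and can kick off repairs; reading the Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall through StdRegProv gives the same names and versions without that side effect. And the "Query failed" rows are worth keeping in the emailed table in their own colour, since a host that stopped answering WMI is at least as interesting to the reader as one with old Java.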

  • Dmz dns query on asa 5540

    Hi Expert.
    How can I allow a DMZ zone server to resolve only DNS queries through nslookup on an ASA 5540?
    What is the configuration required on the ASA 5540?
    Thanks

    Hi Samir,
    By IP address will be very simple, depending on the security level that it has (higher than 0 for DMZ and 0 for the outside) it will be allowed by default.
    If there is an access-list alreay applied denying all the http traffic what you need to do is simply allowed that specific host on the ACL and then deny the rest.
    Access-list DMZ permit tcp host host eq 80
    Access-list DMZ deny ip any any
    access-group DMZ in interface DMZ
    Then you can add a host entry on the hostfile for the server on the DMZ to translate the IP address to a hostname and you will be able to access it using the web browser (not really scalable, but it works)
    WARNING: This will only allow traffic from the DMZ server going to specific host on the internet on port 80, any other traffic going to any other interface will be dropped.
    Mike

  • Endpoint on DMZ interface (through the firewall)

    Hi
    I have an ASA which connects to a BT Infinity router. The address on the outside interface is dynamic. BT provide us with 5 static addresses (No NAT 5) which are routed to the outside interface but are a different subnet.
    I would like to terminate the site-to-site VPN using one of the static IP addresses rather than the outside dynamic address.
    Can I NAT the public static address to the DMZ interface (or any interface for that matter) and terminate the VPN on that interface, i.e. the firewall is terminated through the firewall?
    Thanks
    Stuart
    Update: A few people have looked but no answer. Is there some detail I need to add?

    Matheus.Omega.Mendes wrote:
    > Well one solution that they found was to implement one hollow interface called InterfaceWeb, just to mark the classes that work on web and desktop. Although our system isn't perfectly object oriented, this solution was the worst that I have ever seen. At least I think this way and I'd like to know if someone agrees, disagrees or has some explanation for this choice.
    Hard to say without actually seeing it. Probably not a good idea.
    Presumably the design was driven by time to market and cost rather than just because the developers didn't want to refactor.
    As per the other suggestion, normally besides breaking the layers out you could share common functionality with a layer of its own (or several).

  • WMI Query to retrieve only active IPv4 address

    My turn to ask a question. I am running BGInfo for all workstations but at this stage want to only return the Active IPv4 address. I have a custom WMI query set up in BGInfo:
    SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
    This will return both IPv4 and v6 addresses. Without disabling IPv6 on my client workstations, is there a way I can get the query to return only the IPv4 address? Or should I instead create a custom vbscript in BGInfo to get the v4 address.
    Cheers
    Jeremy

    You'd need to nose through the results and reject any IPv6 addresses.
    This sample assumes IPv6 addresses always contain a ":" in the string...
    strMsg = ""
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set IPConfigSet = objWMIService.ExecQuery _
        ("Select IPAddress from Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'")
    For Each IPConfig in IPConfigSet
        ' IPAddress is Null on an adapter with no address, otherwise an array of strings
        If Not IsNull(IPConfig.IPAddress) Then
            For i = LBound(IPConfig.IPAddress) To UBound(IPConfig.IPAddress)
                ' IPv6 addresses contain a colon; IPv4 addresses never do
                If Not Instr(IPConfig.IPAddress(i), ":") > 0 Then
                    strMsg = strMsg & IPConfig.IPAddress(i) & vbcrlf
                End If
            Next
        End If
    Next
    Wscript.Echo strMsg
    HTH
    Ha®®y

  • WMI Query to find the host of a VM ?

    Is it possible to find through WMI on which virtual host a specific virtual machine runs? I am aware that there is a PowerShell solution. I am specifically interested in a WMI Query.
    TIA
    Alex

    Two one-liners:
    $ComputerName = 'MyVMName'
    # Remote Registry (needs the Remote Registry service reachable on the guest)
    ([Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$ComputerName)).OpenSubKey('SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters').GetValue('PhysicalHostName')
    # WMI via StdRegProv; 2147483650 is HKEY_LOCAL_MACHINE (0x80000002)
    (([WMIClass]"\\$ComputerName\ROOT\DEFAULT:StdRegProv").GetStringValue(2147483650,'SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters','PhysicalHostName')).sValue

  • Cisco 8851 phones registering through Checkpoint firewall

    We have a customer with a secured network, using Checkpoint firewalls, and have a site-to-site VPN tunnel between our Cisco ASA and their Checkpoint firewall, with Cisco phones on the far side of the tunnel and CallManager 8.6 behind the ASAs. We have all the proper network ports referenced, but cannot get either a new Cisco 8851 (SIP) or a Cisco 7942 phone to register. The 8851 phone, when it tries to register, uses port 6970 for distributed TFTP via HTTP first (by design), followed by TFTP/69. The 7900 phone never generates TFTP on port 69 at all. What is also strange is that the source port 5060 on the 8851 phone seems to be masked with an upper ephemeral port (51566) when the request traverses the network, regardless of it passing through the firewall or a router. I know that TFTP uses UDP, but there is nothing in the docs that states it uses these upper port ranges?
    Is this behavior normal for a Cisco SIP-based phone, and with the Skinny phone, is there something with Checkpoint firewalls that causes issues with Cisco VoIP phones? I have done keyword searches on the forum for this issue, but have not found anything significant. I have also looked at the Nokia support forum, and saw some briefs, but it didn't directly describe our issue. Any help would be greatly appreciated.
    Thanks,


  • Remote access vpn going through another firewall segment

    Hi,
    Can I know whether, when a remote access VPN connects to the ASA firewall inside interface, the remote access VPN can then connect to another firewall segment, the firewall segment being behind the inside interface?

    Hello Sam,
    As long as you include that traffic into the crypto acl and also on the NO_NAT configuration  the answer would be yes. That is possible
    Regards,
    Julio

  • IP Phone SSL VPN through ASA

    I'm in the middle of configuring IP Phone SSL VPN through the ASA, and got stuck on authentication. When I enter the username and password on the phone screen, I get a "Username and password failed" message on the screen. However, in the ASA logs I see the following lines:
    Feb 16 2011    15:12:57    725002    85.132.43.67    52684            Device completed SSL handshake with client vpn:85.132.*.*/52684
    Feb 16 2011    15:17:26    725007    85.132.43.67    52745            SSL session with client vpn:85.132.*.*/52745 terminated.
    What does it mean? How can I turn on debugging to see what is going on?
    Thank you in advance!

    Hi,
    If you're not using certificates for client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination; this is most likely when the user is being authenticated against the AAA server. If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level you can enable several debugs, including 'debug aaa authentication|common|internal' and protocol-specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
    Did this answer your question? If so, please mark it Answered!

  • SCCM 2012 R2 CU2 Can't Edit WMI Query Code in Report Builder

    I first posted this in the SCCM forum but the issue is not solved, so I thought I'd try here in the SQL Reporting forum. Original thread here: http://social.technet.microsoft.com/Forums/en-US/b0a6ca3d-7471-4b49-8447-7403a65c2ec0/sccm-2012-r2-cu2-cant-edit-wmi-query-code-in-sccm-reports?forum=configmanagergeneral
    I'll repost the info here to make this easier.....
    I built a new SCCM 2012 R2 CU2 suite on Server 2012 R2. This also uses SQL 2012 SP1 CU6. This suite has 4 servers: site server, two for WSUS and secondary DPs, and SQL. This problem is true for the built-in reports and my custom reports. Our SQL guy has been helping me a lot but we've gotten nowhere. I can run a report. I can open one in edit mode after it prompts me for credentials. It loads Report Builder 3.0. But when I go to a dataset/query, enter credentials, and try to open it, I get a popup that says "Unable to connect to data source. 'AutoGen_5C6358F2_yayak..." When I click on details it says "The target principal name is incorrect. A connection was successfully established with the server, but then an error occurred during the login process. (SSL Provider, error: 0 - The target principal name is incorrect.)" In SQL Reporting Services Configuration Manager the path for the Web Service URL is
    http://ip.ip.ip.ip:80/ReportServer_SC01 and for the Report Manager URL:
    http://ip.ip.ip.ip:80/Reports_SC01. A domain account is used to log in. This happens when you right-click a dataset and select query to edit the code of a dataset, i.e. when query designer tries to open up. It happens in both the Admin Console and when using the Report Manager URL within SQL SSRS. All other functions of using edit mode of a report work fine.
    Ben JohnsonWY

    When I do that, browse is dimmed out.
    But, if I deselect "create a data set" and click "choose an existing dataset in this report..." there is no data connection at the end.
    But if I don't use Report Builder and instead use IE to browse to my ConfigMgr_ABC, I do see the connection at the end: {123...}.
    This problem is on a network that is not on the 'net, so it's hard to do screenshots, so I'll reproduce this problem step by step:
    I pick a report to edit, it doesn't matter which one.
    If I try it in the Admin Console, I right-click, Edit the report, it asks me for a login, I log in, then I get a popup that says "Cannot continue. The application is improperly formatted. Contact the vendor for assistance." I click the Details button and get a long set of text, but the key part is "Your web browser settings do not allow you to run signed applications." This msg didn't appear before, so something changed, so I will investigate. I think it used to give an SPN error.
    If I use IE within Report Builder and navigate to whatever report, click open, everything works, except, when I click on Dataset0 (the key one I normally need to edit), click query, it prompts me for a login and no matter which one I use, I get a popup that says "unable to connect to data source 'AutoGen_123...'". If I click details I get "the target principal name is incorrect. A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider 0 - The target principal name is incorrect.)"
    Ben JohnsonWY

  • How Can I Use Two Different Public IP Addresses on my DMZ with ASA Firewall.

    How To Use Two Different Public IP Addresses on My DMZ with ASA 5520
    Posted by jorge decimo decimo on 28/Jan/2013 5:51:28
    Hi everyone out there.
    Can anyone please help me regarding this situation that I'm looking for a solution to?
    My old range of public IP addresses is finished, I mean (the 41.x.x.0 range).
    So now I still need to have in my DMZ another two servers that will bring some new services.
    Remember that those two servers will need to be accessible both from inside and from outside users (Internet users) as well.
    So as I said, my old range of public IP addresses is finished and we asked the ISP to give us some additional public
    IP addresses to address the need of the two new servers on the DMZ, and the ISP gave us the range of 197.216.1.24/29.
    So my question is, in the real-time world (on the equipment), how can I use two different public IP addresses on the same DMZ
    on a Cisco ASA 5520 v8?
    What should my configuration look like?
    I was told about implementing static NAT with sub-interfaces on both the Router and the ASA interface.
    Can someone please help me with a practical config sample? I can also be reached at [email protected]
    Attached is my network diagram for a better understanding.
    I thank everybody in advance.
    Jorge

    Hi,
    So looking at your picture you have the original public IP address range configured on the OUTSIDE and it's used for NAT for different servers behind the ASA firewall.
    Now you have gotten a new public IP address range from the ISP and want to get it into use.
    How do you want to use this IP address range? You want to configure the public IP addresses directly on the servers or NAT them at the ASA and have private IP addresses on the actual servers (like it seems to be for the current server)?
    To get the routing working, naturally the only thing needed between your Router and Firewall would be to have a static route for the new public network range pointing towards your ASA OUTSIDE IP address. The routing between your Router and the ISP core could either be handled with Static Routing or Dynamic Routing.
    So you don't really need to change the interface configuration between the Router and ASA at all. You just need a static route pointing the new public IP address range towards the ASA outside IP address.
    Now when the routing is handled between the ISP - ISP/Your Router - Your Firewall, you can then consider how to use those IP addresses.
    Do you want to use the public IP addresses DIRECTLY on the HOSTS behind the firewall? This would require you to either configure a new physical interface with the new public IP address range OR create a new subinterface with the new public IP address range AND then configure the LAN devices correspondingly to the chosen method on the firewall.
    Do you want to use the public IP addresses DIRECTLY on the ASA OUTSIDE as NAT IP addresses? This would require you to only start configuring Static NAT for the new servers between the inside/dmz and outside interfaces of the ASA. The format would be no different from the previous NAT configuration other than for the different IP addresses, of course.
    Of the above ways:
    The first way is good because the actual hosts will have the public IP addresses. Therefore you won't run into problems with DNS when the LAN users are trying to access the server.
    The second way is the one requiring the least amount of configuration/changes on the ASA. In this case though you might run into a problem with DNS (to which I refer above), as the server actually has a private IP address but the public DNS might reply to the LAN hosts with a public IP address and therefore connections from the LAN could fail. This is because LAN users can't connect to the server's OUTSIDE NAT IP address (unless you NAT the server to the public IP address towards the LAN also).
    Hopefully the above was helpful. Naturally, ask more specific questions and I'll answer them. Hopefully I didn't miss something. But please ask more.
    I'm currently at Cisco Live! 2013 London so in the "worst case" I might be able to answer on the weekend at earliest.
    - Jouni

  • ASA firewall won't ping remote site

    We have a remote office which I can ping while at the main office, but when I am connected to VPN from office or home, I can't ping the remote office.
    VPN gives me an IP 10.21.18.x
    Remote site's IP is: 172.29.x.x
    I have the access-list information for the ASA firewall and router below:
    Below is the multilayer:
    OFFICE-CORE-01#show ip access-lists
    Extended IP access list verizon-INTERNET-TRAFFIC
        10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
        20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
        30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
        40 permit ip 10.23.20.0 0.0.0.255 any
        50 permit ip 10.23.21.0 0.0.0.255 any
        60 permit ip 10.23.22.0 0.0.0.255 any
        70 permit ip 10.23.23.0 0.0.0.255 any
        80 permit ip 10.23.24.0 0.0.0.255 any
        90 permit ip 10.23.25.0 0.0.0.255 any
        100 permit ip 10.23.26.0 0.0.0.255 any
    Extended IP access list PAETEC-INTERNET-TRAFFIC
        10 deny ip 10.21.0.0 0.0.255.255 10.0.0.0 0.255.255.255
        20 deny ip 10.21.0.0 0.0.255.255 172.16.0.0 0.15.255.255
        30 deny ip 10.21.0.0 0.0.255.255 192.168.0.0 0.0.255.255
        40 permit ip 10.23.20.0 0.0.0.255 any
        50 permit ip 10.23.21.0 0.0.0.255 any
        60 permit ip 10.23.22.0 0.0.0.255 any
        70 permit ip 10.23.23.0 0.0.0.255 any
        80 permit ip 10.23.24.0 0.0.0.255 any
        90 permit ip 10.23.25.0 0.0.0.255 any
        100 permit ip 10.23.26.0 0.0.0.255 any
    Extended IP access list system-cpp-all-routers-on-subnet
        10 permit ip any host 224.0.0.2
    Extended IP access list system-cpp-all-systems-on-subnet
        10 permit ip any host 224.0.0.1
    Extended IP access list system-cpp-dhcp-cs
        10 permit udp any eq bootpc any eq bootps
    Extended IP access list system-cpp-dhcp-sc
        10 permit udp any eq bootps any eq bootpc
    Extended IP access list system-cpp-dhcp-ss
        10 permit udp any eq bootps any eq bootps
    Extended IP access list system-cpp-energywise-disc
        10 permit udp any eq any eq 0
    Extended IP access list system-cpp-hsrpv2
        10 permit udp any host 224.0.0.102
    Extended IP access list system-cpp-igmp
        10 permit igmp any 224.0.0.0 31.255.255.255
    Extended IP access list system-cpp-ip-mcast-linklocal
        10 permit ip any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-ospf
        10 permit ospf any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-pim
        10 permit pim any 224.0.0.0 0.0.0.255
    Extended IP access list system-cpp-ripv2
        10 permit ip any host 224.0.0.9
    ----------------------------------ASA ACCESS-LIST is below the brief version-------
    access-list CompanyName-vpn-maint_splitTunnelAcl line 10 standard permit 172.29.0.0 255.255.0.0 (hitcnt=0) 0x52bc4d4c
    -----------------------below is the ASA routes-----------------------
    Gateway of last resort is 53.138.58.129 to network 0.0.0.0
    S    192.168.10.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    C    172.17.21.0 255.255.255.0 is directly connected, dmz_tier2
    S    172.16.142.0 255.255.254.0 [1/0] via 53.138.58.129, outside
    C    172.16.21.0 255.255.255.0 is directly connected, dmz_tier1
    C    172.19.21.0 255.255.255.0 is directly connected, dmz_tier4
    S    172.23.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
    S    172.25.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.25.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.24.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    172.26.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.26.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
    S    172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.28.181.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    172.28.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    192.168.20.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.11.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.13.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.10.21.1 255.255.255.255 [1/0] via 10.21.0.1, inside
    S    10.10.21.2 255.255.255.255 [1/0] via 10.21.0.1, inside
    S    10.22.0.0 255.255.0.0 [1/0] via 53.138.58.129, outside
    S    10.23.3.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.23.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S    10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
    S    10.10.21.10 255.255.255.255 [1/0] via 10.21.0.1, inside
    C    10.21.0.0 255.255.255.0 is directly connected, inside
    S    10.22.3.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    S    10.10.41.0 255.255.255.0 [1/0] via 53.138.58.129, outside
    C    53.138.58.128 255.255.255.128 is directly connected, outside
    S    192.168.2.0 255.255.255.0 [1/0] via 10.21.0.1, inside
    S*   0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
    S    0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
    ------------------------------------below is the router's routes----------
    Gateway of last resort is 10.21.0.11 to network 0.0.0.0
         205.232.16.0/32 is subnetted, 1 subnets
    S       205.232.16.25 [1/0] via 10.21.0.11
         62.0.0.0/32 is subnetted, 1 subnets
    S       62.100.0.146 [1/0] via 10.21.0.12
         178.78.0.0/32 is subnetted, 1 subnets
    S       178.78.147.193 [1/0] via 10.21.0.12
    C    192.168.10.0/24 is directly connected, Vlan29
         172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
    S       172.16.141.0/24 [1/0] via 10.21.0.11
    S       172.16.142.0/23 [1/0] via 10.21.0.11
    S       172.16.40.1/32 [1/0] via 10.21.2.12
    S       172.16.40.10/32 [1/0] via 10.21.2.12
    S       172.16.21.0/24 [1/0] via 10.21.0.11
         172.19.0.0/24 is subnetted, 1 subnets
    S       172.19.21.0 [1/0] via 10.21.0.11
         172.18.0.0/24 is subnetted, 1 subnets
    S       172.18.21.0 [1/0] via 10.21.0.12
         172.23.0.0/24 is subnetted, 3 subnets
    S       172.23.186.0 [1/0] via 10.21.0.6
    S       172.23.184.0 [1/0] via 10.21.0.6
    S       172.23.181.0 [1/0] via 10.21.0.6
    S    172.25.0.0/16 [1/0] via 10.21.0.11
         172.24.0.0/24 is subnetted, 3 subnets
    C       172.24.181.0 is directly connected, Vlan31
    C       172.24.186.0 is directly connected, Vlan32
    C       172.24.187.0 is directly connected, Vlan33
    S    172.26.0.0/16 [1/0] via 10.21.0.11
         172.29.0.0/24 is subnetted, 3 subnets
    S       172.29.181.0 [1/0] via 10.21.0.6
    S       172.29.184.0 [1/0] via 10.21.0.6
    S       172.29.190.0 [1/0] via 10.21.0.6
    S    172.28.0.0/16 [1/0] via 10.21.0.11
    C    192.168.20.0/24 is directly connected, Vlan30
         10.0.0.0/8 is variably subnetted, 35 subnets, 4 masks
    S       10.11.0.0/16 [1/0] via 10.21.0.6
    C       10.21.28.0/24 is directly connected, Vlan28
    C       10.21.26.0/24 is directly connected, Vlan26
    C       10.21.25.0/24 is directly connected, Vlan25
    S       10.12.0.0/16 [1/0] via 10.21.0.6
    C       10.21.24.0/24 is directly connected, Vlan24
    S       10.13.0.0/16 [1/0] via 10.21.0.6
    C       10.21.23.0/24 is directly connected, Vlan23
    C       10.21.22.0/24 is directly connected, Vlan22
    C       10.21.21.0/24 is directly connected, Vlan21
    C       10.21.20.0/24 is directly connected, Vlan20
    C       10.21.19.0/24 is directly connected, Vlan19
    S       10.21.18.0/24 [1/0] via 10.21.0.12
    S       10.21.17.0/24 [1/0] via 10.21.0.11
    C       10.21.16.0/24 is directly connected, Vlan16
    C       10.21.15.0/24 is directly connected, Vlan15
    C       10.21.14.0/24 is directly connected, Vlan14
    C       10.21.13.0/24 is directly connected, Vlan13
    C       10.21.12.0/24 is directly connected, Vlan12
    C       10.21.11.0/24 is directly connected, Vlan11
    C       10.10.21.1/32 is directly connected, Loopback0
    S       10.31.0.0/16 [1/0] via 10.21.0.6
    D       10.10.21.2/32 [90/130816] via 10.21.252.10, 7w0d, Vlan999
    C       10.21.5.0/24 is directly connected, Vlan5
    C       10.21.4.0/24 is directly connected, Vlan4
    S       10.22.0.0/16 [1/0] via 10.21.0.11
    C       10.21.3.0/24 is directly connected, Vlan3
    C       10.21.2.0/24 is directly connected, Vlan2
    C       10.23.2.0/24 is directly connected, Vlan900
    S       10.22.3.0/24 [1/0] via 10.21.0.11
    C       10.21.0.0/24 is directly connected, Vlan1000
    S       10.41.0.0/16 [1/0] via 10.21.0.11
    S       10.10.41.0/24 [1/0] via 10.21.0.11
    S       10.51.0.0/16 [1/0] via 10.21.0.6
    C       10.21.252.8/30 is directly connected, Vlan999
         62.0.0.0/32 is subnetted, 1 subnets
    S       62.138.58.129 [1/0] via 10.21.0.11
    S    192.168.2.0/24 [1/0] via 10.21.0.12
    S*   0.0.0.0/0 [1/0] via 10.21.0.11
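When troubleshooting a "works from the LAN, fails from VPN" case like the one above, the first thing to pin down is which next hop and interface each device actually selects for the destination, and whether every static route's next hop really sits on the interface the route names. The script below is an added example, not code from the post or from Cisco: it parses the two `show route` formats shown in the post (ASA with dotted masks, IOS with `is subnetted` headers), does a longest-prefix-match lookup per device, and lists static routes whose next hop is not inside a connected network on the named interface. The route lines embedded in it are excerpts copied from the post's own output; the destination addresses and everything else are constructed for the example. Run against the excerpt, the check reports the posted `172.29.181.0` route, which names interface `outside` but points at `10.21.0.1`, an address the same table shows as directly connected on `inside`.

```python
"""Route-table sanity checks over the 'show route' output posted above.
Added example (not from the original post): parse ASA and IOS route listings,
do a longest-prefix-match lookup per device and flag next hops that are not
on the interface the route names. Route lines are excerpts from the post."""
import ipaddress
import re
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    ad: int                # administrative distance, 0 for connected
    via: Optional[str]     # next-hop address, None when directly connected
    iface: str             # exit interface, "" when the listing omits it


ENTRY_RE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<net>\d+\.\d+\.\d+\.\d+)"
    r"(?:/(?P<plen>\d+)|\s+(?P<mask>\d+\.\d+\.\d+\.\d+))?\s+"
    r"(?:\[(?P<ad>\d+)/\d+\]\s+via\s+(?P<via>\d+\.\d+\.\d+\.\d+)"
    r"|(?P<conn>is directly connected))(?:,\s*(?P<rest>.+))?$"
)
# IOS prints a header per classful network; entries under a plain "is subnetted"
# header omit their mask, entries under "variably subnetted" carry their own /NN.
HEADER_RE = re.compile(r"^(?P<net>\d+\.\d+\.\d+\.\d+)/(?P<plen>\d+) is (?P<var>variably )?subnetted")

ASA_ROUTES = """
Gateway of last resort is 53.138.58.129 to network 0.0.0.0
S    172.29.181.0 255.255.255.0 [1/0] via 10.21.0.1, outside
S    172.29.184.0 255.255.255.0 [1/0] via 53.138.58.129, outside
S    10.21.0.0 255.255.0.0 [1/0] via 10.21.0.1, inside
C    10.21.0.0 255.255.255.0 is directly connected, inside
C    53.138.58.128 255.255.255.128 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 53.138.58.129, outside
S    0.0.0.0 0.0.0.0 [255/0] via 10.21.0.1, inside tunneled
"""
ROUTER_ROUTES = """
Gateway of last resort is 10.21.0.11 to network 0.0.0.0
     172.29.0.0/24 is subnetted, 3 subnets
S       172.29.181.0 [1/0] via 10.21.0.6
S       172.29.184.0 [1/0] via 10.21.0.6
S       172.29.190.0 [1/0] via 10.21.0.6
     10.0.0.0/8 is variably subnetted, 35 subnets, 4 masks
S       10.21.18.0/24 [1/0] via 10.21.0.12
D       10.10.21.2/32 [90/130816] via 10.21.252.10, 7w0d, Vlan999
C       10.21.0.0/24 is directly connected, Vlan1000
C       10.21.252.8/30 is directly connected, Vlan999
S*   0.0.0.0/0 [1/0] via 10.21.0.11
"""


def classful_prefix(addr: str) -> int:
    """Mask IOS assumes for an unsubnetted classful network."""
    first = int(addr.split(".")[0])
    return 8 if first < 128 else 16 if first < 192 else 24


def parse_routes(text: str) -> List[Route]:
    routes: List[Route] = []
    inherited_plen: Optional[int] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER_RE.match(line)
        if header:
            inherited_plen = None if header.group("var") else int(header.group("plen"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # "Gateway of last resort ..." and other chatter
        if m.group("mask"):
            net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
        else:
            plen = int(m.group("plen")) if m.group("plen") else inherited_plen
            if plen is None:
                plen = classful_prefix(m.group("net"))
            net = ipaddress.ip_network(f"{m.group('net')}/{plen}", strict=False)
        iface = (m.group("rest") or "").split(",")[-1].strip()  # last field is the interface
        if m.group("conn"):
            routes.append(Route(net, 0, None, iface))
        else:
            routes.append(Route(net, int(m.group("ad")), m.group("via"), iface))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix match; equal prefixes are broken by the lower AD."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in routes if ip in r.network]
    return min(matches, key=lambda r: (-r.network.prefixlen, r.ad)) if matches else None


def misplaced_next_hops(routes: List[Route]) -> List[Route]:
    """Routes whose next hop is not in a connected network on the named interface."""
    connected = [r for r in routes if r.via is None and r.iface]
    bad = []
    for r in routes:
        if r.via is None or not r.iface:
            continue
        nh, name = ipaddress.ip_address(r.via), r.iface.split()[0]  # drop "tunneled"
        if not any(nh in c.network and c.iface.split()[0] == name for c in connected):
            bad.append(r)
    return bad


if __name__ == "__main__":
    asa, router = parse_routes(ASA_ROUTES), parse_routes(ROUTER_ROUTES)
    for dst in ("172.29.184.10", "172.29.190.10", "10.21.18.25"):  # constructed hosts
        print(dst, "ASA ->", lookup(asa, dst), "| router ->", lookup(router, dst))
    for r in misplaced_next_hops(asa):
        print("next hop not on named interface:", r)
```

The lookups make the split visible: for a 172.29.184.x host the ASA excerpt selects the ISP gateway on `outside` while the core router selects 10.21.0.6, and for 172.29.190.x the ASA has no specific route at all and falls to its default. Feeding the full tables from the post into `ASA_ROUTES` and `ROUTER_ROUTES` extends the same checks to every prefix.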

Maybe you are looking for