
Enable traffic from inside int to outside int/public IP's 1

Status
Not open for further replies.

tex52

IS-IT--Management
Apr 14, 2005
45
US
I am trying to set up SNMP to my routers outside the PIX. However, I cannot ping nor reach the outside address of the PIX or the addresses of the routers outside the PIX. I am able to reach anything past the routers, i.e. the internet. Is there a way to enable communication to my public pool of addresses? Thanks.
 
It's fairly well documented you can't ping the outside PIX interface from the inside.

If you cannot ping your routers on the outside, have you permitted ICMP back from these or, arguably better, allowed all ICMP echo reply back through the PIX (as below):

access-list outside_access_in permit icmp any any echo-reply
access-group outside_access_in in interface outside
 
Thanks for the help on the ping. However, still no SNMP. AT&T manages these routers; they were supposed to have set them up to send SNMP to my server on the LAN. I created a static route from a public IP to the private IP (172.16.1.2) of my SNMP server, then an access-list to allow ports 161 and 162 to that server. The SNMP is timing out. I can, though, ping that router from my SNMP server.
 
Things to check/consider:

1. Have you allowed TCP, UDP or both for SNMP and SNMP traps in your outside acl? I think SNMP predominantly uses UDP so you definitely need something like the following:

access-list outside_access_in permit udp x.x.x.x y.y.y.y eq snmp
access-list outside_access_in permit udp x.x.x.x y.y.y.y eq snmptrap

where x.x.x.x is the router(s) you are trying to poll and y.y.y.y is your SNMP manager.

2. Both the SNMP manager and the router(s) need to be configured with the same SNMP RO string.

3. For SNMP traps to work properly, the router(s) must be configured to send traps to the IP address of the SNMP manager as it appears to the router(s) on the outside. This means 2 things of course -

(i) That the router(s) have been appropriately configured with the applicable outside IP address.
(ii) That the PIX is configured for NAT to translate the router(s) configured trap address to the SNMP manager's real address.

Hope this helps.
 
I have added the following lines to try and get this to work. 172.16.1.2 is the private address of the SNMP server. 12.139.227.131 is the router supposedly sending the SNMP info. I have sent an email to AT&T, who manages the routers, to make sure of the router configs. Any ideas?

static (inside,outside) 12.139.227.165 172.16.1.2 netmask 255.255.255.255 0 0

access-list outside_access_in permit udp host 12.139.227.131 host 12.139.227.165 eq snmptrap

access-list outside_access_in permit udp host 12.139.227.131 host 12.139.227.165 eq snmp
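The checklist in the previous reply (UDP ports, RO string, trap destination as seen from the outside, static translation) and the static/access-list lines just posted can be exercised offline. The script below is an added example written for this page; it is not code from any poster in this thread. It implements a simplified model of how a PIX 6.x handles a packet arriving on the outside interface: the bound ACL is matched on the translated (global) address, then the static is consulted to find the real inside host. The config text is constructed from the lines in this thread plus the echo-reply rule from the first reply; the SERVICE_PORTS table and the "no-translation" verdict are this example's own simplifications and not PIX output.

```python
import ipaddress

# Service keywords the PIX accepts in place of port numbers (subset, assumed).
SERVICE_PORTS = {"snmp": 161, "snmptrap": 162}

# Constructed input: the static and access-list lines posted in this thread, plus
# the echo-reply rule from the first reply and the access-group that binds the ACL.
PIX_CONFIG = """
static (inside,outside) 12.139.227.165 172.16.1.2 netmask 255.255.255.255 0 0
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in permit udp host 12.139.227.131 host 12.139.227.165 eq snmptrap
access-list outside_access_in permit udp host 12.139.227.131 host 12.139.227.165 eq snmp
access-group outside_access_in in interface outside
"""


def _parse_addr(tokens, i):
    """Consume an ACL address spec at tokens[i]: 'any', 'host X' or 'X MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _port(token):
    return SERVICE_PORTS[token] if token in SERVICE_PORTS else int(token)


def parse_config(text):
    """Collect ACL rules, interface bindings and static translations."""
    cfg = {"acls": {}, "bindings": {}, "statics": []}
    for raw in text.strip().splitlines():
        t = raw.split()
        if t[0] == "access-list":
            name, action, proto = t[1], t[2], t[3]
            src, i = _parse_addr(t, 4)
            dst, i = _parse_addr(t, i)
            rule = {"action": action, "proto": proto, "src": src, "dst": dst,
                    "dport": None, "icmp_type": None}
            if proto == "icmp" and i < len(t):
                rule["icmp_type"] = t[i]          # e.g. echo-reply
            elif i + 1 < len(t) and t[i] == "eq":
                rule["dport"] = _port(t[i + 1])
            cfg["acls"].setdefault(name, []).append(rule)
        elif t[0] == "access-group":
            # access-group NAME in interface IFACE
            cfg["bindings"][t[4]] = t[1]
        elif t[0] == "static":
            # static (inside,outside) GLOBAL LOCAL netmask MASK ...
            cfg["statics"].append({"global": ipaddress.ip_address(t[2]),
                                   "local": ipaddress.ip_address(t[3])})
    return cfg


def evaluate(cfg, iface, proto, src, dst, dport=None, icmp_type=None):
    """Decide the fate of a packet arriving on iface.

    Returns (verdict, inside_ip): 'permit' with the real inside address,
    'deny' when the bound ACL has no matching permit (a bound ACL ends in an
    implicit deny), or 'no-translation' when the ACL permits the packet but
    no static maps the destination to an inside host.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    acl = cfg["acls"].get(cfg["bindings"].get(iface), [])
    for r in acl:
        if r["proto"] != proto or src not in r["src"] or dst not in r["dst"]:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        if r["icmp_type"] is not None and r["icmp_type"] != icmp_type:
            continue
        if r["action"] != "permit":
            return "deny", None
        break
    else:
        return "deny", None
    for s in cfg["statics"]:
        if s["global"] == dst:
            return "permit", str(s["local"])
    return "no-translation", None


if __name__ == "__main__":
    cfg = parse_config(PIX_CONFIG)
    router, mgr_global, mgr_real = "12.139.227.131", "12.139.227.165", "172.16.1.2"
    cases = [
        ("trap to the global address", "udp", router, mgr_global, 162),
        ("poll reply to the global address", "udp", router, mgr_global, 161),
        ("trap sent to the private address", "udp", router, mgr_real, 162),
        ("trap over TCP", "tcp", router, mgr_global, 162),
        ("trap from an unlisted host", "udp", "198.51.100.7", mgr_global, 162),
    ]
    for label, proto, s, d, port in cases:
        print(f"{label:36} -> {evaluate(cfg, 'outside', proto, s, d, dport=port)}")
```

The third case is the failure mode item 3 in the checklist describes: a router configured to send traps to the manager's private 172.16.1.2 address never matches the ACL or the static on the outside, so the trap is dropped even though the rest of the config is correct. The 198.51.100.7 source in the last case is a documentation address used only to show the implicit deny.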
 
Your config seems fine to me. I would suggest a further 2 things:

1. Maybe run a debug on the pix to see if you see SNMP traps being sent via the router in question. AT&T may need to generate some kind of event, however, for you to see a trap. Something like:

deb packet outside src 12.139.227.131 proto udp dport 162

(try TCP also but I'm sure it'll be UDP).

2. Are you able to poll or retrieve stats from the router? If not, this would seem to indicate either the SNMP RO string is not the same between router and manager or the router is configured for the wrong SNMP address.

If it's a Cisco router, you can ask them for a copy of 'show run | inc snmp'. This will show you their entire SNMP config so you can peruse for mistakes. This is what I get when I do this on my router:

R1#sh run | inc snmp
snmp-server community l4rryth3l4mb RO
snmp-server ifindex persist
snmp-server trap-source Loopback0
snmp-server location Main HQ
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps envmon
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps bgp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps rtr
snmp-server enable traps syslog
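The debug step above only shows whether UDP/162 datagrams reach the PIX; the second check (a community string that does not match between router and manager) is only visible inside the trap itself. The script below is an added example written for this page, not code from any poster or from Cisco. It contains a minimal BER encoder used solely to construct a sample RFC 1157 SNMPv1 trap, a decoder that pulls out the community, enterprise OID, agent address, generic trap type and variable bindings, and a check that reports whether a received trap carries the expected community. The 'public' community, the 1.3.6.1.4.1.9 enterprise OID and the sysName varbind in the sample are constructed values; the 12.139.227.131 agent address is the router address from this thread.

```python
import hmac
import socket

GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]

def _tlv(tag, body):
    assert len(body) < 128, "short-form lengths only in this example"
    return bytes([tag, len(body)]) + body

def _int(value, tag=0x02):
    # Non-negative values only; the extra byte keeps the sign bit clear.
    return _tlv(tag, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:                              # base-128, high bit = continuation
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))

def build_v1_trap(community, enterprise, agent_ip, generic, specific, uptime, varbinds):
    """Encode an RFC 1157 Trap-PDU (context tag 4 -> 0xA4) inside an SNMPv1 message."""
    vbs = b"".join(_tlv(0x30, _oid(oid) + _tlv(0x04, val.encode()))
                   for oid, val in varbinds)
    pdu = (_oid(enterprise)
           + _tlv(0x40, bytes(int(o) for o in agent_ip.split(".")))  # IpAddress
           + _int(generic) + _int(specific)
           + _int(uptime, 0x43)                                        # TimeTicks
           + _tlv(0x30, vbs))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + _tlv(0xA4, pdu))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_v1_trap(datagram):
    """Parse one SNMPv1 trap datagram; raises ValueError/IndexError on bad input."""
    tag, msg, _ = _read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, p = _read_tlv(msg, 0)
    _, comm, p = _read_tlv(msg, p)
    tag, pdu, _ = _read_tlv(msg, p)
    if int.from_bytes(ver, "big") != 0 or tag != 0xA4:
        raise ValueError("not an SNMPv1 Trap-PDU")
    _, ent, p = _read_tlv(pdu, 0)
    _, addr, p = _read_tlv(pdu, p)
    _, gen, p = _read_tlv(pdu, p)
    _, spec, p = _read_tlv(pdu, p)
    _, ticks, p = _read_tlv(pdu, p)
    _, vbs, _ = _read_tlv(pdu, p)
    varbinds, q = {}, 0
    while q < len(vbs):
        _, vb, q = _read_tlv(vbs, q)
        _, oid, r = _read_tlv(vb, 0)
        _, val, _ = _read_tlv(vb, r)
        varbinds[_dec_oid(oid)] = val.decode(errors="replace")
    return {"community": comm.decode(errors="replace"),
            "enterprise": _dec_oid(ent),
            "agent_addr": ".".join(str(b) for b in addr),
            "generic_trap": GENERIC_TRAPS[int.from_bytes(gen, "big")],
            "specific_trap": int.from_bytes(spec, "big"),
            "uptime": int.from_bytes(ticks, "big"),
            "varbinds": varbinds}

def check_trap(datagram, expected_community):
    """'ok' if the trap parses and carries the expected community, else the reason."""
    try:
        trap = decode_v1_trap(datagram)
    except (ValueError, IndexError):
        return "malformed"
    if not hmac.compare_digest(trap["community"].encode(), expected_community.encode()):
        return "community-mismatch"
    return "ok"

def listen(expected_community, host="0.0.0.0", port=162):
    """Receive traps on UDP/162 (binding below 1024 needs privileges) and report each."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))
        while True:
            data, (src, _) = s.recvfrom(65535)
            print(src, check_trap(data, expected_community))

if __name__ == "__main__":
    # Constructed sample: a linkUp trap from the router address in this thread.
    sample = build_v1_trap("public", "1.3.6.1.4.1.9", "12.139.227.131", 3, 0, 12345,
                           [("1.3.6.1.2.1.1.5.0", "R1")])
    print(check_trap(sample, "public"), decode_v1_trap(sample))
```

Run as-is it decodes the constructed sample; call listen("your-community") on the SNMP manager instead to classify real traps as they arrive, which separates "nothing is reaching the manager" (the PIX or the router's trap destination) from "traps arrive but the community differs" (item 2 above). The SNMPv1 trap carries the community in clear text, which is why the decoder can show it at all.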
 