topic Re: FDM SNMP setup in Network Security

FDM SNMP setup

SeokGeunChoi73564 — Fri, 09 Dec 2022 01:25:07 GMT

Hi,

I am going through the SNMP settings.
FPR2110/FDM 7.0.1-84 and 6.6.1-91
The current settings were all done by referring to the Cisco manual, and the 6.6.1 version did all the settings through Flexconfig posted on Youtube.

I confirmed that the SNMP Manager is pinging to the main firewall / server firewall Inside interface.

I confirmed that SNMP settings were added on the CLI, but the problem is that there is no response when I test through SNMPWALK.
Even though I tried to do SNMPWALK to myself in the firewall CLI, there is no response.

Is it a problem that Inside Interface is composed of serial sections?
Even so, I guess SNMP Manager can receive MiB from Main/Server firewall's inside interface.
Because SNMP can ping with both interface.

I don't know which one is the problem.
Below is the topology of my network.

Re: FDM SNMP setup

Divya Jain — Tue, 20 Dec 2022 11:39:11 GMT

Hi,
Did you refer to this doc for configuration :
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216551-configure-and-troubleshoot-snmp-on-firep.html#anc9

At the end of the doc there are few verification output. Can you check that and is it possible to share those?
A quick packet capture / trace would help to identify where its failing exactly.

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

Regards
Divya Jain

Re: FDM SNMP setup

MHM Cisco World — Tue, 20 Dec 2022 11:55:09 GMT

snmp-server host <interface> .......... <<<- are you select the interface that ASA will use to connect to SNMP server ?
are you sure that the interface ip is reachable?

you can do packet-tracer
packet-tracer input OUT udp <interface IP > 1234 <SNMP server> 161

do this and see if there is NAT or ACL prevent access to server.

Re: FDM SNMP setup

SeokGeunChoi73564 — Tue, 20 Dec 2022 23:44:49 GMT

Hi, This is current running-config on FDM CLI

I'm trying to use inside interface, diagnostic interface is for testing.

And I try to verify using FDM CLI's expert mode, execute snmpwalk to itself but it didn't work.

192.168.255.1 is BB (C9300)

192.168.255.3 is FDM diagnostic interface

10.10.10.1 is inside interface.

thanks

Re: FDM SNMP setup

SeokGeunChoi73564 — Tue, 20 Dec 2022 23:46:06 GMT

Hi, This is current running-config on FDM CLI

I'm trying to use inside interface, diagnostic interface is for testing.

And I try to verify using FDM CLI's expert mode, execute snmpwalk to itself but it didn't work.

192.168.255.1 is BB (C9300)

192.168.255.3 is FDM diagnostic interface

10.10.10.1 is inside interface.

thanks

+ When I finished test using packet-tracer, I'll respond asap

Re: FDM SNMP setup

SeokGeunChoi73564 — Thu, 22 Dec 2022 13:22:05 GMT

> packet-tracer input Inside udp 192.168.230.23 snmp 10.10.222.9 snmp

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.220.1 using egress ifc outside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435476 ifc inside object 192.168.230.0-24 ifc outside any rule-id 268435476 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435476: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435476: L5 RULE: Policy19
object-group service |acSvcg-268435476
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-snmp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect snmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1482498183, packet dispatched to next module

Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: UDP
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: allow rule, id 268435476, allow
Snort id 1, NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Phase: 13
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.220.1 using egress ifc outside(vrfid:0)

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.10.220.1 on interface outside
Adjacency :Active
MAC address ac4a.5654.e657 hits 82388 reference 808

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow

Re: FDM SNMP setup

MHM Cisco World — Fri, 23 Dec 2022 09:33:25 GMT

IN SERVER FW
we must do packet tracer input to OUT interface of Server FW,
we need to see if the other device can access Server IN.
packet-tracer input OUT udp <interface IP > 1234<SNMP server> 161

Re: FDM SNMP setup

SeokGeunChoi73564 — Mon, 26 Dec 2022 08:30:41 GMT

Hi, here is info.

10.10.222.2 = Svr F/W's Outside interface IP

192.168.223.130 = SNMP Manager, inside of Svr F/W

(Svr F/W inside :10.10.222.9) <> (SvrFarm SW : 10.10.222.11)

> packet-tracer input outside udp 10.10.222.2 snmp 192.168.223.130 snmp

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.222.11 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab63c99d4 flow (NA)/NA

++ Outside Any > Inside 192.168.223.130(SNMP Man) Allow all, and also every access-rule is allowed.

Only default rule is deny

+++ below from here were all worked. (10.10.10.1 = Main F/W's Inside interface) (192.168.255.1 = B/B's VLAN IP)

> packet-tracer input outside udp 10.10.10.1 snmp 192.168.223.130 snmp

> packet-tracer input outside udp 192.168.255.1 snmp 192.168.223.130 snmp

Re: FDM SNMP setup

MHM Cisco World — Mon, 26 Dec 2022 09:14:24 GMT

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.222.11 using egress ifc inside(vrfid:0) <<- by use 10.10.222.2

ARE you sure that you dont have IP conflict, check subnet mask.

Re: FDM SNMP setup

SeokGeunChoi73564 — Mon, 26 Dec 2022 23:51:44 GMT

every Serial line are assigned 29bit subnet mask.

10.10.222.1/29 -> 222.0~222.7

10.10.222.9/29 -> 222.8~222.15

Re: FDM SNMP setup

Divya Jain — Mon, 09 Jan 2023 13:17:20 GMT

Hi,
As per your output, it shows that packet is dropped because of access list. check if you have any ACL configured for that particular traffic

""

> packet-tracer input outside udp 10.10.222.2 snmp 192.168.223.130 snmp

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.222.11 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab63c99d4 flow (NA)/NA

Regards
Divya Jain