Allow SNMP via Management Interface

johnlloyd_13 — Tue, 12 Mar 2019 05:58:48 GMT

hi all,

i've configured a new 5525-X and SSH/TACACS+ is fine.

i can't seem to make SNMP work and can't add the ASA in solarwinds NPM.

i can ping the SNMP polling server and PT result was ok.

can someone please advise? is SNMP allowed on the ASA MGMT interface?

# sh run | i snmp
snmp-server host management 10.111.0.26 community ***** version 2c

# ping management 10.111.0.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.111.0.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 210/212/220 ms

# packet-tracer input management udp 10.111.0.26 161 172.27.0.124 161

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.27.0.124 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 190, packet dispatched to next module

Result:
input-interface: management
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow

access-list MGMT extended permit icmp any any time-exceeded
access-list MGMT extended permit icmp any any unreachable
access-list MGMT extended permit tcp host <SSH NMS> host 172.27.0.124 eq ssh

access-group MGMT in interface management

route management 10.111.0.0 255.255.255.0 172.27.0.121

hi,in addition to above, it

johnlloyd_13 — Thu, 28 May 2015 05:05:36 GMT

hi,

in addition to above, it seems routing our core IP network via management interface is giving me a hard time. is it possible to use the management interface for normal routing and SNMP?

i was contemplating in using another GE port for our 'inside' network instead of MGMT port and the existing GE for our client (like a DMZ).

i got ACL drop on PT saying 'mgmt-deny-all' even though permit IP any any is already applied on the MGMT interface. i tried the 'out' direction on the access-group command but no joy. is there a global explicit deny that i may overlooked?

# packet-tracer input outside icmp 202.26.16.77 8 0 202.8.6.17 det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 202.8.6.17 255.255.255.255 management

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit icmp any 202.8.6.0 255.255.240.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff30d53760, priority=13, domain=permit, deny=false
        hits=18, user_data=0x7fff29133800, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=202.78.16.0, mask=255.255.240.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2faccba0, priority=0, domain=nat-per-session, deny=true
        hits=649, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff3059cb30, priority=0, domain=inspect-ip-options, deny=true
        hits=315, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff30cf3b90, priority=70, domain=inspect-icmp, deny=false
        hits=19, user_data=0x7fff30cf2f90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff30cf8900, priority=70, domain=inspect-icmp-error, deny=false
        hits=19, user_data=0x7fff30cf7d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: ACCESS-LIST
Subtype: mgmt-deny-all
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff3064a0a0, priority=200, domain=mgmt-lockdown, deny=true
        hits=24, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=management

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: management
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ccess-list MGMT extended permit icmp any any time-exceeded
access-list MGMT extended permit icmp any any unreachable
access-list MGMT extended permit tcp host <SSH NMS> host 172.27.0.124 eq ssh
access-list MGMT extended permit ip any any log

access-group OUTSIDE in interface outside
access-group inside in interface inside
access-group MGMT in interface management

nevermind.i transferred from

johnlloyd_13 — Thu, 28 May 2015 07:27:57 GMT

nevermind.

i transferred from MGMT port to G0/2 and design/routing worked.

topic Allow SNMP via Management Interface in Network Security

Allow SNMP via Management Interface

hi,in addition to above, it

nevermind.i transferred from