topic Re: PIX 515E & SNMP problems! in Network Security

PIX 515E & SNMP problems!

kvlassisgr — Fri, 21 Feb 2020 07:47:16 GMT

Hello everyone,

We have a PIX 515E protecting our servers in a data center and I would like to configure it so it will allow me to do SNMP polls to the servers and to the firewall itself.

I use the PDM 3.0(1) with PIX Version 6.3(3) so I'll describe you what I do...

On the outside interface I have configured the group of computers (OfficeGroup) that I want to have access to the the servers.

On the access rules of the PIX I have added a rule that will allow the OfficeGroup to access all the servers which are on the group inside using protocol IP.

The translation rules for all the servers on the inside is static and I can access all the machines without any problems from any computer in the OfficeGroup!

I have added another rule so the OfficeGroup will have UDP access as well (service any to service any).

I apply and save and try to use the utility GetIf to see if I can 'poll' the servers but I get a "No SNMP response from a.b.x.d"!

When I run GetIf from a server on the inside of the firewall I can poll all the servers and the firewall so the SNMP setup on the servers is ok but it seems the traffic is 'stopped' at the PIX!

Any ideas?

Thank you!

Kostas

Re: PIX 515E & SNMP problems!

Patrick Iseli — Sun, 05 Dec 2004 01:55:46 GMT

You need an access-list that permit that group to use UDP 161 and a static for NAT. To poll the PIX you need to add the < snmp-server> commands an poll on the interface your hosts are connected.

example:

snmp-server host outside x.y.z.d

snmp-server host inside a.b.c.d

snmp-server location Denver

snmp-server contact Admin

snmp-server community xxx

snmp-server enable traps

It is not really a good security practice, even for a trust group of hosts, to add any any access-lists !!!

See - Using SNMP with the Cisco Secure PIX Firewall:

http://www.cisco.com/warp/public/110/pixsnmp.html

sincerely

Patrick

Re: PIX 515E & SNMP problems!

kvlassisgr — Sun, 05 Dec 2004 10:18:55 GMT

Hello Patrick,

I have read the Cisco HOWTO but since I'm mostly using PDM to change the configuration settings on the PIX things can get a bit confusing...

Anyway, my problem is that the IP that I'm using to poll the servers via SNMP is in the "allow" list.

I have 'full' access to all the servers form that IP using "Protocol and service" = IP and "IP protocol" = ip.

But still I can't connect with GetIf to any of the server IPs! I've even trying adding another rule only for UDP on this IP to all the servers and still I can't get SNMP to work!

On the other hand once I go in to the servers via Terminal Services and use GetIf I can poll all the servers without problems, even servers who are on another location...

So SNMP passes from the outside to the inside of the PIX but not from the inside to the outside which is annoying since I can't figure out why!

Thanks for your help!

Kostas