https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474966#M690336 <HTML><HEAD></HEAD><BODY><P>I also have a similar problem. I have gone through the Cisco Documentation, It says that ASA Firewall by default have NAT and PAT Limitations for SNMP traffic. That means the the NAT traffic for routers SNMP can not be passed through ASA by default. Please check table 40-1 on <A class="active_link" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html</A> </P><P>I am also looking for the solution by which the defaullt can be twiked and the SNMP traffic is allowed</P></BODY></HTML> Sun, 25 Nov 2012 09:30:31 GMT Mandar Deorukhkar 2012-11-25T09:30:31Z https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474962#M690296 <P>I have the following setup:</P><P></P><P>R--H1</P><P>|</P><P>F</P><P>|</P><P>H2</P><P></P><P>R: 3840</P><P>F: ASA 5510</P><P>H: Hosts 1 and 2</P><P></P><P>I am trying to get SNMP info from the router to H2 but snmpwalk errors with no response from router. I can get info from H1 and neither interface on router is preventing SNMP traffic from coming or going.</P><P><BR />Is there something that needs to be configured to allow SNMP traffic (orginating from INSIDE) to reply? (Also note that there is no Inspect Maps blocking and SNMP versions).</P><P></P><P>Thanks</P> Mon, 11 Mar 2019 17:45:47 GMT https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474962#M690296 Steve Gunter 2019-03-11T17:45:47Z https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474963#M690304 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>On the ASA you would need a STATIC NAT (if nat-control is enabled) and an ACL permitting the traffic. --&gt; This is if the connection originates from the outside</P><P></P><P>If the connection originates from the inside, then you need NAT (if nat-control is enabled) and if there's an ACLapplied to the inside interface, you need to make sure the traffic is permitted.</P><P></P><P>Federico.</P></BODY></HTML> Fri, 14 May 2010 19:34:49 GMT https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474963#M690304 Federico Coto Fajardo 2010-05-14T19:34:49Z https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474964#M690312 <HTML><HEAD></HEAD><BODY><P>Yes, there is NAT where H2 is on the INSIDE, and the router is on the OUTSIDE.</P><P></P><P>I have allowed all IP inbound on the INSIDE interface and I do not have this issue with other UDP protocols (such as ntp).</P></BODY></HTML> Fri, 14 May 2010 19:48:23 GMT https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474964#M690312 Steve Gunter 2010-05-14T19:48:23Z https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474965#M690321 <HTML><HEAD></HEAD><BODY><P>Ok,</P><P><BR />So you mentioned that the SNMP traffic will be originated from the inside (from H2)?<BR />If there's NAT and ACL permission, then it should work. <BR />You can do a Packet Tracer test from ASDM or from CLI to see if the traffic is passing through fine.</P><P></P><P>Federico.</P></BODY></HTML> Fri, 14 May 2010 19:52:55 GMT https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474965#M690321 Federico Coto Fajardo 2010-05-14T19:52:55Z https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474966#M690336 <HTML><HEAD></HEAD><BODY><P>I also have a similar problem. I have gone through the Cisco Documentation, It says that ASA Firewall by default have NAT and PAT Limitations for SNMP traffic. That means the the NAT traffic for routers SNMP can not be passed through ASA by default. Please check table 40-1 on <A class="active_link" href="http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html">http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html</A> </P><P>I am also looking for the solution by which the defaullt can be twiked and the SNMP traffic is allowed</P></BODY></HTML> Sun, 25 Nov 2012 09:30:31 GMT https://community.cisco.com/t5/network-security/asa-5510-preventing-external-snmp-response/m-p/1474966#M690336 Mandar Deorukhkar 2012-11-25T09:30:31Z