ASA 5505 snmp monitoring from outside interface

Martin-H
Level 1

Hello,

I'm new and I hope I'm in the right forum with my problem; if not, I apologize.

I got my hands on an ASA 5505 and I'm still learning, and since this is a private network and not a production environment, security is not that mandatory.
What I want to do is monitor the ASA with Zabbix.
What I have so far is

fritzbox (192.168.178.1) <-> eth0/0 (192.168.178.254) ASA 5505 eth0/1 (10.0.0.1) <-> Server (10.0.0.2) / PC (10.0.0.3)
where 192.168.178.0/24 is outside (security level 0) and 10.0.0.0/24 is inside (security level 100).
Everything works fine and I can do an snmpwalk from my home server without any problems.

Since my home server is not running 24/7, I tried to monitor the ASA from my vServer outside, which is in a datacenter with a public IP.
And here my problems start.
I have set

snmp-server host outside [zabbix server ip] community [password]

I also added a rule that allows snmp and snmptrap from outside to inside,
but I don't get any response when I try an snmpwalk from the server in the datacenter.
I don't even see the SNMP request in Wireshark being forwarded to the ASA.
If I forward port 161/162 to my PC I don't get a response either, but I do see the request in Wireshark.
So I guess that even if I forward the ports to the ASA, the ASA doesn't accept the SNMP requests and the request is not forwarded at all.

I'm teaching myself, experimenting and reading a lot, but after a few days of experimenting without success I guess I need some help, so any advice would be appreciated.

6 Replies

balaji.bandi
Hall of Fame

You need to look at the Fritzbox here and see whether there is anything being dropped there.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the reply.
When I add a forward rule for port 161 and 162 to my PC, I can see the SNMP polling request coming in on Wireshark.

But when I forward the ports to the outside interface IP of the ASA, I don't see the SNMP request.
It looks like the Fritzbox doesn't notice the ASA is connected, which I think is very strange because I can connect from inside to outside without any problems. I guess it might be a firewall problem on the ASA?

 

"When I add a forward rule for port 161 and 162 to my PC, I can see the SNMP polling request coming in on Wireshark."

In the above case, can you please clarify where this PC is connected?

Also, post the ASA configuration.

Also, capture on the outside interface: do you see them there? (If not, you need to revisit the Fritzbox and check again where it is routing to.)

 

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html

BB

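One way to do the capture the reply above asks for, as an added example that is not part of the thread (the reply only names the step). It uses the ASA's own packet capture instead of Wireshark on a PC, so it shows what actually reaches the outside interface; 203.0.113.10 is a placeholder for the datacenter poller's public address. One point worth knowing before reading the result: traffic addressed to the ASA itself (SNMP to its outside address included) is not evaluated against the interface ACL, so a permit in outside_access_in neither helps nor hurts here; what decides whether the ASA answers is the snmp-server host list and the community or v3 user.

```cisco
! Added example, not from the thread. 203.0.113.10 stands in for the
! datacenter poller's public IP (62.141.x.x in the original post).

! 1. Capture only UDP/161 from the poller to whatever address the ASA
!    outside interface currently holds (it is assigned by DHCP).
capture snmpcap interface outside match udp host 203.0.113.10 any eq 161

! 2. Run snmpwalk from the poller, then look at what arrived.
show capture snmpcap

! 3. Packets in the buffer but no reply on the poller means the ASA itself
!    dropped them: compare the captured source address with the configured
!    snmp-server host entries, and check the agent counters (a wrong
!    community shows up as "Unknown community name").
show running-config snmp-server
show snmp-server statistics

! 4. Remove the capture when finished.
no capture snmpcap
```

If the capture stays empty while the Fritzbox log shows the forward, the problem is between the Fritzbox and the ASA (wrong forward target or a changed DHCP address), not in the ASA's SNMP configuration.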

"In the above case, can you please clarify where this PC is connected?"
The PC was directly connected to the Fritzbox and 161-162 had been forwarded to the IP of the PC.
I saw the SNMP request in Wireshark.
I have changed the port forwarding to the IP of the ASA and I can't see the SNMP request in Wireshark.
I let the Fritzbox monitor traffic and I see the Fritzbox is forwarding the SNMP request to the ASA, see below:

source      destination      protocol   length   info
62.141.x.x  192.168.178.254  snmp       69       get-next-request 1.3.6.1.2.1

192.168.178.254 is the IP of VLAN 2 "outside" of the ASA, which it got from the Fritzbox DHCP server.
I can't see the SNMP request when monitoring the outside interface of the ASA.
Wireshark on my PC with IP 192.168.178.20, connected to the Fritzbox, didn't see the event.

ASA Config

ciscoasa(config)# sh run
: Saved
:
: Serial Number: ************
: Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
:
ASA Version 9.2(4)8
!
hostname ciscoasa
enable password ************ encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
ftp mode passive
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object icmp
 protocol-object icmp6
access-list outside_access_in remark icmp packets
access-list outside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
pager lines 24
logging enable
logging history debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
!
object network obj_any
 nat (inside,outside) dynamic interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
snmp-server group admin v3 auth
snmp-server host outside 192.168.178.1 poll community *****
snmp-server location DE
snmp-server contact admin@*********
snmp-server community *****
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps interface-threshold
snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable traps connection-limit-reached
snmp-server enable traps cpu threshold rising
snmp-server enable traps ikev2 start stop
snmp-server enable traps nat packet-discard
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 10.0.0.2-10.0.0.25 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:************************************
: end
ciscoasa(config)#

Thanks for trying to help me.
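The change the posted configuration needs, as an added example that is not the thread's own config; it addresses both the snmp-server host line from the opening post and the snmp-server lines in the dump above. It assumes the Zabbix poller's public IP is 203.0.113.10 (62.141.x.x in the capture) and uses placeholder group, user and passphrase names. Two things the posted lines show: "snmp-server host outside 192.168.178.1" names the Fritzbox, but a Fritzbox port forward keeps the original source address (the capture above confirms it: source 62.141.x.x, destination 192.168.178.254), so the ASA sees the datacenter IP, finds no matching host entry and stays silent; and the ACL rule for 161/162 mentioned in the opening post is not needed, because traffic addressed to the ASA itself is not checked against interface ACLs. Since the poller sits on the Internet, the example also replaces the v2c community (sent in cleartext in every request) with SNMPv3 authentication and encryption; the config already has "snmp-server group admin v3 auth" but defines no user for it.

```cisco
! Added example, not the thread's own config. 203.0.113.10 stands in for the
! Zabbix poller's public IP; ZABBIX-AUTH-PASS, ZABBIX-PRIV-PASS and
! OLD-COMMUNITY are placeholders for values not shown in the post.

! The Fritzbox forwards 161/udp without rewriting the source address, so the
! ASA sees the datacenter IP, not 192.168.178.1. Remove the entry that names
! the Fritzbox.
no snmp-server host outside 192.168.178.1

! Apply A or B, not both.

! A: stay on v2c, but bind the community to the single poller. The community
!    string still crosses the Internet in cleartext with every request.
snmp-server host outside 203.0.113.10 poll community Zabbix-R0-Str1ng version 2c

! B (preferred for a poller on the Internet): SNMPv3 with auth and priv.
snmp-server group zabbix v3 priv
snmp-server user zabbix-poller zabbix v3 auth sha ZABBIX-AUTH-PASS priv aes 128 ZABBIX-PRIV-PASS
snmp-server host outside 203.0.113.10 poll version 3 zabbix-poller

! Once v3 polling works, drop the global v2c community so it is no longer
! accepted at all.
no snmp-server community OLD-COMMUNITY

! Verify: the host list should now contain only the poller's real address.
show running-config snmp-server
show snmp-server statistics
```

On the Zabbix side the host item must use the same version: community Zabbix-R0-Str1ng for A, or user zabbix-poller with SHA authentication and AES-128 privacy for B. Because the outside address comes from DHCP, the Fritzbox forward should point at a reserved or static address for the ASA, otherwise the forward silently stops matching after a lease change.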

OK, I got it to work:
1. I had used the IP of the Fritzbox instead of the real IP of the server that makes the request.
2. I had a typo in the community name.
Thanks for your help anyway and have a nice weekend.

Glad it all got sorted in the end. Sometimes we need to look closely when the situation isn't going as expected and you think everything is done; it's good we revisited it step by step.

 

Thanks for the feedback.

BB
