snmp orion question

Vishnu Reddy
Level 1

Hi Guys,

 

I have an Orion NetFlow server with IP address 192.168.5.68. I am trying to add a node (Internet router, IOS 12.x) from the Internet so that it is represented in NetFlow for traffic monitoring. The Orion server talks to the Internet through the ASA, and to the Internet router node which I am trying to add to Orion NTA.

I tried to apply static NAT statements on the ASA so that Orion can talk to the Internet router:

 

static (inside,outside) 111.111.111.111 192.168.5.68 netmask 255.255.255.255
access-list outside_access_in extended permit udp any host 111.111.111.111 eq snmp
access-list outside_access_in extended permit tcp any host 111.111.111.111 eq 2055

 

Port 2055 is the port that is used by Orion NTA to collect netflow traffic.

 

Internet router:

G0/1 123.123.123.254 - connected to the ASA outside interface (123.123.123.1)

G0/0 123.123.122.1 - connected to the Verizon Internet, with default route 0.0.0.0 0.0.0.0 123.123.123.254 pointing to the Verizon Internet

 

Netflow configuration on the Internet router:

ip flow-export source GigabitEthernet0/1
ip flow-export version 5
ip flow-export destination 111.111.111.111 2055

int g0/1
 ip flow ingress
 ip flow egress

 

Please tell me whether the above configuration will work, or whether there is another way to configure this.

 

Thanks in advance

Accepted Solution

You're welcome. Please take a moment to rate any helpful replies.

18 Replies

Marvin Rhoads
Hall of Fame

That looks mostly correct.

NetFlow export to SolarWinds Orion NTA is not via tcp/2055 but rather udp/2055 (reference), so you need to change the second entry in your access-list to reflect that.

Thank you. I will give it a try. Also, I will try to open SNMP via the inspect map on the ASA, as well as include it in the ACL as shown in the above configuration.


Thank you Marvin for your insight. I am worried that I am not able to get it working, even though the above stated configuration should work as you suggested. I am not able to ping or traceroute to that public router. Since the ASA is in the middle, this is really creating a headache for me.

My question is: are the ICMP ping/traceroute and SNMP configs mutually exclusive, or do they depend on each other? First I need to get the ping connectivity working and then work on SNMP.

I tried doing inspect icmp and the icmp permit command on the ASA, but no results. These are such simple tasks but I can't figure them out. When I ping from the ASA to that public IP I get a packet of unspecified type, represented by ?????. I am stuck here.

Help needed.

Thanks in advance.

Yes the ping/traceroute and snmp bits are mutually exclusive.

Are you trying to ping from Orion to the router? If so, please provide the output of the following command from the ASA command line:

packet-tracer input inside icmp <orion server address> 8 0 <router address>

(assuming your inside interface has the nameif "inside")

Thanks Marvin,

Sorry, my bad. This is not an ASA; it's a PIX 515E. And I was able to resolve this issue by putting the icmp permit statement before the deny icmp statement, and ping and traceroute from the Orion server started working.

My next challenge is that I am still not able to discover the Internet router via SNMP.

 

Orion server ------------- E1 (inside) ASA E0 (outside) ------------------------------ F0/1 Internet router F0/0 ------------- Verizon router for Internet

I am using the read-only community string for discovery.

Using the SNMPWalk tool, it just times out without any error.

Am I doing anything wrong?

Thanks for all the help.


I couldn't find a specific reference just now, but I've always used both the SNMP RW and RO community strings when doing a discovery.

Can you try adding the RW and re-discovering?

Hi Marvin,

I will give it a try by adding the RW string. I have Wireshark running on the Orion server and I can see the Orion server making get requests but no responses. This clearly shows that the response is not coming back. The Internet node seems to be fine. I am having doubts whether I should be applying the access-list on the inside of the ASA.

I just applied the access-list on the outside of the ASA, allowing SNMP and port 2055.

I will let you know once I test this.


Do you have an access-list on the inside of the PIX?

You can use packet-tracer on PIX software as long as it's version 7.2(1) or later.

Thank you

I am using version 7.0(1)


access-list inside_access_in extended permit udp any any eq snmp
access-list inside_access_in extended permit udp any any eq 2055

I applied this on the inside interface. But no luck.

 

Without seeing the entire setup of the PIX it's hard to say if and where it might be blocking the traffic.

Is there a reason why you're using a firewall that hasn't been sold in over 6 years, with software that's at least as old?

I am new to this company, barely 1 month. I know it has loads of configuration on it. We are planning to replace it with a pair of 5525s for HA. I am able to make it work for ICMP and traceroute, but SNMP is really giving me a tough time.

access-list outside_access_in extended permit udp any host a.b.c.d eq 2055
access-list outside_access_in extended permit udp any host a.b.c.d eq snmp
static (inside,outside) a.b.c.d e.f.g.h netmask 255.255.255.255

e.f.g.h = IP address of the Orion server
a.b.c.d = public IP mapped to the Orion server

I am using a public IP that is spare, but I am not sure how I can test that this public IP is functional, since it belongs to us and we have a /24 mask, meaning 254 public IPs, and I am using one of those.

The lines you shared from your outside_access_in ACL are correct.

Both access-list and NAT entries can be affected by other entries preceding them in the configuration, that's why I mentioned the larger configuration being relevant.

Aside from the SNMP, if you have Netflow configured on the router with those ACL entries, you should at least see the udp/2055 traffic hitting your Orion server. Have you looked for that? (e.g. using Wireshark) You may need to make the export source address the interface that connects to the ASA (fa0/1? you had mentioned a Gi0/1 earlier).

You could also debug snmp on the router to see if you are receiving the requests when you initiate an snmpwalk from Orion.
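The "at least see the udp/2055 traffic hitting your Orion server" check above can be done without Wireshark. The decoder below is an added example for this thread, not SolarWinds or Cisco code: it understands the NetFlow version 5 format the router is configured to export (24-byte header, up to 30 48-byte records), rejects anything that is not v5 or is truncated, and can bind udp/2055 on the Orion host to decode the first datagram that arrives. The sample datagram it builds is constructed, not a real capture, and the port, addresses and function names are assumptions.

```python
"""NetFlow v5 decoder for udp/2055 (added example; assumes `ip flow-export version 5`)."""
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout: 24-byte header, then `count` records of 48 bytes each.
HEADER_FMT = "!HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one exported datagram; raise ValueError on anything that is not a sane v5 export."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, uptime, secs, nsecs, seq, eng_type, eng_id, sampling = \
        struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"version field is {version}, expected 5")
    if not 1 <= count <= 30:
        raise ValueError(f"implausible record count {count}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header promises more records than the datagram holds")
    records = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append({
            "src": str(IPv4Address(src)), "src_port": sport,
            "dst": str(IPv4Address(dst)), "dst_port": dport,
            "next_hop": str(IPv4Address(nexthop)),
            "in_if": in_if, "out_if": out_if,
            "protocol": PROTO_NAMES.get(proto, str(proto)),
            "tcp_flags": tcp_flags, "packets": pkts, "bytes": octets,
            "duration_ms": last - first,   # first/last are sysUptime stamps in ms
        })
    return {
        "version": version, "count": count, "sys_uptime_ms": uptime,
        "exported_at": secs, "flow_sequence": seq, "engine_id": eng_id,
        "sampling_interval": sampling & 0x3FFF,   # top two bits carry the sampling mode
        "records": records,
    }


def build_sample_datagram() -> bytes:
    """Constructed sample (not a real capture): one TCP flow 10.0.0.5:51234 -> 192.0.2.10:443."""
    header = struct.pack(HEADER_FMT, 5, 1, 123_456, 1_700_000_000, 0, 42, 0, 0, 0)
    record = struct.pack(RECORD_FMT,
                         IPv4Address("10.0.0.5").packed, IPv4Address("192.0.2.10").packed,
                         IPv4Address("0.0.0.0").packed,
                         1, 2, 10, 1500, 120_000, 123_000, 51234, 443,
                         0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record


def listen(port: int = 2055, timeout: float = 30.0, bind_addr: str = "0.0.0.0"):
    """Bind like the collector would and decode the first datagram; None means nothing arrived.

    Run it on the Orion host with the NTA collector stopped (it otherwise owns the port).
    The exporter address should be the router's flow-export source, or its NAT'd address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_addr, port))
        try:
            data, (peer, _) = sock.recvfrom(65535)
        except socket.timeout:
            return None
    result = parse_netflow_v5(data)
    result["exporter"] = peer
    return result


if __name__ == "__main__":
    print(parse_netflow_v5(build_sample_datagram()))
```

If listen() returns None while the router has `ip flow ingress`/`ip flow egress` on a busy interface, the export never reached the host, which points at the NAT or ACL (remember the udp-not-tcp correction earlier in the thread) rather than at Orion. If it returns a record whose exporter is not the address you expected, the router is sourcing the export from a different interface than the one the ACL permits.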

Hi Marvin,

Thanks for your help. I am not sure about pasting 650 lines of config, which seems very time consuming to me, even sanitizing the config. Is there any sort of channel you can use to remote into my laptop? I am occupied with some other stuff.

Is it OK to attempt the debug snmp command on the Internet router with terminal monitor?

Thanks in advance..


I have one question. We have a.b.c.d/24 public IPs. The IPs in use are basically statically NATted to our servers at the datacenter and DMZ. My thinking is that an IP address which is NATted can be tested by pinging it, and that works. But what about the IP which is spare? If I test it by pinging, the result is request timeout, since that IP is not being used. Now I NAT it to our Orion server and should be able to ping that public IP from the Internet router, but I can't ping that public IP. How do we test before and after to make sure that we are achieving the right thing?

Since the access-list is correct and that public IP is not being used.

Thanks for all the help