05-21-2015 09:28 PM - edited 03-11-2019 10:58 PM
Hi all,
I've configured a new 5525-X and SSH/TACACS+ is fine.
I can't seem to make SNMP work and can't add the ASA in SolarWinds NPM.
I can ping the SNMP polling server and the PT result was OK.
Can someone please advise? Is SNMP allowed on the ASA MGMT interface?
# sh run | i snmp
snmp-server host management 10.111.0.26 community ***** version 2c
# ping management 10.111.0.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.111.0.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 210/212/220 ms
# packet-tracer input management udp 10.111.0.26 161 172.27.0.124 161
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.27.0.124 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 190, packet dispatched to next module
Result:
input-interface: management
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow
access-list MGMT extended permit icmp any any time-exceeded
access-list MGMT extended permit icmp any any unreachable
access-list MGMT extended permit tcp host <SSH NMS> host 172.27.0.124 eq ssh
access-group MGMT in interface management
route management 10.111.0.0 255.255.255.0 172.27.0.121
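Added check, not part of the original post: the CLI sequence below verifies whether SNMP polls from 10.111.0.26 actually reach the ASA and are answered. The packet-tracer above already shows that to-the-box traffic is not filtered by the MGMT access-group (the ACCESS-LIST phase reports "Implicit Rule" and the output interface is "NP Identity Ifc"): interface ACLs on the ASA apply to through traffic only, and polling of the box itself is gated by the snmp-server host entry, the community string and the SNMP version. Those are what the capture and the agent counters test. The community string "S3cr3tRO" and the capture name "snmpcap" are placeholders.

```text
! Added example, not from the original post. "S3cr3tRO" and "snmpcap" are assumed names.

! 1. The host entry is what authorises polling from the NMS. Version and community must match
!    exactly what SolarWinds sends (v2c here). "poll" is the default and is shown for clarity.
snmp-server host management 10.111.0.26 poll community S3cr3tRO version 2c

! 2. Capture SNMP on the management interface to see whether polls arrive and replies leave.
!    The match clause is bidirectional, so both the request and the reply are captured.
capture snmpcap interface management match udp host 10.111.0.26 host 172.27.0.124 eq 161
! ... trigger a poll (or an "add node" test) from the NMS, then:
show capture snmpcap
! Requests 10.111.0.26 -> 172.27.0.124/161 with no replies in the other direction point at a
! community/version mismatch or at an snmp-server host entry that does not cover this NMS.
! No packets at all means the polls never reach the ASA (check the path via 172.27.0.121).

! 3. The agent counters separate "never arrived" from "arrived but rejected": a rising
!    bad/unknown community counter means the NMS is polling with a different string or version.
show snmp-server statistics
show running-config snmp-server

! 4. Remove the capture when finished; captures consume memory and hold traffic in cleartext.
no capture snmpcap
```

A caveat worth stating: with version 2c the community string crosses the management network in cleartext, so anyone who can capture on that path can poll the firewall. Where the NMS supports it, an SNMPv3 user with auth and priv (snmp-server group / snmp-server user on the ASA, with the host entry set to version 3 and that user) removes that exposure without changing the polling path.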
05-27-2015 10:05 PM
hi,
Hi,
In addition to the above, it seems routing our core IP network via the management interface is giving me a hard time. Is it possible to use the management interface for normal routing and SNMP?
I was contemplating using another GE port for our 'inside' network instead of the MGMT port, and the existing GE for our client (like a DMZ).
I got an ACL drop on PT saying 'mgmt-deny-all' even though permit ip any any is already applied on the MGMT interface. I tried the 'out' direction on the access-group command but no joy. Is there a global explicit deny that I may have overlooked?
# packet-tracer input outside icmp 202.26.16.77 8 0 202.8.6.17 det
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 202.8.6.17 255.255.255.255 management
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit icmp any 202.8.6.0 255.255.240.0
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff30d53760, priority=13, domain=permit, deny=false
hits=18, user_data=0x7fff29133800, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=202.78.16.0, mask=255.255.240.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2faccba0, priority=0, domain=nat-per-session, deny=true
hits=649, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff3059cb30, priority=0, domain=inspect-ip-options, deny=true
hits=315, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff30cf3b90, priority=70, domain=inspect-icmp, deny=false
hits=19, user_data=0x7fff30cf2f90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff30cf8900, priority=70, domain=inspect-icmp-error, deny=false
hits=19, user_data=0x7fff30cf7d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 7
Type: ACCESS-LIST
Subtype: mgmt-deny-all
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff3064a0a0, priority=200, domain=mgmt-lockdown, deny=true
hits=24, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=management
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: management
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
access-list MGMT extended permit icmp any any time-exceeded
access-list MGMT extended permit icmp any any unreachable
access-list MGMT extended permit tcp host <SSH NMS> host 172.27.0.124 eq ssh
access-list MGMT extended permit ip any any log
access-group OUTSIDE in interface outside
access-group inside in interface inside
access-group MGMT in interface management
05-28-2015 12:27 AM
Never mind.
I transferred from the MGMT port to G0/2 and the design/routing worked.
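The 'mgmt-deny-all' drop in the second packet-tracer is not the MGMT access-list. The matching rule sits in the mgmt-lockdown domain at priority 200 with output_ifc=management, which is the lockdown the ASA applies to any interface configured with the management-only command; on the 5500-X series that is the default for Management0/0. A management-only interface accepts only traffic to and from the ASA itself, so a flow routed through it is dropped before any access-group, in either direction, can permit it. The configuration below is an added example, not the original poster's config, and shows the two ways out: remove management-only (the 5525-X allows this on Management0/0; some platforms do not, so check the interface chapter of the configuration guide for the release in use), or, as the thread settled on, move the routed core network to a data port. The nameif "core", the access-list name "CORE", the subnet masks and the 192.0.2.0/24 management subnet are assumptions; 172.27.0.124, 172.27.0.121 and 10.111.0.0/24 come from the thread.

```text
! Added example, not the original poster's configuration. "core", "CORE", the /24 masks and
! the 192.0.2.0/24 management subnet are assumed; the other addresses come from the thread.

! As shipped, Management0/0 is management-only. Through traffic that routes in or out of it
! matches the mgmt-lockdown rule (packet-tracer phase "mgmt-deny-all"), regardless of the
! access-group applied to the interface.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.27.0.124 255.255.255.0

! Option A: keep the core network on Management0/0 and allow through traffic.
! Removing management-only makes the port an ordinary data interface: the lockdown rule is
! gone and the MGMT access-list becomes the only filter. The ASA's own management plane
! (SSH, SNMP) then shares a path with routed user traffic, so this is the weaker design.
interface Management0/0
 no management-only

! Option B (what the thread settled on): leave Management0/0 management-only for SSH/SNMP on
! its own subnet, and put the routed core network on a data port with the old address.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.124 255.255.255.0
!
interface GigabitEthernet0/2
 nameif core
 security-level 100
 ip address 172.27.0.124 255.255.255.0
 no shutdown
!
! Routes that pointed out "management" move to "core"; the static route from the thread shown.
route core 10.111.0.0 255.255.255.0 172.27.0.121
! Tighten this to the flows the core actually needs; permit ip any any is a placeholder.
access-list CORE extended permit ip any any log
access-group CORE in interface core
! The management interface keeps only to-the-box rules; an SNMP host entry follows the nameif.
snmp-server host management 10.111.0.26 community S3cr3tRO version 2c

! Verify: once the 202.8.6.0/20 routes also point out "core", the flow that was dropped
! should egress "core" and the output must contain no mgmt-lockdown / mgmt-deny-all phase.
packet-tracer input outside icmp 202.26.16.77 8 0 202.8.6.17 detailed
show running-config interface Management0/0
show running-config interface GigabitEthernet0/2
```

Two points from the packet-tracer output itself confirm this reading: the ROUTE-LOOKUP phase resolves 202.8.6.17 to the management interface, so egress was always going to be the locked-down port, and the dropping rule reports "out ... output_ifc=management" with no reference to the MGMT access-group, which is why adding permit ip any any and trying the out direction changed nothing. With Option B the management port still answers SSH and SNMP from its own subnet, because to-the-box traffic is exactly what management-only permits.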