FDM SNMP setup

Hi,

I am going through the SNMP settings.
FPR2110 with FDM 7.0.1-84 and 6.6.1-91.
The current settings were all done by referring to the Cisco manual; on the 6.6.1 version all the settings were done through FlexConfig, following a video posted on YouTube.

I confirmed that the SNMP manager can ping the inside interface of the main firewall and of the server firewall.

I confirmed that the SNMP settings were added on the CLI, but the problem is that there is no response when I test with snmpwalk.
Even when I run snmpwalk against the firewall itself from the firewall CLI, there is no response.

Is it a problem that the inside interface is composed of serial segments?
Even so, I guess the SNMP manager should be able to receive MIBs from the main/server firewall's inside interface,
because the SNMP manager can ping both interfaces.

I don't know which one is the problem.
Below is the topology of my network.

[image: network topology diagram]


10 Replies

Divya Jain (Cisco Employee)

Hi,
Did you refer to this doc for the configuration?
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/216551-configure-and-troubleshoot-snmp-on-firep.html#anc9

At the end of the doc there are a few verification outputs. Can you check those, and is it possible to share them?
A quick packet capture / trace would help identify exactly where it's failing.

Regards
Divya Jain

Hi, this is the current running-config on the FDM CLI.

[image: running-config screenshot]

I'm trying to use the inside interface; the diagnostic interface is for testing.

[image: screenshot]

And I tried to verify using the FDM CLI's expert mode, running snmpwalk against the firewall itself, but it didn't work.

192.168.255.1 is BB (C9300)

192.168.255.3 is the FDM diagnostic interface

10.10.10.1 is the inside interface.

thanks

snmp-server host <interface> .......... <<- did you select the interface that the ASA will use to connect to the SNMP server?
Are you sure that the interface IP is reachable?

You can run packet-tracer:
packet-tracer input OUT udp <interface IP> 1234 <SNMP server> 161

Do this and see if there is a NAT or ACL preventing access to the server.


+ When I finish testing with packet-tracer, I'll respond ASAP.

> packet-tracer input Inside udp 192.168.230.23 snmp 10.10.222.9 snmp

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.220.1 using egress ifc outside(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
access-list NGFW_ONBOX_ACL advanced permit object-group |acSvcg-268435476 ifc inside object 192.168.230.0-24 ifc outside any rule-id 268435476 event-log both
access-list NGFW_ONBOX_ACL remark rule-id 268435476: ACCESS POLICY: NGFW_Access_Policy
access-list NGFW_ONBOX_ACL remark rule-id 268435476: L5 RULE: Policy19
object-group service |acSvcg-268435476
service-object ip
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: INSPECT
Subtype: inspect-snmp
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect snmp
service-policy global_policy global
Additional Information:

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1482498183, packet dispatched to next module

Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: UDP
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: allow rule, id 268435476, allow
Snort id 1, NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Phase: 13
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.220.1 using egress ifc outside(vrfid:0)

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 10.10.220.1 on interface outside
Adjacency :Active
MAC address ac4a.5654.e657 hits 82388 reference 808

Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
output-interface: outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow

In the server FW,
we must run packet-tracer with input on the OUT interface of the server FW;
we need to see if the other device can reach the server's IN.
packet-tracer input OUT udp <interface IP> 1234 <SNMP server> 161

Hi, here is the info.

10.10.222.2 = Svr F/W's outside interface IP

192.168.223.130 = SNMP Manager, inside of the Svr F/W

(Svr F/W inside: 10.10.222.9) <> (SvrFarm SW: 10.10.222.11)

> packet-tracer input outside udp 10.10.222.2 snmp 192.168.223.130 snmp

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.222.11 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab63c99d4 flow (NA)/NA

 

++ Outside Any > Inside 192.168.223.130 (SNMP Manager) is set to allow all, and also every access rule is set to allow.

Only the default rule is deny.

[image: access-rule screenshot]

+++ Everything below here worked. (10.10.10.1 = Main F/W's inside interface) (192.168.255.1 = B/B's VLAN IP)

> packet-tracer input outside udp 10.10.10.1 snmp 192.168.223.130 snmp

> packet-tracer input outside udp 192.168.255.1 snmp 192.168.223.130 snmp

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.222.11 using egress ifc inside(vrfid:0) <<- when using 10.10.222.2

Are you sure that you don't have an IP conflict? Check the subnet mask.

Every serial line is assigned a 29-bit subnet mask.

10.10.222.1/29 -> 222.0~222.7

10.10.222.9/29 -> 222.8~222.15

Hi,
As per your output, it shows that the packet is dropped because of an access list. Check if you have any ACL configured for that particular traffic.

> packet-tracer input outside udp 10.10.222.2 snmp 192.168.223.130 snmp

Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 10.10.222.11 using egress ifc inside(vrfid:0)

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab63c99d4 flow (NA)/NA


Regards
Divya Jain
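The packet-tracer checks suggested in this thread (the command template in MHM's reply and the acl-drop reading of the output in the last reply) are easy to get wrong by hand, so here is an added example, not code from the thread or from Cisco, that builds the commands worth running and summarises a pasted transcript. Two caveats a practitioner would check before trusting a result: a poll addressed to the firewall's own interface IP is to-the-box traffic, which the access control policy does not evaluate at all (only the snmp-server host interface/manager settings and the reachability of that interface matter), so packet-tracer says nothing about that case; and packet-tracer simulates a single unsolicited packet, so tracing the reply direction (source port 161 back toward the manager) will always hit the implicit deny even when the real reply would be allowed on the connection the request created. Trace the request (manager to UDP/161) and any trap (device to manager, UDP/162) instead. The two transcripts embedded below are constructed, abbreviated from the ones posted in this thread, and the addresses are reused from the thread.

```shell
#!/usr/bin/env sh
# Added example: helpers for SNMP troubleshooting on FTD/ASA with packet-tracer.
# Not from the thread; the transcripts below are constructed (abbreviated from
# the ones posted) and the addresses are reused from the thread.

# Print the two packet-tracer commands that exercise the access policy for one
# SNMP poll: the request as it enters from the manager side (UDP/161) and a
# trap from the polled device back to the manager (UDP/162). 1234 stands in
# for an ephemeral source port. Do not trace the reply (src 161 -> manager):
# it has no pre-existing flow in the simulation and will always hit the
# implicit deny, which tells you nothing about the real, stateful reply.
# Arguments: <manager-facing ifc> <manager ip> <target-facing ifc> <target ip>
snmp_trace_cmds() {
  printf 'packet-tracer input %s udp %s 1234 %s 161\n' "$1" "$2" "$4"
  printf 'packet-tracer input %s udp %s 1234 %s 162\n' "$3" "$4" "$2"
}

# Read a packet-tracer transcript on stdin and print one summary line:
#   DROP phase=<n> type=<phase type> reason=<drop code>   (first DROP phase)
#   ALLOW <ingress ifc>-><egress ifc>                    (no phase dropped)
trace_verdict() {
  awk '
    /^Phase:/            { phase = $2 }
    /^Type:/             { type = $2 }
    /^Result: DROP/      { if (!dropped) { dropped = 1; dphase = phase; dtype = type } }
    /^input-interface:/  { split($2, a, "("); ing = a[1] }
    /^output-interface:/ { split($2, a, "("); egr = a[1] }
    /^Drop-reason:/      { if (match($0, /\([a-z0-9-]+\)/)) reason = substr($0, RSTART + 1, RLENGTH - 2) }
    END {
      if (dropped) printf "DROP phase=%s type=%s reason=%s\n", dphase, dtype, (reason == "" ? "unknown" : reason)
      else printf "ALLOW %s->%s\n", ing, egr
    }'
}

# Constructed sample: the reply-direction trace from the thread, shortened.
DROP_TRACE=$(cat <<'EOF'
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Result:
input-interface: outside(vrfid:0)
output-interface: inside(vrfid:0)
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab63c99d4 flow (NA)/NA
EOF
)

# Constructed sample: the request-direction trace from the thread, shortened.
ALLOW_TRACE=$(cat <<'EOF'
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Phase: 2
Type: INPUT-ROUTE-LOOKUP
Result: ALLOW
Phase: 3
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group NGFW_ONBOX_ACL global
Result:
input-interface: inside(vrfid:0)
output-interface: outside(vrfid:0)
Action: allow
EOF
)

# Demo when run as a script: commands for polling the main FW inside IP from
# the manager behind the server FW, then the verdict for each sample.
snmp_trace_cmds inside 192.168.223.130 outside 10.10.10.1
printf '%s\n' "$DROP_TRACE"  | trace_verdict   # DROP phase=2 type=ACCESS-LIST reason=acl-drop
printf '%s\n' "$ALLOW_TRACE" | trace_verdict   # ALLOW inside->outside
```

Paste a real transcript into `trace_verdict` on stdin (for example from a file saved off the FTD `>` prompt). When the summary names an ACCESS-LIST phase with `Implicit Rule`, compare the ingress interface and the direction of the traced packet against the rule you expect to match before concluding the policy is wrong; a reply-direction trace is the most common false alarm.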
