Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1969
Views
0
Helpful
2
Replies

Firepower FPR2110 SNMP Access to LINA Through Data Interface

Go to solution
pncisco216
Level 1
Level 1

‎04-01-2020 06:55 AM

Hello,

 

Using FTD Version 6.5.0.4 on FPR2110, and managed with FMC.

 

I am trying to access SNMP in LINA via the inside data interface, and it is being denied.

The sanitized packet capture below shows an output-interface of "NP Identity Ifc", which I understand to be the device itself.  What I am wondering is how do I assign a zone to this "interface" and hence add access for this to my access control policy?  Is this just not possible, or am I missing something here?  I am currently not using the diagnostics interface, and would have to redesign my management access to do so (since it cannot share a network with the data interfaces).  Is my only option the diagnostics interface, or will this work through a data interface?

 

Thank you,

 

Paul

 

The packet capture is as follows:

 

1: 21:54:19.582077 <IP address of monitoring server>.36579 > <IP address of inside interface>.161: udp 64
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <IP address of inside interface> using egress ifc identity

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab63792ec flow (NA)/NA

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-01-2020 08:26 AM

You have to configure and use the diagnostic interface to access LINA via SNMP as of 6.5.0.4.

Stay tuned for changes in 6.6 in this regard.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-01-2020 08:26 AM

You have to configure and use the diagnostic interface to access LINA via SNMP as of 6.5.0.4.

Stay tuned for changes in 6.6 in this regard.

0 Helpful

Go to solution
pncisco216
Level 1
Level 1
In response to Marvin Rhoads

‎04-01-2020 08:40 AM

Ok.

I had a feeling that was the answer, but wanted to check before I reconfigure things.

Thank you,

 

Paul

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card