Problem polling external interface for ASA 5510 using SNMP

Sami Abunasser
Level 1

Hi,

I'm having an issue polling the external interface of my firewall using SNMP. I can ping it from the poller, and the firewall is configured to allow the access, but it fails.

=====================================================================================================

- Here's an excerpt of the configuration:

snmp-server host outside y.y.y.y community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
icmp permit host y.y.y.y outside

--- y.y.y.y is the IP of the poller.

- The following is the output of a capture on the external interface monitoring the polling traffic:

   1: 08:25:32.946728 y.y.y.y > x.x.x.x: icmp: echo request
   2: 08:25:32.947689 x.x.x.x > y.y.y.y: icmp: echo reply
   3: 08:25:47.974665 y.y.y.y > x.x.x.x: icmp: echo request
   4: 08:25:47.974909 x.x.x.x > y.y.y.y: icmp: echo reply
   5: 08:25:55.565781 y.y.y.y.35 > x.x.x.x.137:  udp 50
   6: 08:25:57.053006 y.y.y.y.35 > x.x.x.x.137:  udp 50
   7: 08:25:58.553148 y.y.y.y.35 > x.x.x.x.137:  udp 50

- The following is the output of the logs:

Sep 21 2012 08:25:57 x-x-x-5510-01 : %ASA-7-710005: UDP request  discarded from y.y.y.y/35 to outside: x.x.x.x/137

- The following is the output of the packet tracer on the firewall:

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac52bc28, priority=12, domain=capture, deny=false
        hits=3337268, user_data=0xab4c1c08, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7d4938, priority=1, domain=permit, deny=false
        hits=3756749060, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   x.x.x.x    255.255.255.255 identity

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7d5158, priority=0, domain=permit, deny=true
        hits=98627, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

==================================================================================================

This issue is actually occurring on two other firewalls that I'm trying to set up external monitoring of. They are running 8.2(5).

Any assistance would be greatly appreciated.

Thank you,

Sami
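One thing worth checking before touching ACLs: both the capture and the %ASA-7-710005 syslog line in the post show the poller's UDP arriving at x.x.x.x on port 137, not on udp/161, which is the well-known port the ASA's snmp-server agent listens on. As an added example (not from the original post, the poster or Cisco), this Python script parses lines in the shape of the post's capture and syslog output and flags to-the-box UDP from the poller that is not on udp/161; the function and regex names are mine, 161 is assumed as the expected SNMP port, and the sample lines are constructed from the post.

```python
import re

# Constructed sample input in the shape of the post's capture and syslog lines (x.x.x.x / y.y.y.y are the post's own placeholders).
CAPTURE_LINES = [
    "1: 08:25:32.946728 y.y.y.y > x.x.x.x: icmp: echo request",
    "5: 08:25:55.565781 y.y.y.y.35 > x.x.x.x.137:  udp 50",
    "6: 08:25:57.053006 y.y.y.y.35 > x.x.x.x.137:  udp 50",
]
SYSLOG_LINES = [
    "Sep 21 2012 08:25:57 x-x-x-5510-01 : %ASA-7-710005: UDP request  discarded from y.y.y.y/35 to outside: x.x.x.x/137",
]

SNMP_PORT = 161  # well-known port the ASA's snmp-server agent listens on (assumed expected port)

# "y.y.y.y.35 > x.x.x.x.137:  udp 50"  ->  src, sport, dst, dport (ICMP lines do not match)
CAPTURE_RE = re.compile(r"^\d+:\s+\S+\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+udp\s+\d+")
# "%ASA-7-710005: UDP request  discarded from y.y.y.y/35 to outside: x.x.x.x/137"
SYSLOG_RE = re.compile(r"%ASA-\d-710005: UDP request\s+discarded from (\S+)/(\d+) to (\S+): (\S+)/(\d+)")


def udp_flows_from_capture(lines):
    """(src, sport, dst, dport) for each UDP packet in a 'show capture' listing."""
    out = []
    for line in lines:
        m = CAPTURE_RE.match(line.strip())
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
    return out


def discarded_udp_from_syslog(lines):
    """(src, sport, iface, dst, dport) for each %ASA-7-710005 to-the-box UDP discard."""
    out = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3), m.group(4), int(m.group(5))))
    return out


def check_poller_traffic(poller_ip, capture_lines, syslog_lines):
    """Findings about what the poller actually sent to the ASA; empty means only udp/161 was seen."""
    findings = []
    for src, sport, dst, dport in udp_flows_from_capture(capture_lines):
        if src == poller_ip and dport != SNMP_PORT:
            findings.append(f"capture: {src}:{sport} -> {dst}:{dport} is not SNMP (expected udp/{SNMP_PORT})")
    for src, sport, iface, dst, dport in discarded_udp_from_syslog(syslog_lines):
        if src == poller_ip:
            kind = "SNMP" if dport == SNMP_PORT else f"non-SNMP udp/{dport}"
            findings.append(f"syslog 710005: {kind} from {src}:{sport} discarded on {iface} -> {dst}:{dport}")
    return findings
```

Run it against the real `show capture` and syslog output: an empty list means the poller is at least sending to udp/161 and the ACL is the place to look next.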

1 Reply

nkarthikeyan
Level 7

Hi Sami,

You should have the outbound and inbound rules allowed for the SNMP ports, snmp and snmp-trap, to make this work. That's why your packet tracer result says it's blocked by the access-list.

Please do rate if the given information helps.

By

Karthik
