09-21-2012 10:53 AM - edited 03-11-2019 04:57 PM
Hi,
I'm having an issue polling the external interface of my firewall using SNMP. I can ping it from the poller, and the firewall is configured to allow the access, but it fails.
=====================================================================================================
- Here's an excerpt of the configuration:
snmp-server host outside y.y.y.y community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
icmp permit host y.y.y.y outside
--- y.y.y.y is the IP of the poller.
- The following is the output of a capture on the external interface monitoring the polling traffic:
1: 08:25:32.946728 y.y.y.y > x.x.x.x: icmp: echo request
2: 08:25:32.947689 x.x.x.x > y.y.y.y: icmp: echo reply
3: 08:25:47.974665 y.y.y.y > x.x.x.x: icmp: echo request
4: 08:25:47.974909 x.x.x.x > y.y.y.y: icmp: echo reply
5: 08:25:55.565781 y.y.y.y.35 > x.x.x.x.137: udp 50
6: 08:25:57.053006 y.y.y.y.35 > x.x.x.x.137: udp 50
7: 08:25:58.553148 y.y.y.y.35 > x.x.x.x.137: udp 50
- The following is the output of the logs:
Sep 21 2012 08:25:57 x-x-x-5510-01 : %ASA-7-710005: UDP request discarded from y.y.y.y/35 to outside: x.x.x.x/137
- The following is the output of the packet tracer on the firewall:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xac52bc28, priority=12, domain=capture, deny=false
hits=3337268, user_data=0xab4c1c08, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab7d4938, priority=1, domain=permit, deny=false
hits=3756749060, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in x.x.x.x 255.255.255.255 identity
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xab7d5158, priority=0, domain=permit, deny=true
hits=98627, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
==================================================================================================
This issue is actually occurring on two other firewalls that I'm trying to set up external monitoring of. They are running 8.2(5).
Any assistance would be greatly appreciated.
Thank you,
Sami
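As an added diagnostic example (not part of the original post), the script below parses the ASA capture lines and the %ASA-7-710005 syslog line quoted above and checks, for each UDP flow towards the firewall, whether the destination port is actually one an SNMP poller uses (udp/161, or udp/162 for traps) and whether the firewall's own log reports that flow as discarded. It assumes x.x.x.x is the firewall's outside address and y.y.y.y the poller, as in the post; the sample lines are constructed copies of the quoted output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: copies of the capture and syslog lines quoted in the post,
# using the poster's own x.x.x.x (firewall) / y.y.y.y (poller) placeholders.
CAPTURE_LINES = [
    "1: 08:25:32.946728 y.y.y.y > x.x.x.x: icmp: echo request",
    "2: 08:25:32.947689 x.x.x.x > y.y.y.y: icmp: echo reply",
    "5: 08:25:55.565781 y.y.y.y.35 > x.x.x.x.137: udp 50",
    "6: 08:25:57.053006 y.y.y.y.35 > x.x.x.x.137: udp 50",
    "7: 08:25:58.553148 y.y.y.y.35 > x.x.x.x.137: udp 50",
]
SYSLOG_LINES = [
    "Sep 21 2012 08:25:57 x-x-x-5510-01 : %ASA-7-710005: UDP request discarded "
    "from y.y.y.y/35 to outside: x.x.x.x/137",
]

# Ports an SNMP poller (161) or trap receiver (162) is expected to use.
SNMP_PORTS = {161: "snmp", 162: "snmptrap"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]


# Capture line shape: "<n>: HH:MM:SS.us <src[.port]> > <dst[.port]>: <proto> ..."
CAPTURE_RE = re.compile(
    r"^\d+:\s+\d\d:\d\d:\d\d\.\d+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<proto>\w+)"
)
# Syslog shape: "%ASA-7-710005: <PROTO> request discarded from <src>/<port> to <ifc>: <dst>/<port>"
SYSLOG_RE = re.compile(
    r"%ASA-\d-710005:\s+(?P<proto>\w+) request discarded from "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+) to \S+:\s+(?P<dst>[^/\s]+)/(?P<dport>\d+)"
)


def split_host_port(token: str, proto: str) -> Tuple[str, Optional[int]]:
    """ASA capture prints TCP/UDP endpoints as host.port; the port is the last dotted
    field. ICMP endpoints carry no port."""
    if proto in ("udp", "tcp"):
        host, port = token.rsplit(".", 1)
        return host, int(port)
    return token, None


def parse_capture_line(line: str) -> Optional[Flow]:
    m = CAPTURE_RE.match(line.strip())
    if not m:
        return None
    proto = m["proto"].lower()
    src, sport = split_host_port(m["src"], proto)
    dst, dport = split_host_port(m["dst"], proto)
    return Flow(proto, src, sport, dst, dport)


def parse_syslog_line(line: str) -> Optional[Flow]:
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    return Flow(m["proto"].lower(), m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def diagnose(capture_lines: List[str], syslog_lines: List[str], firewall_ip: str) -> List[str]:
    """One finding per distinct UDP destination port seen in the capture towards the
    firewall; flows the firewall's syslog reports as discarded are marked as such."""
    discarded = {f for f in map(parse_syslog_line, syslog_lines) if f}
    findings = []
    seen = set()
    for flow in map(parse_capture_line, capture_lines):
        if not flow or flow.proto != "udp" or flow.dst != firewall_ip or flow.dport in seen:
            continue
        seen.add(flow.dport)
        name = SNMP_PORTS.get(flow.dport)
        verdict = (f"udp/{flow.dport} is {name}" if name
                   else f"udp/{flow.dport} is not an SNMP port (expected 161 or 162)")
        if any(d.dst == flow.dst and d.dport == flow.dport for d in discarded):
            verdict += "; firewall logged it as discarded (ASA-7-710005)"
        findings.append(f"{flow.src} -> {flow.dst}: {verdict}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(CAPTURE_LINES, SYSLOG_LINES, "x.x.x.x"):
        print(finding)
```

Run against the quoted lines, the only UDP flow the capture shows is to udp/137, which is the NetBIOS name service port rather than SNMP, and the syslog line confirms the firewall discarded exactly that flow. Checking the capture this way before touching the access-lists tells you whether the poller is even sending SNMP to the interface, or whether the ACL question needs to be answered for a different port than expected.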
09-22-2012 01:38 PM
Hi Sami,
You should have the outbound and inbound rules allowed for the snmp ports snmp and snmp trap to make this work. That's why your packet tracer result says it's blocked by the access-list.
Please do rate if the given information helps.
By
Karthik