Problem polling external interface for ASA 5510 using SNMP

Sami Abunasser
Level 1

Hi,

I'm having an issue polling the external interface of my firewall using SNMP. I can ping it from the poller, and the firewall is configured to allow the access, but it fails.

=====================================================================================================

- Here's an excerpt of the configuration:

snmp-server host outside y.y.y.y community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec start stop
snmp-server enable traps entity config-change fru-insert fru-remove
snmp-server enable traps remote-access session-threshold-exceeded
icmp permit host y.y.y.y outside

--- y.y.y.y is the IP of the poller.

- The following is the output of a capture on the external interface monitoring the polling traffic:

   1: 08:25:32.946728 y.y.y.y > x.x.x.x: icmp: echo request
   2: 08:25:32.947689 x.x.x.x > y.y.y.y: icmp: echo reply
   3: 08:25:47.974665 y.y.y.y > x.x.x.x: icmp: echo request
   4: 08:25:47.974909 x.x.x.x > y.y.y.y: icmp: echo reply
   5: 08:25:55.565781 y.y.y.y.35 > x.x.x.x.137:  udp 50
   6: 08:25:57.053006 y.y.y.y.35 > x.x.x.x.137:  udp 50
   7: 08:25:58.553148 y.y.y.y.35 > x.x.x.x.137:  udp 50

- The following is the output of the logs:

Sep 21 2012 08:25:57 x-x-x-5510-01 : %ASA-7-710005: UDP request  discarded from y.y.y.y/35 to outside: x.x.x.x/137

- The following is the output of the packet tracer on the firewall:

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xac52bc28, priority=12, domain=capture, deny=false
        hits=3337268, user_data=0xab4c1c08, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7d4938, priority=1, domain=permit, deny=false
        hits=3756749060, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   x.x.x.x    255.255.255.255 identity

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in  id=0xab7d5158, priority=0, domain=permit, deny=true
        hits=98627, user_data=0x9, cs_id=0x0, flags=0x1000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

==================================================================================================

This issue is actually occurring on two other firewalls that I'm trying to set up external monitoring of. They are running 8.2(5).

Any assistance would be greatly appreciated.

Thank you,

Sami
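An added example, not part of the original post: it parses ASA capture lines and %ASA-7-710005 discard messages like the ones above and reports, for each UDP packet from the poller to the firewall's outside interface, the destination port, whether that port is the SNMP polling port (udp/161), and whether the ASA logged the same flow as discarded. Note that the capture above shows the poller's UDP packets arriving on port 137, not 161. The sample lines are constructed, with documentation addresses standing in for x.x.x.x and y.y.y.y.

```python
import re

SNMP_PORT = 161  # SNMP polling (get/walk); traps go the other way on udp/162

# ASA "capture" line: "<n>: <time> <src>.<sport> > <dst>.<dport>: udp <len>"
CAPTURE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<proto>\w+)")
# %ASA-7-710005: "<PROTO> request discarded from <src>/<sport> to <ifc>: <dst>/<dport>"
DISCARD_RE = re.compile(
    r"%ASA-\d-710005: (?P<proto>TCP|UDP) request\s+discarded from "
    r"(?P<src>\S+)/(?P<sport>\d+) to (?P<ifc>\S+):\s*(?P<dst>\S+)/(?P<dport>\d+)")

# Constructed sample data modelled on the capture and syslog output in the post;
# 192.0.2.10 stands in for the poller y.y.y.y, 198.51.100.1 for the outside x.x.x.x.
CAPTURE_LINES = [
    "   5: 08:25:55.565781 192.0.2.10.35 > 198.51.100.1.137:  udp 50",
    "   6: 08:25:57.053006 192.0.2.10.35 > 198.51.100.1.137:  udp 50",
    "   7: 08:25:58.553148 192.0.2.10.45001 > 198.51.100.1.161:  udp 42",
]
SYSLOG_LINES = [
    "Sep 21 2012 08:25:57 fw-5510-01 : %ASA-7-710005: UDP request  discarded "
    "from 192.0.2.10/35 to outside: 198.51.100.1/137",
]

def parse_capture(line):
    """Return (src, sport, dst, dport, proto) for a capture line, or None."""
    m = CAPTURE_RE.match(line)
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            m["proto"].lower()) if m else None

def parse_discard(line):
    """Return (src, sport, dst, dport) for a %ASA-7-710005 message, or None."""
    m = DISCARD_RE.search(line)
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"])) if m else None

def check_snmp_polls(capture_lines, syslog_lines, poller_ip, firewall_ip):
    """For each UDP packet poller -> firewall interface, report the destination
    port, whether it is the SNMP port, and whether the ASA logged it discarded."""
    discarded = {d for d in map(parse_discard, syslog_lines) if d}
    findings = []
    for src, sport, dst, dport, proto in filter(None, map(parse_capture, capture_lines)):
        if proto != "udp" or src != poller_ip or dst != firewall_ip:
            continue
        findings.append({"dport": dport, "is_snmp": dport == SNMP_PORT,
                         "discarded": (src, sport, dst, dport) in discarded})
    return findings
```

Run `check_snmp_polls(CAPTURE_LINES, SYSLOG_LINES, "192.0.2.10", "198.51.100.1")` against your own capture and syslog text to see which polls never reached udp/161 and which ones the ASA reported as discarded.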

1 Reply

nkarthikeyan
Level 7

Hi Sami,

You should have the outbound and inbound rules allowed for the SNMP ports (snmp and snmp-trap) to make this work. That's why your packet tracer result says it's blocked by the access-list.

Please do rate if the given information helps.

By

Karthik
