Problems polling SNMP in a Zone-based policy FW

egua5261
Level 1

Hi there,

I'm experiencing a problem where a Cisco1841, running an advsecurity IOS (c1841-advsecurityk9-mz.124-15.T9.bin) and configured with Zone-Based policies via SDM is not allowing an external server to collect traffic stats via SNMP. The packets are getting dropped somewhere.

Following are the parts of the router config relating to this issue,

(I have omitted IP addresses and passwords.)

class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol snmp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic

policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
class type inspect sdm-protocol-im
  inspect
  service-policy im sdm-action-app-im
class type inspect sdm-insp-traffic
  inspect
class type inspect SDM-Voice-permit
  inspect
class class-default
  pass

zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect

interface FastEthernet0/0
 description LAN interface
 zone-member security in-zone

interface FastEthernet0/1
 description WAN interface
 zone-member security out-zone
 ip route-cache flow

snmp-server community xxxxxx RO 1
snmp-server community xxxxxx RW 1
snmp-server ifindex persist

access-list 1 permit xxx.xxx.xxx.xxx
access-list 1 permit xxx.xxx.xxx.xxx

If I remove the 'zone-member security out-zone' command from the WAN Interface then things start working and the external server is able to poll the snmp information from the router. So it is something to do with the way the zone-based policies work/inspect.
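For readers following this thread: the post above shows the sdm-inspect policy (which does match snmp) applied to the in-zone to out-zone pair, but SNMP polls addressed to the router itself are handled by the self zone, so they are governed by the out-zone to self zone-pair and its sdm-permit policy, which the post does not include. The configuration below is an added illustration of what a least-privilege policy on that zone-pair can look like; it is not taken from the post or from SDM's generated config. The ACL name, class-map name, policy-map name and the 192.0.2.10 manager address are constructed placeholders, and the policy is shown stand-alone rather than merged into the existing sdm-permit policy-map, whose other classes are not visible here.

```text
! Constructed example: restrict SNMP reaching the router to one monitoring host.
! 192.0.2.10 is a documentation-range placeholder, not an address from the post.
ip access-list extended SNMP-MANAGERS
 permit udp host 192.0.2.10 any eq snmp
!
! match-all: the packet must come from the listed manager AND be UDP.
class-map type inspect match-all snmp-from-manager
 match access-group name SNMP-MANAGERS
 match protocol udp
!
! Hypothetical policy for traffic destined to the router (self zone).
! Inspecting the UDP flow lets the SNMP response leave via the session
! entry instead of needing a separate self-to-out-zone rule.
policy-map type inspect out-to-self
 class type inspect snmp-from-manager
  inspect
 class class-default
  drop log
!
! The zone-pair already exists in the post; only the attached policy differs.
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect out-to-self
```

When verifying a change like this, `show policy-map type inspect zone-pair sdm-zp-out-self` reports per-class packet and drop counters, so a poll that is still failing shows up as hits on class-default rather than on the SNMP class; the `snmp-server community ... RO 1` ACL on the router remains a second, independent check on the source address.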

Appreciate your help,

Regards,

Esteban
