snmp polling across firewalls

Roy Lindo
Level 1

I have an issue with my firewalls polling my snmp stations.  The issue is that my snmp server is unable to poll a connected interface on the firewall on a different network. We are using two /24 networks across a managed connection for redundancy purposes. At either end of the managed connection there is an asa firewall, the firewalls are configured with /24 networks. There is a snmp server on one of the /24 networks on either side of the managed connection, the servers' default gateway points to the firewall connected interface i.e. snmp server 1 has an IP address of 10.10.30.13/24 and a gateway of 10.10.30.1 (firewall 1) and snmp server 2 on the other side of the managed connection has an IP address of 10.10.31.13/24 and a gateway of 10.10.31.1 (firewall 2), the .1 addresses are the physical interfaces on the firewalls. There is a transit network configured between the firewalls to allow for the routing of traffic between the 10.10.30/24 and 10.10.31/24 networks. The transit network has an interface with an IP address 10.10.222.1/31 on the firewall on the left side (firewall 1) of the managed connection and an IP address of 10.10.222.2/31 on the firewall on the right side (firewall 2) of the managed connection. Routes have been set up on the firewalls to the 10.10.30.0/24 and 10.10.31.0/24 via the transit network.

The problem I am having is that the snmp server at 10.10.30.13/24 is not able to poll the firewall interface 10.10.31.1 (firewall 2) and the server at 10.10.31.13 is also not able to poll the firewall interface at 10.10.30.1 (firewall 1).

The routing and snmp configuration is listed below:

Firewall 1

route

10.10.31.0/24 via 10.10.222.1

Snmp config

Listening port 161

snmp host access list

interface_name 10.10.30.13, community string, snmp version 2c, poll/trap, port 162

An any any access rule is used on the transit interface on either side of the connection

and an access list has been configured on the 10.10.30.1 interface which allows snmp traffic from 10.10.31.13

Firewall 2

route

10.10.30.0/24 via 10.10.222.2

Snmp config

Listening port 161

snmp host access list

interface_name 10.10.31.13, community string, snmp version 2c, poll/trap, port 162

An any any access rule is used on the transit interface on either side of the connection

and an access list has been configured on the 10.10.31.1 interface which allows snmp traffic from 10.10.30.13

I have been looking at this problem for some time without much success, can you kindly help?

2 Replies

Julio Carvajal
VIP Alumni

Hello Roy,

Do you mean it's not able to get data for that interface???

Or do you mean you are trying to connect to that IP address?? Cause if that is the case it will never happen as you cannot contact a distant interface (If I am on inside I can ping, ssh, telnet inside but I will never be able to contact the DMZ interface IP address or outside, etc.)

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
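The following is an added example written for this page; it is not Roy's configuration and not a Cisco tool. It models the two-ASA topology from the question together with the behaviour Julio describes: traffic addressed to the ASA itself must target the IP of the interface it arrives on, and an snmp-server host entry is bound to that interface. Assumptions made here: the interfaces are named "inside" and "transit", the transit link is modelled as a single 10.10.222.0/30 subnet so that both ends share a network, next hops are expressed as the peer link rather than a next-hop address, and per-interface access lists are not modelled. The walker does a longest-prefix-match route lookup on each hop, follows the link to the next firewall, and reports why a poll fails and which address the poller should use instead.

```python
import copy
import ipaddress
from dataclasses import dataclass


@dataclass
class Firewall:
    name: str
    interfaces: dict   # interface name -> "address/prefixlen"
    routes: list       # static routes as (destination prefix, egress interface name)
    snmp_hosts: set    # snmp-server host bindings as (interface name, poller IP)

    def owns(self, ip):
        return any(ipaddress.ip_interface(a).ip == ip for a in self.interfaces.values())

    def interface_ip(self, name):
        return ipaddress.ip_interface(self.interfaces[name]).ip

    def egress_for(self, dst):
        """Longest-prefix match over connected networks and static routes."""
        candidates = [(ipaddress.ip_interface(a).network, n) for n, a in self.interfaces.items()]
        candidates += [(ipaddress.ip_network(p), n) for p, n in self.routes]
        matches = [(net, n) for net, n in candidates if dst in net]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


# Constructed topology based on the thread. The transit link is assumed to be
# one /30 (10.10.222.0/30) so both ends share a subnet; next hops are implied
# by LINKS below instead of being stored in the route entries.
FIREWALLS = {
    "fw1": Firewall("fw1", {"inside": "10.10.30.1/24", "transit": "10.10.222.1/30"},
                    [("10.10.31.0/24", "transit")], {("inside", "10.10.30.13")}),
    "fw2": Firewall("fw2", {"inside": "10.10.31.1/24", "transit": "10.10.222.2/30"},
                    [("10.10.30.0/24", "transit")], {("inside", "10.10.31.13")}),
}
# Physical adjacency: (firewall, interface) -> peer (firewall, interface)
LINKS = {("fw1", "transit"): ("fw2", "transit"), ("fw2", "transit"): ("fw1", "transit")}


def trace_poll(firewalls, links, poller, target):
    """Walk a poll from the poller to the target IP and apply the ASA
    to-the-box rule: the packet must be addressed to the IP of the interface
    it arrives on, and that interface must carry an snmp-server host entry
    for the poller."""
    poller, target = ipaddress.ip_address(poller), ipaddress.ip_address(target)
    current = ingress = None
    for fw in firewalls.values():            # first hop: the poller's default gateway
        for name, addr in fw.interfaces.items():
            if poller in ipaddress.ip_interface(addr).network:
                current, ingress = fw, name
    if current is None:
        return {"ok": False, "reason": "poller is not on a connected network", "path": []}
    path = []
    for _ in range(len(firewalls) + 1):      # bounded walk; exceeding it means a routing loop
        path.append(f"{current.name}:{ingress}")
        if current.owns(target):
            arrival_ip = current.interface_ip(ingress)
            if target != arrival_ip:
                return {"ok": False, "path": path, "use_instead": str(arrival_ip),
                        "reason": f"{target} is a distant interface of {current.name}; "
                                  f"the poll arrived on {ingress} ({arrival_ip})"}
            if (ingress, str(poller)) not in current.snmp_hosts:
                return {"ok": False, "path": path,
                        "reason": f"no snmp-server host entry for {poller} on {current.name} {ingress}"}
            return {"ok": True, "path": path, "reason": "nearest interface with a matching host entry"}
        egress = current.egress_for(target)
        if egress is None:
            return {"ok": False, "path": path, "reason": f"{current.name} has no route to {target}"}
        peer = links.get((current.name, egress))
        if peer is None:
            return {"ok": False, "path": path, "reason": f"{current.name} {egress} has no peer"}
        current, ingress = firewalls[peer[0]], peer[1]
    return {"ok": False, "path": path, "reason": "routing loop"}


def fixed_topology():
    """Constructed fix: bind each remote poller to the transit interface of the
    far-side ASA, so it can be polled on that interface's address."""
    fixed = copy.deepcopy(FIREWALLS)
    fixed["fw2"].snmp_hosts.add(("transit", "10.10.30.13"))
    fixed["fw1"].snmp_hosts.add(("transit", "10.10.31.13"))
    return fixed


if __name__ == "__main__":
    for poller, target in [("10.10.30.13", "10.10.31.1"), ("10.10.31.13", "10.10.30.1"),
                           ("10.10.30.13", "10.10.30.1"), ("10.10.30.13", "10.10.222.2")]:
        print(poller, "->", target, trace_poll(FIREWALLS, LINKS, poller, target))
    print("after fix:", trace_poll(fixed_topology(), LINKS, "10.10.30.13", "10.10.222.2"))
```

Run as-is, the two cross-site polls from the question come back with `use_instead` set to the far firewall's transit address, because the poll arrives on the transit interface while being addressed to the inside interface. Polling the transit address then fails only because no snmp-server host entry exists for the remote poller on that interface, which is what `fixed_topology()` adds; the "no hits on the cross-site rule" observation is consistent with this, since the ASA never forwards or answers the poll for a distant interface.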

Hello Julio,

I am not getting data. I would have thought it possible for the snmp server to poll the firewall interface. I am not seeing any hits on the rule for the cross site connection i.e. the snmp server 1 to firewall 2 or snmp server 2 to firewall 1.
