
snmp v3 reachability issue-ASA firewall-9.8(3)

secureIT
Level 4

Hi All,

I am trying to do an snmpwalk from 10.60.1.1 towards one of the ASA firewall interface IPs, 10.1.1.1, but am getting a timeout.

I can ping and traceroute this IP from the source.

Below is the simple SNMPv3 configuration I am using.


snmp-server group <SNMP_GROUP> v3 priv

snmp-server user <SNMP_USER> <SNMP_GROUP> v3 auth sha <SNMP_PASS> priv aes 128 <ENC_PASS>

snmp-server host ABC 10.60.1.1 poll version 3 <SNMP_USER>

This interface is already working fine for SNMPv2, and on top of it we want to monitor via SNMPv3 for another department.

Because none of the other interfaces are reachable apart from 10.1.1.1.

Please assist; I have attached the diagram.

 

Regards

SecIT

3 Replies

Is your source IP address 10.60.1.1, and are you able to ping 10.1.1.1 using IP address 10.60.1.1?

 

This is not going to work if you use source IP 10.60.1.1 and destination IP 10.1.1.1. Your collector has to be in the same subnet in order to work, or you can use dynamic NAT to get this to work.

Please do not forget to rate.

Hi Sheraz,

Thanks for your reply.

We have many other devices in 10.2.0.0 segments and those are all reachable via SNMP.

Only one firewall interface, which is in 10.1.1.1, is not reachable via SNMP.

Ping is working to this IP 10.1.1.1 from 10.60.x.x, traceroute is also working fine; only snmpwalk is getting a timeout.

 

What is the security level configured on these interfaces? Can you share your firewall config and also show us a diagram? You said 10.20.0.0; I can't see this network in your earlier diagram.

Please do not forget to rate.