07-21-2004 10:10 AM - edited 03-02-2019 05:13 PM
I have to manage DMZ devices from Campus Mgr located inside the FW.
All ext devices are listed in the "unconnected devices" view.
How can I manage them and get an accurate map of the connections?
CDP is obviously not passing through the FWs (non-Cisco).
A basic map attached shows the devices that need to be managed.
Thanks,
Todd
07-21-2004 11:05 AM
You'll need to enter the devices as seed devices before ANI can discover them, plus you'll need some holes opened in your firewall.
See this link for details and appropriate links:
07-21-2004 11:28 AM
While Steve is right, opening your firewall wide enough to make them appear as connected devices means allowing a Layer 2 protocol (CDP) through. May as well turn off the firewall if you are doing that.
Allowing CiscoWorks' TCP and UDP ports through (in combination with a fine-grained ACL on a router) would be a "best practice" if you really want to see the device on CiscoWorks.
If the firewall is protecting anything you really care about, I'd recommend you manage the DMZ devices through a console connection and not in line via SNMP.
07-21-2004 12:27 PM
Excellent point. My answer was pretty simplistic; for your firewall to do its job correctly, you may want to explore other options for managing the devices outside your firewall.
While I wouldn't open the firewall to allow all traffic between CW2K and the devices, I have opened it enough to allow SSH, TFTP, SNMP & traps, coupled with tightly controlled ACLs and permit lists on the PIX/routers/switches. The "unconnected devices" is just something I've learned to live with and ignore. :-)
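As an added illustration (not posted by anyone in this thread), this is roughly what the "tightly controlled ACLs and permit lists" described above look like on a Cisco IOS device in the DMZ: SNMP and SSH are accepted only from the single CiscoWorks host, and a router ACL admits only the management protocols toward the DMZ device. The addresses (192.0.2.10 for the CiscoWorks server, 198.51.100.5 for the DMZ switch), interface name and community strings are constructed placeholders.

```cisco
! --- On the managed DMZ switch/router ---
! Constructed addresses: CiscoWorks server 192.0.2.10, this device 198.51.100.5
! SNMP: read-only community bound to an ACL that permits only the CW2K host
access-list 10 remark CiscoWorks (CW2K) server only
access-list 10 permit host 192.0.2.10
snmp-server community RO-STRING-PLACEHOLDER RO 10
! Traps are device-initiated toward the same server
snmp-server host 192.0.2.10 traps version 2c TRAP-STRING-PLACEHOLDER
snmp-server enable traps
! SSH on the VTYs, reachable from the CW2K host only (no telnet)
access-list 11 remark VTY access from CW2K server only
access-list 11 permit host 192.0.2.10
line vty 0 4
 access-class 11 in
 transport input ssh

! --- On the DMZ router, inbound on the interface facing the firewall ---
! Only the management protocols from the CW2K host to the managed device;
! everything else is denied and logged so stray traffic shows up in syslog
ip access-list extended MGMT-TO-DMZ
 remark SSH (22/tcp), SNMP polls (161/udp), TFTP (69/udp) from CW2K only
 permit tcp host 192.0.2.10 host 198.51.100.5 eq 22
 permit udp host 192.0.2.10 host 198.51.100.5 eq snmp
 permit udp host 192.0.2.10 host 198.51.100.5 eq tftp
 deny   ip any any log
interface FastEthernet0/0
 description Constructed example: link toward the firewall
 ip access-group MGMT-TO-DMZ in
```

Traps and TFTP config pushes originate on the device and leave through the same interface, so they are not affected by the inbound ACL; the firewall still has to permit those flows in the other direction.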
07-21-2004 07:28 PM
Thanks for the feedback. I am fighting the firewall admins to permit SNMP in from a single source IP. Ain't no way they will open up CDP. We can't run it in the DMZ at all, let alone pass it through the F/Ws.
So, does that pretty much kill my ability to map the DMZ?
The console sounds interesting. I may need to investigate that.
07-22-2004 10:45 AM
Todd,
I'm very familiar with your restrictions--hehe--fought that same battle at two different AF bases.
Chances are you won't get the ports opened you need, so the next best thing is to see if you can install your own server in the DMZ which will allow you to monitor your DMZ equipment.