How to manage devices outside the Firewall

todd.martin-02
Level 1

I have to manage DMZ devices from Campus Mgr located inside the FW.

All ext devices are listed in the "unconnected devices" view.

How can I manage them and get an accurate map of the connections?

CDP is obviously not passing through the FWs (non-Cisco).

A basic map attached shows the devices that need to be managed.

Thanks,

Todd

5 Replies

steve.busby
Level 5

You'll need to enter the devices as seed devices before ANI can discover them, plus you'll need some holes opened in your firewall.

See this link for details and appropriate links:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dd60ef1

Marvin Rhoads
Hall of Fame

While Steve is right, opening your firewall wide enough to make them appear as connected devices means allowing a Layer 2 protocol (CDP) through. May as well turn off the firewall if you are doing that.

Allowing CiscoWorks' TCP and UDP ports through (in combination with a fine-grained ACL on a router) would be a "best practice" if you really want to see the device in CiscoWorks.

If the firewall is protecting anything you really care about, I'd recommend you manage the DMZ devices through a console connection and not in-line via SNMP.

Excellent point. My answer was pretty simplistic; for your firewall to do its job correctly, you may want to explore other options for managing the devices outside your firewall.

While I wouldn't open the firewall to allow all traffic between CW2K and the devices, I have opened it enough to allow SSH, TFTP, SNMP & traps, coupled with tightly controlled ACLs and permit lists on the PIX/routers/switches. The "unconnected devices" view is just something I've learned to live with and ignore. :-)
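The "tightly controlled ACLs and permit lists" approach described in the reply above, written out as an added Cisco IOS example for one DMZ switch or router (this is illustrative configuration, not from the original thread or from any of its posters). It assumes a single management host inside the firewall at the constructed address 10.1.1.10 that runs CiscoWorks, receives traps and serves TFTP, and that SSH keys are already generated on the device.

```cisco-ios
! ---- Firewall side (non-Cisco, so expressed as the rules to request) ----
! Inside -> DMZ device : UDP/161 (SNMP polls)  from 10.1.1.10 only
! Inside -> DMZ device : TCP/22  (SSH)         from 10.1.1.10 only
! DMZ device -> Inside : UDP/162 (SNMP traps)  to   10.1.1.10 only
! DMZ device -> Inside : UDP/69  (TFTP)        to   10.1.1.10 only
! Nothing else; CDP is Layer 2 and is never forwarded by the firewall.

! ---- DMZ device side: weak setting that should NOT be used ----
! snmp-server community public RW
!   (any host that can reach UDP/161 can read and rewrite the config)

! ---- DMZ device side: restricted setting ----
! 10.1.1.10 is a constructed placeholder for the management host.
access-list 10 remark NMS hosts permitted to poll SNMP
access-list 10 permit host 10.1.1.10
access-list 10 deny   any log
!
! Read-only community bound to ACL 10; replace the placeholder string.
snmp-server community MY-RO-STRING RO 10
! Send traps only to the management host.
snmp-server host 10.1.1.10 version 2c MY-RO-STRING
snmp-server enable traps
!
! Restrict interactive management to SSH from the same single source.
ip access-list standard MGMT-VTY
 permit host 10.1.1.10
 deny   any log
!
line vty 0 4
 transport input ssh
 access-class MGMT-VTY in
```

The `deny any log` entries give the DMZ device's syslog a record of any polling or login attempt from an unexpected source, which is the detection signal the firewall alone will not provide.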

todd.martin-02
Level 1

Thanks for the feedback. I am fighting the firewall admins to permit SNMP in from a single source IP. Ain't no way they will open up CDP. We can't run it in the DMZ at all, let alone pass it through the F/Ws.

So, does that pretty much kill my ability to map the DMZ?

The console sounds interesting. I may need to investigate that.

Todd,

I'm very familiar with your restrictions--hehe--fought that same battle at two different AF bases.

Chances are you won't get the ports opened you need, so the next best thing is to see if you can install your own server in the DMZ which will allow you to monitor your DMZ equipment.
