How to allow SNMP traffic in site to site VPN

Dear All,

We have a site-to-site VPN with one of our clients. Our client wants to monitor some of the servers located in our data center. They asked us to open the ICMP and SNMP ports. We opened them; ICMP is working fine, whereas SNMP is not working. The site-to-site VPN is also working fine.

We have allowed the traffic in our access lists:

From outside to inside network:

access-list Inside_In remark Allow ICMP traffic to AGXX servers

access-list Inside_In extended permit icmp 10.100.x.0 255.255.255.0 134.x.x.0 255.255.255.0 log disable

access-list Inside_In remark Allow SNMP traffic to AGXX servers

access-list Inside_In extended permit udp 10.100.x.0 255.255.255.0 134.x.x.0 255.255.255.0 eq snmp 

From inside to outside network:

access-list Outside_Out remark Allow ICMP traffic to AGXX servers

access-list Outside_Out extended permit icmp 10.100.x.0 255.255.255.0 134.x.x.0 255.255.255.0 log disable

access-list Outside_Out remark Allow SNMP traffic to AGXX servers

access-list Outside_Out extended permit udp 10.100.x.0 255.255.255.0 134.x.x.0 255.255.255.0 eq snmp 

Can anyone please help me to troubleshoot this problem?

BR

Yasir

2 REPLIES

Hi,

Could you also provide your ASA's configuration so we can go through it?

Could you also provide the specific source and destination IP addresses in the cases where SNMP is used?

- Jouni


Yasir,

Am I correct in assuming that the SNMP servers are in the client network 134.X.X.0 and that they are polling servers in your network 10.100.X.0? In that case I believe that there is a flaw in your access lists. You have coded the access list so that snmp is the destination port. But if your network is responding to an SNMP poll, then I believe that snmp would be the source port. Try changing the access list to look something like this:

access-list Inside_In extended permit udp 10.100.x.0 255.255.255.0 eq snmp 134.x.x.0 255.255.255.0

I am slightly puzzled by the second set of access lists in your post. The first set is described as outside to inside and the second set is described as inside to outside. But 10.100.X.0 is the source in both and 134.X.X.0 is the destination in both. It seems to me that the outside to inside should be the reverse of inside to outside (that 10.100.X.0 should be the source in one and the destination in the other). So perhaps there is a bigger issue with the access lists than I realized at first. Perhaps you can clarify where each address really is and how each access list is being used.

HTH

Rick
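As an added illustration (not part of the thread and not Cisco code), the Python below parses the access-list entries posted above and evaluates a sample SNMP poll against them first-match, the way the ASA does. It assumes the layout Rick describes (pollers in 134.x.x.0, monitored servers in 10.100.x.0), replaces the masked octets with 1, and constructs the packet itself; the helper names are hypothetical. One caveat worth keeping in mind when reading the replies: the ASA is stateful for UDP as well as TCP, so once the poll is permitted in the direction it arrives, the response from UDP/161 is allowed back through the existing connection without a separate entry for source port snmp. The entry that matters is the one that permits the poll itself, and the posted Inside_In list has none in that direction.

```python
"""Evaluate Cisco ASA extended ACL entries against a sample packet.

Hypothetical helper written for this thread; it is not a Cisco tool.
Only the subset of ASA syntax used in the thread is parsed:
  access-list NAME extended permit|deny PROTO SRC MASK [eq PORT] DST MASK [eq PORT] [log ...]
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Port keywords the ASA accepts after "eq"; only the ones relevant here.
SERVICE_PORTS = {"snmp": 161, "snmptrap": 162}


@dataclass
class Ace:
    acl: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: Optional[int]
    dst: ipaddress.IPv4Network
    dst_port: Optional[int]


def _net(addr: str, mask: str) -> ipaddress.IPv4Network:
    # ASA ACLs use dotted subnet masks, not prefix lengths.
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _port(tokens, i):
    """Parse an optional 'eq <port>' at tokens[i]; return (port or None, next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = tokens[i + 1]
        return (int(p) if p.isdigit() else SERVICE_PORTS[p]), i + 2
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    t = line.split()
    # Skip remarks, blank lines and anything that is not an extended ACE.
    if len(t) < 9 or t[0] != "access-list" or t[2] != "extended":
        return None
    src = _net(t[5], t[6])
    sport, i = _port(t, 7)
    dst = _net(t[i], t[i + 1])
    dport, _ = _port(t, i + 2)
    return Ace(t[1], t[3], t[4], src, sport, dst, dport)


def parse_acl(config: str) -> dict:
    """Group ACEs by access-list name, preserving their order."""
    acls = {}
    for line in config.splitlines():
        ace = parse_ace(line.strip())
        if ace:
            acls.setdefault(ace.acl, []).append(ace)
    return acls


def lookup(acls, name, proto, src_ip, sport, dst_ip, dport) -> str:
    """First-match evaluation: 'permit', 'deny', or 'implicit-deny' if nothing matches."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in acls.get(name, []):
        if (a.proto == proto and s in a.src and d in a.dst
                and a.src_port in (None, sport)
                and a.dst_port in (None, dport)):
            return a.action
    return "implicit-deny"


# Constructed sample: the thread's outside-to-inside list with masked octets set to 1.
POSTED_ACL = """
access-list Inside_In remark Allow ICMP traffic to AGXX servers
access-list Inside_In extended permit icmp 10.100.1.0 255.255.255.0 134.1.1.0 255.255.255.0 log disable
access-list Inside_In remark Allow SNMP traffic to AGXX servers
access-list Inside_In extended permit udp 10.100.1.0 255.255.255.0 134.1.1.0 255.255.255.0 eq snmp
"""

# Rick's suggested entry (snmp as the source port), same substitution.
RICK_ACL = POSTED_ACL + """
access-list Inside_In extended permit udp 10.100.1.0 255.255.255.0 eq snmp 134.1.1.0 255.255.255.0
"""

# An entry that permits the poll itself: client pollers -> data-center servers, UDP/161.
FIXED_ACL = POSTED_ACL + """
access-list Inside_In extended permit udp 134.1.1.0 255.255.255.0 10.100.1.0 255.255.255.0 eq snmp
"""

# Constructed packets: a get-request from a poller, and the server's response to it.
POLL = dict(proto="udp", src_ip="134.1.1.5", sport=51000, dst_ip="10.100.1.10", dport=161)
REPLY = dict(proto="udp", src_ip="10.100.1.10", sport=161, dst_ip="134.1.1.5", dport=51000)


def check_posted_poll():
    return lookup(parse_acl(POSTED_ACL), "Inside_In", **POLL)


def check_rick_poll():
    return lookup(parse_acl(RICK_ACL), "Inside_In", **POLL)


def check_rick_reply():
    return lookup(parse_acl(RICK_ACL), "Inside_In", **REPLY)


def check_fixed_poll():
    return lookup(parse_acl(FIXED_ACL), "Inside_In", **POLL)


if __name__ == "__main__":
    print("posted list, poll :", check_posted_poll())
    print("Rick's entry, poll:", check_rick_poll())
    print("Rick's entry, reply:", check_rick_reply())
    print("fixed list, poll  :", check_fixed_poll())
```

Running it shows that neither the posted list nor the source-port entry matches the inbound poll; only an entry with the client network as source and the server network plus `eq snmp` as destination does. The same evaluator can be pointed at Outside_Out with the reversed packet to confirm Rick's second observation that both lists currently carry the same source and destination.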