We have site to site vpn with one of our client. Our client wants to monitor some of the servers located in our data center. The asked us to open IMCP and SNMP ports. We opened them , IMCP is working fine, where as SNMP is not working, the site to site vpn is also working fine
we have allowed the traffic from our access list
from outside to inside network
access-list Inside_In remark Allow ICMP traffic to AGXX servers
access-list Inside_In extended permit icmp 10.100.x.0 255.255.255.0 134.x.x.0 255.255.255.0 log disable
access-list Inside_In remark Allow SNMP traffic to AGXX servers
access-list Inside_In extended permit udp 10.100.x.0 255.255.255.0 134.x.x.0 255.255.255.0 eq snmp
from inside to outside network
access-list Outside_Out remark Allow ICMP traffic to AGXX servers
access-list Outside_Out extended permit icmp 10.100.x.0 255.255.255.0 134.x.x.0 255.255.255.0 log disable
access-list Outside_Out remark Allow SNMP traffic to AGXX servers
access-list Outside_Out extended permit udp 10.100.x.0 255.255.255.0 134.x.x.0 255.255.255.0 eq snmp
Can any one please help me to torubleshoot this problem.
Could you further provide your ASAs configuration so we can go through that.
Could you also provide more specific source and destination IP address in the cases where SNMP is used?
Am I correct in assuming that the SNMP servers are in the client network 134.X.X.0 and that they are polling servers in your network 10.100.X.0? In that case I believe that there is a flaw in your access lists. You have coded the access list so that snmp is the destination port. But if your network is responding to snmp pool then I believe that snmp would be the source port. Try changing to access list to look something like this
access-list Inside_In extended permit udp 10.100.x.0 255.255.255.0 eq snmp 134.x.x.0 255.255.255.0
I am slightly puzzled by the second set of access lists in your post. The first set is described as outside to inside and the second set is described as inside to outside. But 10.100.X.0 is the source in both and 1374.X.X.0 is the destination in both. It seems to me that the outside to inside should be the reverse of inside to outside (that 10.100.X.0 should be the source in one and be the destination in the other). So perhaps there is a bigger issue with the access lists that I realized at first. Perhaps you can clarify where each address really is and how each access list is being used.