Trouble with SNMP polling new VPN peer

Unanswered Question
Nov 12th, 2007

I'm in a spot of bother with getting my SNMP management station (running Solarwinds) to poll a PIX501 firewall at a remote location connected via VPN.

The remote PIX501 had its peer changed from the PIX535 to a VPN Concentrator that sits side-by-side with the PIX535.

Although I can ping, etc. to the devices behind the PIX, I still can't telnet to the remote PIX501 or get SNMP to poll it.

I also changed the default routing to get to the remote network, to not point to the PIX535's inside interface, but to point instead to the VPN Concentrator's inside interface.

Attached is a sketch layout for a better idea.

How can I correct this?

Mark

Collin Clark Tue, 11/13/2007 - 14:13

Try the following:

pix(config)#management-access inside

Poll the inside interface and it should work.

HTH and please rate.

marksenteza Wed, 11/14/2007 - 02:07

I was able to identify and fix the problem.

Problem was the SNMP management station was attempting to poll the outside interface of the remote peer (the PIX 501). This firewall had traffic from its outside interface to the network that the SNMP management station resides in specified as interesting traffic in the ACL that the crypto map specified.

On the VPN Concentrator side though, I had only specified the remote peer's local network in the "Configuration | Tunneling and Security | IPSec | LAN-to-LAN" connection section's Remote network.

I changed this to use a Network List I created to include both the remote local network and the remote peer's outside interface.

This sorted the problem straight away, as now the remote peer (PIX 501) was receiving encrypted traffic to its outside interface from the SNMP management station's local network, as it was expecting to, whereas before it was receiving unencrypted traffic, yet it was expecting to receive it encrypted.

Goes to prove that ACLs on each peer must match, else you get into all sorts of a muddle.

I will try out your solution in a test environment, and see if that works too.

Mark
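The root cause in the thread is a crypto ACL mismatch: the PIX 501 listed its own outside interface as interesting traffic, but the concentrator's LAN-to-LAN definition only covered the remote LAN, so one side encrypted what the other expected in the clear. The script below is an added example, not from the original posters or from Cisco: it parses PIX-style `access-list ... permit ip` lines into (source, destination) pairs, expands a concentrator-style local/remote network list into the same form, and reports peer entries the hub does not mirror. The hypothetical ACL name `vpn`, the RFC 1918 and documentation-range addresses, and the dict layout for the concentrator side are all constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: interesting-traffic ACL on the remote PIX 501.
# Entry 1: its inside LAN to the management station's network.
# Entry 2: its own outside interface address (what the SNMP poller targets)
# to the management station's network. Addresses are made up.
PIX501_CRYPTO_ACL = """
access-list vpn permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list vpn permit ip host 203.0.113.5 10.1.0.0 255.255.0.0
"""

# Constructed: the concentrator's LAN-to-LAN definition before the fix
# (remote network = the remote LAN only) and after it (a network list that
# also includes the peer's outside interface address).
CONCENTRATOR_BEFORE = {"local": ["10.1.0.0/16"], "remote": ["192.168.10.0/24"]}
CONCENTRATOR_AFTER = {"local": ["10.1.0.0/16"],
                      "remote": ["192.168.10.0/24", "203.0.113.5/32"]}

# Matches "access-list NAME permit ip SRC DST" where SRC/DST are either
# "host A.B.C.D" or "A.B.C.D MASK". Other ACL forms are ignored.
ACL_RE = re.compile(
    r"access-list\s+(?P<name>\S+)\s+permit\s+ip\s+"
    r"(?P<src>host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>host\s+\S+|\S+\s+\S+)"
)


def _to_network(token):
    """Turn 'host 1.2.3.4' or '1.2.3.0 255.255.255.0' into an ip_network."""
    parts = token.split()
    if parts[0] == "host":
        return ipaddress.ip_network(parts[1] + "/32")
    addr, mask = parts
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_pix_crypto_acl(text):
    """Return the (src_net, dst_net) pairs from permit ip lines of a crypto ACL."""
    pairs = []
    for line in text.strip().splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            pairs.append((_to_network(m["src"]), _to_network(m["dst"])))
    return pairs


def concentrator_pairs(l2l):
    """Expand a local/remote network list into (local_net, remote_net) pairs,
    which is how a LAN-to-LAN entry selects traffic on the hub side."""
    return [(ipaddress.ip_network(loc), ipaddress.ip_network(rem))
            for loc in l2l["local"] for rem in l2l["remote"]]


def unmatched_entries(peer_pairs, hub_pairs):
    """Peer crypto-ACL entries that the hub does not mirror.

    An entry (src, dst) on the peer is mirrored when the hub has a pair whose
    remote side covers src and whose local side covers dst. Traffic matching
    an unmirrored entry is encrypted by one side but not expected to be by the
    other, which is exactly the symptom described in the thread.
    """
    missing = []
    for src, dst in peer_pairs:
        mirrored = any(src.subnet_of(hub_remote) and dst.subnet_of(hub_local)
                       for hub_local, hub_remote in hub_pairs)
        if not mirrored:
            missing.append((src, dst))
    return missing


def report(label, l2l):
    """Print the unmirrored entries for one concentrator configuration."""
    missing = unmatched_entries(parse_pix_crypto_acl(PIX501_CRYPTO_ACL),
                                concentrator_pairs(l2l))
    if missing:
        for src, dst in missing:
            print(f"{label}: hub does not mirror peer entry {src} -> {dst}")
    else:
        print(f"{label}: all peer crypto ACL entries are mirrored")
    return missing


if __name__ == "__main__":
    report("before", CONCENTRATOR_BEFORE)   # flags 203.0.113.5/32 -> 10.1.0.0/16
    report("after", CONCENTRATOR_AFTER)     # nothing flagged
```

The "before" run flags the PIX's outside-interface entry, the one the SNMP poller hits; the "after" run, with the outside address added to the concentrator's remote network list, reports nothing. The check uses `subnet_of` rather than equality so that a hub entry broader than the peer's still counts as a mirror; a hub entry narrower than the peer's is reported, since part of the peer's selector would then go unmatched.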
