Cisco PIX snmp not working

Unanswered Question
Dec 19th, 2008

Hi, I'm trying to get info about a PIX with SNMP but it's not working; I get a timeout when I try to query it. I'm asking the inside interface over VPN. It works fine and I see all the computers on that subnet. I think I just need an ACL but I'm not managing to do it right. The config is posted; it's pretty simple. Thanks.



John Blakley Fri, 12/19/2008 - 07:18

Can you ping 192.168.3.29 from the PIX? If you can, then try to allow UDP 161 through your ACL for just that one host.


HTH,


John

godzilla0 Fri, 12/19/2008 - 07:28

No, I can't ping that host from the PIX. But I can ping from the computers on that subnet to the 192.168.3.0 net. Thanks.

Mo'ath Al Rawashdeh Fri, 12/19/2008 - 07:42

Hi,


Can you do the test again, and right after, show us the output of the command below on your firewall:


show logging | inc A.B.C.D


where A.B.C.D is the IP address of the machine you are testing from.



godzilla0 Fri, 12/19/2008 - 07:44

Return is null. Back to the command prompt, empty result.

John Blakley Fri, 12/19/2008 - 09:51

Try changing the snmp-server line to outside.


snmp-server host outside 192.168.3.29


See if that works.


HTH,


John

godzilla0 Fri, 12/19/2008 - 10:02

It's not working... Anyway, why would I allow sending to the outside iface? The connection is encrypted and so I ask the inside iface, right?

ajagadee (Cisco Employee) Fri, 12/19/2008 - 09:54

Xavier,


If I understand the setup correctly, you are trying to do an SNMP poll through the VPN tunnel. If so, you need the below command:


management-access inside


http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1137951


Without the above command, you will not be able to ping, https, http, snmp, etc. to the inside interface of the PIX across a VPN tunnel.


Regards,

Arul


*Pls rate if it helps*

godzilla0 Fri, 12/19/2008 - 10:15

OK, good! Now I can ping, but I get a "CRITICAL" on the Nagios script when I try to get the info for the iface "ethernet0". Do you have any experience around? It works on all my other Cisco routers, load balancers etc.

godzilla0 Fri, 12/19/2008 - 10:19

When I do an snmpwalk to the router, it does not give me back anything... Maybe I have to do something more to make SNMP work?

ajagadee (Cisco Employee) Fri, 12/19/2008 - 10:37

Hi,


Can you change the below configuration:


snmp-server host inside 192.168.3.29


to


snmp-server host outside 192.168.3.29


And let me know if it works.


Regards,

Arul


*Pls rate all helpful posts*


godzilla0 Fri, 12/19/2008 - 10:59

It's done, working. The guy that said management is closed for inside interface by default was correct. I'm monitoring the inside and outside interfaces with graphing via Nagios. Thank you all.

ajagadee (Cisco Employee) Fri, 12/19/2008 - 11:08

Thanks for the update! Also, please do update the forum that the issue is resolved, so others who run into similar issues can benefit from the post.


Regards,

Arul

tf2-conky Mon, 01/11/2010 - 18:13

This resolved the same issue I had with Nagios monitoring of my ASA firewall over a VPN.
