12-19-2008 07:11 AM - edited 03-11-2019 07:27 AM
Hi, I'm trying to get info about a PIX with SNMP but it's not working; I get a timeout when I try to query it. I'm asking the inside interface over VPN. It works fine and I see all the computers on that subnet. I think I just need an ACL but I'm not managing to do it right. The config is posted, it's pretty simple. Thanks.
12-19-2008 07:18 AM
Can you ping 192.168.3.29 from the pix? If you can, then try to allow udp 161 through your acl for just that one host.
HTH,
John
12-19-2008 07:28 AM
No, I can't ping that host from the PIX. But I can ping from the computers on that subnet to the 192.168.3.0 net. Thanks.
12-19-2008 07:42 AM
Hi,
Can you do the test again, and right after, show us the output of the command below on your firewall:
show logging | inc A.B.C.D
where A.B.C.D is the IP address of the machine you are testing from.
12-19-2008 07:44 AM
Return is null. Back to the command prompt, empty result.
12-19-2008 09:51 AM
Try changing the snmp-server line to outside.
snmp-server host outside 192.168.3.29
See if that works.
HTH,
John
12-19-2008 10:02 AM
It's not working... Anyway, why would I allow sending to the outside iface? The connection is encrypted and so I ask the inside iface, right?
12-19-2008 09:54 AM
Xavier,
If I understand the setup correctly, you are trying to do an SNMP poll through the VPN tunnel. If so, you need the command below:
management-access inside
http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1137951
Without the above command, you will not be able to ping, https, http, snmp, etc. to the inside interface of the PIX across a VPN tunnel.
Regards,
Arul
*Pls rate if it helps*
12-19-2008 10:15 AM
Ok, good! Now I can ping, but I get a "CRITICAL" on the Nagios script when I try to get the info for the iface "ethernet0". Do you have any experience with this? It works on all my other Cisco routers, load balancers, etc.
12-19-2008 10:19 AM
When I do an snmpwalk to the router, it does not give me back anything... Maybe I have to do something more to make SNMP work?
12-19-2008 10:37 AM
Hi,
Can you change the below configuration:
snmp-server host inside 192.168.3.29
to
snmp-server host outside 192.168.3.29
And let me know if it works.
Regards,
Arul
*Pls rate all helpful posts*
12-19-2008 10:59 AM
It's done, working. The guy that said management is closed for the inside interface by default was correct. I'm monitoring the inside and outside interfaces with graphing via Nagios. Thank you all.
12-19-2008 11:08 AM
Thanks for the update! Also, please do update the forum that the issue is resolved, so others who run into similar issues can benefit from the post.
Regards,
Arul
01-11-2010 06:13 PM
This resolved the same issue I had with Nagios monitoring of my ASA firewall over a VPN.