Cisco PIX snmp not working

godzilla0 · ‎12-19-2008

Hi, I'm trying to get info about a PIX with snmp but it's not working, I get a timeout when I try to query it. I'm asking to the inside interface over VPN, It works fine and I see all the computers on that subnet. I think I just need an ACL but I'm not managing to do it right. The config is posted, it's pretty simple. Thanks.

John Blakley · ‎12-19-2008

Can you ping 192.168.3.29 from the pix? If you can, then try to allow udp 161 through your acl for just that one host.

HTH,

John

HTH, John *** Please rate all useful posts ***

godzilla0 · ‎12-19-2008

No, I can't ping that host from the PIX. But I can ping from the computers on that subnet to the 192.168.3.0 net. Thanks.

Mo'ath Al Rawashdeh · ‎12-19-2008

Hi,

Can you do the test again, and right after, show us the output of the command below on your firewall:

show logging | inc A.B.C.D

where A.B.C.D is the IP address of the machine you are testing from.

godzilla0 · ‎12-19-2008

Return is null. Back to the command prompt, empty result.

John Blakley · ‎12-19-2008

Try changing the snmp-server line to outside.

snmp-server host outside 192.168.3.29

See if that works.

HTH,

John

HTH, John *** Please rate all useful posts ***

godzilla0 · ‎12-19-2008

Is not working . . . anyways why would I allow to send to the outside iface ? The connection is encrypted and so I ask the inside iface, right ?

ajagadee · ‎12-19-2008

Xavier,

If I understand the set up correctly, you are trying to do a SNMP Poll through the VPN Tunnel. If so, you need the below command:

management-access inside

http://www.cisco.com/en/US/docs/security/pix/pix63/command/reference/mr.html#wp1137951

Without the above command, you will not able to ping, https, http, snmp, etc to the inside interface of the pix across a VPN Tunnel.

Regards,

Arul

*Pls rate if it helps*

godzilla0 · ‎12-19-2008

Ok, good ! Now I can ping, but I get a "CRITICAL" on the nagios script when I try to get the info for the iface "ethernet0". Do you have any experience around ? It works on all my other cisco routers, load balancers etc.

godzilla0 · ‎12-19-2008

When I do a snmpwalk to the router, It does not give me back nothing . . . Maybe I have to do something more to make snmp work =?

ajagadee · ‎12-19-2008

Hi,

Can you change the below configuration:

snmp-server host inside 192.168.3.29

to

snmp-server host outside 192.168.3.29

And let me know if it works.

Regards,

Arul

*Pls rate all helpful posts*

godzilla0 · ‎12-19-2008

It's done, working. The guy that said management is closed for inside interface by default was correct. I'm monitoring the inside and outside interfaces with graphing via nagios. Thank you all.

ajagadee · ‎12-19-2008

Thanks for the update! Also, please do update the forum that the issue is resolved, so others who run into similar issues can benefit out of the post.

Regards,

Arul

tf2-conky · ‎01-11-2010

This resolved the same issue I had with nagios monitoring of my ASA firewall over a VPN.