Need Help to Open Port

Hi,

I want to Open UDP Port 161 on our Cisco ASA 5510.

Kindly guide me to do the same.


Panos Kampanakis
Cisco Employee

You need to open the ACLs.

ACL applied to outside interface destined to that port. If you have an inside interface ACL make sure traffic sourced from port 161 is also allowed.

Make sure there is translation for the inside ip address port 161. You will need a static NAT or PAT.

static (inside,outside)

static (inside,outside) 161 161

I hope it helps.

PK

sachinraja
Level 9

Hi Vishal

Do you want to configure SNMP (UDP 161) on your ASA or do you want to allow SNMP access through your firewall?

If you want to enable SNMP on ASA please use this guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_snmp.html

If it is the second case (allowing SNMP access), you can configure access-lists. By default, the ASA allows traffic from inside to outside (unless you have an ACL already). For access from outside to inside, you need ACLs.

access-list inside permit udp x.x.x.x a.a.a.a eq 161

Let me know the exact issue and we will try to solve it..

Raj

Thanks for your response.

We are using the What's Up Gold monitoring tool, and to monitor Windows services, our support person suggested opening port UDP 161 on the firewall.

Attached pls find show tech of ASA.

Vishal,

I believe this answers Raj's question to some extent.  Meaning I understand it is "THROUGH" the firewall and not "TO" the firewall. Still, I am not sure where the monitoring server is and where the windows servers are.

topology 1:

monitoring server-----(inside)---------ASA-----(dmz or outside)---- windows server

You do not need to configure anything special since you have the following configured already.

access-list inside1 extended permit ip any any

topology 2:

windows servers ----(inside) --------ASA------(dmz or outside)---monitoring server.

If it is the above, then we need to create static translation for all the inside servers.

You can do either nat exemption with acl or static identity or static pat for udp port 161

Permission: you already have this configured: access-list outside1 extended permit ip any any

You may want to tighten this ACL.

assuming the monitoring server is on the outside:

static (i,o) i.i.i.i i.i.i.i ----> this is identity static

static (i,o) o.o.o.o i.i.i.i -----> where o.o.o.o is the translated address and i.i.i.i is the internal address

nat (inside) 0 access-list nat0 ----> this is nat exemption with acl

access-list nat0 permit ip i.i.i.0/24 x.x.x.x

Now, knowing what WhatsUp Gold does and how it needs to be configured, I would place WhatsUp Gold where all the servers are, so it can monitor them without having to go through the firewall. But you know your network better than we do, so the above are your options.

-KS
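
An added example, not part of the thread or any poster's configuration: a small Python checker for the remark above that `permit ip any any` on the outside ACL may need tightening. It applies first-match ACL evaluation to constructed entries; the ACL name `outside_tight` and the documentation-range addresses are assumptions, and only numeric `eq` ports are parsed.

```python
import ipaddress
import re

# Constructed sample. Line 1 is the permissive entry quoted in the thread; the
# "outside_tight" lines are a hypothetical tightened form (documentation addresses).
SAMPLE_CONFIG = """\
access-list outside1 extended permit ip any any
access-list outside_tight extended permit udp host 203.0.113.10 192.0.2.0 255.255.255.0 eq 161
access-list outside_tight extended deny ip any any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A', or 'A MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return ANY
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_acl(config):
    """Return {acl_name: [(action, proto, src_net, dst_net, dst_port_or_None), ...]}."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.+)", line.strip())
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, dst = _take_addr(tokens), _take_addr(tokens)
        port = int(tokens[1]) if tokens[:1] == ["eq"] else None
        acls.setdefault(name, []).append((action, proto, src, dst, port))
    return acls

def decide(rules, proto, src, dst, port):
    """First matching entry wins; an ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto in ("ip", proto) and s in r_src and d in r_dst and r_port in (None, port):
            return action
    return "deny"

def wide_open(rules):
    """Entries that permit from any source to any destination."""
    return [r for r in rules if r[0] == "permit" and r[2] == ANY and r[3] == ANY]
```

Running `decide` over both ACLs with the same probe packets shows what the any-any entry admits beyond the monitoring server's UDP 161 polls.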
