01-12-2010 11:32 AM
Anyone know the commands on a PIX 525 to configure SNMP?
01-12-2010 11:58 AM
Here's a link to get started with:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a13.shtml
01-12-2010 11:55 AM
Sure, it's all laid out in the Cisco PIX Firewall and VPN Configuration Guide. Take a look at Chapter 9, Accessing and Monitoring...
01-12-2010 01:43 PM
I looked through both those guides and they don't explain the commands really. There is one command, "snmp-server host x.x.x.x" but that does not work. That command has to be snmp-server host inside/outside poll community xxxxx. But that doesn't work either.
This is what is in my running config:
no snmp-server location
no snmp-server contact
snmp-server community xxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
What am I missing?
01-12-2010 02:28 PM
According to my PIX (Version 6.3(1)), the syntax for the key "snmp-server host" command is:
[no] snmp-server host [
As a bracketed parameter,
Here is what I am using:
snmp-server host inside ***.***.***.*** poll
snmp-server location *********
snmp-server contact ********
snmp-server community ************
snmp-server enable traps
(asterisks replacing my specific data)
01-12-2010 02:42 PM
It seems you're running PIX 7.x. If that's the case, it's "snmp-server host inside/outside
"PIX/ASA Software Versions 7.x allow more granularity with regard to
traps and queries.
hostname(config)#snmp-server host trap community
!--- The host is to be sent traps and cannot query
!--- with community string specified.
hostname(config)#snmp-server host poll community
!--- The host can query but is not to be sent traps
!--- with community string specified.
01-13-2010 10:08 AM
That worked! Thanks so much. Now lies the confusing part.
This firewall replicates to another firewall. So how do I monitor the other one since it is in standby or how do I make sure the other one is monitored if it fails over?
Also I forgot the command to see the active firewall.
01-13-2010 10:34 AM
For stateful failover (I vaguely recall a "special" failover cable in this picture?), "show failover" should indicate the active vs standby units. This is explained here, for example:
Some possible status outputs to keep an eye on are:
"primary - active"
"context: Active"
"secondary - active"
"secondary - Failed"
"failover off"
"no license for failover"
"requires failover license"
Another way of monitoring the failover pair is to set up syslog monitoring for the failover related messages (presumably on redundant syslog servers), starting with ones such as "PIX-1-101002: (Primary) Bad failover cable" (substitute ASA for PIX if applicable, or vice versa) and on down, many of which may not indicate an immediate failover, but could forewarn conditions such as active not synchronizing to the standby:
http://www.cisco.com/en/US/docs/security/asa/asa81/system/message/81logmsg.html#wp4768551
http://www.cisco.com/en/US/docs/security/asa/asa81/system/message/81logmsg.html#wpmkr4768574
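As an added example (not from this thread or from Cisco), a small Python parser that pulls the active/standby state out of "show failover" output and flags the status conditions listed above so the pair can be monitored from a script; the sample output is constructed from the lines quoted in this thread, and the exact wording varies across PIX/ASA versions.

```python
import re
# Constructed sample of "show failover" output, modelled on the lines quoted
# in this thread (not captured from a real unit; addresses are RFC 5737 placeholders).
SAMPLE_SHOW_FAILOVER = """\
Failover On
This host: Primary - Active
        Active time: 31443135 (sec)
        Interface outside (192.0.2.1): Normal (Waiting)
        Interface inside (198.51.100.1): Normal (Waiting)
Other host: Secondary - Failed
        Active time: 0 (sec)
        Interface outside (192.0.2.2): Unknown (Waiting)
        Interface inside (198.51.100.2): Unknown (Waiting)
"""

HOST_RE = re.compile(r"^(This|Other) host:\s*(Primary|Secondary)\s*-\s*(\w+)")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(\w+)(?:\s*\((\w+)\))?")
# Whole-line statuses the thread lists as worth alerting on.
FATAL_LINES = ("failover off", "no license for failover", "requires failover license")

def parse_failover(text):
    """Parse 'show failover' text into per-unit state plus a list of alert strings."""
    result = {"active": None, "hosts": {}, "alerts": []}
    current = None  # unit whose interface lines we are currently reading
    for line in text.splitlines():
        if line.strip().lower() in FATAL_LINES:
            result["alerts"].append(line.strip())
            continue
        m = HOST_RE.match(line)
        if m:
            who, unit, state = m.groups()
            current = unit
            result["hosts"][unit] = {"role": who, "state": state, "interfaces": {}}
            if state.lower() == "failed":
                result["alerts"].append(f"{unit} - Failed")
            continue
        m = IFACE_RE.match(line)
        if m and current:
            name, _addr, state, sub = m.groups()
            result["hosts"][current]["interfaces"][name] = (state, sub)
            # "Normal (Waiting)" is the steady state quoted in the thread; anything else is worth a look.
            if state.lower() != "normal":
                result["alerts"].append(f"{current} interface {name}: {state}")
    active = [u for u, h in result["hosts"].items() if h["state"].lower() == "active"]
    if len(active) != 1:
        result["alerts"].append(f"expected exactly one active unit, found {len(active)}")
    else:
        result["active"] = active[0]
    return result
```

Run it against the output of "show failover" collected over SSH on a schedule and page on any non-empty alerts list; this complements, rather than replaces, the syslog monitoring described above.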
01-13-2010 10:53 AM
Thanks... I am trying to figure out how failover works, I guess. Does the standby assume the IPs and names of the primary unit when it fails over, or does it use its own IPs for the inside/outside interfaces when it fails over?
The secondary host shouldn't say this when on standby, right?
Other host: Secondary - Failed
The primary always says "Waiting":
This host: Primary - Active
Active time: 31443135 (sec)
Interface outside (x.x.x.x): Normal (Waiting)
Interface inside (x.x.x.x): Normal (Waiting)
Does that mean waiting to replicate?