SNMP connection through pix 515 E

Unanswered Question
Apr 26th, 2010

Hi Dear

I have a internal host "10.96.x.x / 192.38.x.x" that i want to comminucate with an external host "130.100.x.x" through my firewall. how can I alow with Condit command for those hosts to communicate with each other with snmp protocoll?

Tanks in advance

Sfanayei

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
astripat Tue, 04/27/2010 - 12:20

Hi Sfanayei,

I believe you want 10.96.1.1 and 192.168.1.1 to communicate with 130.100.1.1 over snmp. Here is the conduit command required for the same:

conduit permit udp host 130.100.1.1 eq snmp host 10.96.1.1

conduit permit udp host 130.100.1.1 eq snmp host 192.168.1.1

Regards,

Ashu

astripat Wed, 04/28/2010 - 05:10

Hi Sfanayei,

Ok. So I believe you have the static transaltion like this:

static (inside,outside) 192.34.44.1 10.99.1.1

And, you want the external host 130.223.14.1 to coummunicate with your interanl host over snmp, right? Here is the conduit you would need in that case:

conduit permit udp host 192.34.44.1 eq snmp host 130.223.14.1

Regards,

Ashu.

sfanayei Wed, 04/28/2010 - 05:29

Hi

Soory I bother you again.

I get this log from my firewall. I wonther why I don't hit the match on port 161 and 162. I have configured both with port 162 and 162 in conduit command.

Please look at in the log below.


%PIX-2-106006: Deny inbound UDP from 130.225.39.2/3405 to 192.34.44.X/162 on interface outside
%PIX-2-106006: Deny inbound UDP from 130.225.39.2/3388 to 192.34.44.X/162 on interface outside
%PIX-2-106006: Deny inbound UDP from 130.225.39.2/1033 to 192.34.44.X/162 on interface outside
%PIX-6-302013: Built outbound TCP connection 125486189 for outside:130.223.14.X/4319 (130.223.14.X/4319) to inside:10.99.1.X/1185 (192.34.44.X/1185)
%PIX-6-302013: Built outbound TCP connection 125484476 for outside:130.223.14.X/4319 (130.223.14.X/4319) to inside:10.99.1.X/1175     (192.34.44.X/1175)

astripat Wed, 04/28/2010 - 05:52

Hi Sfanayei,

Please add the following codnuit:

conduit permit udp host 192.34.44.1 eq snmptrap host 130.223.14.1
Regards,
Ashu

sfanayei Wed, 04/28/2010 - 06:00

Dear Ashu

I had already configured with snmptrap in the same way you had written. And still the same.:(

Rgards Sfanayei

sfanayei Wed, 04/28/2010 - 06:20

Hi

Here coms:

conduit permit udp host 192.34.44.X eq snmp host 130.223.14.X (hitcnt=0)
conduit permit udp host 192.34.44.X eq snmptrap 130.223.14.X (hitcnt=128)
conduit permit tcp host 192.34.44.X eq 162 host 130.223.14.X (hitcnt=0)
conduit permit tcp host 192.34.44.X eq 161 host 130.223.14.X (hitcnt=0)

Federico Coto F... Wed, 04/28/2010 - 06:24

Hi,

Since it is a PIX you can use the counduit command.

Just out of curiosity, why don't use access-list sice the conduit command has been deprecated?

Federico.

sfanayei Wed, 04/28/2010 - 06:30

Hi

I had to take over the old configuration, and the pix id biult witch conduit and not access-list. But I plan to do so:)

Tanks!

astripat Wed, 04/28/2010 - 06:31

Hi Sfanayei,

Please add the following:


Add this,


conduit permit udp host 192.34.44.X eq 161 host 130.223.14.X

Remember snmp port 161 is udp and not tcp.

Also, let me confirm that your snmp server is on the inside which is statically translated to 192.34.44.1 and we are trying to poll it from the outside host 130.223.14.X.

Also, I am assuming that we do not have any access-lists configured on the firewall.

Let me know how it goes.

Ashu

sfanayei Wed, 04/28/2010 - 05:06

Hi

Tanks a lot for your reply, but the scenario is in this way:

My internal host "10.99.1.x" is translated to external ip adresse "192.34.44.x" in my firewall. And there is a external host with ip adress "130.223.14.x" who I want to communicate with snmp to my host through my firewall..

Tanks again

Sfanayei

Actions

This Discussion