SNMP connection through pix 515 E

Apr 26th, 2010

Hi Dear


I have an internal host "10.96.x.x / 192.38.x.x" that I want to communicate with an external host "130.100.x.x" through my firewall. How can I allow, with the conduit command, those hosts to communicate with each other with the SNMP protocol?


Thanks in advance

Sfanayei

astripat Tue, 04/27/2010 - 12:20

Hi Sfanayei,


I believe you want 10.96.1.1 and 192.168.1.1 to communicate with 130.100.1.1 over snmp. Here is the conduit command required for the same:


conduit permit udp host 130.100.1.1 eq snmp host 10.96.1.1

conduit permit udp host 130.100.1.1 eq snmp host 192.168.1.1


Regards,

Ashu

astripat Wed, 04/28/2010 - 05:10

Hi Sfanayei,


Ok. So I believe you have the static translation like this:


static (inside,outside) 192.34.44.1 10.99.1.1

And, you want the external host 130.223.14.1 to communicate with your internal host over snmp, right? Here is the conduit you would need in that case:

conduit permit udp host 192.34.44.1 eq snmp host 130.223.14.1

Regards,

Ashu.

sfanayei Wed, 04/28/2010 - 05:29

Hi

Sorry to bother you again.



I get this log from my firewall. I wonder why I don't hit the match on port 161 and 162. I have configured both port 161 and 162 in the conduit command.

Please look at the log below.




%PIX-2-106006: Deny inbound UDP from 130.225.39.2/3405 to 192.34.44.X/162 on interface outside
%PIX-2-106006: Deny inbound UDP from 130.225.39.2/3388 to 192.34.44.X/162 on interface outside
%PIX-2-106006: Deny inbound UDP from 130.225.39.2/1033 to 192.34.44.X/162 on interface outside
%PIX-6-302013: Built outbound TCP connection 125486189 for outside:130.223.14.X/4319 (130.223.14.X/4319) to inside:10.99.1.X/1185 (192.34.44.X/1185)
%PIX-6-302013: Built outbound TCP connection 125484476 for outside:130.223.14.X/4319 (130.223.14.X/4319) to inside:10.99.1.X/1175     (192.34.44.X/1175)

astripat Wed, 04/28/2010 - 05:52

Hi Sfanayei,


Please add the following conduit:


conduit permit udp host 192.34.44.1 eq snmptrap host 130.223.14.1
Regards,
Ashu

sfanayei Wed, 04/28/2010 - 06:00

Dear Ashu


I had already configured with snmptrap in the same way you had written. And still the same.:(


Regards, Sfanayei

astripat Wed, 04/28/2010 - 06:07

Hi Sfanayei,


Can you paste the config?


Regards,

Ashu

sfanayei Wed, 04/28/2010 - 06:20

Hi

Here it comes:


conduit permit udp host 192.34.44.X eq snmp host 130.223.14.X (hitcnt=0)
conduit permit udp host 192.34.44.X eq snmptrap 130.223.14.X (hitcnt=128)
conduit permit tcp host 192.34.44.X eq 162 host 130.223.14.X (hitcnt=0)
conduit permit tcp host 192.34.44.X eq 161 host 130.223.14.X (hitcnt=0)

Federico Coto F... Wed, 04/28/2010 - 06:24

Hi,


Since it is a PIX you can use the conduit command.

Just out of curiosity, why don't you use an access-list, since the conduit command has been deprecated?


Federico.

sfanayei Wed, 04/28/2010 - 06:30

Hi


I had to take over the old configuration, and the PIX is built with conduit and not access-list. But I plan to do so :)


Thanks!

astripat Wed, 04/28/2010 - 06:31

Hi Sfanayei,


Please add the following:



Add this,


conduit permit udp host 192.34.44.X eq 161 host 130.223.14.X


Remember snmp port 161 is udp and not tcp.


Also, let me confirm that your snmp server is on the inside which is statically translated to 192.34.44.1 and we are trying to poll it from the outside host 130.223.14.X.

Also, I am assuming that we do not have any access-lists configured on the firewall.

Let me know how it goes.


Ashu
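The two checks Ashu walks through by hand (is the conduit for UDP rather than TCP, and is the source the permitted poller) as an added Python example, not code from the thread: it parses conduit lines and `%PIX-2-106006` deny messages and explains each deny against a rule set. The conduit lines and log lines are constructed from the ones posted above, with the `X` placeholders kept literal; the TCP-only rule set mirrors the mistake pointed out in the thread.

```python
import re

PORT_NAMES = {"snmp": 161, "snmptrap": 162}  # PIX service keywords used in the thread

CONDUIT_RE = re.compile(
    r"conduit permit (?P<proto>tcp|udp) host (?P<dst>\S+) eq (?P<port>\S+) host (?P<src>\S+)")
DENY_RE = re.compile(
    r"%PIX-2-106006: Deny inbound (?P<proto>TCP|UDP) from (?P<src>\S+)/\d+"
    r" to (?P<dst>\S+)/(?P<port>\d+) on interface")

# Constructed rule sets: TCP-only conduits (the mistake from the thread), then the same
# set with the UDP lines added as Ashu suggested.
CONDUITS_TCP_ONLY = """\
conduit permit tcp host 192.34.44.X eq 162 host 130.223.14.X
conduit permit tcp host 192.34.44.X eq 161 host 130.223.14.X
"""
CONDUITS_FIXED = CONDUITS_TCP_ONLY + """\
conduit permit udp host 192.34.44.X eq snmp host 130.223.14.X
conduit permit udp host 192.34.44.X eq snmptrap host 130.223.14.X
"""
# Constructed deny lines: one from the unexpected source seen in the posted log, one from
# the poller the conduits are meant to permit.
DENY_LOG = [
    "%PIX-2-106006: Deny inbound UDP from 130.225.39.2/3405 to 192.34.44.X/162 on interface outside",
    "%PIX-2-106006: Deny inbound UDP from 130.223.14.X/1033 to 192.34.44.X/161 on interface outside",
]

def parse_conduits(text):
    """Turn conduit lines into dicts; service names are resolved to port numbers."""
    rules = []
    for m in CONDUIT_RE.finditer(text):
        port = int(m["port"]) if m["port"].isdigit() else PORT_NAMES[m["port"]]
        rules.append({"proto": m["proto"], "dst": m["dst"], "port": port, "src": m["src"]})
    return rules

def explain_deny(line, rules):
    """Classify why a %PIX-2-106006 deny did not hit any conduit; returns (code, detail)."""
    m = DENY_RE.search(line)
    if not m:
        return ("unparsed", line)
    proto, src, dst, port = m["proto"].lower(), m["src"], m["dst"], int(m["port"])
    same_flow = [r for r in rules if r["dst"] == dst and r["port"] == port]
    if any(r["proto"] == proto and r["src"] == src for r in same_flow):
        return ("permitted", f"{proto}/{port} from {src} is allowed; check the static/NAT, not the conduit")
    if any(r["src"] == src for r in same_flow):
        allowed = sorted({r["proto"] for r in same_flow if r["src"] == src})
        return ("protocol-mismatch", f"conduit to {dst}/{port} permits {allowed}, traffic is {proto}")
    if same_flow:
        return ("source-not-permitted", f"{src} is not a permitted poller of {dst}/{port}")
    return ("no-conduit", f"nothing permits {dst}/{port}")

if __name__ == "__main__":
    for name, text in (("tcp-only", CONDUITS_TCP_ONLY), ("fixed", CONDUITS_FIXED)):
        for line in DENY_LOG:
            print(name, *explain_deny(line, parse_conduits(text)))
```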

sfanayei Wed, 04/28/2010 - 05:06

Hi

Thanks a lot for your reply, but the scenario is this way:

My internal host "10.99.1.x" is translated to the external IP address "192.34.44.x" in my firewall. And there is an external host with IP address "130.223.14.x" which I want to communicate over SNMP with my host through my firewall.


Thanks again

Sfanayei
