ASA 5510 preventing external SNMP response

Unanswered Question

I have the following setup:


R--H1
|
F
|
H2


R: 3840

F: ASA 5510

H: Hosts 1 and 2


I am trying to get SNMP info from the router to H2 but snmpwalk errors with no response from router. I can get info from H1 and neither interface on router is preventing SNMP traffic from coming or going.


Is there something that needs to be configured to allow SNMP traffic (originating from INSIDE) to reply? (Also note that there is no Inspect Maps blocking and SNMP versions).


Thanks

Federico Coto F... Fri, 05/14/2010 - 12:34

Hi,


On the ASA you would need a STATIC NAT (if nat-control is enabled) and an ACL permitting the traffic. --> This is if the connection originates from the outside


If the connection originates from the inside, then you need NAT (if nat-control is enabled) and if there's an ACL applied to the inside interface, you need to make sure the traffic is permitted.


Federico.

Federico Coto F... Fri, 05/14/2010 - 12:52

Ok,


So you mentioned that the SNMP traffic will be originated from the inside (from H2)?
If there's NAT and ACL permission, then it should work.
You can do a Packet Tracer test from ASDM or from CLI to see if the traffic is passing through fine.


Federico.
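
The NAT, ACL and Packet Tracer checks from the two replies above, written out as ASA CLI. This is an added example, not part of the original thread; it assumes pre-8.3 NAT syntax (the releases where nat-control exists), and the addresses, interface names and ACL name are constructed.

```cisco
! Constructed values (assumptions, not from the thread):
!   H2, the inside host running snmpwalk  = 10.1.1.10
!   R, the router reached via the outside = 192.0.2.1
!   interface names inside / outside, ACL name INSIDE_IN
!
! 1. Check whether nat-control is enabled and which NAT rules exist.
!    With nat-control on, inside-to-outside traffic is dropped unless a rule matches it.
show running-config nat-control
show running-config nat
show running-config global
!
! Dynamic PAT for the inside network (config mode; only if no rule covers H2 yet).
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
!
! 2. Check whether an ACL is bound to the inside interface.
!    If one is, it must permit H2 -> R on UDP/161. Entries are matched top-down,
!    so the permit has to sit above any deny that also matches this flow.
show running-config access-group
access-list INSIDE_IN extended permit udp host 10.1.1.10 host 192.0.2.1 eq snmp
!
! 3. Simulate the SNMP request from H2 and read which phase
!    (ACCESS-LIST, NAT, ...) reports the drop, if any.
packet-tracer input inside udp 10.1.1.10 1025 192.0.2.1 161 detailed
```

With interface PAT in place, the router sees the request coming from the ASA's outside address rather than from H2, so any SNMP access list or community restriction on the router has to allow that translated address.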

Mandar Deorukhkar Sun, 11/25/2012 - 01:30

I also have a similar problem. I have gone through the Cisco documentation; it says that the ASA firewall by default has NAT and PAT limitations for SNMP traffic. That means the NAT traffic for the router's SNMP cannot be passed through the ASA by default. Please check table 40-1 on http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html

I am also looking for a solution by which the default can be tweaked and the SNMP traffic is allowed.
