Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1399
Views
0
Helpful
4
Replies

ASA 5510 preventing external SNMP response

Steve Gunter
Level 1
Level 1

‎05-14-2010 12:31 PM - edited ‎03-11-2019 10:45 AM

I have the following setup:

R--H1

|

F

|

H2

R: 3840

F: ASA 5510

H: Hosts 1 and 2

I am trying to get SNMP info from the router to H2 but snmpwalk errors with no response from router. I can get info from H1 and neither interface on router is preventing SNMP traffic from coming or going.


Is there something that needs to be configured to allow SNMP traffic (orginating from INSIDE) to reply? (Also note that there is no Inspect Maps blocking and SNMP versions).

Thanks

Labels:
0 Helpful
4 Replies 4

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎05-14-2010 12:34 PM

Hi,

On the ASA you would need a STATIC NAT (if nat-control is enabled) and an ACL permitting the traffic. --> This is if the connection originates from the outside

If the connection originates from the inside, then you need NAT (if nat-control is enabled) and if there's an ACLapplied to the inside interface, you need to make sure the traffic is permitted.

Federico.

0 Helpful

Steve Gunter
Level 1
Level 1
In response to Federico Coto Fajardo

‎05-14-2010 12:48 PM

Yes, there is NAT where H2 is on the INSIDE, and the router is on the OUTSIDE.

I have allowed all IP inbound on the INSIDE interface and I do not have this issue with other UDP protocols (such as ntp).

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to Steve Gunter

‎05-14-2010 12:52 PM

Ok,


So you mentioned that the SNMP traffic will be originated from the inside (from H2)?
If there's NAT and ACL permission, then it should work.
You can do a Packet Tracer test from ASDM or from CLI to see if the traffic is passing through fine.

Federico.

0 Helpful

Mandar Deorukhkar
Level 1
Level 1
In response to Federico Coto Fajardo

‎11-25-2012 01:30 AM

I also have a similar problem. I have gone through the Cisco Documentation, It says that ASA Firewall by default have NAT and PAT Limitations for SNMP traffic. That means the the NAT traffic for routers SNMP can not be passed through ASA by default. Please check table 40-1 on http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html

I am also looking for the solution by which the defaullt can be twiked and the SNMP traffic is allowed

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card