ASA 5510 preventing external SNMP response

I have the following setup:

R--H1
|
F
|
H2

R: 3840

F: ASA 5510

H: Hosts 1 and 2

I am trying to get SNMP info from the router to H2, but snmpwalk errors with no response from the router. I can get info from H1, and neither interface on the router is preventing SNMP traffic from coming or going.

Is there something that needs to be configured to allow SNMP traffic (originating from INSIDE) to reply? (Also note that there is no Inspect Maps blocking and SNMP versions).

Thanks


Re: ASA 5510 preventing external SNMP response

Hi,

On the ASA you would need a STATIC NAT (if nat-control is enabled) and an ACL permitting the traffic. --> This is if the connection originates from the outside

If the connection originates from the inside, then you need NAT (if nat-control is enabled) and if there's an ACL applied to the inside interface, you need to make sure the traffic is permitted.

Federico.


Re: ASA 5510 preventing external SNMP response

Yes, there is NAT where H2 is on the INSIDE, and the router is on the OUTSIDE.

I have allowed all IP inbound on the INSIDE interface and I do not have this issue with other UDP protocols (such as ntp).

Re: ASA 5510 preventing external SNMP response

Ok,


So you mentioned that the SNMP traffic will be originated from the inside (from H2)?
If there's NAT and ACL permission, then it should work.
You can do a Packet Tracer test from ASDM or from CLI to see if the traffic is passing through fine.

Federico.


ASA 5510 preventing external SNMP response

I also have a similar problem. I have gone through the Cisco documentation; it says that the ASA firewall by default has NAT and PAT limitations for SNMP traffic. That means that the NAT traffic for the router's SNMP cannot be passed through the ASA by default. Please check table 40-1 on http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/inspect_overview.html

I am also looking for a solution by which the default can be tweaked and the SNMP traffic is allowed.
