12-23-2009 06:32 AM - edited 03-11-2019 09:51 AM
Hi,
I want to Open UDP Port 161 on our Cisco ASA 5510.
Kindly guide me to do the same.
12-23-2009 07:33 AM
You need to open the ACLs.
ACL applied to outside interface destined to that port. If you have an inside interface ACL make sure traffic sourced from port 161 is also allowed.
Make sure there is translation for the inside ip address port 161. You will need a static NAT or PAT.
static (inside,outside)
I hope it helps.
PK
12-23-2009 07:50 AM
Hi Vishal
Do you want to configure SNMP (UDP 161) on your ASA, or do you want to allow SNMP access through your firewall?
If you want to enable SNMP on ASA please use this guide:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/monitor_snmp.html
If it is the second case (allowing SNMP access through the firewall), you can configure access-lists. By default the ASA allows traffic from inside to outside (unless you have an ACL already); for access from outside to inside, you need ACLs:
access-list inside permit udp x.x.x.x a.a.a.a eq 161
Let me know the exact issue and we will try to solve it..
Raj
12-23-2009 07:45 PM
12-23-2009 08:11 PM
Vishal,
I believe this answers Raj's question to some extent. Meaning I understand it is "THROUGH" the firewall and not "TO" the firewall. Still, I am not sure where the monitoring server is and where the windows servers are.
topology 1:
monitoring server-----(inside)---------ASA-----(dmz or outside)---- windows server
You do not need to configure anything special since you have the following configured already.
access-list inside1 extended permit ip any any
topology 2:
windows servers ----(inside) --------ASA------(dmz or outside)---monitoring server.
If it is the above, then we need to create static translation for all the inside servers.
You can do either nat exemption with acl or static identity or static pat for udp port 161
For permission, you already have this configured:
access-list outside1 extended permit ip any any
You may want to tighten this ACL.
assuming the monitoring server is on the outside:
static (i,o) i.i.i.i i.i.i.i ----> this is identity static
static (i,o) o.o.o.o i.i.i.i ----> where o.o.o.o is the translated address and i.i.i.i is the internal address
nat (inside) 0 access-list nat0 ----> this is nat exemption with acl
access-list nat0 permit ip i.i.i.0/24 x.x.x.x
Now, knowing what WhatsUp Gold does and how it needs to be configured, I would place WhatsUp Gold where all the servers are, so it can monitor them without having to go through the firewall. But you know your network better than we do, so the above are your options.
-KS
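To make KS's topology 2 concrete (monitoring server on the outside, Windows server on the inside), here is a complete pre-8.3 ASA configuration fragment combining the static PAT and the tightened outside ACL. This is an added example, not configuration posted by anyone in the thread; the hostnames and addresses (WhatsUp Gold at 203.0.113.10, Windows server 10.1.1.20 mapped to 198.51.100.20) are constructed placeholders, and the ACL name outside1 is taken from the thread.

```cisco
! Added example for ASA 8.2 (pre-8.3 NAT syntax, as used in the thread).
! All addresses and names below are assumed for illustration only.
names
name 203.0.113.10 whatsup-server
name 10.1.1.20 win-server-inside
name 198.51.100.20 win-server-public

! Static PAT: expose only UDP/161 of the public address, not the whole host.
static (inside,outside) udp win-server-public 161 win-server-inside 161 netmask 255.255.255.255

! Replace "permit ip any any" on the outside ACL with the minimum needed.
! On pre-8.3 code the outside ACL matches the MAPPED (public) address.
no access-list outside1 extended permit ip any any
access-list outside1 extended permit udp host whatsup-server host win-server-public eq 161
access-group outside1 in interface outside

! Verification: simulate an SNMP poll from the monitoring server and
! confirm the packet is NATed and permitted; then look for the xlate.
packet-tracer input outside udp whatsup-server 1024 win-server-public 161
show xlate
```

Two caveats. First, the ASA is stateful, so the UDP reply from the Windows server back to the poller is matched against the existing connection and needs no separate inside ACL entry. Second, on ASA 8.3 and later the NAT and ACL model changed: NAT is written with `object network` and `nat (inside,outside) static`, and interface ACLs are matched against the real (inside) address rather than the mapped one, so the `permit` line above would reference win-server-inside instead of win-server-public.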