New Member

Cisco PIX 525 SNMP Management

Anyone know the commands on a PIX 525 to configure SNMP?

Hall of Fame Super Silver

Re: Cisco PIX 525 SNMP Management

Sure, it's all laid out in the Cisco PIX Firewall and VPN Configuration Guide. Take a look at Chapter 9, Accessing and Monitoring...

Blue

Re: Cisco PIX 525 SNMP Management

New Member

Re: Cisco PIX 525 SNMP Management

I looked through both those guides and they don't explain the commands really. There is one command, "snmp-server host x.x.x.x" but that does not work. That command has to be snmp-server host inside/outside poll community xxxxx. But that doesn't work either.

This is what is in my running config:

no snmp-server location
no snmp-server contact
snmp-server community xxxxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart

What am I missing?

Hall of Fame Super Silver

Re: Cisco PIX 525 SNMP Management

According to my PIX (Version 6.3(1)), the syntax for the key "snmp-server host" command is:

[no] snmp-server host [] [trap|poll]

As a bracketed parameter, is optional. In any case, that command will determine where snmp traps are sent to. Without it, the device does not know where to send snmp traps, thus raising the existential question "If a trap is generated without a receiver does anyone hear it?"

Here is what I am using:

snmp-server host inside ***.***.***.*** poll
snmp-server location *********
snmp-server contact ********
snmp-server community ************
snmp-server enable traps

(asterisks replacing my specific data)

Blue

Re: Cisco PIX 525 SNMP Management

It seems you're running PIX 7.x. If that's the case, it's "snmp-server host inside/outside poll community xxxxx" (rather than "snmp-server host inside/outside poll community xxxxx"), which does get covered in that doc:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a13.shtml#snmptothepix

"PIX/ASA Software Versions 7.x allow more granularity with regard to traps and queries.

hostname(config)#snmp-server host   trap community 

!--- The host is to be sent traps and cannot query
!--- with community string specified.


hostname(config)#snmp-server host poll community

!--- The host can query but is not to be sent traps
!--- with community string specified.





New Member

Re: Cisco PIX 525 SNMP Management

That worked! Thanks so much. Now lies the confusing part.

This firewall replicates to another firewall. So how do I monitor the other one since it is in standby or how do I make sure the other one is monitored if it fails over?

Also I forgot the command to see the active firewall.

Blue

Re: Cisco PIX 525 SNMP Management

For stateful failover (I vaguely recall a "special" failover cable in this picture?), "show failover" should indicate the active vs standby units. This is explained here, for example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#veri

Some possible status outputs to keep an eye on are:

"primary - active"
"context: Active"
"secondary - active"
"secondary - Failed"
"failover off"
"no license for failover"
"requires failover license"

Another way of monitoring the failover pair is to set up syslog monitoring for the failover related messages (presumably on redundant syslog servers), starting with ones such as "PIX-1-101002: (Primary) Bad failover cable" (substitute ASA for PIX if applicable, or vice versa) and on down, many of which may not indicate an immediate failover, but could forewarn conditions such as active not synchronizing to the standby:

http://www.cisco.com/en/US/docs/security/asa/asa81/system/message/81logmsg.html#wp4768551

http://www.cisco.com/en/US/docs/security/asa/asa81/system/message/81logmsg.html#wpmkr4768574

New Member

Re: Cisco PIX 525 SNMP Management

Thanks... I am trying to figure out how failover works, I guess. Does the standby assume the IPs and names of the primary unit when it fails over, or does it use its own IPs for the inside/outside interfaces when it fails over?

The secondary host shouldn't say this when on standby right?

Other host: Secondary - Failed

The primary always says "Waiting":

This host: Primary - Active
                Active time: 31443135 (sec)
                Interface outside (x.x.x.x): Normal (Waiting)
                Interface inside (x.x.x.x): Normal (Waiting)

Does that mean waiting to replicate?
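
Added example (not part of any post in this thread, and not Cisco code): the Python below parses "show failover" text and raises findings for the states listed earlier in the thread, such as "Failed" and "failover off". The function names, alert wording and sample text are constructed here, and the regexes assume the line layout quoted in the posts above.

```python
import re

# Constructed sample, shaped like the "show failover" lines quoted in this thread.
SAMPLE = """\
This host: Primary - Active
                Active time: 31443135 (sec)
                Interface outside (x.x.x.x): Normal (Waiting)
                Interface inside (x.x.x.x): Normal (Waiting)
Other host: Secondary - Failed
"""

UNIT_RE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(\S.*?)\s*$", re.I)
IFACE_RE = re.compile(r"^\s*Interface\s+(\S+)\s+\([^)]*\):\s*(\S.*?)\s*$", re.I)
OFF_RE = re.compile(r"failover off|no license for failover|requires failover license", re.I)

def parse_show_failover(text):
    """Return unit states and per-interface status from 'show failover' text."""
    report = {"unavailable": None, "units": {}, "interfaces": []}
    current = None  # which unit ("this"/"other") the following Interface lines belong to
    for line in text.splitlines():
        off = OFF_RE.search(line)
        if off:
            report["unavailable"] = off.group(0).lower()
        unit = UNIT_RE.match(line)
        if unit:
            current = unit.group(1).lower()
            report["units"][current] = (unit.group(2).capitalize(), unit.group(3).lower())
        iface = IFACE_RE.match(line)
        if iface and current:
            report["interfaces"].append((current, iface.group(1), iface.group(2)))
    return report

def findings(report):
    """Turn a parsed report into alert strings for a monitoring system."""
    out = []
    if report["unavailable"]:
        out.append(f"failover not running: {report['unavailable']}")
    for who, (role, state) in report["units"].items():
        if "failed" in state:
            out.append(f"{who} host ({role}) is failed")
    active = [w for w, (_, s) in report["units"].items() if s.startswith("active")]
    if report["units"] and len(active) != 1:
        out.append(f"expected exactly one active unit, saw {len(active)}")
    for who, name, status in report["interfaces"]:
        if status.lower() != "normal":  # anything other than plain Normal goes to review
            out.append(f"{who} host interface {name}: {status}")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_show_failover(SAMPLE))))
```
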
