
SNMP through a PIX firewall

bellefontainea
Level 1

I have recently turned on SNMP on my two host routers (clients).

I have given the CA Unicenter people the host files, which are NAT'd IPs on the routers' loopback IP address.

I have checked the CA Unicenter logs and see the "real" IP address in the logs. Why is this?

The two routers are considered to be on the outside of the PIX firewall. CA Unicenter is considered to be on the inside.

I cannot ping their real IPs, which is why I did an alias in the firewall. I can ping and telnet to their NAT'd IPs.


rmushtaq
Level 8

http://www.cisco.com/warp/public/110/pixsnmp.html should help with the PIX/SNMP side.

I had looked there prior to doing so and thought I had everything.

This is what I have in the firewall.

I have 3 interfaces in this firewall.

1 is inside.

The other two are separate clients, and I have named the interfaces to make life simple.

alias (inside) fake ip, real ip 255.255.255.255

static (inside,intname) 1.1.1.0 1.1.1.0 netmask 255.255.255.0

(The reason is there is various inside stuff the client needs access to.)

conduit permit udp host ( caunicenters ip eq snmptrap host nat'd ip )

conduit permit udp host ( caunicenters ip eq snmp host nat'd ip )

Which is why I am confused that I am seeing the host's real name in the SNMP trap.

Can someone shed any light?

Now I don't think this should make a difference, but we had a similar problem when we NAT'd an HSRP IP address: CA Unicenter was seeing the true IP. To fix it we NAT'd the IP of the Ethernet interface instead of the HSRP IP address, and then the NAT'd IP came through. The only common issue is that the loopback is a virtual IP, not a true IP address associated to the interface.

HELP!