Enable SNMP on PIX515

chicagotech
Level 1

I just installed NetFlow to monitor our Internet traffic rate. I have enabled SNMP on our Cisco PIX515. NetFlow displays "No devices have sent NetFlow exports to the software yet". I am not sure whether the problem is the PIX configuration or the NetFlow settings. How do I test the SNMP settings on the PIX?

access-list outside_in permit icmp any any unreachable

access-list outside_in permit tcp any host 192.168.11.253 eq 3389

access-list outside_in permit icmp any any echo-reply

access-list outside_in permit icmp any any time-exceeded

access-list outside_in permit tcp any host 192.168.10.10 eq 3389

access-list 192_splitTunnelAcl permit ip LAN 255.255.255.0 any

access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 VPN 255.255.255.240

access-list inside_outbound_nat0_acl permit ip LAN 255.255.255.0 any

access-list outside_cryptomap_dyn_20 permit ip any VPN 255.255.255.240

access-list outside_cryptomap_20 permit ip LAN 255.255.255.0 any

pager lines 24

logging on

logging trap errors

logging history informational

logging device-id hostname

mtu outside 1500

mtu inside 1500

ip address outside 192.168.10.254 255.255.255.0

ip address inside 192.168.11.254 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN 192.168.21.1-192.168.21.9

pdm location 192.168.11.253 255.255.255.255 inside

pdm location VPN 255.255.255.0 inside

pdm location LAN 255.255.255.0 outside

pdm location VPN 255.255.255.0 outside

pdm location LAN 255.255.255.255 inside

pdm location RDC 255.255.255.255 inside

pdm location 192.168.11.2 255.255.255.255 inside

pdm location 192.168.10.104 255.255.255.255 outside

pdm location 192.168.11.254 255.255.255.255 outside

pdm history enable

arp timeout 14400

global (outside) 2 192.168.10.250-192.168.10.253

global (outside) 1 interface

nat (inside) 0 access-list inside_outbound_nat0_acl

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 192.168.11.253 192.168.11.253 netmask 255.255.255.255 0 0

static (inside,outside) 192.168.10.10 RDC netmask 255.255.255.255 0 0

access-group outside_in in interface outside

route outside 0.0.0.0 0.0.0.0 192.168.10.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server LOCAL protocol local

http server enable

http 0.0.0.0 0.0.0.0 outside

http LAN 255.255.255.255 inside

http LAN 255.255.255.0 inside

snmp-server host outside 192.168.11.254

snmp-server host inside 192.168.11.254

no snmp-server location

no snmp-server contact

snmp-server community public

snmp-server enable traps

tftp-server outside 192.168.10.115 c:\

floodguard enable

sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 20 ipsec-isakmp

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 206.81.53.106

crypto map outside_map 20 set transform-set ESP-3DES-MD5

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp key ******** address 206.x.x.106 netmask 255.255.255.255 no-xauth no-config-mode

isakmp nat-traversal 20

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption 3des

isakmp policy 20 hash md5

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

vpngroup 192 address-pool VPN

vpngroup 192 dns-server 4.2.2.1

vpngroup 192 split-tunnel 192_splitTunnelAcl

vpngroup 192 idle-time 1800

vpngroup 192 password ********
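
One way to check the SNMP statements in the configuration posted above, as an added example that is not part of the original post: the script compares each `snmp-server host` entry with the firewall's own interface addresses and flags a default community string. The function name `audit_snmp` and the sample text are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the interface and SNMP lines of the configuration posted above.
SAMPLE_CONFIG = """\
ip address outside 192.168.10.254 255.255.255.0
ip address inside 192.168.11.254 255.255.255.0
snmp-server host outside 192.168.11.254
snmp-server host inside 192.168.11.254
snmp-server community public
"""
DEFAULT_COMMUNITIES = {"public", "private"}  # well-known defaults


def audit_snmp(config):
    """Return a list of findings for the SNMP statements in a PIX-style config.

    A manager polls the firewall on UDP 161 and receives its traps on UDP 162,
    so every `snmp-server host` entry has to name that manager.
    """
    interfaces, hosts, findings = {}, [], []
    for line in map(str.strip, config.splitlines()):
        try:
            if m := re.fullmatch(r"ip address (\S+) (\S+) (\S+)", line):
                interfaces[m[1]] = ipaddress.ip_interface(f"{m[2]}/{m[3]}")
            elif m := re.fullmatch(r"snmp-server host (\S+) (\S+)(?: .*)?", line):
                hosts.append((m[1], ipaddress.ip_address(m[2])))
            elif m := re.fullmatch(r"snmp-server community (\S+)", line):
                if m[1].lower() in DEFAULT_COMMUNITIES:
                    findings.append(f"community '{m[1]}' is a well-known default")
        except ValueError:
            continue  # names or dhcp instead of literal addresses: not checked here
    for if_name, manager in hosts:
        own = next((n for n, i in interfaces.items() if manager == i.ip), None)
        other = next((n for n, i in interfaces.items()
                      if n != if_name and manager in i.network), None)
        if own:
            findings.append(f"host {if_name} {manager}: this is the firewall's own "
                            f"{own} address, not a management station")
        elif other:
            findings.append(f"host {if_name} {manager}: address belongs to the "
                            f"{other} subnet, not behind {if_name}")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(SAMPLE_CONFIG):
        print("FINDING:", finding)
```
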

4 Replies

p-allen
Level 1

NetFlow needs to be configured on a router, not on a PIX. You can SNMP poll the PIX for traffic with something like MRTG, SolarWinds, etc.

Thanks. Will try them and post back.

I downloaded MRTG. Which port does PIX SNMP use?

Try downloading ManageEngine OpManager; you can monitor up to 20 devices, and it's a free version.

OR

Also you can download PRTG and monitor the traffic.

I hope this might help.
