SNMP monitoring of LAN devices over WAN

firestormnet · ‎07-23-2013

Hi All.

I've came up with a problem configuring SNMP monitoring of remote site. I need to monitor 5 switches on their LAN using SNMP. There is a firewall doing NATing. I've checked the forum and some people say SNMP cannot be done over NAT, some say if you do Static NAT it should work, that's a bit confusing. Could anybody explain is it possible to do that please?

If I use these methods of nat translation, for example:

1. 10.10.1.1(Source lan ip) port 161 to 88.99.88.88(Destination wan ip) port 10161

10.10.1.2(Source lan ip) port 161 to 88.99.88.88(Destination wan ip) port 10162

2. 10.10.1.1(Source lan ip) port 161 to 88.99.88.88(Destination wan ip) port 161

10.10.1.2(Source lan ip) port 161 to 88.99.88.89(Destination wan ip) port 161

3. Use something else? OID or MIB ?

Highly appretiate your help guys as I need it up and running like yesterday.

Thnks,

Regards.

catalystexpress · ‎07-24-2013

you probably need acl on outside interface to permit udp and also on the hq end you need the necessary acl, you may want to give a more detail topology and your both end configuration to sort this out

cheers..

firestormnet · ‎07-24-2013

Hi.

Thanks for your reply.

Our side is properly configured so there is no issue there, as we can monitor other devices once you put their WAN IP addresses.

Remote side is really straight forward. One core C3750 switch and other 4 switches C2960 and C3750 connected to it. All of them configured with snmp-community and ACL list permitting our WAN ip address (monitoring side). The default gateway is CheckPoint firewall doing NATing. We added a NAT rule like no.2 above, and I think it should automatically add ACL rule to allow SNMP traffic.

Do you think Static NAT is fine and it should work, so SNMP traffic can be translated using static NAT rule? But the problem with ACL?

Regards,

firestormnet · ‎09-10-2013

Hi.

Does anybody have a solution for this?

Is it possible to use PAT in some way?

There is one public ip address and 5 local devices configured with SNMP community and need to be monitored remotely.

Would PAT translation should work to monitor them remotely using SNMP?

I've tried this:

ip nat inside source static udp 10.0.1.103 161 212.xxx.xxx.xxx 161 ext

to all 5 devices and it works, but can't use 161 for all of them at the same time.
I tried this one:

ip nat inside source static udp 10.0.1.103 161 212.xxx.xxx.xxx 30161
ip nat inside source static udp 10.0.1.104 161 212.xxx.xxx.xxx 30162

and it doesn't work.
So what other methods can be used or there is no one.

Regards,

Seb Rupik · ‎09-10-2013

Try adding the 'extendable' keyword to the end of each of your nat statements.

firestormnet · ‎09-10-2013

Hi.

Router automatically adds that, anyway it does make a difference how you enter, still says Not connected.

Thanks

n_schloemer · ‎09-10-2013

Hi FireStomenet

I had a similar issue with multiple CPE devices at a client site. I did attempt to perform the PAT on the edge, however, the SNMP server downstream would just view the same socket of srcip:162 and could never differentiate between the different hosts. Could you stand up some for of routing tunnel (i.e. IPsec, GRE) so you can natively communicate to the source IP addresses of the seperate subnet. Even if there was a subnet conflict for any reason you could alway implement intermediate NATs.

I punted this problem around for awhile and eventually realize the tunnel was just the easiest route.

Hope this helps.