
Allow SNMP to DMZ


igolo

IS-IT--Management
Jan 16, 2002
I need help configuring my PIX to allow SNMP to the DMZ from my management subnet. The management subnet is 192.168.45.0/24 (inside firewall), the LAN subnet is 10.1.40.0/24 (inside) and the DMZ is 172.17.6.0/24.
I need to have my management station alert me if my web server goes down. The management station works with all subnets but the DMZ. I've tried several different ACL combinations but none seems to work.
Things I've tried:
access-list 100 permit udp 192.168.45.0 255.255.255.0 172.17.6.0 255.255.255.0 eq snmp

static (dmz,inside) udp CCNETMON snmp 172.17.6.0 snmp netmask 255.255.255.255 0 0
static (inside,dmz) udp 172.17.6.0 snmp CCNETMON snmp netmask 255.255.255.255 0 0
 
After you've allowed SNMP, can you check the firewall's logs to see what is being denied?

Hope that helps
 
There's nothing in the syslogs indicating anything is getting blocked at either one of the subnets (192.168.45.0 or 172.17.6.0). I have multiple servers (web and FTP) in the DMZ that pass different types of traffic (SMTP, SQL) to the inside interface without a problem.
 
Why do you have PAT enabled between the two interfaces? I usually disable NAT so the two segments can communicate using their native IPs.
 
Can you post a full scrubbed config and a description of the topology?


Brent
Systems Engineer / Consultant
CCNP, CCSP
 
Sorry for the late response, I was out sick.

The network is like this:
The firewall has 3 interfaces: external, DMZ (172.16.xx.xx) and LAN (10.1.xxx.xxx), connected to an internal router with 2 interfaces & WAN: LAN (10.1.xxx.xxx) & management (192.168.xxx.xxx). Using SNMP I can monitor everything on the LAN & WAN from the management segment. I'd like to be able to monitor the devices on the DMZ segment as well. The management station can ping devices on the DMZ. How do I allow SNMP to pass through the firewall to the DMZ?

Here is the firewall config:
Building configuration...
: Saved
:
PIX Version 6.3(3)
interface ethernet0 auto
interface ethernet1 100full
interface ethernet2 100full
interface ethernet3 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 wan security75
enable password exvlx6yhvLSBVIKL encrypted
passwd lfWEd5sgsseWs1ct encrypted
hostname CCPIX525
domain-name EVERFASTINC
fixup protocol dns maximum-length 4096
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 10.1.10.2 CCSQL01
name 10.1.10.19 CCSQL02
name 10.1.10.12 CCAJBRTS
name 10.1.10.11 CCAJBSLT
name 10.1.10.21 CCSQL03
name 10.1.80.1 CCTRMSVR01
name 10.1.10.46 CCMSG03
name 10.1.10.13 CCRAS01
name 10.1.50.2 RETAILIDEAS
name 10.1.10.3 CCHD01
name 10.1.50.1 PMMI
name 10.1.1.3 CCSPAM01
name 192.168.20.10 CCNETMON
name 10.1.10.55 CCBULKMAIL
name 10.1.100.175 MFORNEY05
name 10.1.6.227 mforney06
name 10.1.100.72 mercury
name 10.1.10.54 CCINTRANET
object-group service MSSQL tcp-udp
description Microsoft SQL Server
port-object range 1433 1433
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list 100 permit tcp any host xxx.xxx.xxx.86 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.84 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.84 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.86 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.90 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.83 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.88 eq ftp
access-list 100 permit tcp any host xxx.xxx.xxx.90 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.87 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.87 eq ftp
access-list 100 permit tcp any host xxx.xxx.xxx.87 eq 1433
access-list 100 permit tcp any host xxx.xxx.xxx.87 eq sqlnet
access-list 100 permit ip any 172.16.0.0 255.255.0.0
access-list 100 permit udp any host xxx.xxx.xxx.84 eq domain
access-list 100 permit tcp any host xxx.xxx.xxx.83 eq 1270
access-list 100 permit tcp any host 172.17.1.2 eq 3389
access-list 100 permit tcp any host xxx.xxx.xxx.93 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.93 eq https
access-list 100 permit tcp any host xxx.xxx.xxx.92 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.89 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.89 eq 81
access-list 100 permit tcp any host xxx.xxx.xxx.83 eq pop3
access-list 100 permit tcp any host xxx.xxx.xxx.83 eq 995
access-list 100 permit tcp any host xxx.xxx.xxx.92 eq 81
access-list 100 permit tcp any host xxx.xxx.xxx.90 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.92 eq smtp
access-list 100 permit tcp any host xxx.xxx.xxx.92 eq 83
access-list 100 permit tcp any host xxx.xxx.xxx.92 eq 88
access-list 100 permit tcp any host xxx.xxx.xxx.92 eq 90
access-list 100 permit tcp any host xxx.xxx.xxx.89 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.83 eq ssh
access-list 100 permit tcp any host xxx.xxx.xxx.83 eq domain
access-list 100 permit tcp any host xxx.xxx.xxx.83 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.83 eq 123
access-list 100 permit ip any 192.168.20.0 255.255.255.0
access-list 100 permit udp any 192.168.20.0 255.255.255.0
access-list 100 permit tcp any host xxx.xxx.xxx.91 eq www
access-list 100 permit tcp any 192.168.20.0 255.255.255.0
access-list 100 permit tcp any host xxx.xxx.xxx.94 eq www
access-list 100 permit tcp any host xxx.xxx.xxx.88 eq www
access-list 100 permit udp host CCNETMON 172.17.1.0 255.255.255.0 eq snmp
access-list dmz_access_in permit tcp host 172.17.1.5 host CCSQL01
access-list dmz_access_in permit tcp host 172.17.1.5 host CCSQL02
access-list dmz_access_in permit tcp host 172.17.1.2 host CCSQL02
access-list dmz_access_in permit tcp host 172.17.1.2 host CCSQL03
access-list 101 permit ip 172.17.1.0 255.255.255.0 any
access-list 101 permit ip any 10.1.0.0 255.255.0.0
access-list 101 permit udp any eq domain any
access-list 101 permit icmp any 10.1.0.0 255.255.0.0
access-list 101 permit icmp any any
access-list 101 permit ip any any
access-list inside_outbound_nat0_acl permit ip host CCTRMSVR01 192.168.30.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host CCAJBSLT 192.168.30.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host CCAJBRTS 192.168.30.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host PMMI 192.168.30.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host RETAILIDEAS 192.168.30.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host CCINTRANET 192.168.30.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip host CCMSG03 192.168.30.0 255.255.255.192
access-list inside_outbound_nat0_acl permit ip any 192.168.2.0 255.255.255.224
access-list inside_outbound_nat0_acl permit ip host CCBULKMAIL 192.168.30.0 255.255.255.192
access-list 103 deny tcp any host xxx.xxx.xxx.83 eq 135
access-list 103 deny udp any host xxx.xxx.xxx.83 eq 135
access-list 103 deny tcp any host xxx.xxx.xxx.83 eq 137
access-list 103 deny udp any host xxx.xxx.xxx.83 eq netbios-ns
access-list 103 deny tcp any host xxx.xxx.xxx.83 eq 138
access-list 103 deny udp any host xxx.xxx.xxx.83 eq netbios-dgm
access-list 103 deny tcp any host xxx.xxx.xxx.83 eq netbios-ssn
access-list 103 deny udp any host xxx.xxx.xxx.83 eq 139
access-list 103 deny tcp any host xxx.xxx.xxx.83 eq 445
access-list 103 deny tcp any host xxx.xxx.xxx.83 eq 593
access-list 103 deny tcp any host xxx.xxx.xxx.83 eq 4444
access-list 103 permit ip any any
access-list 103 permit udp any any
access-list 103 permit tcp host MFORNEY05 any eq 3389
access-list 103 deny udp any host xxx.xxx.xxx.83 eq tftp
access-list dmz_outbound_nat0_acl permit ip host 172.17.1.2 192.168.20.0 255.255.255.248
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.0 255.255.255.192
access-list outside_cryptomap_dyn_80 permit ip any 192.168.30.0 255.255.255.192
access-list outside_cryptomap_dyn_100 permit ip any 192.168.30.0 255.255.255.192
access-list 0 deny tcp 61.0.0.0 61.255.255.255 any
access-list outside_cryptomap_dyn_120 permit ip any 192.168.2.0 255.255.255.224
access-list outside_cryptomap_dyn_140 permit ip any 192.168.30.0 255.255.255.192
pager lines 24
logging on
logging monitor debugging
logging buffered errors
logging trap warnings
logging host inside CCNETMON
no logging message 106011
logging message 106011 level debugging
icmp permit any outside
icmp permit any inside
icmp permit any dmz
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu wan 1500
ip address outside xxx.xxx.xxx.83 255.255.255.240
ip address inside 10.1.1.2 255.255.0.0
ip address dmz 172.17.1.1 255.255.255.0
no ip address wan
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool vpnusers 192.168.1.2-192.168.1.51
ip local pool Consultants 192.168.30.1-192.168.30.50
ip local pool CorpUsers 192.168.2.5-192.168.2.30
no failover
failover timeout 0:00:00
failover poll 15
no failover ip address outside
no failover ip address inside
no failover ip address dmz
no failover ip address wan
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 1 192.168.20.0 255.255.255.0 0 0
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 dns 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
static (dmz,outside) tcp xxx.xxx.xxx.88 ftp 172.17.1.3 ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.87 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.87 ftp 172.17.1.5 ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.87 sqlnet 172.17.1.5 sqlnet netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.84 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.84 smtp 172.17.1.2 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.93 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.93 https CCMSG03 https netmask 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.90 255.255.255.255 0 0
static (dmz,outside) tcp xxx.xxx.xxx.90 https 172.17.1.10 https netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.83 pop3 CCMSG03 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.83 995 CCMSG03 995 netmask 255.255.255.255 0 0
static (dmz,inside) tcp CCMSG03 smtp 172.17.1.10 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.92 81 CCBULKMAIL 81 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.92 smtp CCBULKMAIL smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.92 88 CCBULKMAIL 88 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.92 83 CCBULKMAIL 83 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.83 smtp CCSPAM01 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.83 ssh CCSPAM01 ssh netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.83 domain CCSPAM01 domain netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.83 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.83 123 CCSPAM01 123 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.89 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.91 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.92 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.88 255.255.255.255 0 0
static (inside,dmz) tcp 172.17.1.0 3389 MFORNEY05 3389 netmask 255.255.255.255 0 0
static (inside,outside) tcp xxx.xxx.xxx.86 255.255.255.255 0 0
static (dmz,inside) udp CCNETMON snmp 172.17.1.0 snmp netmask 255.255.255.255 0 0
static (inside,dmz) udp 172.17.1.0 snmp CCNETMON snmp netmask 255.255.255.255 0 0
static (inside,dmz) CCSQL01 CCSQL01 netmask 255.255.255.255 0 0
static (inside,outside) CCSQL01 CCSQL01 netmask 255.255.255.255 0 0
static (inside,dmz) CCSQL02 CCSQL02 netmask 255.255.255.255 0 0
static (inside,outside) CCSQL02 CCSQL02 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.1.0 10.1.1.0 netmask 255.255.255.0 0 0
static (inside,dmz) 10.1.0.0 10.1.0.0 netmask 255.255.255.255 0 0
static (inside,dmz) 10.1.10.1 10.1.10.1 netmask 255.255.255.255 0 0
static (inside,dmz) CCSQL03 CCSQL03 netmask 255.255.255.255 0 0
access-group 100 in interface outside
access-group 103 in interface inside
access-group 101 in interface dmz
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.81 1
route inside 172.16.0.0 255.255.0.0 10.1.1.254 1
route inside 192.168.20.0 255.255.255.0 10.1.1.254 1
timeout xlate 0:45:00
timeout conn 0:15:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
url-server (inside) vendor n2h2 host 10.1.10.45 port 4005 timeout 5 protocol TCP
filter url except 10.1.0.0 255.255.0.0 172.17.0.0 255.255.255.0
filter url except 172.17.1.2 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
http server enable
http 10.1.10.45 255.255.255.255 inside
http CCRAS01 255.255.255.255 inside
http 10.1.0.0 255.255.0.0 inside
tftp-server inside 10.1.100.179 /tftp-root
floodguard enable
sysopt connection permit-ipsec
service resetinbound
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 140 match address outside_cryptomap_dyn_140
crypto dynamic-map outside_dyn_map 140 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
telnet timeout 5
ssh MFORNEY05 255.255.255.255 inside
ssh 10.1.100.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
url-block block 64
terminal width 80
Cryptochecksum:d5d7151a80d176336c7dd88ce24aa346
: end
[OK]
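Added example, not from the thread or from any poster: a small Python triage for the "check the firewall logs" step, covering the SNMP flow asked about (manager to DMZ hosts on UDP/161). It parses the two PIX 6.x deny messages that matter here, the ACL deny (106023) and the no-translation deny (106011), and then checks whether the posted `logging trap warnings` plus `logging message 106011 level debugging` lines would forward a 106011 deny to the `logging host` at all. The log lines are constructed, the message shapes follow the PIX syslog documentation, and treating the `level` form of `logging message` as re-enabling a message is a labelled assumption.

```python
"""Triage PIX 6.x syslog for SNMP (udp/161) denies and check trap-level suppression."""
import re

# PIX severity keywords as used by `logging trap` and `logging message ... level`.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# Deny formats relevant to "is SNMP being blocked": ACL deny (106023) and no-xlate deny (106011).
DENY_PATTERNS = [
    re.compile(r'%PIX-(?P<sev>\d)-(?P<id>106023): Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/\d+ '
               r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'),
    re.compile(r'%PIX-(?P<sev>\d)-(?P<id>106011): Deny inbound \(No xlate\) (?P<proto>\w+) '
               r'src (?P<sif>\w+):(?P<src>[\d.]+)/\d+ dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)'),
]

def snmp_denies(lines, manager):
    """Return (msg_id, dst_ip, acl_or_None) for every UDP/161 deny sourced from the manager."""
    hits = []
    for line in lines:
        for pat in DENY_PATTERNS:
            m = pat.search(line)
            if m and m["proto"] == "udp" and m["dport"] == "161" and m["src"] == manager:
                hits.append((m["id"], m["dst"], m.groupdict().get("acl")))
    return hits

def forwarded_to_host(config_lines, msg_id, default_level):
    """Would msg_id reach the syslog host? Applies `logging trap`, `no logging message <id>`
    and `logging message <id> level <lvl>` in config order. Trap logging is off until set."""
    trap, level, enabled = None, SEVERITY[default_level], True
    for line in config_lines:
        t = line.split()
        if t[:2] == ["logging", "trap"] and len(t) > 2:
            trap = SEVERITY[t[2]]
        elif t[:3] == ["no", "logging", "message"] and len(t) > 3 and t[3] == msg_id:
            enabled = False
        elif t[:2] == ["logging", "message"] and len(t) > 4 and t[2] == msg_id and t[3] == "level":
            level = SEVERITY[t[4]]
            enabled = True  # assumption: the `level` form also re-enables the message
    return enabled and trap is not None and level <= trap

# Constructed sample data (not taken from the thread); manager and DMZ addresses mirror the posted config.
SAMPLE_LOG = [
    '%PIX-4-106023: Deny udp src inside:192.168.20.10/1029 dst dmz:172.17.1.5/161 by access-group "103"',
    '%PIX-3-106011: Deny inbound (No xlate) udp src inside:192.168.20.10/1030 dst dmz:172.17.1.10/161',
    '%PIX-4-106023: Deny tcp src inside:10.1.100.175/2001 dst dmz:172.17.1.2/3389 by access-group "103"',
]
SAMPLE_CONFIG = ["logging trap warnings", "logging host inside CCNETMON",
                 "no logging message 106011", "logging message 106011 level debugging"]

if __name__ == "__main__":
    print(snmp_denies(SAMPLE_LOG, "192.168.20.10"))
    print("106011 reaches syslog host:", forwarded_to_host(SAMPLE_CONFIG, "106011", "errors"))
```

With the posted logging lines, a 106011 no-xlate deny is held at debugging while the trap level is warnings, so it never reaches CCNETMON; an empty syslog therefore does not prove the SNMP packets were passed.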