Cisco 151e PIX & MRTG

Hello and help.

I'm pretty new to this Cisco firewall business, being a support monkey. We have MRTG and would like to get it running to monitor our PIX (obviously), but I'm stuck at the first hurdle. According to the MRTG guide for Windows I need the SNMP port number, the SNMP OID and the read-only SNMP community string for the device.

I know the latter isn't public as I've tried that and I've managed to telnet into the device but that's about it.

I'm also thinking that I'll need to see if SNMP is configured or indeed turned on?

Can anyone help me out and list the commands I need to gather this info?

Many thanks.

Reply to
charleh

Sorry, that's a 515e.

Reply to
charleh

I've got MRTG working with mine here.

First enable SNMP, and set the host that is going to be allowed to do the SNMP query.

snmp-server host inside a.b.c.d

Then set up the SNMP read string.

snmp-server community

There is a MIB download somewhere on the Cisco site for the OIDs, I vaguely remember using that in conjunction with SNMPWalk to find the OIDs I wanted to use. However, the traffic OIDs are standard and MRTG can use the single number requests to get them. Interface names below might not match yours, if not just switch the numbers as necessary. w.x.y.z should be replaced with your PIX internal address, and snmpstring with your SNMP read string. I have a PIX 515UR with 3 interfaces - inside (interface 1), outside (interface 2), and dmz (interface 3).

Outside interface: Target[w.x.y.z_1]: 1: snipped-for-privacy@w.x.y.z

Inside interface: Target[w.x.y.z_2]: 2: snipped-for-privacy@w.x.y.z

DMZ interface: Target[w.x.y.z_3]: 3: snipped-for-privacy@w.x.y.z

To get the connections in use figure, you need the OIDs.

Target[w.x.y.z_con]:1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6&1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6: snipped-for-privacy@w.x.y.z

I only use MRTG to generate 4 charts, so that's all I have in my config.

Dan

Reply to
Spack

Enabling SNMP is not a recommended practice in general. You can have your firewall send SNMP traps to your monitoring station.

Target[w.x.y.z_con]:1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6&1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6: snipped-for-privacy@w.x.y.z

Reply to
William L. Sun

William wrote on Wed, 9 Mar 2005 23:40:06 -0800:

PIX SNMP traps are only capable of sending what can be sent via syslog, which are sent in response to changes (links going up/down, rules being hit, connections being made, etc). The OP is asking how to get MRTG to request data to generate usage charts - these tend to be current state requests for traffic and connection counts at intervals from the machine running MRTG, and therefore need to request the data via SNMP as this cannot be done using traps AFAIK.

By restricting SNMP requests to a single host on the inside interface the risk is significantly reduced, especially in a known LAN environment. And as I understand it polling hosts can only read data, not write back.

Dan

Reply to
Spack
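As an added example (not from this thread and not Dan's own config), here is a small Python checker that parses the two MRTG Target forms Dan shows (ifIndex form and explicit OID&OID form) and cross-checks them against the PIX's snmp-server lines, flagging a default community string, a community that doesn't match the firewall, a malformed OID, and a poller address that is not the permitted snmp-server host as Dan's second post recommends. The addresses, the community string and the sample configs are constructed placeholders.

```python
import re

# MRTG Target syntax in the two forms shown in this thread (regex is my own):
#   Target[name]: 2:community@host        ifIndex form (standard interface counters)
#   Target[name]: oid&oid:community@host  explicit OIDs (PIX connection count)
TARGET_RE = re.compile(r"^\s*Target\[([^\]]+)\]\s*:\s*([^:]+):\s*([^@]+)@(\S+)")
OID_RE = re.compile(r"^\d+(?:\.\d+)+$")
WEAK_COMMUNITIES = {"public", "private"}

def parse_target(line):
    """Parse one MRTG Target line into a dict; return None for any other line."""
    m = TARGET_RE.match(line)
    if not m:
        return None
    name, spec, comm, host = m.group(1), m.group(2).strip(), m.group(3).strip(), m.group(4)
    kind, oids = ("ifindex", [spec]) if spec.isdigit() else ("oid", spec.split("&"))
    return {"name": name, "kind": kind, "oids": oids, "community": comm, "host": host}

def pix_snmp_settings(pix_config):
    """Collect permitted poller hosts and community strings from snmp-server lines."""
    hosts, communities = set(), set()
    for parts in (l.split() for l in pix_config.splitlines()):
        if parts[:2] == ["snmp-server", "host"] and len(parts) >= 4:
            hosts.add(parts[3])          # snmp-server host <interface> <ip>
        elif parts[:2] == ["snmp-server", "community"] and len(parts) >= 3:
            communities.add(parts[2])    # snmp-server community <string>
    return hosts, communities

def audit(mrtg_cfg, pix_config, poller_ip):
    """Return findings to clear before polling: poller, community and OID problems."""
    findings = []
    hosts, communities = pix_snmp_settings(pix_config)
    if poller_ip not in hosts:
        findings.append(f"poller {poller_ip} is not an snmp-server host on the PIX")
    for t in filter(None, map(parse_target, mrtg_cfg.splitlines())):
        if t["community"].lower() in WEAK_COMMUNITIES:
            findings.append(f"{t['name']}: default community '{t['community']}'")
        elif t["community"] not in communities:
            findings.append(f"{t['name']}: community does not match the PIX config")
        for oid in t["oids"] if t["kind"] == "oid" else []:
            if not OID_RE.match(oid):
                findings.append(f"{t['name']}: malformed OID '{oid}'")
    return findings

# Constructed sample input; addresses and the community string are placeholders.
MRTG_CFG = ("Target[10.0.0.1_2]: 2:public@10.0.0.1\n"
            "Target[10.0.0.1_con]:1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6&1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6: r0poll@10.0.0.1\n")
PIX_CFG = "snmp-server host inside 10.0.0.50\nsnmp-server community r0poll\n"
```

Running `audit(MRTG_CFG, PIX_CFG, "10.0.0.50")` on the sample reports only the `public` community on the first target; changing the poller address to one not in the PIX config adds a second finding.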

Wolfgang wrote on Thu, 10 Mar 2005 12:02:14 +0100:

Succinct, and in the case of something complex like a PIX, definitely a good response :P

Dan

Reply to
Spack

RTFM

Wolfgang

Reply to
Wolfgang Kueter

Please excuse me. I did explain in the first post what my situation is/was.

I have RTFM as you so very delicately suggested but my brain doesn't work the way Cisco wants it to so I took a chance and asked here.

Have a nice day.

Reply to
charleh
