I added a host as an SNMP management station (it's inside the DMZ interface) for polls only to try to monitor traffic, etc. However, a portscan shows 161 as closed. What else do I need to do?
- posted
17 years ago
It's a firewall -- it isn't going to respond to a portscan ;-)
More to the point: SNMP is designed so that if you do not use the correct community name in the packet, then no response will be generated. You don't get an "incorrect community" response packet, there just isn't any answer. Thus, a trial packet doesn't show anything useful; and the PIX doesn't send back ICMP port-unreachable or network-unreachable messages for anything.
Not true.
Basic config could look like this
access-list inside_access_in permit udp host 192.168.255.110 any eq snmp
snmp-server host inside 192.168.255.110 poll
snmp-server location My_location
snmp-server contact snipped-for-privacy@yahoo.com
snmp-server community mycommunitystring
Though I have my polling station inside (thus the ACL name). I check if it's working by doing snmpwalk -v1 -c mycommunitystring ip.of.my.pix
ML
Try using the PIX capture command to see if the box is actually receiving SNMP packets
If you want to receive SNMP traps, then also config: snmp-server host inside 192.168.255.110 trap
Traffic destined for the PIX itself is not affected by access-groups, at least not before 7.x (and the ACL format you gave is before 7.x). There is thus no point in having that ACL entry unless you want 192.168.255.110 to be able to SNMP other devices outside or in a DMZ.
The location and contact information are optional. There is a default community string (though of course using it would not be secure.) So the only mandatory part of the configuration is the snmp host line.
Turned out that the problem was I hadn't used snmpwalk in a long, looong time, and I didn't know you had to specify the SNMP version or use a -c now :-) All is well.
Thanks, all!
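The thread's real lesson is that a closed-looking UDP/161 tells you nothing: an SNMPv1 agent that does not like the community string (or the source address, which is what the PIX snmp-server host line controls) simply stays silent, and the PIX sends no ICMP unreachable either. The only meaningful check is to send a properly formed SNMPv1 GetRequest with the configured community and see whether a GetResponse comes back, which is what the snmpwalk -v1 -c invocation above does. The following Python script is an added example, not code from the thread or from Cisco: it hand-encodes the SNMPv1 GetRequest for sysDescr.0 in BER, decodes any reply, and classifies the outcome as "answered", "silent" or "port-unreachable". The hostnames, community strings and the "Cisco PIX Firewall" sample value in the test are constructed placeholders; run probe() against your own monitored device with the community you configured.

```python
import socket

SNMP_V1 = 0
GET_REQUEST = 0xA0     # context tag [0]
GET_RESPONSE = 0xA2    # context tag [2]
SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"


def _length(n):
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _integer(value):
    # minimal two's-complement encoding of an ASN.1 INTEGER
    n = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def _oid(dotted):
    """Encode a dotted OID: first two arcs fold into one byte, rest are base-128 with continuation bits."""
    ids = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * ids[0] + ids[1]])
    for sub in ids[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _pdu(pdu_type, community, request_id, varbind_list):
    pdu = _tlv(pdu_type, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, varbind_list))
    return _tlv(0x30, _integer(SNMP_V1) + _tlv(0x04, community.encode()) + pdu)


def build_get_request(community, oid=SYS_DESCR_0, request_id=1):
    """SNMPv1 GetRequest for one OID, value slot carries ASN.1 NULL."""
    return _pdu(GET_REQUEST, community, request_id, _tlv(0x30, _oid(oid) + b"\x05\x00"))


def build_get_response(community, request_id, oid, value):
    """GetResponse with a single OCTET STRING varbind (used here to exercise the decoder)."""
    return _pdu(GET_RESPONSE, community, request_id, _tlv(0x30, _oid(oid) + _tlv(0x04, value.encode())))


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    ids, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            ids.append(val)
            val = 0
    return ".".join(map(str, ids))


def parse_message(data):
    """Decode an SNMPv1 message (request or response) into a dict of its fields."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, ver, pos = _read_tlv(msg, 0)
    _, community, pos = _read_tlv(msg, pos)
    pdu_type, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, p)
        if vtag == 0x04:
            value = val.decode(errors="replace")
        elif vtag == 0x02:
            value = int.from_bytes(val, "big", signed=True)
        elif vtag == 0x05:
            value = None
        else:
            value = val                      # leave other types (Counter, TimeTicks, ...) raw
        varbinds.append((_decode_oid(oid), value))
    return {"version": int.from_bytes(ver, "big", signed=True), "community": community.decode(errors="replace"),
            "pdu_type": pdu_type, "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True), "varbinds": varbinds}


def probe(host, community, port=161, timeout=2.0):
    """Send one GetRequest and classify the outcome. 'silent' is what a wrong community string
    or a source address missing from the agent's allowed-host list looks like; it is not proof
    that the agent is down, and a port scan cannot distinguish the two either."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "silent", None
        except ConnectionRefusedError:       # only seen when the host does send ICMP port-unreachable
            return "port-unreachable", None
    return "answered", parse_message(data)


if __name__ == "__main__":
    # hypothetical target and community; replace with your own monitored device
    print(probe("ip.of.my.pix", "mycommunitystring"))
```

The encoder is checked below against the well-known 40-byte "public" sysDescr.0 request, so a bytes-level comparison with a packet capture (the PIX capture command suggested above, or any sniffer) is straightforward. When probe() reports "answered" the agent and the community are fine and any remaining monitoring problem is on the poller side; "silent" means checking the community string and the snmp-server host entry for the poller's address before anything else.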