Enable SNMP on PIX 515?

I added a host as an SNMP management station (it's inside the DMZ interface) for polls only to try to monitor traffic, etc. However, a portscan shows 161 as closed. What else do I need to do?

Reply to
John Oliver

It's a firewall -- it isn't going to respond to a portscan ;-)

More to the point: SNMP is designed so that if you do not use the correct community name in the packet, then no response will be generated. You don't get an "incorrect community" response packet, there just isn't any answer. Thus, a trial packet doesn't show anything useful; and the PIX doesn't send back ICMP port-unreachable or network-unreachable messages for anything.

Reply to
Walter Roberson
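The silent-drop behaviour described above, as an added Python example that is not from the thread: it hand-encodes the SNMPv1 GetRequest for sysDescr.0 that snmpwalk -v1 -c sends, and a hypothetical agent_decision function mimics an agent that answers only when the version and community match, so a wrong community produces no reply at all. The community strings and OID used are constructed sample values.

```python
# Minimal BER/SNMPv1 encoder and header parser (constructed example).
def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body

def encode_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share a byte
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                                   # base-128, continuation bit set
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def build_get_request(community, oid, request_id=1):
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))          # OID + NULL
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))                                 # GetRequest-PDU
    return tlv(0x30, encode_int(0) + tlv(0x04, community.encode()) + pdu)  # v1 = 0

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_header(packet):
    tag, body, _ = _read_tlv(packet, 0)
    vtag, vbody, pos = _read_tlv(body, 0)
    ctag, cbody, _ = _read_tlv(body, pos)
    if tag != 0x30 or vtag != 0x02 or ctag != 0x04:
        raise ValueError("not an SNMPv1/v2c message header")
    return int.from_bytes(vbody, "big", signed=True), cbody.decode(errors="replace")

def agent_decision(packet, configured_community):
    # Hypothetical agent policy: wrong version or community is dropped
    # silently, never answered with an error, so the poller only times out.
    try:
        version, community = parse_header(packet)
    except (ValueError, IndexError):
        return "drop"
    return "respond" if version == 0 and community == configured_community else "drop"
```

The community string travels in cleartext (it is visible in the raw bytes), which is why the thread's advice not to keep the default community matters.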

Not true.

Basic config could look like this

access-list inside_access_in permit udp host 192.168.255.110 any eq snmp
snmp-server host inside 192.168.255.110 poll
snmp-server location My_location
snmp-server contact snipped-for-privacy@yahoo.com
snmp-server community mycommunitystring

Though I have my polling station inside (thus the ACL name). I check if it's working by doing snmpwalk -v1 -c mycommunitystring ip.of.my.pix

ML

Reply to
Martin Latos

Try using the PIX capture command to see if the box is actually receiving SNMP packets

If you want to receive SNMP traps, then also config: snmp-server host inside 192.168.255.110 trap

Reply to
Merv

Traffic destined for the PIX itself is not affected by access-groups, at least not before 7.x (and the ACL format you gave is before 7.x). There is thus no point in having that ACL entry unless you want 192.168.255.110 to be able to SNMP other devices outside or in a DMZ.

The location and contact information are optional. There is a default community string (though of course using it would not be secure.) So the only mandatory part of the configuration is the snmp host line.

Reply to
Walter Roberson

Turned out that the problem was I hadn't used snmpwalk in a long, looong time, and I didn't know you had to specify the SNMP version or use a -c now :-) All is well.

Thanks, all!

Reply to
John Oliver
