PIX 6.3.5, management-access command, snmp & VPN

Good day,

My quick scenario is, one central location with an HA PIX 515. Crossing the wide World, 10 other sites. Some of those sites have overlapping inside network addressing.

I am asked to set up a VPN from the central location to get SNMP info and ping. I can't use the external IP of the remote firewalls to achieve this.

So, looking around, I've found some sort of a procedure that does make sense. I need to know your point of view on that.

Given the IP address of the SNMP workstation, let's say 195.238.19.19. All the IPs here are fake :)

Ok, here is how I think we should be trying to do it,

Get a free physical interface which is not in use on a remote firewall, like

pix(config)# sh conf | grep nameif
nameif ethernet0 external security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25

For example, I could take eth5, like

pix(config)#nameif ethernet5 snmp-mgmt security10

Once done, I need to assign an IP to that new interface "snmp-mgmt" coming from a given pool, let's say 10.144.144.1, and physically make sure this interface is up.

So,

pix(config)#ip address snmp-mgmt 10.144.144.1 255.255.255.255

Host "10.144.144.1" to the nat0 and bound to a crypto-map.

management-access snmp-mgmt ; to allow that new interface to be a manageable interface. Cisco features this thing over a VPN only, that's just what we need. I've been on cisco.com for that one but I am not sure it really does what I am looking for. Would you give me more clues on that command?

pix(config)#management-access snmp-mgmt

Enabling snmp and ping to that interface from the snmp workstation

For Ping, icmp permit 195.238.19.19 snmp-mgmt

But for snmp, I think

pix(config)#snmp-server host snmp-mgmt 195.238.15.15

Should be enough

Not sure about the read-only stuff, or if SNMP v1 is better than 2 or even 3 in our case. We do not need the SNMP mgmt workstation to be able to download the complete policy out of SNMP, or to push things either.

Would that work? Thanks!

With my best regards!

Raphael



What is the technical reason that you cannot use the external IPs of the remote firewalls?

-- Walter Roberson

I would suggest you also allow the SNMP server into the crypto maps. Not sure if you implicitly told us that you would do this...

As long as routing, crypto map etc. are OK, yes this works. If you need logging as well you can use this interface too.

Thanks!

-- Martin Bilgrav
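The pieces Raphael listed (dedicated interface, nat 0, crypto map, management-access, icmp permit, snmp-server host) and Martin's point about putting the SNMP server into the crypto map, assembled into one PIX 6.3 configuration fragment for a remote site. This is an added example, not config from the thread or from Cisco. The ACL, crypto map and transform-set names (mgmt-vpn, mgmt-map, mgmt-ts), the 3DES/SHA proposal, the /24 mask on the management interface, and the angle-bracket placeholders for the central PIX address, pre-shared key and community string are assumptions; the workstation address 195.238.19.19 and the management address 10.144.144.1 are the ones given in the post.

```cisco
! --- Dedicated management interface (free physical port ethernet5) ---
nameif ethernet5 snmp-mgmt security10
! PIX 6.3 ports are shut down by default; enable it so link comes up
interface ethernet5 auto
! /24 mask is an assumption; the post used a host mask
ip address snmp-mgmt 10.144.144.1 255.255.255.0

! --- Interesting traffic: only the management address <-> SNMP workstation ---
! The same ACL defines the tunnel and the NAT exemption, so the two
! can never drift apart. Inside networks are deliberately NOT in it,
! which is what sidesteps the overlapping inside addressing.
access-list mgmt-vpn permit ip host 10.144.144.1 host 195.238.19.19
nat (snmp-mgmt) 0 access-list mgmt-vpn

! --- IKE phase 1 with the central HA PIX (placeholders, not real values) ---
isakmp enable external
isakmp key <PRESHARED-KEY> address <CENTRAL-PIX-IP> netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- IPsec phase 2, bound to the external interface ---
crypto ipsec transform-set mgmt-ts esp-3des esp-sha-hmac
crypto map mgmt-map 10 ipsec-isakmp
crypto map mgmt-map 10 match address mgmt-vpn
crypto map mgmt-map 10 set peer <CENTRAL-PIX-IP>
crypto map mgmt-map 10 set transform-set mgmt-ts
crypto map mgmt-map interface external
! Let decrypted tunnel traffic bypass the external interface ACL
sysopt connection permit-ipsec

! --- Make the PIX answer on its snmp-mgmt address for traffic arriving
! --- through the tunnel on another interface (this is what
! --- management-access is for)
management-access snmp-mgmt

! --- Ping: echo requests only, from the one workstation, on this interface ---
icmp permit host 195.238.19.19 echo snmp-mgmt

! --- SNMP: polling only, from the one workstation, bound to this interface ---
! Without an snmp-server host on the other interfaces, they do not answer SNMP.
snmp-server host snmp-mgmt 195.238.19.19 poll
snmp-server community <READ-ONLY-COMMUNITY>
no snmp-server enable traps
```

The central PIX needs the mirror image: a crypto ACL permitting 195.238.19.19 to 10.144.144.1 and a nat 0 exemption for the same pair. Giving each of the ten sites a distinct address from the 10.144.144.0/24 pool keeps those central ACL entries unique even where the sites' inside networks overlap. On the read-only question, PIX 6.3 SNMP is read-only and speaks v1 and v2c, so nothing in this configuration lets the workstation push changes; the community string is the only secret protecting the polling, which is why the snmp-server host line restricts it to a single source on a single interface.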
[...]

Because an MSS provider is already doing that on external interface. I know, this is weird but that's it.

Raphael


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.