Good day,
My quick scenario is, one central location with an HA PIX 515. Crossing the wide World, 10 other sites. Some of those sites have overlapping inside network addressing.
I am asked to set up a VPN from the central location to get SNMP info and ping. I can't use the external IP of the remote firewalls to achieve that.
So, looking around, I've found some sort of a procedure that does make sense. I need to know your point of view on that.
Given the IP address of the SNMP workstation, let's say 195.238.19.19. All the IPs here are fake :)
Ok, here is how I think we should be trying to do it,
Get a free physical interface which is not in use on a remote firewall, like
pix(config)# sh conf | grep nameif
nameif ethernet0 external security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
nameif ethernet3 intf3 security15
nameif ethernet4 intf4 security20
nameif ethernet5 intf5 security25
For example, I could take eth5, like
pix(config)#nameif ethernet5 snmp-mgmt security10
Once done, I need to give that new interface "snmp-mgmt" an IP coming from a given pool, let's say 10.144.144.1, and physically make sure this interface is up.
So,
pix(config)#ip address snmp-mgmt 10.144.144.1 255.255.255.255
Add host "10.144.144.1" to nat 0 and bind it to a crypto map.
management-access snmp-mgmt ; to allow that new interface to be a manageable interface. Cisco features this thing over a VPN only, which is just what we need. I've been on cisco.com for that one but I am not sure it really does what I am looking for. Would you give me more clues on that command?
pix(config)#management-access snmp-mgmt
Enabling SNMP and ping to that interface from the SNMP workstation
For ping, icmp permit 195.238.19.19 snmp-mgmt
But for SNMP, I think
pix(config)#snmp-server host snmp-mgmt 195.238.15.15
Should be enough
Not sure about the read-only stuff, or whether SNMP v1 is better than v2 or even v3 in our case. We do not need the SNMP management workstation to be able to download the complete policy out of SNMP, or to push things either.
Would that work? Thanks!
With my best regards!
Raphael
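As an added example (not part of Raphael's post, and not a vendor-supplied configuration), here is how the pieces he lists could be assembled into one PIX 6.x configuration fragment on a remote site. It keeps his idea: the only address that crosses the tunnel is the per-site unique management host, so the overlapping inside networks never appear in the crypto ACL. Assumed values: the central peer's public address 198.51.100.1, the ACL names nonat and vpn-snmp, the crypto map name vpnmap, the transform-set name strong, and the /24 mask on the management interface (Raphael used a /32 in his post); 195.238.19.19 and 10.144.144.1 are his own example addresses.

```text
! --- management-only interface, one unique address per remote site (assumed /24)
nameif ethernet5 snmp-mgmt security10
ip address snmp-mgmt 10.144.144.1 255.255.255.0

! --- exempt the management host <-> SNMP workstation pair from NAT
access-list nonat permit ip host 10.144.144.1 host 195.238.19.19
nat (snmp-mgmt) 0 access-list nonat

! --- interesting traffic for the tunnel: only the management host, never the inside nets
access-list vpn-snmp permit ip host 10.144.144.1 host 195.238.19.19

! --- IPsec / IKE towards the central PIX (peer address is assumed)
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn-snmp
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set strong
crypto map vpnmap interface external
isakmp enable external
isakmp key <pre-shared-key-placeholder> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
sysopt connection permit-ipsec

! --- let the management interface be reached through the tunnel, and only from the NMS host
management-access snmp-mgmt
icmp permit host 195.238.19.19 snmp-mgmt
snmp-server host snmp-mgmt 195.238.19.19 poll
snmp-server community <read-only-community-placeholder>
```

Two points worth checking on the real box: the icmp permit and snmp-server host lines are scoped to the single NMS address, so nothing else on the far side can poll or ping the interface even if the tunnel ACL were later widened; and PIX 6.x offers only SNMP v1/v2c, with SNMPv3 arriving on the ASA platform in 8.2, so a dedicated read-only community string restricted to that one host is the strongest option available on this code.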