Pix Snmp

Hi, I have a PIX 506 and I am trying to allow snmp-traps to come in from a host on the internet. What access-list or what ports do I need to open to allow this to come in?

Reply to
infosec

If you are trying to allow the traps to pass -through- the PIX to something beyond it, then you need to open UDP 162 and possibly TCP 162 as well.

If you are trying to allow the traps to go -to- the PIX itself, then there is no point in doing that on a PIX 506, as there is no PIX OS for the 506 that is able to process SNMP traps.

But perhaps your network management software is generating trap acknowledgements in response to an SNMP trap that the PIX sent. If that is the case, then the PIX is already configured as far as it can be to deal with SNMP traps.

On the off-chance that you are planning ahead for turning on SNMP trap generation on the PIX, the method of doing that is to use the 'snmp-server host' command with either no option or the 'trap' option (no option allows both trap and poll), and also use snmp-server trap enable .

If it is traps with respect to the PIX itself you are dealing with, then there is no need to change any access-list. access-lists applied via the access-group command are only for traffic passing through the PIX onward to somewhere else.

Reply to
Walter Roberson

Thanks for your awesome reply, Walter. I was trying to allow SNMP traps to my inside network from the internet. I took your advice and created an access-list to allow port udp/162 to my management server. It appears to be working fine now. Again, thanks for your help.

-- infose


Reply to
infosec
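
An added example, not written by anyone in the thread: a short Python check that reads PIX-style `access-list` lines and reports permit rules that open the SNMP trap port (162) from or to `any` instead of a single named host. The ACL name `outside_in`, the documentation-range addresses and the `snmptrap` port keyword are assumptions made for the sample; the sample config is constructed.

```python
# Constructed sample config (hypothetical ACL name, documentation addresses).
SAMPLE_CONFIG = """\
access-list outside_in permit udp any any eq 162
access-list outside_in permit udp host 198.51.100.25 host 203.0.113.10 eq 162
access-list outside_in permit udp any host 203.0.113.10 eq snmptrap
access-list outside_in permit tcp any host 203.0.113.20 eq 25
access-list outside_in deny udp any any eq 162
"""

# Port 162 by number, or by keyword (keyword support is an assumption here).
TRAP_PORTS = {"162", "snmptrap"}


def take_address(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return "host " + tokens[1], tokens[2:]
    return tokens[0] + " " + tokens[1], tokens[2:]


def audit_trap_rules(config):
    """Return (line_no, finding) for permit rules that open port 162 too widely."""
    findings = []
    for line_no, line in enumerate(config.splitlines(), start=1):
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] != "permit":
            continue  # not a permit entry (deny lines open nothing)
        if tokens[3] not in ("udp", "tcp"):
            continue
        try:
            src, rest = take_address(tokens[4:])
            if rest and rest[0] == "eq":  # optional source-port match, skipped
                rest = rest[2:]
            dst, rest = take_address(rest)
        except IndexError:
            continue  # truncated or unrecognised line
        if rest[:1] != ["eq"] or len(rest) < 2 or rest[1] not in TRAP_PORTS:
            continue  # destination port is not the trap port
        if src == "any":
            findings.append((line_no, "source is 'any'"))
        if dst == "any":
            findings.append((line_no, "destination is 'any'"))
    return findings


if __name__ == "__main__":
    for line_no, finding in audit_trap_rules(SAMPLE_CONFIG):
        print(f"line {line_no}: {finding}")
```

Only the second sample line, which names both the sending host and the management server, passes without a finding.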
