  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 388

CISCO 2600 allow SNMP TRAFFIC from a specific IP address

I'm using an application called PRTG Traffic Grapher to monitor bandwidth traffic on our Cisco routers. This app uses SNMP port 161. I've allowed my PC to connect to the router by adding my IP to the access-list:
"access-list 99 permit 192.168.100.110"
However, I get connection failed.
Do I need to adjust the access-list to allow SNMP traffic?

For routers that do not use an access-list, I don't have a problem.
1 Solution
 
Don Johnston (Instructor) commented:
If all you did was add that statement to the end, that's most likely your problem. ACLs are processed top-down.

Can you post the full access-list?
 
9413systems (Author) commented:

router1#show access-list
Standard IP access list 70
    deny   any
Standard IP access list 99
    permit 192.168.100.109
    permit 192.168.100.110 (4 matches)
    permit 192.168.140.101
    permit 192.168.100.156 (6 matches)
    deny   any log (108 matches)
router1#

Don Johnston (Instructor) commented:
As long as the list is applied inbound at the entry interface, you should have no problems. Seems like a rather restrictive ACL though. Can you get any traffic through the router?
 
9413systems (Author) commented:
Yes, Internet traffic seems OK through this router. The only problem is SNMP traffic, UDP 161.
I'll double-check my Checkpoint Firewall to make sure it's not stopping there.
 
Don Johnston (Instructor) commented:
With this ACL, only four devices will be able to get through. Is this ACL applied to an interface?
 
9413systems (Author) commented:
This is the entire ACL. The 5x IP address is our Checkpoint Firewall:

Standard IP access list 70
    deny   any
Standard IP access list 99
    permit 192.168.100.109
    permit 192.168.100.110 (6 matches)
    permit 192.168.140.101
    permit 192.168.100.156 (6 matches)
    permit 5x.7x.2xx.5x (16 matches)
    deny   any log (108 matches)
 
 
Don Johnston (Instructor) commented:
Then if all traffic goes through the firewall, that's where your problem is.
 
9413systems (Author) commented:
OK, I verified this traffic was NOT hitting the firewall.

This Cisco 2600 router has 2 interfaces we are using:
One is a public IP address and the other is a local 192.168.130.2 address. I am trying to hit the local IP address so it does not hit the firewall.
I ran several tests to make sure connections from my PC to the router were not hitting the firewall. They are not hitting the firewall. I tested this by telnetting and FTPing to the Cisco device via the local IP (192.168.130.2), while setting FULL logging on the firewall.

Does the ACL apply to all interfaces?
How can I verify which ACL applies to a particular interface?
Are there security logs on the firewall I can check?
 
Don Johnston (Instructor) commented:
Please post the config of the router.
 
9413systems (Author) commented:
Attached is the CONFIG. I'm trying to send SNMP to the 192.168.130.2 address. My address is 192.168.100.110.

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router1
!
enable secret 5 $1$5g5k$P4YXAeC7RM5i8q02ozoZw0
!
username usero password 7 0509030834414C084F514347
username user1 password 7 104C0C1E101A100A5F55
username user2 password 7 0204015C1E0B0D201A1A5D4C
ip subnet-zero
no ip source-route
!
!
ip name-server 216.70.2x.1x
ip name-server 216.70.2x.1x
!
no ip bootp server
!
!
!
interface FastEthernet0/0
 ip address 5x.7x.2xx.1  255.255.255.192
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 duplex auto
 speed auto
 ntp disable
 no cdp enable
!
interface Serial0/0
 ip unnumbered FastEthernet0/0
 no ip mroute-cache
 no cdp enable
!
interface FastEthernet0/1
 ip address 192.168.130.2 255.255.255.0
 no ip proxy-arp
 no ip mroute-cache
 speed auto
 full-duplex
 ntp disable
 no cdp enable
!
interface Serial0/1
 no ip address
 no ip mroute-cache
 shutdown
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 5x.7x.2xx.4x (dmz)  255.255.255.192 5x.7x.2xx.5x (firewall)
ip route 192.168.100.0 255.255.255.0 192.168.130.1
ip route 192.168.140.0 255.255.255.0 192.168.130.1
no ip http server
!
access-list 70 deny   any
access-list 99 permit 192.168.100.109
access-list 99 permit 192.168.100.110
access-list 99 permit 192.168.140.101
access-list 99 permit 192.168.100.156
access-list 99 permit 5x.7x.2xx.5x
access-list 99 deny   any log
no cdp run
banner motd ^C
                           Internet Router
                    Authorized Personnel Only^C
!
line con 0
 exec-timeout 5 0
 login
line aux 0
 exec-timeout 0 10
 no exec
line vty 0 4
 access-class 99 in
 exec-timeout 5 0
 password 7 03065E0C1302234D185D4D50
 login
 transport input telnet
line vty 5 15
 password 7 03065E0C1302234D185D4D50
 login
!
end
 
Don Johnston (Instructor) commented:
Your ACL is only affecting telnet, not SNMP. So if you're having problems with SNMP access, the problem is elsewhere.
 
9413systems (Author) commented:
So you're saying the router is accepting all SNMP traffic???
 
Don Johnston (Instructor) commented:
No. I'm saying the ACL isn't your problem.

If that was your complete config, then the problem is that you haven't enabled SNMP.

snmp-server community <string> RO
snmp-server community <string> RW

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/ffun_c/fcfprt3/fcf014.htm
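As an added example (not part of the thread, and not the poster's or Don's configuration), here are the lines that would enable SNMP on router1 while reusing the existing standard access-list 99 so only the listed hosts can poll it, followed by the show commands that answer the earlier question of which ACL is bound where. `<ro-string>` is a placeholder community name; the quoted output is what the posted config would produce, not captured from the thread.

```cisco
! Added example: enable read-only SNMP on router1 and bind standard ACL 99 to it.
! Only source addresses permitted by ACL 99 (e.g. 192.168.100.110) can poll;
! any other source falls through to "deny any log" and is dropped and logged.
! <ro-string> is a placeholder; use a unique, non-default community name.
snmp-server community <ro-string> RO 99
! No RW community is defined: bandwidth graphing only needs read access.

! Verification (expected output for the config posted in this thread):
! 1. Which ACL, if any, is bound to the interface the poller talks to?
!    router1#show ip interface FastEthernet0/1 | include access list
!      Outgoing access list is not set
!      Inbound  access list is not set
! 2. Where is ACL 99 actually applied? Only on the vty lines (telnet),
!    not on any interface, which is why it never touched SNMP:
!    router1#show running-config | include access-class|access-group|snmp-server
!     snmp-server community <ro-string> RO 99
!     access-class 99 in
! 3. Confirm the poller is matching its permit line and nobody else is
!    hitting the final deny (the counters increase as UDP/161 arrives):
!    router1#show access-lists 99
```

Without the trailing ACL number on the snmp-server community line, any host that can reach 192.168.130.2 and knows the community string could read the router's MIBs.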
 
9413systems (Author) commented:
OK, I will enable SNMP and test again.

This is odd though, because the other routers that I was able to successfully set up don't have SNMP enabled and I'm still able to get bandwidth traffic.

I will try enabling SNMP and test again.
 
9413systems (Author) commented:
This worked for me. Thanks, donjohnston. I'm still curious how SNMP worked for my other Cisco routers when SNMP was not enabled. Anyhow, this worked for this particular router. Thanks.
