Solved

Polling IP addresses through a DMZ

Posted on 2009-03-31
Last Modified: 2012-05-06
Hello, I have an SNMPc server which polls all the IP addresses of routers & switches on our corporate LAN (inside interface) and also our server DMZ network (dmz4 interface). I am using a Cisco ASA firewall.

I can get the corporate LAN to poll: ranges 10.216.0.0/13 & 10.224.0.0/13.
I can't get the server DMZ range to poll: range 192.168.0.0/16.

I have the correct ports open for SNMPc, i.e. UDP 161/162 and TCP 165-170.
I have the access lists correct on the routers & switches.

I can log in to the routers & switches on the DMZ. I would like to get them polling though.

Info: the server itself sits on dmz4 in VLAN 12.

Does it need a static route back into the DMZ or something?

Any help appreciated, Kevin
11 Comments
 
LVL 19

Accepted Solution

by:
nodisco earned 500 total points
ID: 24034786
Hi

Can you post a config on this, as there's quite a bit of detail here.
Is the problem DMZ also located on the same ASA?
If your SNMP server is on the dmz4 interface and you can get SNMP from the inside networks but not the DMZ, then there are a couple of possibilities:
There is no NAT translation (either nat 0 or static translation) available for the dmz4 > DMZ traffic.
The SNMP engine is using ICMP to poll and ICMP is not allowed on the DMZ interface.

If you could post a config of the ASA, this would be easier to work out.

cheers

Author Comment

by:ohareka
ID: 24040212
This is the ASA config and the DMZ mgt switch config.
SNMP is using SNMP v1 to poll.

Hopefully you can spot something, regards Kevin
LVL 19

Expert Comment

by:nodisco
ID: 24044773
hey there

This is your core router config that you have posted - can you also post your ASA config?

FYI - I would remove the 3825 config you have posted and repost with the passwords hashed out and the first 3 octets of your public IP removed - just to protect in case of someone trying to hack. Edit out the ASA passwords/first 3 octets of public IP also.

cheers

Author Comment

by:ohareka
ID: 24050548
Hello, this is the ASA config.
LVL 19

Expert Comment

by:nodisco
ID: 24053971
What is a sample ip that you cannot ping?
LVL 19

Expert Comment

by:nodisco
ID: 24053980
Sorry - I mean a sample IP that you cannot do SNMP for.

Author Comment

by:ohareka
ID: 24054454
192.168.10.3, which is on VLAN 1 on the DMZ.
The server I am polling from is 192.168.12.16, which is on VLAN 12 on the same switch.
LVL 19

Expert Comment

by:nodisco
ID: 24056033
hey there

Looking through the config, I don't think you will have any access from the 192.168.12.0 network to dmz4 as there is no translation - is this the case?
Your dmz4 is a higher (more secure) network than the DMZ management network (50 and 45 security levels).

If so - as a quick test, add the following static, which will allow DMZ management into dmz4 for just your SNMP server 192.168.12.16, and try SNMP/ping etc. to a dmz4 machine from 192.168.12.16.

static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 netmask 255.255.255.255
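To make the expert's first possibility (no nat 0 or static translation between the two DMZ interfaces) and the static suggested above concrete, here is an added Python check, not from this thread, that parses the relevant ASA 8.2-style lines (nameif, security-level, static) from a constructed config and reports whether a host on the lower-security interface has a static covering it toward the higher one. It models only statics, not nat 0 exemptions or access lists, so a True result is necessary rather than sufficient for polling to work.

```python
import ipaddress
import re

# Constructed ASA 8.2-style fragment for illustration only (not the poster's config).
# It mirrors the thread: dmz4 at security-level 50, DMZ4-Management at 45, and the
# static the expert suggested for the SNMP server 192.168.12.16.
ASA_CONFIG = """\
interface Vlan4
 nameif dmz4
 security-level 50
interface Vlan12
 nameif DMZ4-Management
 security-level 45
static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 netmask 255.255.255.255
"""

def parse_asa(text):
    """Return ({nameif: security_level}, [(real_ifc, mapped_ifc, real_network)])."""
    levels, statics, nameif = {}, [], None
    for line in text.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            nameif = m.group(1)
        elif (m := re.match(r"\s*security-level (\d+)", line)) and nameif:
            levels[nameif] = int(m.group(1))
        # syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
        elif m := re.match(r"static \((\S+),(\S+)\) \S+ (\S+) netmask (\S+)", line):
            real_ifc, mapped_ifc, real_ip, mask = m.groups()
            statics.append((real_ifc, mapped_ifc,
                            ipaddress.ip_network(f"{real_ip}/{mask}", strict=False)))
    return levels, statics

def has_translation(src_ifc, src_ip, dst_ifc, levels, statics):
    """Simplified model of the expert's first possibility: a flow initiated toward a
    higher security-level interface needs a static whose interface pair matches and
    whose real network covers the source host. Flows toward a lower level pass."""
    if levels[src_ifc] >= levels[dst_ifc]:
        return True
    ip = ipaddress.ip_address(src_ip)
    return any({real, mapped} == {src_ifc, dst_ifc} and ip in net
               for real, mapped, net in statics)

if __name__ == "__main__":
    lv, st = parse_asa(ASA_CONFIG)
    for host in ("192.168.12.16", "192.168.12.17"):
        print(host, "-> dmz4:", has_translation("DMZ4-Management", host, "dmz4", lv, st))
```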

Author Comment

by:ohareka
ID: 24081375
Hello again. I tried the config from above, namely: static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 netmask 255.255.255.255, but no luck yet. I also changed the security level for DMZ mgt to 50 and gave dmz4 45, but no luck either. I also tried any source to the server using all interfaces and IP as the service, but again no joy.

Is it possibly something to do with routing or VLANs etc.? I have posted the configs again and just put in the relevant bits this time. Could it be trunking is missing somewhere on the network?
sw-bretldmz01.txt
asa-config-05-Feb-2009.doc

Author Comment

by:ohareka
ID: 24081518
I also tried this but it wouldn't accept it:
nat (DMZ4-Management) 0 access-list DMZ4-Management_nat0_outbound

These 2 lines are already in the config and must have been entered by a previous administrator.
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz4) 0 access-list dmz4_nat0_outbound

Author Closing Comment

by:ohareka
ID: 31568279
Hello again. Eventually I have had some success and today I was able to get some of the switches/routers polling on VLAN 1 on the DMZ. It seems to be related to trunking and static routes.

old setup
---------
interface GigabitEthernet0/1
 switchport mode trunk


new setup
---------
interface GigabitEthernet0/1
 description To SW-XXXX01
 switchport trunk allowed vlan 1,12,80,192,193
 switchport mode trunk
!
It seems to like the fact I have allowed the individual VLANs. Some switches worked OK with just 'switchport mode trunk'.

I think I also now have to put in a static route to get across the WAN:
ip route 192.168.12.0 255.255.255.252 192.168.11.254

I still have some work to do on this but I have got about 5 or 6 switches polling on VLAN 1, so I'm heading in the right direction. So trunking and static translation seem to be the way ahead.

Thanks for your efforts, Kevin

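The closing fix narrows trunks to an explicit VLAN list, so a trunk that omits the management VLAN (12) or VLAN 1 silently drops the polling traffic. The added Python below, not from this thread, parses IOS interface blocks like the ones above from a constructed config (the Gi0/x names are assumed) and reports trunks missing a required VLAN, handling the no-list default, ranges and the add/remove forms.

```python
import re

# Constructed IOS fragment modelled on the poster's before/after (not their config): Gi0/1 is the
# "new setup", Gi0/2 the "old setup" (no list, so all VLANs allowed), Gi0/3 a ranged trunk with VLAN 12 added.
SWITCH_CONFIG = """\
interface GigabitEthernet0/1
 switchport trunk allowed vlan 1,12,80,192,193
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport trunk allowed vlan 80-90
 switchport trunk allowed vlan add 12
 switchport mode trunk
!
"""
ALL_VLANS = frozenset(range(1, 4095))  # IOS default when no allowed list is configured
def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,12,80-90' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_allowed_vlans(text):
    """Map each 'switchport mode trunk' interface to the VLAN set it carries."""
    result = {}
    for block in re.split(r"^(?=interface )", text, flags=re.M):
        if not block.startswith("interface "):
            continue
        lines = block.splitlines()
        name, allowed, is_trunk = lines[0].split()[1], None, False
        for s in (ln.strip() for ln in lines[1:]):
            if s == "switchport mode trunk":
                is_trunk = True
            elif m := re.match(r"switchport trunk allowed vlan (add |remove )?(\S+)$", s):
                op, new = m.group(1), parse_vlan_list(m.group(2))
                base = ALL_VLANS if allowed is None else allowed
                # plain form replaces the list; add/remove modify the current (or default) set
                allowed = new if op is None else base | new if op == "add " else base - new
        if is_trunk:
            result[name] = ALL_VLANS if allowed is None else allowed
    return result

def missing_vlans(text, required):
    """Trunks that do not carry every VLAN in the set `required`, with the VLANs they lack."""
    return {ifc: sorted(required - vl) for ifc, vl in trunk_allowed_vlans(text).items() if not required <= vl}
```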