Polling IP addresses through a DMZ

ohareka asked:

Hello, I have an snmpc server which polls all the IP addresses of routers & switches on our Corporate LAN (inside interface) and also our Server DMZ network (dmz 4 interface). I am using a Cisco ASA firewall.

I can get the Corporate LAN to poll - range 10.216.0.0/13 & 10.224.0.0/13
I can't get the server DMZ range to poll - range 192.168.0.0/16

I have the correct ports open for snmpc, i.e. udp 161/162, tcp 165-170
I have the access list correct on the routers & switches

I can login into the routers & switches on the dmz.  I would like to get them polling though.

Info: the server itself sits on the dmz4 in vlan 12

Does it need a Static route back into the Dmz or something?

Any help appreciated, Kevin
ASKER CERTIFIED SOLUTION
nodisco
ohareka (ASKER):

This is the ASA config and the DMZ mgt switch.
SNMP is using SNMP v1 to poll.

Hopefully you can spot something, regards Kevin
hey there

This is your core router config that you have posted - can you also post your ASA config?

FYI - I would remove the 3825 you have posted and repost with the passwords hashed out and get rid of the first 3 octets of your public IP - just to protect in case of someone trying to hack. Edit out the ASA passwords/first 3 octets of public IP also.

cheers
ohareka (ASKER):

Hello, this is the ASA config.
What is a sample IP that you cannot ping?
Sorry - I mean a sample IP that you cannot do SNMP for.
ohareka (ASKER):

192.168.10.3, which is on vlan 1 on the DMZ.
The server I am polling from is 192.168.12.16, which is on vlan 12 on the same switch.
hey there

Looking through the config, I don't think you will have any access from the 192.168.12.0 network to dmz4 as there is no translation - is this the case?
Your dmz4 is a higher (more secure) network than the DMZ management network (50 and 45 security levels)

If so - as a quick test, add the following static which will allow DMZ management into the dmz4 for just your snmp server 192.168.12.16 and try snmp/ping etc to a dmz4 machine from 192.168.12.16.

static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 netmask 255.255.255.255
ohareka (ASKER):

Hello again. I tried the config from above, namely: static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 netmask 255.255.255.255 but no luck yet. I also changed the security for DMZ mgt to 50 and gave dmz4 45 but no luck either. I also tried any source to the server using all interfaces and IP as the service but again no joy.

Is it possibly something to do with routing or vlans etc.? I have posted the configs again and just put in the relevant bits this time. Could it be trunking is missing somewhere on the network?

Attachments: sw-bretldmz01.txt, asa-config-05-Feb-2009.doc
ohareka (ASKER):

I also tried this but it wouldn't accept it:
nat (DMZ4-Management) 0 access-list DMZ4-Management_nat0_outbound

These 2 lines are already in the config and must have been entered by a previous administrator:
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz4) 0 access-list dmz4_nat0_outbound

ohareka (ASKER):

Hello again. Eventually I have had some success, and today I was able to get some of the switches/routers polling on vlan 1 on the DMZ. It seems to be related to trunking and static routes.

old setup
---------
interface GigabitEthernet0/1
 switchport mode trunk


new setup
---------
interface GigabitEthernet0/1
 description To SW-XXXX01
 switchport trunk allowed vlan 1,12,80,192,193
 switchport mode trunk
!
It seems to like the fact I have allowed the individual vlans. Some switches worked OK with just 'switchport mode trunk'.

I think I also now have to put in a static route to get across the WAN:
ip route 192.168.12.0 255.255.255.252 192.168.11.254

I still have some work to do on this but I have got about 5 or 6 switches polling on vlan 1, so I'm heading in the right direction. So trunking and static translation seem to be the way ahead.

Thanks for your efforts, Kevin
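The fix above came from the trunk allowed-VLAN list on the uplinks. As an added example (not from the thread or the posted configs), the following script audits an IOS switch config and reports, for every trunk port, which of the VLANs the SNMP path needs (the server's VLAN 12 and the polled devices' VLAN 1) are pruned from its allowed list. The config excerpt is constructed: it contains the "old" bare trunk, the "new" trunk from the post, and a hypothetical third port that omits VLAN 12.

```python
# Constructed IOS excerpt for this example, not the sw-bretldmz01.txt config from
# the thread. GigabitEthernet0/3 is invented to show a trunk that prunes VLAN 12.
SWITCH_CONFIG = """\
interface GigabitEthernet0/1
 description To SW-XXXX01
 switchport trunk allowed vlan 1,12,80,192,193
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport trunk allowed vlan 1,80,190-193
 switchport mode trunk
!
"""

def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '1,12,190-193' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_trunks(config):
    """Return {interface: allowed VLAN set or None} for every trunk port.
    None means there is no 'allowed vlan' line, i.e. the IOS default of all
    VLANs. The 'allowed vlan add/remove/except' forms are not modelled."""
    trunks, name, allowed, is_trunk = {}, None, None, False
    for line in config.splitlines() + ["!"]:
        text = line.strip()
        if text.startswith("interface ") or text == "!":
            if name and is_trunk:            # flush the previous interface block
                trunks[name] = allowed
            name = text.split()[1] if text.startswith("interface ") else None
            allowed, is_trunk = None, False
        elif text == "switchport mode trunk":
            is_trunk = True
        elif text.startswith("switchport trunk allowed vlan "):
            allowed = expand_vlan_list(text.split()[-1])
    return trunks

def missing_vlans(config, required):
    """Map each trunk port to the required VLANs its allowed list leaves out;
    an empty set means the port carries every VLAN the SNMP path needs."""
    required = set(required)
    return {port: (set() if allowed is None else required - allowed)
            for port, allowed in parse_trunks(config).items()}
```

Calling `missing_vlans(SWITCH_CONFIG, {1, 12})` flags only GigabitEthernet0/3, which is the kind of uplink that silently breaks polling between the server VLAN and the device VLAN.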