Solved

Polling IP addresses through a DMZ

Posted on 2009-03-31
701 Views
Last Modified: 2012-05-06
Hello, I have an SNMPc server which polls all the IP addresses of routers & switches on our Corporate LAN (inside interface) and also our Server DMZ network (dmz4 interface). I am using a Cisco ASA firewall.

I can get the Corporate LAN to poll - ranges 10.216.0.0/13 & 10.224.0.0/13.
I can't get the server DMZ range to poll - range 192.168.0.0/16.

I have the correct ports open for SNMPc, i.e. UDP 161/162 and TCP 165-170.
I have the access list correct on the routers & switches.

I can log in to the routers & switches on the DMZ. I would like to get them polling though.

Info: the server itself sits on dmz4 in VLAN 12.

Does it need a static route back into the DMZ or something?

Any help appreciated, Kevin
Question by: ohareka

11 Comments
Accepted Solution by: nodisco (earned 500 total points)

Hi

Can you post a config on this, as there's quite a bit of detail here.
Is the problem DMZ also located on the same ASA?
If your SNMP server is on the dmz4 interface and you can get SNMP from the inside networks but not the DMZ, then there are a couple of possibilities:
There is no NAT translation (either nat 0 or static translation) available for the dmz4 > DMZ traffic.
The SNMP engine is using ICMP to poll and ICMP is not allowed on the DMZ interface.

If you could post a config of the ASA, this would be easier to work out.

cheers

Author Comment by: ohareka

This is the ASA config and the DMZ management switch.
SNMP is using SNMP v1 to poll.

Hopefully you can spot something, regards Kevin

Expert Comment by: nodisco

hey there

This is your core router config that you have posted - can you also post your ASA config?

FYI - I would remove the 3825 config you have posted and repost with the passwords hashed out and the first 3 octets of your public IP removed - just to protect against someone trying to hack. Edit out the ASA passwords/first 3 octets of the public IP also.

cheers

Author Comment by: ohareka

Hello, this is the ASA config.

Expert Comment by: nodisco

What is a sample IP that you cannot ping?

Expert Comment by: nodisco

Sorry - I mean a sample IP that you cannot do SNMP for.

Author Comment by: ohareka

192.168.10.3, which is on VLAN 1 on the DMZ.
The server I am polling from is 192.168.12.16, which is on VLAN 12 on the same switch.

Expert Comment by: nodisco

hey there

Looking through the config, I don't think you will have any access from the 192.168.12.0 network to dmz4 as there is no translation - is this the case?
Your dmz4 is a higher (more secure) network than the DMZ management network (50 and 45 security levels).

If so - as a quick test, add the following static, which will allow DMZ management into dmz4 for just your SNMP server 192.168.12.16, and try SNMP/ping etc. to a dmz4 machine from 192.168.12.16.

static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 netmask 255.255.255.255
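Added example (not from the thread, not Cisco's code): a small Python check that parses interface security levels and static translations out of a pre-8.3 ASA config and reports, for a host on one interface, whether a static exists toward a peer interface, following the ASA syntax static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask. The config excerpt is constructed; only the interface names, security levels and the static line come from this thread.

```python
import ipaddress
import re

# Constructed ASA (pre-8.3) config excerpt, not the poster's real config;
# interface names and security levels follow the thread (dmz4 = 50, DMZ4-Management = 45).
ASA_CONFIG = """\
interface Ethernet0/1
 nameif dmz4
 security-level 50
interface Ethernet0/2
 nameif DMZ4-Management
 security-level 45
static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 netmask 255.255.255.255
"""

# static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(r"^static \(([^,]+),([^)]+)\) (\S+) (\S+) netmask (\S+)", re.M)


def security_levels(config):
    """Map each nameif to its security-level."""
    levels, name = {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("nameif "):
            name = line.split()[1]
        elif line.startswith("security-level ") and name:
            levels[name] = int(line.split()[1])
    return levels


def statics(config):
    """Yield (real_ifc, mapped_ifc, real_net) for every static translation."""
    for real_ifc, mapped_ifc, _mapped, real, mask in STATIC_RE.findall(config):
        yield real_ifc, mapped_ifc, ipaddress.ip_network(f"{real}/{mask}", strict=False)


def check_host(config, host_ip, host_ifc, peer_ifc):
    """Is host_ip (living on host_ifc) statically translated toward peer_ifc,
    and which interface must carry an access-list for the flow to be allowed?"""
    levels = security_levels(config)
    host = ipaddress.ip_address(host_ip)
    covered = any(r_ifc == host_ifc and m_ifc == peer_ifc and host in net
                  for r_ifc, m_ifc, net in statics(config))
    # A static is bidirectional, but traffic arriving on the lower-security
    # interface still needs an access-group ACL permitting it inbound.
    lower = min(host_ifc, peer_ifc, key=levels.__getitem__)
    return {"static_present": covered, "acl_needed_on": lower}
```

With the static written as in the thread, the check finds no translation for 192.168.12.16 on dmz4; swapping the two interface names so the real interface is dmz4 (where the server sits) makes it report one, and the lower-security DMZ4-Management side is where the permitting access-list has to be.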

Author Comment by: ohareka

Hello again. I tried the config from above, namely: static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 netmask 255.255.255.255, but no luck yet. I also changed the security level for DMZ mgmt to 50 and gave dmz4 45, but no luck either. I also tried any source to the server using all interfaces and IP as the service, but again no joy.

Is it possibly something to do with routing or VLANs etc.? I have posted the configs again and just put in the relevant bits this time. Could it be that trunking is missing somewhere on the network?
sw-bretldmz01.txt
asa-config-05-Feb-2009.doc

Author Comment by: ohareka

I also tried this, but it wouldn't accept it:
nat (DMZ4-Management) 0 access-list DMZ4-Management_nat0_outbound

These 2 lines are already in the config and must have been entered by a previous administrator.
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz4) 0 access-list dmz4_nat0_outbound

Author Closing Comment by: ohareka

Hello again. Eventually I have had some success, and today I was able to get some of the switches/routers polling on VLAN 1 on the DMZ. It seems to be related to trunking and static routes.

old setup
---------
interface GigabitEthernet0/1
 switchport mode trunk


new setup
---------
interface GigabitEthernet0/1
 description To SW-XXXX01
 switchport trunk allowed vlan 1,12,80,192,193
 switchport mode trunk
!
It seems to like the fact that I have allowed the individual VLANs. Some switches worked OK with just 'switchport mode trunk'.

I think I also now have to put in a static route to get across the WAN:
ip route 192.168.12.0 255.255.255.252 192.168.11.254

I still have some work to do on this, but I have got about 5 or 6 switches polling on VLAN 1, so I'm heading in the right direction. So trunking and static translation seem to be the way ahead.

Thanks for your efforts, Kevin
