
Polling IP addresses through a DMZ

Hello, I have an SNMPc server which polls all the IP addresses of routers & switches on our Corporate LAN (inside interface) and also our Server DMZ network (dmz4 interface). I am using a Cisco ASA firewall.

I can get the Corporate LAN to poll - range 10.216.0.0/13 & 10.224.0.0/13
I can't get the server DMZ range to poll - range 192.168.0.0/16

I have the correct ports open for SNMPc, i.e. udp 161/162, tcp 165-170
I have the access list correct on the routers & switches

I can log in to the routers & switches on the DMZ. I would like to get them polling though.

Info: the server itself sits on the dmz4 in vlan 12

Does it need a static route back into the DMZ or something?

Any help appreciated, Kevin
nodisco commented:
Hi

Can you post a config on this, as there's quite a bit of detail here.
Is the problem DMZ also located on the same ASA?
If your SNMP server is on the dmz4 interface and you can get SNMP from the inside networks but not the DMZ, then there are a couple of possibilities:
There is no nat translation (either nat 0 or static translation) available for the dmz4 > dmz traffic.
The snmp engine is using icmp to poll and icmp is not allowed on the dmz interface

If you could post a config of the ASA, this would be easier to work out.

cheers
ohareka (Author) commented:
This is the ASA config and the DMZ mgt switch.
SNMP is using SNMP v1 to poll.

Hopefully you can spot something, regards Kevin
nodisco commented:
hey there

This is your core router config that you have posted - can you also post your ASA config?

FYI - I would remove the 3825 you have posted and repost with the passwords hashed out and get rid of the first 3 octets of your public IP - just to protect in case of someone trying to hack. Edit out the ASA passwords/first 3 octets of public IP also.

cheers
ohareka (Author) commented:
Hello, this is the ASA config.
nodisco commented:
What is a sample IP that you cannot ping?
nodisco commented:
Sorry - I mean a sample IP that you cannot do SNMP for.
ohareka (Author) commented:
192.168.10.3, which is on vlan 1 on the DMZ.
The server I am polling from is 192.168.12.16, which is on vlan 12 on the same switch.
nodisco commented:
hey there

Looking through the config, I don't think you will have any access from the 192.168.12.0 network to dmz4, as there is no translation - is this the case?
Your dmz4 is a higher (more secure) network than the DMZ management network (50 and 45 security levels).

If so - as a quick test, add the following static, which will allow DMZ management into dmz4 for just your SNMP server 192.168.12.16, and try snmp/ping etc. to a dmz4 machine from 192.168.12.16.

static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 netmask 255.255.255.255
ohareka (Author) commented:
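A small checker for the point nodisco raises above (added example, not from the thread): it parses pre-8.3 ASA-style lines for security levels, static translations and nat 0 exemptions, and reports which rule, if any, covers a host going from one interface towards another. The config fragment is constructed to mirror the thread (interface names, levels 45/50 and the two existing nat 0 lines), and the check assumes nat-control semantics, where such traffic needs a static, nat/global or nat 0 entry on the real interface.

```python
import re

# Constructed fragment modelled on the thread; not the poster's full config.
SAMPLE_CONFIG = """\
interface Vlan12
 nameif DMZ4-Management
 security-level 45
interface Vlan4
 nameif dmz4
 security-level 50
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz4) 0 access-list dmz4_nat0_outbound
"""

# The static nodisco suggested as a test for the snmp server only.
FIX_LINE = ("static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 "
            "netmask 255.255.255.255\n")


def parse_asa(config):
    """Collect security levels, static translations and nat 0 interfaces."""
    levels, statics, nat0, nameif = {}, [], set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"nameif (\S+)$", line):
            nameif = m.group(1)
        elif (m := re.match(r"security-level (\d+)$", line)) and nameif:
            levels[nameif] = int(m.group(1))
        elif m := re.match(r"static \((\S+),(\S+)\) (\S+) (\S+)", line):
            statics.append(m.groups())          # real_if, mapped_if, real, mapped
        elif m := re.match(r"nat \((\S+)\) 0 access-list", line):
            nat0.add(m.group(1))
    return levels, statics, nat0


def translation_for(config, src_if, dst_if, host):
    """Return the rule that translates or exempts host on src_if towards
    dst_if, or None when no rule applies (assumed nat-control behaviour)."""
    levels, statics, nat0 = parse_asa(config)
    for real_if, mapped_if, real_ip, mapped_ip in statics:
        if (real_if, mapped_if, real_ip) == (src_if, dst_if, host):
            return f"static ({real_if},{mapped_if}) {real_ip} {mapped_ip}"
    if src_if in nat0:
        return f"nat ({src_if}) 0 access-list"
    return None
```

Running `translation_for(SAMPLE_CONFIG, "DMZ4-Management", "dmz4", "192.168.12.16")` returns None on the constructed config and the static rule once FIX_LINE is appended, which is the gap nodisco describes.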
Hello again. I tried the config from above, namely: static (DMZ4-Management,dmz4) 192.168.12.16 192.168.12.16 netmask 255.255.255.255, but no luck yet. I also changed the security for DMZ mgt to 50 and gave dmz4 45, but no luck either. I also tried any source to the server using all interfaces and IP as the service, but again no joy.

Is it possibly something to do with routing or vlans etc.? I have posted the configs again and just put in the relevant bits this time. Could it be trunking is missing somewhere on the network?
sw-bretldmz01.txt
asa-config-05-Feb-2009.doc
ohareka (Author) commented:
I also tried this, but it wouldn't accept it:
nat (DMZ4-Management) 0 access-list DMZ4-Management_nat0_outbound

These 2 lines are already in the config and must have been entered by a previous administrator.
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz4) 0 access-list dmz4_nat0_outbound
ohareka (Author) commented:
Hello again. Eventually I have had some success, and today I was able to get some of the switches/routers polling on vlan 1 on the DMZ. It seems to be related to trunking and static routes.

old setup
---------
interface GigabitEthernet0/1
 switchport mode trunk


new setup
---------
interface GigabitEthernet0/1
 description To SW-XXXX01
 switchport trunk allowed vlan 1,12,80,192,193
 switchport mode trunk
!
It seems to like the fact I have allowed the individual vlans. Some switches worked ok with just 'switchport mode trunk'.

I think I also now have to put in a static route to get across the WAN:
ip route 192.168.12.0 255.255.255.252 192.168.11.254

I still have some work to do on this, but I have got about 5 or 6 switches polling on vlan 1, so I'm heading in the right direction. So trunking and static translation seem to be the way ahead.

Thanks for your efforts, Kevin

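Kevin's fix above turned on checking which VLANs each trunk actually carries. As an added example (not from the thread), this parses IOS interface stanzas like the old/new ones he posted, expands the `switchport trunk allowed vlan` list (comma lists and ranges), treats a trunk with no allowed-list as carrying every VLAN (the IOS default), and reports trunks that drop a VLAN the poller needs. The switch snippets are constructed; it only handles the plain `allowed vlan` form, not the `add`/`remove`/`except` variants.

```python
import re

# Constructed snippets modelled on the thread's old and new trunk stanzas.
OLD_TRUNK = """\
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport trunk allowed vlan 80,192-193
 switchport mode trunk
"""
NEW_TRUNK = """\
interface GigabitEthernet0/1
 description To SW-XXXX01
 switchport trunk allowed vlan 1,12,80,192,193
 switchport mode trunk
"""

ALL_VLANS = frozenset(range(1, 4095))   # IOS default when no list is set


def parse_vlan_list(spec):
    """Expand an IOS vlan list such as '1,12,80,192-193' into a set."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def trunk_allowed_vlans(config):
    """Map each trunk interface to the VLAN set it carries."""
    stanzas, iface = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
            stanzas[iface] = []
        elif iface:
            stanzas[iface].append(line)
    trunks = {}
    for iface, lines in stanzas.items():
        if "switchport mode trunk" not in lines:
            continue                       # access ports do not matter here
        allowed = ALL_VLANS
        for line in lines:
            if m := re.match(r"switchport trunk allowed vlan (\S+)$", line):
                allowed = frozenset(parse_vlan_list(m.group(1)))
        trunks[iface] = allowed
    return trunks


def missing_vlans(config, required):
    """Return {trunk: missing VLANs} for trunks that drop a required VLAN,
    e.g. VLAN 12 (the SNMP server) and VLAN 1 (the polled switches)."""
    need = set(required)
    return {iface: sorted(need - allowed)
            for iface, allowed in trunk_allowed_vlans(config).items()
            if not need <= allowed}
```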