[c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))

Bagosi Rómeó Romeo.Bagosi at integris.hu
Wed Nov 28 11:41:02 EST 2007


The configuration was:
snmp-server host outside ...
And now I configured the:
snmp-server host dmz ...

And now it works!!!!

(The management server is outside from the pix.)
Who'd have thought it?! The PIX thinks that the management server is in the dmz zone, because of the vpn. Interesting:)

Thank You Fred!
Best Regards

-----Original Message-----
From: Fred Reimer [mailto:freimer at ctiusa.com] 
Sent: Wednesday, November 28, 2007 4:20 PM
To: Bagosi Rómeó; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))

I have not configured this myself, but...  

What does your syslog configuration look like?

Would

snmp-server host dmz

instead of

snmp-server host outside

help?

What do your logs show?

And lastly, have you opened a case with Cisco?

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697




> -----Original Message-----
> From: Bagosi Rómeó [mailto:Romeo.Bagosi at integris.hu]
> Sent: Wednesday, November 28, 2007 3:21 AM
> To: Fred Reimer; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN
> (PIX 7.2(2))
> 
> The management-access is already configured (I can use the
> syslog for example)
> But this vpn-filter thing is not clear to me. I've searched
> about it, but didn't find anything to allow snmp traffic (I
> can "filter" it, with this command).
> 
> -----Original Message-----
> From: Fred Reimer [mailto:freimer at ctiusa.com]
> Sent: Tuesday, November 27, 2007 7:34 PM
> To: Bagosi Rómeó; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN
> (PIX 7.2(2))
> 
> group-policy attributes
>   vpn-filter
> 
> and/or
> 
> management-access
> 
> Look them up.
> 
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
> 
> 
> 
> 
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bagosi Rómeó
> > Sent: Tuesday, November 27, 2007 10:38 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] FW: SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))
> >
> >
> >
> >
> >
> > ________________________________
> >
> > From: Bagosi Rómeó
> > Sent: Tuesday, November 27, 2007 4:37 PM
> > To: 'gagandeep singh'
> > Subject: RE: [c-nsp] SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))
> >
> >
> >
> > Thank you, I've found this link, but the problem is that we
> > don't want to snmp query the outside interface (it's not
> > permitted to communicate through VPN).
> >
> >
> >
> > ________________________________
> >
> > From: gagandeep singh [mailto:gpanjeta2003 at yahoo.co.in]
> > Sent: Tuesday, November 27, 2007 8:53 AM
> > To: Bagosi Rómeó
> > Subject: Re: [c-nsp] SNMP from OUTSIDE to DMZ over VPN (PIX 7.2(2))
> >
> >
> >
> > Try this link.
> >
> >
> >
> >
> > http://www.cisco.com/en/US/products/sw/netmgtsw/ps2032/products_configuration_example09186a0080094497.shtml
> >
> > Bagosi Rómeó <Romeo.Bagosi at integris.hu> wrote:
> >
> > 	Hello Experts!
> >
> > 	I have the following problem.
> > 	I want to monitor my PIX with SNMP over VPN.
> >
> > 	The network looks like this:
> > 	inside --- ASA ---------- PIX --- dmz
> >
> > 	I have a monitoring server on the ASA inside interface
> > 	(ex. 10.200.0.205). The PIX dmz interface: 10.250.130.1
> > 	The traffic from ASA inside network to PIX dmz network
> > 	travels through VPN.
> >
> > 	I want to query PIX's dmz interface with SNMP from the
> > 	monitoring server, I can't.
> > 	I've configured the snmp things (snmp-server host
> > 	outside 10.200.0.205 poll community ****** version 2c) and
> > 	the "management-access dmz" command, but still doesn't
> > 	work, and I found nothing with G**gle, about this.
> >
> > 	Anybody has already the same scenario?
> >
> > 	Thank you,
> > 	RB
> > 	_______________________________________________
> > 	cisco-nsp mailing list cisco-nsp at puck.nether.net
> > 	https://puck.nether.net/mailman/listinfo/cisco-nsp
> > 	archive at http://puck.nether.net/pipermail/cisco-nsp/