Cisco Firewall :: Making SNMP To Work On ASA5505?

Sep 1, 2011

I have a customer with an ASA5505 where it will not reply to SNMP polls from any source, i have followed the configuration guide [URL].at and tested another ASA in our internal network and i have that working fine on our LAN, here is the snmp and logging sections of the show-run on the ASA, it there anything obvious im missing to make the SNMP work on this device?
snmp-server host outside 203.XX.75.122 community XXXX
snmp-server host outside 203.XX.84.196 community XXXX
snmp-server host outside 203.XX.86.82 community XXXX
snmp-server host outside 82.XX.244.3 community XXX

[Code] .....

View 3 Replies


Cisco Firewall :: ASA5505 SNMP Polling Fails?

May 31, 2012

I am having issues with monitoring our Cisco ASA5505 devices with "SolarWinds Orion NPM 10.2" through the use of SNMPv2. On some devices we see that SNMP polling stops and that the ASA's interfaces would show up as unknown - usually when the link to the device goes down/up or after a random ammount of time. At that point SNMP polling data is no longer updated and all we can rely on is ICMP for device status. I can resolve the issue by restarting the remote ASA OR restarting the SolarWinds server after which polling resumes. We are only seeing this behaviour with our remote ASA's.
Our setup is as follows:
Head End: Cisco ASA 5520 [ASA 8.3(2)]
Remote: Cisco ASA 5505 [ASA 8.3(2)] 
I have found a SolarWinds article listed below that possibly identifies the issue that we are having but am not sure where to start.

View 8 Replies View Related

Cisco Firewall :: Get DHCP Information From ASA5505 Using SNMP?

Feb 13, 2013

I have a ASA5505 with version 8.4(3) that it's working as a DHCP server and I would like to get information about IPs availables (or assignated) on theirs pools via SNMP but I can't find the MIB or OID that I need.
What MIB that I need?

View 1 Replies View Related

Cisco Firewall :: ASA5540 In Multiple-context SNMP / Icmp Doesn't Work

Jun 10, 2013

what´s going on with an asa540 configure in multiple-context mode.   I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from to IP_SRV_CACTI on interface inside
JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from to IP_SRV_CACTI on interface inside
If I try to ping returns the same error:
 JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp  reverse path check from to IP_SRV_CACTI on interface inside
Following attached the conf of my asa   My question is Why I can´t ping or even use snmp ?

View 5 Replies View Related

Cisco Firewall :: Outside To Inside Not Work ASA5505

May 8, 2013

I am very new to Cisco ASA and I am trying many days to implement the design below but still cannot get it done. The situation I am facing is

- a host (e.g. under Inside interface can contact to outside without any problem.
- however a host outside (e.g. in VLAN1 or outside this network) cannot contact host under Inside interface. I am using PING test and always get Request Time Out. [code]

View 12 Replies View Related

Cisco Firewall :: 8.2 (ASA5510) / 8.4(2) (ASA5505) - Why Doesn't Route Map / Set IP Next-hop Work

Jan 2, 2012

I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny any any neq www
access-list 101 deny tcp host any
access-list 101 permit tcp any any
route-map proxy-redirect permit 101
     match ip address 101
     set ip next-hop
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?

View 2 Replies View Related

Cisco AAA/Identity/Nac :: Making ACS 5.3 Work Correctly With NCS

Jun 18, 2012

I am trying to get the ACS 5.3 to work with NCS but cannot make it work correctly. url...But this does not show how the ACS referencing AD groups would work when determining which custom attributes to use.
On the ACS 5.3 i have set up the following .The ad is working and in Users and identity stores/External identity stores/Active Directory then my AD test works fine.I have set up the  Users and Identity stores/Identity Groups with appropriate ip s.I have configured the Network Device Groups/Network Devices and AAA Clients with the ip address and Authenication optionsA.In Policy Elements/Authorisation and Permissions/device administration/shell profiles.I have creeated a shell  profile called network shell pro which das a common tasks of def priv = 0 and max priv = 15

Now i can get into the NCS but i do not see any of the administration buttons on NCS - so this means the custom attributes are not working.i shouldnt need a user for this on the ACS as its using AD.

View 2 Replies View Related

Making Voip Softphone To Work On Vpn?

Mar 14, 2011

How do i make sure that my voip softphone is going through the vpn i have and the other party ( voip prvider is seeing the vpn ip insted of my real ip

View 2 Replies View Related

Cisco Firewall :: ASA5505 And Asterisk Remote Softphone Doesn't Work

Jan 5, 2012

I have a problem with mi telephony server. My network topology is very simple. I have an ASA5505 connected to Internet throught an ISP. Behind ASA5505 I have a ToIP Server that operate well inside LAN network. However, when I try to register two or more extensions (Softphones) from Internet, Softphones some times it registers sucessfully, but some times doesn´t work.
The other hand, when softphones outside from LAN get register sucessfully in Asterisk server, is not possible that one of this calling the other one, and Asterisk server detects them as "UNREACHABLE". I don´t know if the problem are all commands of traffic inspect or if the problem is referenced to a particular UC proxy License.
These are configuration lines:
object-group service elastix-ports
service-object udp eq sip
service-object udp gt 10000


View 1 Replies View Related

Cisco VPN :: ASA5505 Remote SNMP Monitoring Over VPN

Apr 3, 2012

We currently have a few 5505s installed at client sites which are connected via s2s ipsec VPN to our datacenter's 5510.  We are using Nagios to monitor the local data center and remote client infrastructure (over the VPNs) which has been working well.
We would like to also monitor the remote 5505s using SNMP over the s2s tunnels but it doesn't seem to be working, the connection is timing out.  We've configured the remote 5505s with the same snmp statement we used on the 5510 (snmp-server host inside <remote datacenter IP> poll community ***** version 2c) yet the Nagios SNMP check cannot connect to the remote 5505s.  We've also tried the command using 'outside' without any luck, not sure how to get SNMP to route over the VPN. 

View 15 Replies View Related

Cisco Firewall :: Making Webserver On 8080 Available To The Outside On 80?

May 14, 2012

We're running three networks (inside, outside and dmz). Inside is, dmz is, outside is a static ip allocated by our ISP. We'd like to configure the following:All traffic from the outside to [static provider ip] on port 80 should go to port 8080.

View 14 Replies View Related

Cisco VPN :: WRVS4400N To Change ISP And Making Changes In Firewall

May 12, 2011

We have a customer that recently changed IT Vedors and came to us. We needed to change the ISP and need to make changes in their Firewall. I went out on site and wasn't able to get into the Routers and I contacted the previos company but they wouldn't release that information. So we had to reset the devices and set everything back up. Everything works great except before they had an IPSEC VPN Tunnel between the 2 buildings. Both Buildings have WRVS4400N Routers and I have setup a VPN IPSEC Tunnel on both sides. I have named them the same and the summary says that both are up. But when I try to go from one side to the other I am unable to Ping or resolve anything. I called Cisco but they said they are out of warranty. Cisco directed me here.

View 1 Replies View Related

Cisco Firewall :: ASA 5505 Making A Device Inaccessible Via Vpn

Apr 21, 2013

Within a workgroup environment we  have four large drives, statically assigned and all accessbile via VPN.  Our FW is a Cisco ASA-5505. Where within the ASA-5505 GUI can one of these drives be made inaccessible via VPN ?

View 0 Replies View Related

Cisco Switches :: SG300 Port Counters Via SNMP / Do They Work

May 24, 2013

I've got an SG300-10 connected back to back (trunked) with a Cisco 3560X switch, across a fibre link and am seeing some big inconsistencies in terms of unicast data transferred across the ports between them.
During a night time window of 4am - 6am I run backups which involves a large copy of files, that almost saturates a GigE link - we can see from the 3560X end that the link is running at a bit over 800MBit/sec of throughput, sustained.  The duration of this transfer is consistent with the size of the files being transferred (ie just over an hour, and is what I'd expect for a data transfer of about that amount).  Back-of-the-envelope calculations indicate that the 3560X is measuring this data throughput correctly.
However on the SG300 end of the link, which is also being polled by the same application (Cacti), I'm observing spikey counts of only around 20MBit/sec during that window.  These counters are very obviously incorrect - there's a huge amount more data moving across the port than that.  The incorrect calculations are showing on both the trunk port out of the SG300 (uplink) as well as the interface where the NAS is connected in (which is an access port).
Cacti is polling the OID:  .  which translates to IF-MIB::ifOutOctets.57 = Counter32.I'm running version but this problem is not new to this release - previous releases and 1.2 based releases also had this problem.
It looks like multicast traffic may be being counted correctly (that's only a suspicion though), however what I am certain of is that there is a very large discrepancy with the unicast traffic counts.Is this OID the correct one to be using for this switch? 

View 2 Replies View Related

Making Linux Router / Firewall / Proxy From Dell Poweredge 1950?

Apr 7, 2012

Ok, so what I want to do is make a router/firewall/proxy (maybe add webserver/FTP as well). Just to start off I want to say that I have moderate knowledge of Linux, enough to administer it from the CL. I have setup routers before but it was years ago and I've forgotten some of the details involved. What I do is a base LAMP install, with DNS, Samba, DHCP server, OpenSSH and then Webmin for easier administration. I've also installed EHCP (easy hosting control panel) in the past but have not at this point.

So, what I want to know is how do I setup the NIC's in the etc/network/interfaces file. Let's say that eth0 connects to the modem and eth1 & 2 are internal adapters. Currently my network is running a Linksys WRT54GL with DD-WRT and the router is set to DHCP for the WAN connection and DHCP is running on the internal network as well. The modem is at and is giving the router an address of my internal network is ( I would like to setup my internal router address to so I guess I need to set it to static in my interfaces config and then set my eth0 to dhcp. Does this sound correct?

So if I do the above my only question is how do I setup the routing tables after that? I always get messed up when I need to make the switch from my Linksys router to my Linux box. I'm not worried about firewall rules at first I can change those once I have the router up and running. I just don't know if I need to make some kind of bridge to bridge the eth0 and eth1 (external NIC and internal NIC).

View 3 Replies View Related

Cisco Switching/Routing :: Nexus 5548 Snmp-write Of Vlan Doesn't Work

Feb 22, 2012

I am trying to configerate static switchports on our nexus 5548 (nx-os 5.1(3)N1(1)) over snmp.The support-list url... states that the CISCO- VLAN- MEMBERSHIP- MIB is supported.I can read the information, but if i try to set vmVlan or vmVlanType i get the message: "SET failed. ("ip-address"). Information: Not Writable."I can use set_request in general (e.g. CISCO-CONFIG-COPY-MIB). how to set the vlan and vlan-type over snmp?

View 3 Replies View Related

Cisco VPN :: Remote Access Vpn Wizard Does Not Work Asa5505

Apr 3, 2013

I have a brand new ASA 5505 running version 8.2(5). Got connected with the ASDM and ran the setup wizard and the remote access VPN wizard. I am not able to ping the outside interface from the internet, and my VPN client gets no response when trying to connect.

View 5 Replies View Related

Cisco VPN :: ASA5505 Phase 1 And 2 Are Completed But Windows Client Doesn't Work

Dec 12, 2010

i tried to configured L2TP connection on ASA5505.Phase 1 and Phase 2 are completed but Windows Client doesn't work. [code]

View 4 Replies View Related

Cisco Firewall :: Monitoring ASA 5505 Firewall Active / Standby Pair Using SNMP?

Sep 7, 2011

How I can actively monitor the interfaces and overall status of 2 x ASA 5500s in an Active/Standby configuration?
I can setup monitoring of the interfaces on the Active member but I'm not sure how to manage the Standby member?

View 1 Replies View Related

Cisco Firewall :: SNMP V3 Support IOS On Pix Firewall 515E?

Jun 13, 2012

I have an Pix 515E firewall with Pix724-33.bin IOS. I just want to know that does this IOS support SNMPV3 or I will have to upgarde it with some other version.

View 1 Replies View Related

Cisco Firewall :: Users Behind ASA5505 Firewall Are Unable To Access Internet

Feb 24, 2011

I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.

When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.

The ASA5505 configuration is shown below.

hostname Firewall

interface Ethernet0/0
description Connected To Internet Router
switchport access vlan 10


View 2 Replies View Related

Cisco Firewall :: ASA5505 Lose Configuration If Upgrade Firewall

May 17, 2011

i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.

View 2 Replies View Related

Cisco Firewall :: ASA5505 Can't Ping New Firewall On Inside Interface

Jul 14, 2011

I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.

View 32 Replies View Related

Cisco Firewall :: Unable To Ping Internet IPs From ASA5505 Firewall

Jan 9, 2013

Internet ISP -> Juniper SRX 210 Ge-0/0/0
Juniper fe0/0/2  -> Cisco ASA 5505
Cisco ASA 5505 - >Inernal LAN switch.
1.  Internet  is connected to Juniper Ge0/0/0  via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to  Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.

From Juniper SRX, am able to ping public Internet IPs (

1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30)
2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA.
2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop.
3.  Allowed all services in untrust zone in bound traffic in Juniper SRX.
4. Viewed the logs when I was trying the ping in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **

View 2 Replies View Related

Cisco Firewall :: SNMP Server On PIX IOS 7.2 Over VPN

Sep 4, 2011

I have a simple query for the issues I m facing currently.I have @ remote site  remote site PIX firewall which is configurd to get the Snmp poll on the server locate outside via site to site VPN.There is another snmp server located also in inside which I’m not managing it .
below are the command for the snmp configured on PIX.
 snmp-server host inside x.x.x.x community XXXXX ---This is not managed by us
snmp-server host inside x.x.x.x community XXXXX 
snmp-server host outside y.y.y.y (private IP tunneled though VPN)  poll community YYYYY ---Managed by us
snmp-server host outside y.y.y.y  poll community YYYYY


there are 2 snmp community & server defined in snmp-server host command for 2 different IP address belongs to snmp server  and we can only define one global snmp-server community for any one of them .Question is how the snmp community take a precedence currently I am able to ping from my snmp server from outside to the PIX firewall outside interface over L2L VPN but somehow the snmp server is not listening when i do port query on 161 por!.

View 3 Replies View Related

Cisco Firewall :: Max SNMP Hosts On ASA 8.2?

Nov 13, 2012

Seems like something simple, but can't find on What are the max SNMP hosts allowed on an ASA 8.2 code? That would be Polls and Traps?                  

View 1 Replies View Related

Cisco Firewall :: Does 8.4(2) Support Snmp V3

Oct 13, 2011

Does 8.4(2) support snmp v3?

View 1 Replies View Related

Cisco Firewall :: ASA5505 Firewall Rule Not Blocking

Apr 1, 2013

I'm trying to troubleshoot an ASA5505.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic.  I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did.  That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below.  However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver 
Cisco Adaptive Security Appliance Software Version 9.0(2)
Device Manager Version 7.1(2) 
Compiled on Thu 21-Feb-13 13:10 by builders
System image file is "disk0:/asa902-k8.bin"


View 4 Replies View Related

Cisco Firewall :: Multiple SNMP Strings On Pix-501?

Aug 16, 2012

Does the pix-501 support multiple SNMP communities?  Im trying to add a second one, but the original community string gets removed when I add the new one.  If we can have multiple SNMP hosts, then I woud imagine you could have multiple strings. I thought it was like most switches and routers, which can have the following:
snmp-server community STRING1
snmp-server community STRING2
The Pix-501 is currently running on version 6.3(5).

View 2 Replies View Related

Cisco Firewall :: Get Information From ASA5520 Using SNMP V2c

Jun 14, 2011

i would like to get information from my ASA5520 using SNMP V2c such as :
-xtable entries
-ARP cache table
does it's possible or not ..

View 2 Replies View Related

Cisco Firewall :: ASA 5520 - SNMP Outside Interface

Mar 16, 2013

i have a Problem with SNMP on the ASA Outside Interface. I want to monitor the Interface via SNMP (linkup, link down). I have a Active/Passive Cluster running on 8.4.2 and configured SNMP (v1) for Test on the Outside Interface. It's not that hard but when i try to test my Configuration with (peerless) SNMP Tester the Interface doesn't respond. Did i forget to configure something? Searched the forum but didn't find anything useful.

View 4 Replies View Related

Cisco Firewall :: ASA 5505 / SNMP Monitoring Over VPN Tunnel?

Mar 27, 2008

I am trying to monitor my ASA 5505. This asa is connect via a ip-sec tunnel to our network. I have no problems with snmp monitoring devices behind the ASA, but when trying to monitor the asa itself I do not get a SNMP response.

View 2 Replies View Related

Cisco Firewall :: Cannot Specify RO On Snmp-server Command With Older Pix 501 6.3

Oct 23, 2012

i am wanting to open up snmp on a pix 501 6.3 version.  I am planning on doing it with the following configuration: [code]

I noticed you cannot specify RO on the snmp-server command with the older pix.  I don't want this configuration to open up any write access to the pix.  Is there a way to specify only read only for snmp

View 1 Replies View Related

Copyrights 2005-15, All rights reserved