I have a customer with an ASA5505 where it will not reply to SNMP polls from any source, i have followed the configuration guide [URL].at and tested another ASA in our internal network and i have that working fine on our LAN, here is the snmp and logging sections of the show-run on the ASA, it there anything obvious im missing to make the SNMP work on this device?
snmp-server host outside 203.XX.75.122 community XXXX
snmp-server host outside 203.XX.84.196 community XXXX
snmp-server host outside 203.XX.86.82 community XXXX
snmp-server host outside 82.XX.244.3 community XXX
I am having issues with monitoring our Cisco ASA5505 devices with "SolarWinds Orion NPM 10.2" through the use of SNMPv2. On some devices we see that SNMP polling stops and that the ASA's interfaces would show up as unknown - usually when the link to the device goes down/up or after a random ammount of time. At that point SNMP polling data is no longer updated and all we can rely on is ICMP for device status. I can resolve the issue by restarting the remote ASA OR restarting the SolarWinds server after which polling resumes. We are only seeing this behaviour with our remote ASA's.
Our setup is as follows: Head End: Cisco ASA 5520 [ASA 8.3(2)] Remote: Cisco ASA 5505 [ASA 8.3(2)]
I have found a SolarWinds article listed below that possibly identifies the issue that we are having but am not sure where to start.
I have a ASA5505 with version 8.4(3) that it's working as a DHCP server and I would like to get information about IPs availables (or assignated) on theirs pools via SNMP but I can't find the MIB or OID that I need.
what´s going on with an asa540 configure in multiple-context mode. I Have a cacti server on my lan and now I´m try to monitoring the interface with snmp. When I try to get this information returns the error message:
CISCOASA/CONTEXTA# JUN 11 2013 01:52:00: %ASA-1-1-6021: Deny UDP reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside JUN 11 2013 01:52:01: %ASA-1-1-6021: Deny UDP reverve path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
If I try to ping returns the same error:
CISCOASA/CONTEXTA# JUN 11 2013 01:56:09: %ASA-1-1-6021: Deny icmp reverse path check from 10.6.6.6 to IP_SRV_CACTI on interface inside
Following attached the conf of my asa My question is Why I can´t ping or even use snmp ?
I am very new to Cisco ASA and I am trying many days to implement the design below but still cannot get it done. The situation I am facing is
- a host (e.g. 192.168.5.10) under Inside interface can contact to outside without any problem. - however a host outside (e.g. in VLAN1 or outside this network) cannot contact host under Inside interface. I am using PING test and always get Request Time Out. [code]
I need to be able to redirect some HTTP traffic to an Ironport WSA (for now) on a DMZ interface, the initial config I'm trying to test is along the lines of the following (don't have access to the ASA at the moment to cut-and-paste):
access-list 101 deny any any neq www access-list 101 deny tcp host 10.0.2.2 any access-list 101 permit tcp any any
route-map proxy-redirect permit 101 match ip address 101 set ip next-hop 10.0.2.2
Unfortunately the ASA does not take the "set ip next-hop" command, I get an invalid input error message and if I at the route map config prompt type "?" only the "metric" and "metric-type" commands are listed as available.
This happens both on 8.2 (ASA5510) and 8.4(2) (ASA5505). Since others are able to make this work, I assume there's something else on the ASA that I have to set to enable this command?
I am trying to get the ACS 5.3 to work with NCS but cannot make it work correctly. url...But this does not show how the ACS referencing AD groups would work when determining which custom attributes to use.
On the ACS 5.3 i have set up the following .The ad is working and in Users and identity stores/External identity stores/Active Directory then my AD test works fine.I have set up the Users and Identity stores/Identity Groups with appropriate ip s.I have configured the Network Device Groups/Network Devices and AAA Clients with the ip address and Authenication optionsA.In Policy Elements/Authorisation and Permissions/device administration/shell profiles.I have creeated a shell profile called network shell pro which das a common tasks of def priv = 0 and max priv = 15
Now i can get into the NCS but i do not see any of the administration buttons on NCS - so this means the custom attributes are not working.i shouldnt need a user for this on the ACS as its using AD.
I have a problem with mi telephony server. My network topology is very simple. I have an ASA5505 connected to Internet throught an ISP. Behind ASA5505 I have a ToIP Server that operate well inside LAN network. However, when I try to register two or more extensions (Softphones) from Internet, Softphones some times it registers sucessfully, but some times doesn´t work.
The other hand, when softphones outside from LAN get register sucessfully in Asterisk server, is not possible that one of this calling the other one, and Asterisk server detects them as "UNREACHABLE". I don´t know if the problem are all commands of traffic inspect or if the problem is referenced to a particular UC proxy License.
We currently have a few 5505s installed at client sites which are connected via s2s ipsec VPN to our datacenter's 5510. We are using Nagios to monitor the local data center and remote client infrastructure (over the VPNs) which has been working well.
We would like to also monitor the remote 5505s using SNMP over the s2s tunnels but it doesn't seem to be working, the connection is timing out. We've configured the remote 5505s with the same snmp statement we used on the 5510 (snmp-server host inside <remote datacenter IP> poll community ***** version 2c) yet the Nagios SNMP check cannot connect to the remote 5505s. We've also tried the command using 'outside' without any luck, not sure how to get SNMP to route over the VPN.
We're running three networks (inside, outside and dmz). Inside is 10.0.1.0/24, dmz is 10.0.2.0/24, outside is a static ip allocated by our ISP. We'd like to configure the following:All traffic from the outside to [static provider ip] on port 80 should go to 10.0.2.200 port 8080.
We have a customer that recently changed IT Vedors and came to us. We needed to change the ISP and need to make changes in their Firewall. I went out on site and wasn't able to get into the Routers and I contacted the previos company but they wouldn't release that information. So we had to reset the devices and set everything back up. Everything works great except before they had an IPSEC VPN Tunnel between the 2 buildings. Both Buildings have WRVS4400N Routers and I have setup a VPN IPSEC Tunnel on both sides. I have named them the same and the summary says that both are up. But when I try to go from one side to the other I am unable to Ping or resolve anything. I called Cisco but they said they are out of warranty. Cisco directed me here.
Within a workgroup environment we have four large drives, statically assigned and all accessbile via VPN. Our FW is a Cisco ASA-5505. Where within the ASA-5505 GUI can one of these drives be made inaccessible via VPN ?
I've got an SG300-10 connected back to back (trunked) with a Cisco 3560X switch, across a fibre link and am seeing some big inconsistencies in terms of unicast data transferred across the ports between them.
During a night time window of 4am - 6am I run backups which involves a large copy of files, that almost saturates a GigE link - we can see from the 3560X end that the link is running at a bit over 800MBit/sec of throughput, sustained. The duration of this transfer is consistent with the size of the files being transferred (ie just over an hour, and is what I'd expect for a data transfer of about that amount). Back-of-the-envelope calculations indicate that the 3560X is measuring this data throughput correctly.
However on the SG300 end of the link, which is also being polled by the same application (Cacti), I'm observing spikey counts of only around 20MBit/sec during that window. These counters are very obviously incorrect - there's a huge amount more data moving across the port than that. The incorrect calculations are showing on both the trunk port out of the SG300 (uplink) as well as the interface where the NAS is connected in (which is an access port).
Cacti is polling the OID: .188.8.131.52.184.108.40.206.1.16.57 which translates to IF-MIB::ifOutOctets.57 = Counter32.I'm running version 220.127.116.11 but this problem is not new to this release - previous releases and 1.2 based releases also had this problem.
It looks like multicast traffic may be being counted correctly (that's only a suspicion though), however what I am certain of is that there is a very large discrepancy with the unicast traffic counts.Is this OID the correct one to be using for this switch?
Ok, so what I want to do is make a router/firewall/proxy (maybe add webserver/FTP as well). Just to start off I want to say that I have moderate knowledge of Linux, enough to administer it from the CL. I have setup routers before but it was years ago and I've forgotten some of the details involved. What I do is a base LAMP install, with DNS, Samba, DHCP server, OpenSSH and then Webmin for easier administration. I've also installed EHCP (easy hosting control panel) in the past but have not at this point.
So, what I want to know is how do I setup the NIC's in the etc/network/interfaces file. Let's say that eth0 connects to the modem and eth1 & 2 are internal adapters. Currently my network is running a Linksys WRT54GL with DD-WRT and the router is set to DHCP for the WAN connection and DHCP is running on the internal network as well. The modem is at 192.168.254.254 and is giving the router an address of 192.168.254.1 my internal network is 192.168.1.1 (192.168.1.0/24). I would like to setup my internal router address to 192.168.1.1 so I guess I need to set it to static in my interfaces config and then set my eth0 to dhcp. Does this sound correct?
So if I do the above my only question is how do I setup the routing tables after that? I always get messed up when I need to make the switch from my Linksys router to my Linux box. I'm not worried about firewall rules at first I can change those once I have the router up and running. I just don't know if I need to make some kind of bridge to bridge the eth0 and eth1 (external NIC and internal NIC).
I am trying to configerate static switchports on our nexus 5548 (nx-os 5.1(3)N1(1)) over snmp.The support-list url... states that the CISCO- VLAN- MEMBERSHIP- MIB is supported.I can read the information, but if i try to set vmVlan or vmVlanType i get the message: "SET failed. ("ip-address"). Information: Not Writable."I can use set_request in general (e.g. CISCO-CONFIG-COPY-MIB). how to set the vlan and vlan-type over snmp?
I have a brand new ASA 5505 running version 8.2(5). Got connected with the ASDM and ran the setup wizard and the remote access VPN wizard. I am not able to ping the outside interface from the internet, and my VPN client gets no response when trying to connect.
I have a normal setup of ASA5505 (without security license) connected behind an internet router. From the ASA5505 console I can ping the Internet. However, users behind the Firewall on the internal LAN, cannot ping the Internet even though NATing is configured. The users can ping the Inside interface of the Firewall so there is no internal reachability problem. In addition, I noticed that the NAT inside access list is not having any hit counts at all when users are trying to reach the internet.
When i replace the ASA5505 with a router with NAT overload configuration on it, the setup works normally and users are able to browse the internet.
The ASA5505 configuration is shown below.
interface Ethernet0/0 description Connected To Internet Router switchport access vlan 10
i have asa 5505 with the asdm v5.2 (4), and the asa v7.2(4). This platform has a base license. if i upgrade adsm and asa on v6.2(1) and v8.2(2) if I lose my license and that you need to activate them? i configured site to site vpn (this firewall and the another) that i lose my configuration if i upgrade my firewall.
I've recently upgraded my old firewall from a PIX to an ASA5505 and have been trying to match up the configuration settings to no avail. I have is that I can't ping the new firewall on it's inside interface, despite having "icmp permit any inside" in the running config. Secondly, the server I have on there ("Sar") can't connect out to the internet.I've included the ASA's running config incase anybody can see if something stands out. I have a feeling it's either not letting anything onto the inside interface, or there is no nat going on. Lastly (and possibly relevant), the firewall is actually going at the end of a vlan, which is different to the firewall's inside vlan number. I don't know if this is actually the problem because the server can't connect out even if connected directly into the firewall.
Internet ISP -> Juniper SRX 210 Ge-0/0/0 Juniper fe0/0/2 -> Cisco ASA 5505 Cisco ASA 5505 - >Inernal LAN switch.
1. Internet is connected to Juniper Ge0/0/0 via /30 IP.
2. Juniper fe0/0/2 port is configured as inet port and configured the Internal public LAN pool provided by the ISP. And this port is directly connected to Cisco ASA 5505 E0/0. Its a /28 pool IP address. This interface is configured as outside and security level set to 0.
From Juniper SRX, am able to ping public Internet IPs (18.104.22.168).
1. From ASA am unable to ping public ip configured on Juniper G0/0/0 port.(/30) 2. From ASA no other Public internet IP is pinging.
Troubleshooting Done so far.
1, Configured icmp inspection on ASA. 2. Used the packet tracer in ASA, it shows the packet is flowing outside without a drop. 3. Allowed all services in untrust zone in bound traffic in Juniper SRX. 4. Viewed the logs when I was trying the ping 22.214.171.124 in ASA. It says "Tear down ICMP connection for faddrr **** gaddr **
I have a simple query for the issues I m facing currently.I have @ remote site remote site PIX firewall which is configurd to get the Snmp poll on the server locate outside via site to site VPN.There is another snmp server located also in inside which I’m not managing it . ======================================================================== below are the command for the snmp configured on PIX. snmp-server host inside x.x.x.x community XXXXX ---This is not managed by us snmp-server host inside x.x.x.x community XXXXX snmp-server host outside y.y.y.y (private IP tunneled though VPN) poll community YYYYY ---Managed by us snmp-server host outside y.y.y.y poll community YYYYY
there are 2 snmp community & server defined in snmp-server host command for 2 different IP address belongs to snmp server and we can only define one global snmp-server community for any one of them .Question is how the snmp community take a precedence currently I am able to ping from my snmp server from outside to the PIX firewall outside interface over L2L VPN but somehow the snmp server is not listening when i do port query on 161 por!.
The original goal was to block "Mumble/Murmur" (a voip app) traffic, which runs on TCP/UDP 64738, both inbound and outbound, except to a certain host (126.96.36.199).
However, when nothing I tried seemed to make a difference, just to troubleshoot, I decided to try blocking all inbound traffic. I first disconnected ethernet port 0/0 to ensure that it was cabled correctly and the outside interface went down when I did. That worked as expected, so I confirmed I had the right interface and it was cabled correctly.
I then applied a "any any deny ip" rule as the first element in the outside interface access_list, as you can see below. However, it appears to have had no real effect and the hit count is very low (it should be astronomical).
show ver Cisco Adaptive Security Appliance Software Version 9.0(2) Device Manager Version 7.1(2) Compiled on Thu 21-Feb-13 13:10 by builders System image file is "disk0:/asa902-k8.bin"
Does the pix-501 support multiple SNMP communities? Im trying to add a second one, but the original community string gets removed when I add the new one. If we can have multiple SNMP hosts, then I woud imagine you could have multiple strings. I thought it was like most switches and routers, which can have the following:
snmp-server community STRING1 snmp-server community STRING2
The Pix-501 is currently running on version 6.3(5).
i have a Problem with SNMP on the ASA Outside Interface. I want to monitor the Interface via SNMP (linkup, link down). I have a Active/Passive Cluster running on 8.4.2 and configured SNMP (v1) for Test on the Outside Interface. It's not that hard but when i try to test my Configuration with (peerless) SNMP Tester the Interface doesn't respond. Did i forget to configure something? Searched the forum but didn't find anything useful.
I am trying to monitor my ASA 5505. This asa is connect via a ip-sec tunnel to our network. I have no problems with snmp monitoring devices behind the ASA, but when trying to monitor the asa itself I do not get a SNMP response.