| | | Forum Newbie
       
Group: Forum Members Last Login: 6/3/2008 6:54:33 PM Posts: 3, Visits: 18 |
| | Hello, I have a problem trying to monitor a Cisco PIX 501 with the SNMP Active Monitor. When I did the device discovery, WUP found the Interface active monitors (inside and outside, but with the default address, in this case the private IP address), SNMP and Telnet, but when I change the default IP address to the public one, for example, WUP begins to indicate that some active monitor is down. If I change back to the default interface, the device shows up.
In the credentials tab, I put the OID for this device (Cisco PIX 500 Series Firewalls 501 1.3.6.1.4.1.9.1.417). I copied the Cisco MIBs into the MIBs folder. I created a new SNMP active monitor with the OID 1.3.6.1.4.1.9.1.417, but when I ran the test it failed and showed me the following text:
SNMP check (SNMP_Pix501) for 10.195.0.1 OID=1.3.6.1.4.1.9.1.417 Instance= Argument= ReadCommunity=public Timeout=2 Retries=1 Comment= Failed to read SNMP value. Error=Response packet contained the error: No Such Name
My question is: what are the correct steps for monitoring any Cisco device? Thanks for all. |
| | | | Forum Member
       
Group: Forum Members Last Login: Yesterday @ 4:41:05 PM Posts: 37, Visits: 366 |
| | Sounds like SNMP is not configured on the PIX, did you add the community string there? |
| | | | Forum Newbie
       
Group: Forum Members Last Login: 6/3/2008 6:54:33 PM Posts: 3, Visits: 18 |
| | Yes, the PIX has the SNMP community configured... |
| | | | Time Traveler
       
Group: Forum Members Last Login: 6/19/2008 4:58:30 PM Posts: 534, Visits: 1,874 |
| That should be normal behavior.
WhatsUp comes from the inside interface, so the PIX won't answer the SNMP requests on the public interface (unless you define it as the management interface, which is a very very bad idea, besides the fact there is no reason to do so).
If you need to monitor the public interface you should define it as a secondary address (the inside one being the default one, so that the perf monitors work) and assign this address to the monitors you need. |
| | | | Forum Newbie
       
Group: Forum Members Last Login: 6/3/2008 6:54:33 PM Posts: 3, Visits: 18 |
| | Thanks for the answer. The main idea is to monitor both interfaces (inside and outside) and only allow my public range to access. When I add the device, I put the internal IP address and I add the outside IP as secondary, not as the management interface. When I did the discovery, the active monitor found Interface (1) - PIX Firewall 'outside' interface (Public IP), Interface (2) - PIX Firewall 'inside' interface (Private IP) and SNMP, but the IP address configured automatically is the default (internal IP), and when I edit the active monitor Interface (1) and change it to the public IP, WUP shows me Interface (1) down. I don't understand why... What is the way to correctly monitor a Cisco PIX? Thanks! |
| | | | Time Traveler
       
Group: Forum Members Last Login: 6/19/2008 4:58:30 PM Posts: 534, Visits: 1,874 |
| Ok, I understand.
You must not change the IP address used by the monitor.
Yes, it does use the inside interface to connect to the device, but it still checks the outside interface's internal state.
Now if you want to have a TCP test (which will actually attempt a connection) on the outside interface, in that case you will need to change the interface used by the monitor (also it might not work without changing the PIX configuration: I'm not sure you can make "loopback" connections by default).
But you must use the same interface for all SNMP monitors. |