[mrtg] Re: SNMP routing over NAT (Cisco 2600)
Dave Williams
dave_williams at eli.net
Fri Jun 8 18:33:19 MEST 2001
MRTG (really SNMP) can work in a NAT environment. The firewall software deployed at our company uses
"stateful" rules allowing hosts outside the firewall to pass through the firewall only to SNMP requests
generated from the inside or trusted network. The firewall translates the IP address of the "inside" MRTG
server to an outside address using a specific firewall-generated user UDP port number. The outside host
responds to the SNMP request using the translated IP address and port number. The firewall translates the
destination IP address back to the MRTG server's real address and forwards the reply packet to the
MRTG server. NAT really isn't the obstacle, the firewall rules are what drop UDP (SNMP) packets.
"Stateful" rules must translate UDP inside port numbers to make this work. Using Static IP address
translations for "inside" host addresses isn't really necessary either when using "stateful" UDP rules.
For my purposes this is secure because the "outside" hosts are connected to the Internet using router
equipment owned and managed by my company. If you are intending to manage devices that traverse Internet
routers your company doesn't own and manage, I recommend you explore VPN/IP-SEC products that will encrypt
the packet payload to keep SNMP traffic secure. I would also not install RW community strings and of
course use something other than "public/private" for community strings too.
Mike Singleton wrote:
> I have been told by our chief network engineer that SNMP is NOT routable over NAT.. is this correct??
>
> DaVita Inc.
>
--
Unsubscribe mailto:mrtg-request at list.ee.ethz.ch?subject=unsubscribe
Archive http://www.ee.ethz.ch/~slist/mrtg
FAQ http://faq.mrtg.org Homepage http://www.mrtg.org
WebAdmin http://www.ee.ethz.ch/~slist/lsg2.cgi
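The flow Dave describes (inside-originated SNMP request gets a firewall-chosen source port, the reply to that port is matched against recorded state and translated back, anything unsolicited on UDP/161 is dropped) as a small simulation. This is an added example, not code from the poster or from MRTG; the addresses are from the RFC 5737 documentation ranges, the "GET <community> <oid>" string stands in for a real SNMP PDU, and the community string and the agent's RO-only behaviour are assumptions made for the illustration.

```python
"""Stateful UDP NAT for SNMP polling, modelled after the post's description.

Constructed example (not the original poster's code). Addresses are from the
RFC 5737 documentation ranges and the "GET <community> <oid>" string is a toy
stand-in for a real SNMP PDU; both are assumptions made for the illustration.
"""
import itertools
from dataclasses import dataclass

SNMP_PORT = 161
AGENT_RO_COMMUNITY = "s3cr3t-ro"   # assumed read-only community on the outside router


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class StatefulNat:
    """Firewall doing PAT for inside-originated UDP and dropping everything else."""

    def __init__(self, inside_prefix, outside_ip, first_port=1024):
        self.inside_prefix = inside_prefix   # e.g. "10.0.0." (assumed inside network)
        self.outside_ip = outside_ip         # firewall's public address
        self.table = {}                      # public port -> (in_ip, in_port, peer_ip, peer_port)
        self._ports = itertools.count(first_port)

    def outbound(self, pkt):
        """Inside -> outside: allocate a public port and record the flow."""
        if not pkt.src_ip.startswith(self.inside_prefix):
            return None                      # only inside hosts may open state
        pub_port = next(self._ports)
        self.table[pub_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.outside_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt):
        """Outside -> inside: forward only replies matching a recorded flow."""
        entry = self.table.get(pkt.dst_port)
        if pkt.dst_ip != self.outside_ip or entry is None:
            return None                      # no state for this port: drop
        in_ip, in_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None                      # reply from the wrong host/port: drop
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.payload)


def agent_respond(pkt):
    """Toy SNMP agent: answers GETs carrying the RO community, ignores the rest."""
    if pkt is None or pkt.dst_port != SNMP_PORT:
        return None
    op, community, oid = pkt.payload.split()
    if op != "GET" or community != AGENT_RO_COMMUNITY:
        return None                          # wrong community or a SET: no reply
    return Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port,
                  f"RESPONSE {oid} 12345")


def poll(nat, mrtg_ip, mrtg_port, router_ip, community, oid):
    """One MRTG poll through the firewall; returns the reply as seen by MRTG."""
    request = Packet(mrtg_ip, mrtg_port, router_ip, SNMP_PORT, f"GET {community} {oid}")
    on_wire = nat.outbound(request)          # src rewritten to firewall IP:pub_port
    reply = agent_respond(on_wire)           # router answers the translated address
    if reply is None:
        return None
    return nat.inbound(reply)                # dst rewritten back to the MRTG server


def unsolicited_is_dropped(nat):
    """An outside host probing UDP/161 on the firewall never reaches the inside."""
    probe = Packet("198.51.100.7", 5000, nat.outside_ip, SNMP_PORT,
                   "GET public 1.3.6.1.2.1.1.1.0")
    return nat.inbound(probe) is None


if __name__ == "__main__":
    nat = StatefulNat("10.0.0.", "203.0.113.1")
    print(poll(nat, "10.0.0.5", 40000, "198.51.100.10", AGENT_RO_COMMUNITY,
               "1.3.6.1.2.1.2.2.1.10.1"))
    print(poll(nat, "10.0.0.5", 40001, "198.51.100.10", "public",
               "1.3.6.1.2.1.2.2.1.10.1"))
    print(unsolicited_is_dropped(nat))
```

Note the two checks in `inbound`: a packet is forwarded only if it arrives on a port the firewall handed out and comes from the exact host and port the request went to. That is what lets the MRTG server keep a private address with no static translation, and it is also why a real firewall with plain "permit udp any eq 161" rules, rather than state tracking, is the thing that breaks SNMP polling, not NAT itself.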