[mrtg] Re: PIX

Joseph Pierini JPierini at mmlive.com
Sat Jun 19 01:58:28 MEST 2004


I notice that your ACL for SNMP has no hit counts, but your ICMP does, so I
assume that you can ping the PIX from the MRTG server. That leaves me
confused and at a loss; however, I still stand by my statement that it will
work via the outside interface.
 
Being this is a lab device, and shouldn't be a security risk, would you mind
sharing the entire PIX config, after you edit the passwords and real IPs?
Perhaps there's something else affecting the SNMP response. Also, what
version PIX is this and what PIX bin are you running?
 
Kindest regards,
 
Joseph Pierini
 
-----Original Message-----
From: FabioAlKas at aol.com [mailto:FabioAlKas at aol.com] 
Sent: Friday, June 18, 2004 12:36 PM
To: JPierini at mmlive.com; kj at sunclipse.com; mrtg at list.ee.ethz.ch
Subject: Re: [mrtg] Re: PIX


In a message dated 18/06/2004 15:33:29 E. South America Standard Tim,
JPierini at mmlive.com writes:

With the kindest of regards, I disagree. I have MRTG monitoring all my Cisco
PIX firewalls via the outside interface. Add the following line to your PIX
config:

snmp-server host outside xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP address of your MRTG server. Ensure that
you allow SNMP through the firewall protecting your MRTG server.

Joseph Pierini

Here are the configs for my Cisco in a lab environment:
 
INTS:
 
access-group PERMIT_ICMP in interface outside1
access-group PERMIT_ICMP in interface inside1
 
ACL:
 
access-list PERMIT_ICMP line 1 permit icmp any any (hitcnt=777)
access-list PERMIT_ICMP line 16 permit udp any any eq snmp (hitcnt=0)
 
 
SNMP:
 
snmp-server host outside2 10.10.10.10
snmp-server location public
snmp-server contact public
snmp-server community public
snmp-server enable traps
 
And I'm using this line on mrtg:
 
/usr/local/mrtg-2/bin/cfgmaker public@10.10.10.10
 
The mrtg host is directly connected at the outside interface, and there are no
firewalls between host and PIX.
 
This is only for a test; if it works I will use the correct MIB for this
equipment.
 
And the public community and IP were changed in the information above.
 
I still got the error no response received.
 
Thanks for your help.
 
Best Regards
================================================
Fabio Al kas
ICNET Network Coordinator
Infrastructure & IT 
America OnLine -  <http://www.aol.com.br/> Brazil

