Configure Your Firewall for SNMP

KB ID 0001034 

Problem

Had a requirement to let SNMP traffic though a firewall this week, I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 and 162 (See below) but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open.

Inbound Ports

Inbound SNMP Ports

Outbound Ports

Outbound SNMP Ports

Solution

As my ‘weapon of choice’ is a Cisco ASA, here’s how to set it up.

1. Connect to the firewall and proceed to global configuration mode.

User Access Verification

Password:******* Type help or ‘?’ for a list of available commands. Petes-ASA> enable Password: ******** Petes-ASA# configure terminal Petes-ASA(config)#

2. Assuming my inside interface is called ‘inside’ allow the traffic outbound then apply that ACL to the firewall with an access-group command.

Cisco ASA – ‘access-group’ Warning

Petes-ASA(config)# access-list outbound permit udp host 192.168.1.100 host 172.16.1.10 eq 161 Petes-ASA(config)# access-list outbound permit icmp host 192.168.1.100 host 172.16.1.10 Petes-ASA(config)# access-group outbound in interface inside

3. Assuming my outside interface is called ‘outside’ allow the traffic inbound then apply that ACL to the firewall with an access-group command.

Cisco ASA – ‘access-group’ Warning

Petes-ASA(config)# access-list inbound permit udp host 172.16.1.10 host 192.168.1.100 eq 161 Petes-ASA(config)# access-list inbound permit icmp host 172.16.1.10 host 192.168.1.100 Petes-ASA(config)# access-group inbound in interface outside

Note: Simply allowing ICMP will not permit ‘ping’ see the following article;

Cisco Firewalls and PING

4. Save the changes.

Petes-ASA(config)# write memory Building configuration… Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de [OK] Petes-ASA(config)#

Also

You may want to open UDP 514 (syslog) from the device to the monitoring server, (assuming you have configured syslog on the monitored device). If the monitored device cannot communicate make sure it’s not using DNS to resolve the monitoring server (if so you may need to open UDP 53 to a DNS server).

Related Articles, References, Credits, or External Links

NA

 

Author: Migrated

Share This Post On