KB ID 0001034
Problem
Had a requirement to let SNMP traffic though a firewall this week, I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we simply need UDP ports 161 and 162 (See below) but SolarWinds maintains ‘ping’ connectivity to the monitored assets, so ICMP also needs to be open.
Inbound Ports
Outbound Ports
Solution
As my ‘weapon of choice’ is a Cisco ASA, here’s how to set it up.
1. Connect to the firewall and proceed to global configuration mode.
[box] User Access Verification
Password:*******
Type help or ‘?’ for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#
[/box]
2. Assuming my inside interface is called ‘inside’ allow the traffic outbound then apply that ACL to the firewall with an access-group command.
Cisco ASA – ‘access-group’ Warning
[box] Petes-ASA(config)# access-list outbound permit udp host 192.168.1.100 host 172.16.1.10 eq 161
Petes-ASA(config)# access-list outbound permit icmp host 192.168.1.100 host 172.16.1.10
Petes-ASA(config)# access-group outbound in interface inside [/box]
3. Assuming my outside interface is called ‘outside’ allow the traffic inbound then apply that ACL to the firewall with an access-group command.
Cisco ASA – ‘access-group’ Warning
[box]Petes-ASA(config)# access-list inbound permit udp host 172.16.1.10 host 192.168.1.100 eq 161
Petes-ASA(config)# access-list inbound permit icmp host 172.16.1.10 host 192.168.1.100
Petes-ASA(config)# access-group inbound in interface outside [/box]
Note: Simply allowing ICMP will not permit ‘ping’ see the following article;
4. Save the changes.
[box]Petes-ASA(config)# write memory
Building configuration…
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#[/box]
Also
You may want to open UDP 514 (syslog) from the device to the monitoring server, (assuming you have configured syslog on the monitored device). If the monitored device cannot communicate make sure it’s not using DNS to resolve the monitoring server (if so you may need to open UDP 53 to a DNS server).
Related Articles, References, Credits, or External Links
NA