Configure Your Firewall for SNMP

KB ID 0001034 

Problem

Had a requirement to let SNMP traffic through a firewall this week: I have a client that has both SolarWinds and SCOM, and they need to monitor the external Citrix ADC load balancers. For SNMP we need UDP port 161 (the monitoring server polls the monitored device) and UDP port 162 (the device sends traps back to the monitoring server), see below, but SolarWinds also maintains ‘ping’ connectivity to the monitored assets, so ICMP needs to be open as well.

Inbound Ports

Outbound Ports

Solution

As my ‘weapon of choice’ is a Cisco ASA, here’s how to set it up.

1. Connect to the firewall and proceed to global configuration mode.

[box] User Access Verification

Password:*******
Type help or ‘?’ for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)#

[/box]

2. Assuming my inside interface is called ‘inside’, allow the traffic outbound (the SNMP polls and the pings from the monitoring server to the ADC), then apply that ACL to the interface with an access-group command.

Cisco ASA – ‘access-group’ Warning

[box] Petes-ASA(config)# access-list outbound permit udp host 192.168.1.100 host 172.16.1.10 eq 161
Petes-ASA(config)# access-list outbound permit icmp host 192.168.1.100 host 172.16.1.10
Petes-ASA(config)# access-group outbound in interface inside [/box]

3. Assuming my outside interface is called ‘outside’, allow the traffic inbound, then apply that ACL to the interface with an access-group command. The ASA is stateful, so the replies to the UDP 161 polls from step 2 come back without any rule; what does need an inbound rule is the traffic the ADC originates on its own, the SNMP traps it sends to the monitoring server on UDP 162 (and ICMP, see the note below).

Cisco ASA – ‘access-group’ Warning

[box]Petes-ASA(config)# access-list inbound permit udp host 172.16.1.10 host 192.168.1.100 eq 162
Petes-ASA(config)# access-list inbound permit icmp host 172.16.1.10 host 192.168.1.100
Petes-ASA(config)# access-group inbound in interface outside [/box]

Note: Permitting ICMP in an ACL is not, on its own, enough to make ‘ping’ work through an ASA; the firewall does not track ICMP statefully unless ICMP inspection is enabled, so the echo replies must either be inspected or explicitly permitted on the return interface. See the following article;

Cisco Firewalls and PING

4. Save the changes.

[box]Petes-ASA(config)# write memory
Building configuration…
Cryptochecksum: aab5e5a2 c707770d f7350728 d9ac34de
[OK]
Petes-ASA(config)#[/box]
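Once the ACLs are applied, the check worth running from the monitoring server is the exact flow step 2 permits: an SNMP poll to UDP 161 on the ADC, with the reply returning through the ASA's stateful UDP tracking. The script below is an added example, not code from the original article, SolarWinds, SCOM or Cisco. It hand-encodes an SNMPv2c GetRequest for sysUpTime.0 in BER, sends it, and reports whether a matching GetResponse came back; the community string ‘public’, the target 172.16.1.10 and the timeout are assumed values, and only probe() touches the network, so the encoder and decoder can be exercised offline.

```python
"""SNMPv2c poll probe (added example): confirm the SNMP ACLs pass a real poll.

Assumed values: community 'public', target 172.16.1.10, 3 s timeout.
"""
import socket

SYS_UPTIME_0 = "1.3.6.1.2.1.1.3.0"


def ber_length(n):
    """BER length octets: one byte below 128, else 0x80|count then the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(value):
    """INTEGER in minimal two's-complement form, as BER requires."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                     # continuation bit on every byte but the last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community, oid, request_id):
    """SNMPv2c message carrying a GetRequest-PDU (tag 0xA0) for one OID."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))   # value is NULL in a request
    pdu = tlv(0xA0, encode_int(request_id) + encode_int(0) + encode_int(0)
              + tlv(0x30, varbind))
    return tlv(0x30, encode_int(1) + tlv(0x04, community) + pdu)   # version 1 == v2c


def _read_tlv(buf, pos):
    """Parse the TLV at buf[pos]; return (tag, payload, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_response(msg, expected_id):
    """Return (error-status, first varbind value) from a GetResponse-PDU (tag 0xA2).

    Numeric SNMP types decode to int; anything else is returned as raw bytes.
    """
    _, body, _ = _read_tlv(msg, 0)
    _, _version, p = _read_tlv(body, 0)
    _, _community, p = _read_tlv(body, p)
    pdu_tag, pdu, _ = _read_tlv(body, p)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, p = _read_tlv(pdu, 0)
    if int.from_bytes(rid, "big", signed=True) != expected_id:
        raise ValueError("request-id mismatch (stray or spoofed reply)")
    _, err, p = _read_tlv(pdu, p)
    _, _idx, p = _read_tlv(pdu, p)
    _, vbl, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(vbl, 0)
    _, _oid, p = _read_tlv(vb, 0)
    vtag, val, _ = _read_tlv(vb, p)
    if vtag in (0x02, 0x41, 0x42, 0x43, 0x46):   # INTEGER, Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(err, "big"), int.from_bytes(val, "big", signed=(vtag == 0x02))
    return int.from_bytes(err, "big"), val


def probe(host, community=b"public", port=161, timeout=3.0):
    """Send one poll; True only if a matching, error-free GetResponse arrives in time."""
    request_id = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, SYS_UPTIME_0, request_id), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return False               # the poll or its reply was dropped: check the ACLs
    err, _uptime = parse_response(data, request_id)
    return err == 0


if __name__ == "__main__":
    # Run from the monitoring server (192.168.1.100 above) against the ADC (172.16.1.10).
    print("SNMP poll answered" if probe("172.16.1.10") else "no reply within timeout")
```

A timeout is the symptom of a missing or mis-applied ACL: the ASA drops the poll silently, so the probe returning False rather than an ICMP error is exactly what you should expect until the outbound rule is in place.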

Also

You may also want to open UDP 514 (syslog) from the monitored device to the monitoring server, assuming you have configured syslog on the monitored device; that is another inbound rule on the outside interface. If the monitored device cannot reach the monitoring server, make sure it is not trying to resolve the server’s name via DNS (if it is, you may need to open UDP 53 to a DNS server as well).

Related Articles, References, Credits, or External Links

NA

 

Cisco ASA – ‘access-group’ Warning

KB ID 0001035

Problem

I’ve been writing Cisco ASA walkthroughs for years, and littered all over PeteNetLive you will see me warning readers every time I use access-group commands. So I’ve finally got round to putting this article up so I can reference it in future.

What is an Access-Group command?

You use an access-group command to apply an access-list to an interface in a particular direction (in or out); I always apply access-groups in the ‘in’ direction on an interface to avoid confusion.

Example

[box]

Create an access list first

access-list outbound permit tcp host 192.168.1.1 any eq www

Then nothing will happen unless you apply that ACL to an interface with an 
access-group command.

access-group outbound in interface inside

[/box]

Solution

So Why The Access-Group Warning?

Reason 1

When I post articles and direct you to allow traffic through a firewall, I make the assumption that you do not have any ACLs already applied with access-group commands. An interface can carry only one ACL per direction, so if you did have one and followed my tutorials blindly, you would overwrite your access-group and the existing ACL would stop working! (The ACL would still be in the configuration; you would just need to reapply it.)

Reason 2

By default traffic will flow through the ASA from interfaces that have a higher (more secure) security level to interfaces with a lower security level. That’s why you can get out through a new firewall without adding any rules. However, every ACL has an implicit deny on the end of it, so if you have a mail server and allow out SMTP, for example, as soon as you apply the ACL with your access-group command you STOP ALL OTHER OUTBOUND COMMUNICATION until that is allowed as well.

So How Can You Make Sure I’m Not About to Break Anything?

Easy: your firewall will tell you if you have any access-groups already in use, with a ‘show run access-group‘ command. Below you can see there are three, and the interface each is applied to.

[box]

User Access Verification

Password: ********
Type help or ‘?’ for a list of available commands.
PetesASA> enable
Password: ********
PetesASA# show run access-group
access-group inside-in in interface outside
access-group outside-in in interface inside
access-group DMZ-in in interface DMZ
PetesASA#

[/box]

I’ve deliberately shown a naming convention I don’t usually use; I typically have an ACL called outbound for outgoing traffic and one called inbound for incoming traffic. If your firewall has differently named ACLs applied with access-group commands, USE YOUR ACL NAME, NOT THE ONES IN MY ARTICLES!

I’ve followed Your Article and It Works But Everything Else Has Stopped Working!

OK, remember Reason 2 above: you need to allow the rest of the traffic out again. The simplest way to do that is with a permit ip any any entry, which is what you had originally*. (I prefer to only allow out the traffic that needs to go out, but I’m a firewall nut!)

*Note: To avoid emails from the pedants, you actually had all protocols open, not just IP.

[box]

Assuming the last commands you issued looked something a little like..

access-list outbound permit tcp host 192.168.1.1 any eq www
access-group outbound in interface inside

Now that works, but everything else does not; you have fallen foul of the ‘implicit deny’, so allow out the traffic you want to allow out, i.e.

access-list outbound permit ip any any

New entries are appended to the end of the ACL and the ASA matches top-down, so this catch-all belongs last; any entry added after it would never be evaluated.

[/box]
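Both checks in this article, the ‘show run access-group’ inspection for Reason 1 and the implicit-deny surprise of Reason 2, can be run against the saved configuration before anything is typed into the firewall. The script below is an added example, not code from the original article or from Cisco. It parses constructed samples of ‘show run access-group’ and ‘show run access-list’ output (the ACL names and addresses are the ones used in this article and the SNMP one above), reports whether a planned access-group command would replace an ACL already on that interface, and evaluates a list of flows against the new ACL with the ASA’s first-match rule and implicit deny. Assumptions: plain extended ACEs only, protocols ip/tcp/udp/icmp, addresses written as host X, any or NET MASK, an optional destination ‘eq PORT’, and no object-groups or global access-groups.

```python
"""ASA access-group pre-check (added example): parse saved config text and
find the two mistakes the article warns about before touching the firewall.

Assumptions: extended ACEs, host/any/NET MASK addresses, destination 'eq' only;
object-groups, remarks and 'access-group NAME global' are ignored.
"""
import ipaddress
import re

# Constructed sample of 'show run access-group' (same names as the article's box).
SHOW_RUN_ACCESS_GROUP = """\
access-group inside-in in interface outside
access-group outside-in in interface inside
access-group DMZ-in in interface DMZ
"""

# Constructed sample of 'show run access-list' for the SNMP article's outbound ACL,
# as the ASA echoes it back (it inserts the keyword 'extended').
SHOW_RUN_ACCESS_LIST = """\
access-list outbound extended permit udp host 192.168.1.100 host 172.16.1.10 eq 161
access-list outbound extended permit icmp host 192.168.1.100 host 172.16.1.10
"""

GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
PORT_NAMES = {"www": 80, "https": 443, "domain": 53, "snmp": 161,
              "snmptrap": 162, "syslog": 514}   # names the ASA shows for common ports


def parse_access_groups(text):
    """Return {(interface, direction): acl_name} from 'show run access-group'."""
    groups = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line.strip())
        if m:
            acl, direction, iface = m.groups()
            groups[(iface, direction)] = acl
    return groups


def access_group_conflict(groups, iface, direction, new_acl):
    """Name of the ACL that 'access-group NEW DIR interface IFACE' would silently
    replace (one ACL per interface per direction), or None if the slot is free."""
    current = groups.get((iface, direction))
    return current if current and current != new_acl else None


def _parse_addr(tokens):
    """Consume one address spec (host X | any | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_access_lists(text):
    """Return {acl_name: [ACE, ...]} in configured order, which is evaluation order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        name, rest = t[1], t[2:]
        if rest[0] == "extended":
            rest = rest[1:]
        action, proto, rest = rest[0], rest[1], rest[2:]
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        dport = None
        if len(rest) >= 2 and rest[0] == "eq":
            dport = PORT_NAMES[rest[1]] if rest[1] in PORT_NAMES else int(rest[1])
        acls.setdefault(name, []).append(
            {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return acls


def evaluate(aces, proto, src, dst, dport=None):
    """First-match evaluation; 'ip' matches every protocol; unmatched => implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def preflight(groups, acls, acl_name, iface, direction, flows):
    """Warnings to read before typing 'access-group ACL_NAME DIRECTION interface IFACE'."""
    warnings = []
    clash = access_group_conflict(groups, iface, direction, acl_name)
    if clash:
        warnings.append(f"{iface} {direction} already carries ACL '{clash}'; "
                        f"the access-group command would replace it (Reason 1)")
    aces = acls.get(acl_name, [])
    for proto, src, dst, dport in flows:
        if evaluate(aces, proto, src, dst, dport) == "deny":
            warnings.append(f"{proto} {src} -> {dst}:{dport} hits the implicit deny (Reason 2)")
    return warnings


if __name__ == "__main__":
    groups = parse_access_groups(SHOW_RUN_ACCESS_GROUP)
    acls = parse_access_lists(SHOW_RUN_ACCESS_LIST)
    # Flows that worked before the ACL existed and must keep working after it (constructed).
    flows = [("udp", "192.168.1.100", "172.16.1.10", 161),
             ("udp", "192.168.1.50", "192.0.2.53", 53),
             ("tcp", "192.168.1.50", "203.0.113.5", 443)]
    for w in preflight(groups, acls, "outbound", "inside", "in", flows):
        print("WARNING:", w)
```

Paste real ‘show run access-group’ and ‘show run access-list’ output into the two constants and list the flows you cannot afford to lose (DNS, web, mail) in flows; an empty warning list is the point at which the access-group command is safe to type.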

 

Related Articles, References, Credits, or External Links

NA