AS, Raj Kumar wrote:

> Hi Group,
>
> If I want to monitor a router behind the firewall, what are all the services I have to enable?
> Will just SNMP do? Do I have to enable any specific ports?
Just SNMP will usually do (UDP port 161). Typically you would allow UDP 161 as a destination port. Source ports will be greater than 1024. Only allow SNMP in the direction required.

I assume you'll be monitoring a router connecting to an untrusted network, so be careful as to what you allow back in. If in doubt, don't allow anything at first; try cfgmaker / mrtg against the router and watch to see the drops in your firewall logs. Create the firewall rules only to pass the SNMP traffic that you see being dropped between your mrtg host and the router.

Make sure your router has strong community strings (not public / private) and preferably read-only access that is restricted to the mrtg host IP address with local access lists as well (this is especially the case if your router is connected to the internet).

--
Thanks,
Don Harvie
Snr Network & Firewall Engineer, Telstra Internetworking Solutions
Level 3, 112 Talavera Rd, North Ryde NSW 2113, Australia
Ph +61 2 9882 5963  Fax +61 2 9882 5993  Mob +61 417 411 427
Email [EMAIL PROTECTED]  [EMAIL PROTECTED] (personal)
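The "watch the drops, then write rules only for what you see" procedure above, as an added example that is not part of the original thread: it parses netfilter-style DROP log lines (constructed sample data), keeps only UDP/161 traffic between an assumed mrtg host (192.0.2.10) and router (198.51.100.1) with a high source port, and turns what it finds into the minimal iptables rules; unrelated drops, such as SNMP replies from some other address, produce no rule.

```python
import re
from collections import Counter

MRTG_HOST = "192.0.2.10"    # assumed monitoring host (constructed address)
ROUTER = "198.51.100.1"     # assumed router behind the firewall (constructed)

# Constructed netfilter-style drop log lines, for illustration only.
SAMPLE_LOG = """\
Jan  1 10:00:01 fw kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.1 PROTO=UDP SPT=45678 DPT=161 LEN=60
Jan  1 10:00:01 fw kernel: DROP IN=eth1 OUT=eth0 SRC=198.51.100.1 DST=192.0.2.10 PROTO=UDP SPT=161 DPT=45678 LEN=120
Jan  1 10:00:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=198.51.100.1 DST=192.0.2.10 PROTO=UDP SPT=161 DPT=45679 LEN=120
Jan  1 10:00:07 fw kernel: DROP IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=161 DPT=45678 LEN=120
Jan  1 10:00:09 fw kernel: DROP IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP SPT=51000 DPT=23 LEN=60
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
REQUIRED = {"SRC", "DST", "PROTO", "SPT", "DPT"}

def parse_drop(line):
    """Extract the 5-tuple from a DROP log line; None for anything else."""
    if " DROP " not in line:
        return None
    f = dict(FIELD.findall(line))
    if not REQUIRED.issubset(f):
        return None
    return {"src": f["SRC"], "dst": f["DST"], "proto": f["PROTO"],
            "spt": int(f["SPT"]), "dpt": int(f["DPT"])}

def classify(d):
    """'query' = mrtg host -> router UDP/161 from a port > 1024,
    'reply' = router UDP/161 -> mrtg host high port, else None."""
    if d is None or d["proto"] != "UDP":
        return None
    if d["src"] == MRTG_HOST and d["dst"] == ROUTER and d["dpt"] == 161 and d["spt"] > 1024:
        return "query"
    if d["src"] == ROUTER and d["dst"] == MRTG_HOST and d["spt"] == 161 and d["dpt"] > 1024:
        return "reply"
    return None

def suggest_rules(log_text):
    """Count the SNMP drops seen and emit only the rules they justify."""
    counts = Counter(classify(parse_drop(l)) for l in log_text.splitlines())
    rules = []
    if counts["query"]:
        rules.append(f"iptables -A FORWARD -p udp -s {MRTG_HOST} -d {ROUTER} "
                     f"--sport 1025:65535 --dport 161 -j ACCEPT")
    if counts["reply"]:  # on a stateful firewall an ESTABLISHED rule covers this instead
        rules.append(f"iptables -A FORWARD -p udp -s {ROUTER} -d {MRTG_HOST} "
                     f"--sport 161 --dport 1025:65535 -j ACCEPT")
    return counts, rules

if __name__ == "__main__":
    counts, rules = suggest_rules(SAMPLE_LOG)
    print(dict(counts))
    print("\n".join(rules))
```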
