I notice that your ACL for SNMP has no hit counts, but your ICMP does, so I assume that you can ping the PIX from the MRTG server. That leaves me confused and at a loss; however, I still stand by my statement that it will work via the outside interface.

Being this is a lab device, and shouldn't be a security risk, would you mind sharing the entire PIX config, after you edit the passwords and real IPs? Perhaps there's something else affecting the SNMP response.

Also, what version PIX is this and what PIX bin are you running?

Kindest regards,

Joseph Pierini

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 18, 2004 12:36 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: [mrtg] Re: PIX

In a message dated 18/06/2004 15:33:29 E. South America Standard Time, [EMAIL PROTECTED] writes:

With the kindest of regards, I disagree. I have MRTG monitoring all my Cisco PIX firewalls via the outside interface.

Add the following line to your PIX config:

    snmp-server host outside xxx.xxx.xxx.xxx

where xxx.xxx.xxx.xxx is the IP address of your MRTG server.

Ensure that you allow SNMP through the firewall protecting your MRTG server.

Joseph Pierini

Here are the configs for my Cisco in a lab environment:

INTS:

    access-group PERMIT_ICMP in interface outside1
    access-group PERMIT_ICMP in interface inside1

ACL:

    access-list PERMIT_ICMP line 1 permit icmp any any (hitcnt=777)
    access-list PERMIT_ICMP line 16 permit udp any any eq snmp (hitcnt=0)

SNMP:

    snmp-server host outside2 10.10.10.10
    snmp-server location public
    snmp-server contact public
    snmp-server community public
    snmp-server enable traps

and I'm using this line on MRTG:

    /usr/local/mrtg-2/bin/cfgmaker [EMAIL PROTECTED]

The MRTG host is directly connected at the outside interface, and there are no firewalls between the host and the PIX.

This is only for test; if it works I will use the correct MIB for this equipment. And the Public community and IP were changed in the information above.

I still got the error no response received.

Thanks for your help.

Best Regards

================================================
Fabio Al kas
ICNET Network Coordinator
Infrastructure & IT
America OnLine - <http://www.aol.com.br/>
Brazil

--
Unsubscribe mailto:[EMAIL PROTECTED]
Archive     http://www.ee.ethz.ch/~slist/mrtg
FAQ         http://faq.mrtg.org
Homepage    http://www.mrtg.org
WebAdmin    http://www.ee.ethz.ch/~slist/lsg2.cgi
