
Can't Poll SNMP


pd...@hotmail.com

Jun 19, 2007, 4:20:27 PM
Greetings,
Having a little nail chewer here and I was hoping someone could shed
some expert advice. Config is working great but I can't seem to enable
or allow SNMP on this router. My SNMP server keeps on saying it can't
contact the device. I'm using the serial0 IP address (1.1.1.1). Any
information would be greatly appreciated.

interface Serial0
ip address 1.1.1.1 255.255.255.252
ip access-group 101 in
ip nat outside

!
ip nat pool jad 5.5.5.5 5.5.5.5 netmask 255.255.255.248
ip nat inside source list 1 pool jad overload
ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 23 extendable
ip nat inside source static 192.168.1.4 6.6.6.6
ip nat inside source static 192.168.1.3 2.2.2.2
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.2
no ip http server
!
!
access-list 1 permit any
access-list 101 permit ip any host 1.1.1.1
access-list 101 permit tcp any host 2.2.2.2 eq www
access-list 101 permit tcp any host 2.2.2.2 eq 443
access-list 101 permit tcp any host 2.2.2.2 eq pop3
access-list 101 permit tcp any host 2.2.2.2 eq 1723
access-list 101 permit udp any host 2.2.2.2 eq 1723
access-list 101 permit tcp any host 2.2.2.2 eq 3389
access-list 101 permit udp any host 2.2.2.2 eq 444
access-list 101 permit gre any host 2.2.2.2
access-list 101 permit tcp any host 6.6.6.6 eq www
access-list 101 permit tcp any host 6.6.6.6 eq ftp
access-list 101 deny ip any any
snmp-server community public RO

Chris

Jun 19, 2007, 6:22:32 PM

You don't say where your snmp server is? Is it on the inside network or on
the outside? Can you ping from the snmp server to the router?

Chris.

Trendkill

Jun 20, 2007, 7:12:40 AM

Try creating a read or read/write string and using that. I also
recommend using a source interface of your loopback, presuming you
have one. Secondly, you have an access list that is only allowing
traffic in from the IPs listed in ACL 101. Is your SNMP server
enabled in that list? If not, there is an implicit deny and it will
be blocked.

Martin Gallagher

Jun 20, 2007, 8:44:22 AM
On Tue, 19 Jun 2007 13:20:27 -0700, pdyne wrote:

> Greetings,
> Having a little nail chewer here and I was hoping someone could shed
> some expert advice. Config is working great but I can't seem to enable
> or allow SNMP on this router. My SNMP server keeps on saying it can't
> contact the device. I'm using the serial0 IP address (1.1.1.1). Any
> information would be greatly appreciated.
>
>
>
> interface Serial0
> ip address 1.1.1.1 255.255.255.252

> ...
> ip nat outside
>
> !


> ip nat inside source list 1 pool jad overload

> !
> access-list 1 permit any

There is a reason why they have an ACL in the nat config, and that's so
you can properly specify which traffic should, and should not, be natted.

By saying all traffic is eligible for nat, you've invited the router to
meddle with things such as responses from your SNMP server, and modify the
packets so they aren't recognised when they arrive at your client.

--
Rgds,
Martin

pd...@hotmail.com

Jun 20, 2007, 11:21:11 AM
On Jun 19, 6:22 pm, Chris <mandrake...@hotmail.com> wrote:
> Chris.

I tried that but no luck,

pd...@hotmail.com

Jun 20, 2007, 11:22:43 AM
> be blocked.

access-list 101 permit ip any host 1.1.1.1 <--- I have this ACL to
allow anything to the serial0 IP (1.1.1.1). I'll try the RW next.

pd...@hotmail.com

Jun 20, 2007, 11:24:52 AM
On Jun 20, 8:44 am, Martin Gallagher <mgall...@notme.zeta.org.au>
wrote:
> Martin

the SNMP server is in a remote location. What modification do you
suggest?

Martin Gallagher

Jun 21, 2007, 5:37:05 AM
On Wed, 20 Jun 2007 08:24:52 -0700, pdyne wrote:

>
> the SNMP server is in a remote location. What modification do you
> suggest?

The router is configured with snmp-server commands so it seems to think
of itself as a server too.

You have static translations for 192.168.1.[34] so if I guess your
internal network is 192.168.1.0/24, then an appropriate NAT ACL would be

!
access-list 1 permit 192.168.1.0 0.0.0.255
!

You already have a static translation for 1.1.1.1:23 to 1.1.1.1:23 so it
seems you have almost discovered this for yourself. Another symptom of an
over broad ACL is an inability to telnet to the router outside i/f from
outside.

--
Rgds,
Martin

pd...@hotmail.com

Jun 27, 2007, 11:15:00 AM
On Jun 21, 5:37 am, Martin Gallagher <mgall...@notme.zeta.org.au>
wrote:

Hi Martin,
So just to confirm, if I specify the allowed subnet to NAT, I can remove
the 1.1.1.1:23 to 1.1.1.1:23?

Thanks,

Martin Gallagher

Jun 28, 2007, 8:12:11 AM
On Wed, 27 Jun 2007 08:15:00 -0700, pdyne wrote:

> So just to confirm, if I specify the allowed subnet to NAT, I can remove
> the 1.1.1.1:23 to 1.1.1.1:23?

Yep. As long as the NAT ACL doesn't match 1.1.1.1, you should be good
to go.

--
Rgds,
Martin
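
Added example, not part of the original thread: a small Python check for the condition discussed above, that the standard ACL used as the NAT source list must not match the router's own outside address. The ACL lines and the 1.1.1.1 address are copied from the posts as sample input; the function names are hypothetical, and only `any`, `host A` and `A WILDCARD` source forms are handled.

```python
import ipaddress

# Sample input constructed from the configs quoted in the thread.
ORIGINAL_NAT_ACL = ["access-list 1 permit any"]
SUGGESTED_NAT_ACL = ["access-list 1 permit 192.168.1.0 0.0.0.255"]
ROUTER_OUTSIDE_IP = "1.1.1.1"  # Serial0 address from the thread


def parse_standard_ace(line):
    """Parse 'access-list N permit|deny any | host A | A [WILDCARD]'.

    Returns (action, base, wildcard) with addresses as 32-bit integers.
    """
    tok = line.split()
    if len(tok) < 4 or tok[2] not in ("permit", "deny"):
        raise ValueError(f"not a standard ACL entry: {line!r}")
    action, src = tok[2], tok[3:]
    if src[0] == "any":
        return action, 0, 0xFFFFFFFF
    if src[0] == "host":
        return action, int(ipaddress.IPv4Address(src[1])), 0
    base = int(ipaddress.IPv4Address(src[0]))
    wild = int(ipaddress.IPv4Address(src[1])) if len(src) > 1 else 0
    return action, base, wild


def acl_action(lines, acl_number, address):
    """First-match evaluation of one numbered ACL; implicit deny at the end."""
    addr = int(ipaddress.IPv4Address(address))
    prefix = f"access-list {acl_number} "
    for line in lines:
        if not line.strip().startswith(prefix):
            continue  # entry belongs to another ACL or is another command
        action, base, wild = parse_standard_ace(line.strip())
        care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
        if addr & care == base & care:
            return action
    return "deny"


def nat_list_matches_router(lines, acl_number, router_ip):
    """True if the NAT source list would also translate the router's own IP."""
    return acl_action(lines, acl_number, router_ip) == "permit"


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_NAT_ACL), ("suggested", SUGGESTED_NAT_ACL)):
        hit = nat_list_matches_router(acl, 1, ROUTER_OUTSIDE_IP)
        print(f"{name}: NAT ACL matches {ROUTER_OUTSIDE_IP}: {hit}")
```
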
