snmp through netscreen 5gt



jeff@surofsky.net
04-25-08, 10:30 AM
Hello,

I have 2 servers behind a netscreen 5gt firewall, they are (DMZ)
192.168.100.2 and (Trusted) 192.168.200.2

I need to be able to do snmp queries on BOTH servers so I need to do
port redirection. I also need to do snmp queries on the netscreen
itself.

I setup a VIP for port 60161 to be forwarded to 161 on 192.168.100.2
but it is not working.

The netscreen has a class A ip address on the untrusted side.

Did I miss a step?

thanks

jeff

Alan Strassberg
04-25-08, 10:38 AM
In article <ac7f8fc0-edac-415d-a7d9-fc455fe588cb@26g2000hsk.googlegroups.com>,
<jeff@surofsky.net> wrote:
>Hello,
>
>I have 2 servers behind a netscreen 5gt firewall, they are (DMZ)
>192.168.100.2 and (Trusted) 192.168.200.2
>
>I need to be able to do snmp queries on BOTH servers so I need to do
>port redirection. I also need to do snmp queries on the netscreen
>itself.
>
>I setup a VIP for port 60161 to be forwarded to 161 on 192.168.100.2
>but it is not working.
>
>The netscreen has a class A ip address on the untrusted side.

Did you "set vip multi-port" (save & reboot)?
For the device itself you need to enable on the interface
(e.g. Network > Interface > Trust > Edit - and check the box).
Know debug?

alan

Niles Ferrier
04-25-08, 01:51 PM
On Apr 25, 11:38 am, pale...@sonic.net (Alan Strassberg) wrote:
> In article <ac7f8fc0-edac-415d-a7d9-fc455fe58...@26g2000hsk.googlegroups.com>,
>
> <j...@surofsky.net> wrote:
> >Hello,
>
> >I have 2 servers behind a netscreen 5gt firewall, they are (DMZ)
> >192.168.100.2 and (Trusted) 192.168.200.2
>
> >I need to be able to do snmp queries on BOTH servers so I need to do
> >port redirection. I also need to do snmp queries on the netscreen
> >itself.
>
> >I setup a VIP for port 60161 to be forwarded to 161 on 192.168.100.2
> >but it is not working.
>
> >The netscreen has a class A ip address on the untrusted side.
>
> Did you "set vip multi-port" (save & reboot)?
> For the device itself you need to enable on the interface
> (e.g. Network > Interface > Trust > Edit - and check the box).
> Know debug?
>
> alan

yes, we "set vip multi-port" and rebooted the firewall many times.

We have this setup and working for RDP for both servers on two
different ports for RDP. 8085 and 8086. We modeled the snmp forwarding
the same way.

I have checked the policies log and snmp activity isn't in the log.
however, the system that I am using to test is nagios and is testing
ports 8443 and that is in the log.

Burkhard Ott
04-28-08, 01:46 AM
On Fri, 25 Apr 2008 11:51:19 -0700, Niles Ferrier wrote:

> On Apr 25, 11:38 am, pale...@sonic.net (Alan Strassberg) wrote:
>> In article <ac7f8fc0-edac-415d-a7d9-fc455fe58...@26g2000hsk.googlegroups.com>,
>>
>> <j...@surofsky.net> wrote:
>> >Hello,
[..]
> We have this setup and working for RDP for both servers on two
> different ports for RDP. 8085 and 8086. We modeled the snmp forwarding
> the same way.
>
> I have checked the policies log and snmp activity isn't in the log.
> however, the system that I am using to test is nagios and is testing
> ports 8443 and that is in the log.

You can observe the traffic better with:

set ffilter dst-ip x.x.x.x
debug flow basic
get db stream
or set the snoop filter

So you can see if there comes traffic and what happens with those packets.

regards

Niles Ferrier
05-02-08, 08:51 AM
On Apr 28, 2:46 am, Burkhard Ott <postmas...@derith.de> wrote:
> On Fri, 25 Apr 2008 11:51:19 -0700, Niles Ferrier wrote:
>
>
>
> > On Apr 25, 11:38 am, pale...@sonic.net (Alan Strassberg) wrote:
> >> In article <ac7f8fc0-edac-415d-a7d9-fc455fe58...@26g2000hsk.googlegroups.com>,
>
> >> <j...@surofsky.net> wrote:
> >> >Hello,
> [..]
> > We have this setup and working for RDP for both servers on two
> > different ports for RDP. 8085 and 8086. We modeled the snmp forwarding
> > the same way.
>
> > I have checked the policies log and snmp activity isn't in the log.
> > however, the system that I am using to test is nagios and is testing
> > ports 8443 and that is in the log.
>
> You can observe the traffic better with:
>
> set ffilter dst-ip x.x.x.x
> debug flow basic
> get db stream
> or set the snoop filter
>
> So you can see if there comes traffic and what happens with those packets.
>
> regards

I ended up changing the snmp port on the servers and the redirection
works fine. I was thinking that maybe it had to do with the fact that
we want to monitor the netscreen itself over 161.

Thanks again.

jeff
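The thread never shows what the monitoring host actually sees on the redirected port versus the firewall's own port 161. The script below is an added example, not code from the thread or from Juniper/NetScreen: a dependency-free SNMPv2c GET probe that hand-encodes a GetRequest for sysDescr.0, sends it to a host:port pair, and decodes the reply, so an operator can confirm from the Nagios side that the VIP port (60161 in the thread) and the device's own 161 each answer. The firewall address 192.0.2.1, the community string "public" and the sample "NetScreen-5GT" reply used for the self-check are constructed placeholders.

```python
"""Minimal SNMPv2c GET probe for checking a redirected SNMP port (added example).

Hand-encodes a GetRequest for sysDescr.0 with BER, sends it over UDP and decodes
the GetResponse, so the check runs with the standard library only. The host,
port and community values in __main__ are constructed placeholders.
"""
import os
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2   # context-specific PDU tags
EXCEPTIONS = {0x80: "noSuchObject", 0x81: "noSuchInstance", 0x82: "endOfMibView"}


def ber_length(n):
    """Short form below 128, long form (0x8N + N length bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload


def encode_int(value):
    """INTEGER in minimal two's-complement form, as BER requires (128 -> 00 80)."""
    size = 1
    while not -(1 << (8 * size - 1)) <= value < (1 << (8 * size - 1)):
        size += 1
    return tlv(0x02, value.to_bytes(size, "big", signed=True))


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_message(pdu_tag, community, request_id, varbinds):
    """SNMPv2c message wrapping one PDU; varbinds are (oid, encoded value) pairs."""
    vbl = b"".join(tlv(0x30, encode_oid(oid) + value) for oid, value in varbinds)
    pdu = encode_int(request_id) + encode_int(0) + encode_int(0) + tlv(0x30, vbl)
    return tlv(0x30, encode_int(1) + tlv(0x04, community.encode()) + tlv(pdu_tag, pdu))


def build_get_request(community, oid, request_id):
    return build_message(GET_REQUEST, community, request_id, [(oid, b"\x05\x00")])  # NULL value


def read_tlv(buf, pos):
    """Return (tag, content bytes, position after this element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_value(tag, raw):
    if tag == 0x04:                                  # OCTET STRING
        return raw.decode("utf-8", "replace")
    if tag in (0x02, 0x41, 0x42, 0x43, 0x46):        # INTEGER, Counter32, Gauge32, TimeTicks, Counter64
        return int.from_bytes(raw, "big", signed=(tag == 0x02))
    if tag == 0x40:                                  # IpAddress
        return ".".join(str(b) for b in raw)
    if tag == 0x05:                                  # NULL
        return None
    return EXCEPTIONS.get(tag, raw)


def parse_message(data):
    _, msg, _ = read_tlv(data, 0)
    _, _version, pos = read_tlv(msg, 0)
    _, community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    _, rid, pos = read_tlv(pdu, 0)
    _, status, pos = read_tlv(pdu, pos)
    _, _index, pos = read_tlv(pdu, pos)
    _, vbl, _ = read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = read_tlv(vbl, pos)
        _, oid_raw, vpos = read_tlv(vb, 0)
        vtag, vraw, _ = read_tlv(vb, vpos)
        varbinds.append((decode_oid(oid_raw), decode_value(vtag, vraw)))
    return {"pdu_tag": pdu_tag, "community": community.decode("utf-8", "replace"),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(status, "big", signed=True), "varbinds": varbinds}


def probe(host, port, community="public", oid=SYS_DESCR, timeout=2.0):
    """Send one GET and return the decoded reply, or None on timeout/mismatch."""
    request_id = int.from_bytes(os.urandom(3), "big")   # random id so stray replies are ignored
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, oid, request_id), (host, port))
        try:
            data, _ = sock.recvfrom(65535)
        except socket.timeout:
            return None
    reply = parse_message(data)
    if reply["pdu_tag"] != GET_RESPONSE or reply["request_id"] != request_id:
        return None
    return reply


if __name__ == "__main__":
    # Constructed placeholders for the thread's layout: the firewall's untrusted
    # address answering on 161 for itself and on the VIP port for the DMZ host.
    for label, target in (("netscreen itself", ("192.0.2.1", 161)),
                          ("DMZ server via VIP", ("192.0.2.1", 60161))):
        reply = probe(*target)
        if reply is None:
            print(f"{label}: no SNMP response (not redirected, blocked, or wrong community)")
        else:
            print(f"{label}: error-status={reply['error_status']} {reply['varbinds']}")
```

A timeout on the VIP port while 161 answers matches the symptom in the thread (no policy log entry because the packets never reach a policy); a reply that carries the firewall's own sysDescr on 60161 would show the redirect is being answered by the device rather than the DMZ host. The request id is randomised and checked on the way back so a delayed reply from an earlier probe is not mistaken for the current one.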