snmp through netscreen 5gt

Posted by jeff on April 25, 2008, 11:30 am
Hello,

I have 2 servers behind a netscreen 5gt firewall, they are (DMZ)
192.168.100.2 and (Trusted) 192.168.200.2

I need to be able to do snmp queries on BOTH servers so I need to do
port redirection. I also need to do snmp queries on the netscreen
itself.

I setup a VIP for port 60161 to be forwarded to 161 on 192.168.100.2
but it is not working.

The netscreen has a class A ip address on the untrusted side.

Did I miss a step?

thanks

jeff

Posted by Alan Strassberg on April 25, 2008, 11:38 am
>Hello,
>
>I have 2 servers behind a netscreen 5gt firewall, they are (DMZ)
>192.168.100.2 and (Trusted) 192.168.200.2
>
>I need to be able to do snmp queries on BOTH servers so I need to do
>port redirection. I also need to do snmp queries on the netscreen
>itself.
>
>I setup a VIP for port 60161 to be forwarded to 161 on 192.168.100.2
>but it is not working.
>
>The netscreen has a class A ip address on the untrusted side.

        Did you "set vip multi-port" (save & reboot)?
        For the device itself you need to enable on the interface
        (e.g. Network > Interface > Trust > Edit - and check the box).
        Know debug?

                                        alan

Posted by Niles Ferrier on April 25, 2008, 2:51 pm
On Apr 25, 11:38 am, pale...@sonic.net (Alan Strassberg) wrote:
>
> >Hello,
>
> >I have 2 servers behind a netscreen 5gt firewall, they are (DMZ)
> >192.168.100.2 and (Trusted) 192.168.200.2
>
> >I need to be able to do snmp queries on BOTH servers so I need to do
> >port redirection. I also need to do snmp queries on the netscreen
> >itself.
>
> >I setup a VIP for port 60161 to be forwarded to 161 on 192.168.100.2
> >but it is not working.
>
> >The netscreen has a class A ip address on the untrusted side.
>
> Did you "set vip multi-port" (save & reboot)?
> For the device itself you need to enable on the interface
> (e.g. Network > Interface > Trust > Edit - and check the box).
> Know debug?
>
> alan

Yes, we "set vip multi-port" and rebooted the firewall many times.

We have this setup and working for RDP for both servers on two
different ports for RDP. 8085 and 8086. We modeled the snmp forwarding
the same way.

I have checked the policies log and snmp activity isn't in the log.
However, the system that I am using to test is nagios and is testing
ports 8443 and that is in the log.


Posted by Burkhard Ott on April 28, 2008, 2:46 am
On Fri, 25 Apr 2008 11:51:19 -0700, Niles Ferrier wrote:

> On Apr 25, 11:38 am, pale...@sonic.net (Alan Strassberg) wrote:
>>
>> >Hello,
[..]
> We have this setup and working for RDP for both servers on two
> different ports for RDP. 8085 and 8086. We modeled the snmp forwarding
> the same way.
>
> I have checked the policies log and snmp activity isn't in the log.
> However, the system that I am using to test is nagios and is testing
> ports 8443 and that is in the log.

You can observe the traffic better with:

set ffilter dst-ip x.x.x.x
debug flow basic
get db stream
or set the snoop filter

So you can see whether traffic arrives and what happens with those packets.

regards

Posted by Niles Ferrier on May 2, 2008, 9:51 am
> On Fri, 25 Apr 2008 11:51:19 -0700, Niles Ferrier wrote:
>
>
>
> > On Apr 25, 11:38 am, pale...@sonic.net (Alan Strassberg) wrote:
> >> In article
>
> >> >Hello,
> [..]
> > We have this setup and working for RDP for both servers on two
> > different ports for RDP. 8085 and 8086. We modeled the snmp forwarding
> > the same way.
>
> > I have checked the policies log and snmp activity isn't in the log.
> > However, the system that I am using to test is nagios and is testing
> > ports 8443 and that is in the log.
>
> You can observe the traffic better with:
>
> set ffilter dst-ip x.x.x.x
> debug flow basic
> get db stream
> or set the snoop filter
>
> So you can see whether traffic arrives and what happens with those packets.
>
> regards

I ended up changing the snmp port on the servers and the redirection
works fine. I was thinking that maybe it had to do with the fact that
we want to monitor the netscreen itself over 161.

Thanks again.

jeff
