Can't Poll SNMP

Discussion in 'Cisco' started by pdyne@hotmail.com, Jun 19, 2007.

  1. Guest

    Greetings,
    Having a little nail chewer here and I was hoping someone could shed
    some expert advice. Config is working great but I can't seem to enable
    or allow SNMP on this router. My SNMP server keeps on saying it can't
    contact the device. I'm using the serial0 IP address (1.1.1.1). Any
    information would be greatly appreciated.



    interface Serial0
    ip address 1.1.1.1 255.255.255.252
    ip access-group 101 in
    ip nat outside

    !
    ip nat pool jad 5.5.5.5 5.5.5.5 netmask 255.255.255.248
    ip nat inside source list 1 pool jad overload
    ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 23 extendable
    ip nat inside source static 192.168.1.4 6.6.6.6
    ip nat inside source static 192.168.1.3 2.2.2.2
    ip classless
    ip route 0.0.0.0 0.0.0.0 1.1.1.2
    no ip http server
    !
    !
    access-list 1 permit any
    access-list 101 permit ip any host 1.1.1.1
    access-list 101 permit tcp any host 2.2.2.2 eq www
    access-list 101 permit tcp any host 2.2.2.2 eq 443
    access-list 101 permit tcp any host 2.2.2.2 eq pop3
    access-list 101 permit tcp any host 2.2.2.2 eq 1723
    access-list 101 permit udp any host 2.2.2.2 eq 1723
    access-list 101 permit tcp any host 2.2.2.2 eq 3389
    access-list 101 permit udp any host 2.2.2.2 eq 444
    access-list 101 permit gre any host 2.2.2.2
    access-list 101 permit tcp any host 6.6.6.6 eq www
    access-list 101 permit tcp any host 6.6.6.6 eq ftp
    access-list 101 deny ip any any
    snmp-server community public RO
    , Jun 19, 2007
    #1

  2. Chris Guest

    On Tue, 19 Jun 2007 13:20:27 -0700, wrote:

    > Greetings,
    > Having a little nail chewer here and I was hoping someone could shed
    > some expert advice. Config is working great but I can't seem to enable
    > or allow SNMP on this router. My SNMP server keeps on saying it can't
    > contact the device. I'm using the serial0 IP address (1.1.1.1). Any
    > information would be greatly appreciated.
    >
    >
    >
    > interface Serial0
    > ip address 1.1.1.1 255.255.255.252
    > ip access-group 101 in
    > ip nat outside
    >
    > !
    > ip nat pool jad 5.5.5.5 5.5.5.5 netmask 255.255.255.248
    > ip nat inside source list 1 pool jad overload
    > ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 23 extendable
    > ip nat inside source static 192.168.1.4 6.6.6.6
    > ip nat inside source static 192.168.1.3 2.2.2.2
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 1.1.1.2
    > no ip http server
    > !
    > !
    > access-list 1 permit any
    > access-list 101 permit ip any host 1.1.1.1
    > access-list 101 permit tcp any host 2.2.2.2 eq www
    > access-list 101 permit tcp any host 2.2.2.2 eq 443
    > access-list 101 permit tcp any host 2.2.2.2 eq pop3
    > access-list 101 permit tcp any host 2.2.2.2 eq 1723
    > access-list 101 permit udp any host 2.2.2.2 eq 1723
    > access-list 101 permit tcp any host 2.2.2.2 eq 3389
    > access-list 101 permit udp any host 2.2.2.2 eq 444
    > access-list 101 permit gre any host 2.2.2.2
    > access-list 101 permit tcp any host 6.6.6.6 eq www
    > access-list 101 permit tcp any host 6.6.6.6 eq ftp
    > access-list 101 deny ip any any
    > snmp-server community public RO


    You don't say where your snmp server is? Is it on the inside network or on
    the outside? Can you ping from the snmp server to the router?

    Chris.
    Chris, Jun 19, 2007
    #2

  3. Trendkill Guest

    On Jun 19, 4:20 pm, wrote:
    > Greetings,
    > Having a little nail chewer here and I was hoping someone could shed
    > some expert advice. Config is working great but I can't seem to enable
    > or allow SNMP on this router. My SNMP server keeps on saying it can't
    > contact the device. I'm using the serial0 IP address (1.1.1.1). Any
    > information would be greatly appreciated.
    >
    > interface Serial0
    > ip address 1.1.1.1 255.255.255.252
    > ip access-group 101 in
    > ip nat outside
    >
    > !
    > ip nat pool jad 5.5.5.5 5.5.5.5 netmask 255.255.255.248
    > ip nat inside source list 1 pool jad overload
    > ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 23 extendable
    > ip nat inside source static 192.168.1.4 6.6.6.6
    > ip nat inside source static 192.168.1.3 2.2.2.2
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 1.1.1.2
    > no ip http server
    > !
    > !
    > access-list 1 permit any
    > access-list 101 permit ip any host 1.1.1.1
    > access-list 101 permit tcp any host 2.2.2.2 eq www
    > access-list 101 permit tcp any host 2.2.2.2 eq 443
    > access-list 101 permit tcp any host 2.2.2.2 eq pop3
    > access-list 101 permit tcp any host 2.2.2.2 eq 1723
    > access-list 101 permit udp any host 2.2.2.2 eq 1723
    > access-list 101 permit tcp any host 2.2.2.2 eq 3389
    > access-list 101 permit udp any host 2.2.2.2 eq 444
    > access-list 101 permit gre any host 2.2.2.2
    > access-list 101 permit tcp any host 6.6.6.6 eq www
    > access-list 101 permit tcp any host 6.6.6.6 eq ftp
    > access-list 101 deny ip any any
    > snmp-server community public RO


    Try creating a read or read/write string and using that. I also
    recommend using a source interface of your loopback, presuming you
    have one. Secondly, you have an access list that is only allowing
    traffic in from the IPs listed in ACL 101. Is your SNMP server
    enabled in that list? If not, there is an implicit deny and it will
    be blocked.
    Trendkill, Jun 20, 2007
    #3
  4. On Tue, 19 Jun 2007 13:20:27 -0700, pdyne wrote:

    > Greetings,
    > Having a little nail chewer here and I was hoping someone could shed
    > some expert advice. Config is working great but I can't seem to enable
    > or allow SNMP on this router. My SNMP server keeps on saying it can't
    > contact the device. I'm using the serial0 IP address (1.1.1.1). Any
    > information would be greatly appreciated.
    >
    >
    >
    > interface Serial0
    > ip address 1.1.1.1 255.255.255.252
    > ...
    > ip nat outside
    >
    > !
    > ip nat inside source list 1 pool jad overload
    > !
    > access-list 1 permit any


    There is a reason why they have an ACL in the nat config, and that's so
    you can properly specify which traffic should, and should not, be natted.

    By saying all traffic is eligible for nat, you've invited the router to
    meddle with things such as responses from your SNMP server, and modify the
    packets so they aren't recognised when they arrive at your client.

    --
    Rgds,
    Martin
    Martin Gallagher, Jun 20, 2007
    #4
  5. Guest

    On Jun 19, 6:22 pm, Chris <> wrote:
    > On Tue, 19 Jun 2007 13:20:27 -0700, wrote:
    > > Greetings,
    > > Having a little nail chewer here and I was hoping someone could shed
    > > some expert advice. Config is working great but I can't seem to enable
    > > or allow SNMP on this router. My SNMP server keeps on saying it can't
    > > contact the device. I'm using the serial0 IP address (1.1.1.1). Any
    > > information would be greatly appreciated.

    >
    > > interface Serial0
    > > ip address 1.1.1.1 255.255.255.252
    > > ip access-group 101 in
    > > ip nat outside

    >
    > > !
    > > ip nat pool jad 5.5.5.5 5.5.5.5 netmask 255.255.255.248
    > > ip nat inside source list 1 pool jad overload
    > > ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 23 extendable
    > > ip nat inside source static 192.168.1.4 6.6.6.6
    > > ip nat inside source static 192.168.1.3 2.2.2.2
    > > ip classless
    > > ip route 0.0.0.0 0.0.0.0 1.1.1.2
    > > no ip http server
    > > !
    > > !
    > > access-list 1 permit any
    > > access-list 101 permit ip any host 1.1.1.1
    > > access-list 101 permit tcp any host 2.2.2.2 eq www
    > > access-list 101 permit tcp any host 2.2.2.2 eq 443
    > > access-list 101 permit tcp any host 2.2.2.2 eq pop3
    > > access-list 101 permit tcp any host 2.2.2.2 eq 1723
    > > access-list 101 permit udp any host 2.2.2.2 eq 1723
    > > access-list 101 permit tcp any host 2.2.2.2 eq 3389
    > > access-list 101 permit udp any host 2.2.2.2 eq 444
    > > access-list 101 permit gre any host 2.2.2.2
    > > access-list 101 permit tcp any host 6.6.6.6 eq www
    > > access-list 101 permit tcp any host 6.6.6.6 eq ftp
    > > access-list 101 deny ip any any
    > > snmp-server community public RO

    >
    > You don't say where your snmp server is? Is it on the inside network or on
    > the outside? Can you ping from the snmp server to the router?
    >
    > Chris.


    I tried that but no luck,
    , Jun 20, 2007
    #5
  6. Guest

    On Jun 20, 7:12 am, Trendkill <> wrote:
    > On Jun 19, 4:20 pm, wrote:
    >
    >
    >
    >
    >
    > > Greetings,
    > > Having a little nail chewer here and I was hoping someone could shed
    > > some expert advice. Config is working great but I can't seem to enable
    > > or allow SNMP on this router. My SNMP server keeps on saying it can't
    > > contact the device. I'm using the serial0 IP address (1.1.1.1). Any
    > > information would be greatly appreciated.

    >
    > > interface Serial0
    > > ip address 1.1.1.1 255.255.255.252
    > > ip access-group 101 in
    > > ip nat outside

    >
    > > !
    > > ip nat pool jad 5.5.5.5 5.5.5.5 netmask 255.255.255.248
    > > ip nat inside source list 1 pool jad overload
    > > ip nat inside source static tcp 1.1.1.1 23 1.1.1.1 23 extendable
    > > ip nat inside source static 192.168.1.4 6.6.6.6
    > > ip nat inside source static 192.168.1.3 2.2.2.2
    > > ip classless
    > > ip route 0.0.0.0 0.0.0.0 1.1.1.2
    > > no ip http server
    > > !
    > > !
    > > access-list 1 permit any
    > > access-list 101 permit ip any host 1.1.1.1
    > > access-list 101 permit tcp any host 2.2.2.2 eq www
    > > access-list 101 permit tcp any host 2.2.2.2 eq 443
    > > access-list 101 permit tcp any host 2.2.2.2 eq pop3
    > > access-list 101 permit tcp any host 2.2.2.2 eq 1723
    > > access-list 101 permit udp any host 2.2.2.2 eq 1723
    > > access-list 101 permit tcp any host 2.2.2.2 eq 3389
    > > access-list 101 permit udp any host 2.2.2.2 eq 444
    > > access-list 101 permit gre any host 2.2.2.2
    > > access-list 101 permit tcp any host 6.6.6.6 eq www
    > > access-list 101 permit tcp any host 6.6.6.6 eq ftp
    > > access-list 101 deny ip any any
    > > snmp-server community public RO

    >
    > Try creating a read or read/write string and using that. I also
    > recommend using a source interface of your loopback, presuming you
    > have one. Secondly, you have an access list that is only allowing
    > traffic in from the IPs listed in ACL 101. Is your SNMP server
    > enabled in that list? If not, there is an implicit deny and it will
    > be blocked.


    access-list 101 permit ip any host 1.1.1.1 <--- I have this ACL to
    allow anything to the serial0 IP (1.1.1.1). I'll try the RW next.
    , Jun 20, 2007
    #6
  7. Guest

    On Jun 20, 8:44 am, Martin Gallagher <>
    wrote:
    > On Tue, 19 Jun 2007 13:20:27 -0700, pdyne wrote:
    > > Greetings,
    > > Having a little nail chewer here and I was hoping someone could shed
    > > some expert advice. Config is working great but I can't seem to enable
    > > or allow SNMP on this router. My SNMP server keeps on saying it can't
    > > contact the device. I'm using the serial0 IP address (1.1.1.1). Any
    > > information would be greatly appreciated.

    >
    > > interface Serial0
    > > ip address 1.1.1.1 255.255.255.252
    > > ...
    > > ip nat outside

    >
    > > !
    > > ip nat inside source list 1 pool jad overload
    > > !
    > > access-list 1 permit any

    >
    > There is a reason why they have an ACL in the nat config, and that's so
    > you can properly specify which traffic should, and should not, be natted.
    >
    > By saying all traffic is eligible for nat, you've invited the router to
    > meddle with things such as responses from your SNMP server, and modify the
    > packets so they aren't recognised when they arrive at your client.
    >
    > --
    > Rgds,
    > Martin


    the SNMP server is in a remote location. What modification do you
    suggest?
    , Jun 20, 2007
    #7
  8. On Wed, 20 Jun 2007 08:24:52 -0700, pdyne wrote:

    >
    > the SNMP server is in a remote location. What modification do you
    > suggest?


    The router is configured with snmp-server commands so it seems to think
    of itself as a server too.

    You have static translations for 192.168.1.[34] so if I guess your
    internal network is 192.168.1.0/24, then an appropriate NAT ACL would be

    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    !

    You already have a static translation for 1.1.1.1:23 to 1.1.1.1:23 so it
    seems you have almost discovered this for yourself. Another symptom of an
    over broad ACL is an inability to telnet to the router outside i/f from
    outside.

    --
    Rgds,
    Martin
    Martin Gallagher, Jun 21, 2007
    #8
  9. Guest

    On Jun 21, 5:37 am, Martin Gallagher <>
    wrote:
    > On Wed, 20 Jun 2007 08:24:52 -0700, pdyne wrote:
    >
    > > the SNMP server is in a remote location. What modification do you
    > > suggest?

    >
    > The router is configured with snmp-server commands so it seems to think
    > of itself as a server too.
    >
    > You have static translations for 192.168.1.[34] so if I guess your
    > internal network is 192.168.1.0/24, then an appropriate NAT ACL would be
    >
    > !
    > access-list 1 permit 192.168.1.0 0.0.0.255
    > !
    >
    > You already have a static translation for 1.1.1.1:23 to 1.1.1.1:23 so it
    > seems you have almost discovered this for yourself. Another symptom of an
    > over broad ACL is an inability to telnet to the router outside i/f from
    > outside.
    >
    > --
    > Rgds,
    > Martin


    Hi Martin,
    So just to confirm, if I specify the allowed subnet to nat, I can remove
    the 1.1.1.1:23 to 1.1.1.1:23 ?

    Thanks,
    , Jun 27, 2007
    #9
  10. On Wed, 27 Jun 2007 08:15:00 -0700, pdyne wrote:

    > So just to confirm, if I specify the allowed subnet to nat, I can remove
    > the 1.1.1.1:23 to 1.1.1.1:23 ?


    Yep. As long as the NAT ACL doesn't match 1.1.1.1, you should be good
    to go.

    --
    Rgds,
    Martin
    Martin Gallagher, Jun 28, 2007
    #10
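
The condition stated in #8 and #10 (the NAT ACL must not match 1.1.1.1) can be checked offline. This is an added example, not part of the original thread: a small standard-ACL wildcard-mask matcher run against the thread's original `access-list 1 permit any` and the suggested `access-list 1 permit 192.168.1.0 0.0.0.255`. The function names are hypothetical, and the 192.168.1.0/24 inside network is the guess made in #8.

```python
import ipaddress

# ACL lines taken from the thread: the original NAT ACL and the one suggested in #8.
ORIGINAL = "access-list 1 permit any"
SUGGESTED = "access-list 1 permit 192.168.1.0 0.0.0.255"

def parse_standard_acl(config, number):
    """Return [(action, address_int, wildcard_int), ...] for one numbered standard ACL."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != str(number):
            continue  # not an entry of the ACL we were asked about
        action, rest = tok[2], tok[3:]
        if rest[0] == "any":
            addr, wild = 0, 0xFFFFFFFF          # every bit is "don't care"
        elif rest[0] == "host":
            addr, wild = int(ipaddress.IPv4Address(rest[1])), 0
        else:
            addr = int(ipaddress.IPv4Address(rest[0]))
            # A bare address with no wildcard mask matches that single host.
            wild = int(ipaddress.IPv4Address(rest[1])) if len(rest) > 1 else 0
        entries.append((action, addr, wild))
    return entries

def acl_permits(entries, source):
    """First-match evaluation; wildcard bits set to 1 are ignored in the compare."""
    src = int(ipaddress.IPv4Address(source))
    for action, addr, wild in entries:
        if (src | wild) == (addr | wild):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

def nat_eligible(config, sources, number=1):
    """Map each source address to whether the NAT ACL selects it for translation."""
    entries = parse_standard_acl(config, number)
    return {s: acl_permits(entries, s) for s in sources}

if __name__ == "__main__":
    hosts = ["1.1.1.1", "192.168.1.3", "192.168.1.4"]
    print("original :", nat_eligible(ORIGINAL, hosts))
    print("suggested:", nat_eligible(SUGGESTED, hosts))
```
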
