snmp through netscreen 5gt - Firewalls

  1. snmp through netscreen 5gt

    Hello,

    I have 2 servers behind a netscreen 5gt firewall, they are (DMZ)
    192.168.100.2 and (Trusted) 192.168.200.2

    I need to be able to do snmp queries on BOTH servers so I need to do
    port redirection. I also need to do snmp queries on the netscreen
    itself.

    I set up a VIP for port 60161 to be forwarded to 161 on 192.168.100.2
    but it is not working.

    The netscreen has a class A ip address on the untrusted side.

    Did I miss a step?

    thanks

    jeff

  2. Re: snmp through netscreen 5gt

    In article ,
    wrote:
    >Hello,
    >
    >I have 2 servers behind a netscreen 5gt firewall, they are (DMZ)
    >192.168.100.2 and (Trusted) 192.168.200.2
    >
    >I need to be able to do snmp queries on BOTH servers so I need to do
    >port redirection. I also need to do snmp queries on the netscreen
    >itself.
    >
    >I set up a VIP for port 60161 to be forwarded to 161 on 192.168.100.2
    >but it is not working.
    >
    >The netscreen has a class A ip address on the untrusted side.


    Did you "set vip multi-port" (save & reboot)?
    For the device itself you need to enable on the interface
    (e.g. Network > Interface > Trust > Edit - and check the box).
    Know debug?

    alan

  3. Re: snmp through netscreen 5gt

    On Apr 25, 11:38 am, pale...@sonic.net (Alan Strassberg) wrote:
    > In article ,
    >
    > wrote:
    > >Hello,

    >
    > >I have 2 servers behind a netscreen 5gt firewall, they are (DMZ)
    > >192.168.100.2 and (Trusted) 192.168.200.2

    >
    > >I need to be able to do snmp queries on BOTH servers so I need to do
    > >port redirection. I also need to do snmp queries on the netscreen
    > >itself.

    >
    > >I set up a VIP for port 60161 to be forwarded to 161 on 192.168.100.2
    > >but it is not working.

    >
    > >The netscreen has a class A ip address on the untrusted side.

    >
    > Did you "set vip multi-port" (save & reboot)?
    > For the device itself you need to enable on the interface
    > (e.g. Network > Interface > Trust > Edit - and check the box).
    > Know debug?
    >
    > alan


    Yes, we "set vip multi-port" and rebooted the firewall many times.

    We have this setup and working for RDP for both servers on two
    different ports for RDP. 8085 and 8086. We modeled the snmp forwarding
    the same way.

    I have checked the policies log and snmp activity isn't in the log.
    However, the system that I am using to test is nagios and is testing
    ports 8443 and that is in the log.


  4. Re: snmp through netscreen 5gt

    On Fri, 25 Apr 2008 11:51:19 -0700, Niles Ferrier wrote:

    > On Apr 25, 11:38 am, pale...@sonic.net (Alan Strassberg) wrote:
    >> In article ,
    >>
    >> wrote:
    >> >Hello,

    [..]
    > We have this setup and working for RDP for both servers on two
    > different ports for RDP. 8085 and 8086. We modeled the snmp forwarding
    > the same way.
    >
    > I have checked the policies log and snmp activity isn't in the log.
    > However, the system that I am using to test is nagios and is testing
    > ports 8443 and that is in the log.


    You can observe the traffic better with:

        set ffilter dst-ip x.x.x.x
        debug flow basic
        get db stream

    or set the snoop filter.

    So you can see if traffic comes in and what happens with those packets.

    regards

  5. Re: snmp through netscreen 5gt

    On Apr 28, 2:46 am, Burkhard Ott wrote:
    > On Fri, 25 Apr 2008 11:51:19 -0700, Niles Ferrier wrote:
    >
    >
    >
    > > On Apr 25, 11:38 am, pale...@sonic.net (Alan Strassberg) wrote:
    > >> In article ,

    >
    > >> wrote:
    > >> >Hello,

    > [..]
    > > We have this setup and working for RDP for both servers on two
    > > different ports for RDP. 8085 and 8086. We modeled the snmp forwarding
    > > the same way.

    >
    > > I have checked the policies log and snmp activity isn't in the log.
    > > However, the system that I am using to test is nagios and is testing
    > > ports 8443 and that is in the log.

    >
    > You can observe the traffic better with:
    >
    > set ffilter dst-ip x.x.x.x
    > debug flow basic
    > get db stream
    > or set the snoop filter
    >
    > So you can see if traffic comes in and what happens with those packets.
    >
    > regards


    I ended up changing the snmp port on the servers and the redirection
    works fine. I was thinking that maybe it had to do with the fact that
    we want to monitor the netscreen itself over 161.

    Thanks again.

    jeff
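
Added example, not part of the original thread: a minimal SNMPv1 GetRequest probe in Python for checking from the outside whether a forwarded UDP port such as the 60161 VIP above answers, for instance while `debug flow basic` is capturing on the firewall. The host and community string passed to `probe` are assumptions supplied by the caller; the default OID is the standard MIB-II sysDescr.0.

```python
import socket

def tlv(tag, payload):  # BER tag-length-value, long-form length from 128 bytes up
    n = len(payload)
    length = bytes([n]) if n < 0x80 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + payload

def ber_int(value):  # non-negative INTEGER; top bit stays clear so it is not read as negative
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]          # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                 # base-128, high bit marks continuation
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def build_get(community, oid="1.3.6.1.2.1.1.1.0", request_id=1):
    # SNMPv1 message: version 0, community, GetRequest PDU (tag 0xA0) with one varbind
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):  # -> (tag, value_start, value_end)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                             # long form: low 7 bits count the length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def is_get_response(data):  # True when the PDU tag is GetResponse (0xA2)
    try:
        tag, pos, _ = read_tlv(data, 0)
        for _ in range(2):                   # skip version and community
            _, _, pos = read_tlv(data, pos)
        return tag == 0x30 and data[pos] == 0xA2
    except IndexError:
        return False

def probe(host, port, community, timeout=2.0):
    """Send one GetRequest over UDP; True only if a GetResponse comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_get(community), (host, port))
            return is_get_response(s.recvfrom(4096)[0])
        except OSError:                      # timeout or ICMP port unreachable
            return False
```

SNMP runs over UDP, so a dropped or unforwarded path shows up only as a timeout: `probe` returning False means no GetResponse arrived, which is the point at which the firewall's flow debug output tells you where the packet went.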
