Hello,
I'm having some difficulties in getting SNMP working from the untrust side.
I'm trying to get PING, SSH, and SNMP working over the internet connection (at-2/0/0)
What I'm trying to accomplish is:
ping permitted from prefix-list allow_ext_icmp_in
and
ssh/snmp permitted from prefix-list allow_ext_snmp_in
I can confirm that ping is working as expected, as is ssh access. However, any attempt at SNMP fails/times out:
root@cacti:~$ snmpwalk -v 2c -c MyCommunityString my.public.ip
Timeout: No Response from my.public.ip
I know that the issue is not related to a firewall at the remote monitoring side, as I can get SNMP working without an issue if I connect my Cisco 857.
I've looked through other forum posts trying to find an answer, but most of these seem to relate to not having snmp within host-inbound-traffic, which I think I've got right?
I've included config snippets which I think are relevant, but if there's anything else you wish to see, please let me know.
I would greatly appreciate any feedback/input from anyone who can tell me where I've gone wrong, as I'm a little stuck and out of ideas.
bcummings@srx320> show version
Hostname: srx320
Model: srx320
Junos: 15.1X49-D75.5
JUNOS Software Release [15.1X49-D75.5]

bcummings@srx320> show configuration security zones security-zone untrust
screen untrust-screen;
host-inbound-traffic {
    system-services {
        ping;
        ssh;
        snmp;
    }
}
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                dhcp;
                tftp;
            }
        }
    }
    at-2/0/0.0 {
        host-inbound-traffic {
            system-services {
                snmp;
                ping;
                ssh;
            }
        }
    }
    pp0.0;
}

bcummings@srx320> show configuration snmp
description "SRX320";
location "My House";
contact "meh@devnull";
community MyCommunityString {
    authorization read-only;
}
routing-instance-access;
bcummings@srx320> show configuration firewall family inet filter WAN-Incoming
term Allow-ICMP-Known {
    from {
        source-address {
            192.168.2.0/24;
        }
        source-prefix-list {
            allow_ext_icmp_in;
        }
        protocol icmp;
        icmp-type [ echo-request echo-reply unreachable time-exceeded source-quench ];
    }
    then accept;
}
term Deny-ICMP-Other {
    from {
        protocol icmp;
    }
    then {
        log;
        discard;
    }
}
term Allow-SSH-Known {
    from {
        source-prefix-list {
            allow_ext_snmp_in;
        }
        protocol tcp;
        port ssh;
    }
    then accept;
}
term Deny-SSH-Other {
    from {
        protocol tcp;
        port ssh;
    }
    then {
        log;
        discard;
    }
}
term Allow-SNMP-Known {
    from {
        source-prefix-list {
            allow_ext_snmp_in;
        }
        protocol udp;
        destination-port snmp;
    }
    then accept;
}
term Deny-SNMP-Other {
    from {
        protocol [ tcp udp ];
        port snmp;
    }
    then {
        log;
        discard;
    }
}
term Allow-All {
    then accept;
}

bcummings@srx320> show configuration policy-options
prefix-list allow_ext_icmp_in {
    46.137.x.x/32;
    69.143.x.x/24;
    69.162.x.x/24;
    122.248.x.x/32;
    180.189.x.x/25;
}
prefix-list allow_ext_snmp_in {
    180.189.x.x/25;
}
bcummings@srx320> show snmp statistics
SNMP statistics:
  Input:
    Packets: 5691, Bad versions: 0, Bad community names: 0,
    Bad community uses: 0, ASN parse errors: 0,
    Too bigs: 0, No such names: 0, Bad values: 0,
    Read onlys: 0, General errors: 0,
    Total request varbinds: 5691, Total set varbinds: 0,
    Get requests: 0, Get nexts: 5691, Set requests: 0,
    Get responses: 0, Traps: 0,
    Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
    Throttle drops: 0, Duplicate request drops: 0
  V3 Input:
    Unknown security models: 0, Invalid messages: 0
    Unknown pdu handlers: 0, Unavailable contexts: 0
    Unknown contexts: 0, Unsupported security levels: 0
    Not in time windows: 0, Unknown user names: 0
    Unknown engine ids: 0, Wrong digests: 0, Decryption errors: 0
  Output:
    Packets: 5691, Too bigs: 0, No such names: 0,
    Bad values: 0, General errors: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 5691, Traps: 0
  Performance:
    Average response time(ms): 397936.09
    Number of requests dispatched to subagents in last:
      1 minute:0, 5 minutes:0, 15 minutes:0
    Number of responses dispatched to NMS in last:
      1 minute:0, 5 minutes:0, 15 minutes:0
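Added example (not part of the original post, and not Juniper code): a small Python script that parses the Junos `show snmp statistics` output quoted above and turns the counters into a first troubleshooting pointer, i.e. whether requests reached the agent at all, were rejected by the community check, went unanswered, were answered slower than the poller waits, or were answered normally so the loss must be on the return path. The embedded sample is a trimmed copy of the poster's counters; the 1000 ms poller timeout is an assumption (net-snmp's default `-t` is 1 second).

```python
import re
from dataclasses import dataclass

# Constructed sample: the poster's `show snmp statistics` counters, trimmed to
# the sections this parser reads.
SAMPLE = """\
SNMP statistics:
  Input:
    Packets: 5691, Bad versions: 0, Bad community names: 0,
    Bad community uses: 0, ASN parse errors: 0,
    Too bigs: 0, No such names: 0, Bad values: 0,
    Read onlys: 0, General errors: 0,
    Total request varbinds: 5691, Total set varbinds: 0,
    Get requests: 0, Get nexts: 5691, Set requests: 0,
    Get responses: 0, Traps: 0,
    Silent drops: 0, Proxy drops: 0, Commit pending drops: 0,
    Throttle drops: 0, Duplicate request drops: 0
  V3 Input:
    Unknown security models: 0, Invalid messages: 0
  Output:
    Packets: 5691, Too bigs: 0, No such names: 0,
    Bad values: 0, General errors: 0,
    Get requests: 0, Get nexts: 0, Set requests: 0,
    Get responses: 5691, Traps: 0
  Performance:
    Average response time(ms): 397936.09
"""

# A section header is a line holding only the section name and a colon.
SECTION_RE = re.compile(r"^\s*(Input|V3 Input|Output|Performance):\s*$")
# "Counter name: value" pairs, several per line, separated by commas.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ()]*?):\s*([0-9]+(?:\.[0-9]+)?)")


def parse_snmp_statistics(text):
    """Return {section: {counter: number}} from 'show snmp statistics' output."""
    stats = {}
    section = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
            stats[section] = {}
            continue
        if section is None:          # preamble such as "SNMP statistics:"
            continue
        for name, value in COUNTER_RE.findall(line):
            stats[section][name.strip()] = float(value) if "." in value else int(value)
    return stats


@dataclass
class SnmpHealth:
    requests_in: int
    responses_out: int
    unanswered: int
    auth_failures: int
    drops: int
    avg_response_ms: float
    verdict: str        # ingress | auth | unanswered | slow | return_path


def assess(stats, timeout_ms=1000.0):
    """Map the counters to the place a troubleshooter should look next.

    timeout_ms is an assumption (net-snmp's default per-request timeout).
    """
    inp = stats.get("Input", {})
    out = stats.get("Output", {})
    perf = stats.get("Performance", {})
    requests_in = (inp.get("Get requests", 0) + inp.get("Get nexts", 0)
                   + inp.get("Set requests", 0))
    responses_out = out.get("Get responses", 0)
    auth_failures = inp.get("Bad community names", 0) + inp.get("Bad community uses", 0)
    drops = sum(v for k, v in inp.items() if k.endswith("drops"))
    avg_ms = float(perf.get("Average response time(ms)", 0))

    if requests_in == 0:
        verdict = "ingress"        # nothing reached snmpd: filter / host-inbound-traffic
    elif auth_failures:
        verdict = "auth"           # packets arrived but the community was rejected
    elif requests_in > responses_out:
        verdict = "unanswered"     # agent received more than it answered
    elif avg_ms > timeout_ms:
        verdict = "slow"           # answered, but after the poller has given up
    else:
        verdict = "return_path"    # answered promptly: egress filter, NAT, routing
    return SnmpHealth(requests_in, responses_out, requests_in - responses_out,
                      auth_failures, drops, avg_ms, verdict)


if __name__ == "__main__":
    print(assess(parse_snmp_statistics(SAMPLE)))
```

The verdict is a pointer, not a diagnosis: it only says which side of the agent the counters rule in or out, so it is meant to be rerun after each change to the filter or the zone configuration.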