Re: Managing Firewalls

To: nv-l@lists.tivoli.com
Subject: Re: Managing Firewalls
From: "Owens, Blaine C" <bowens@EASTMAN.COM>
Date: Wed, 21 Jul 1999 15:48:44 -0400
Reply-to: Discussion of IBM NetView and POLYCENTER Manager on NetView <NV-L@UCSBVM.UCSB.EDU>
Sender: Discussion of IBM NetView and POLYCENTER Manager on NetView <NV-L@UCSBVM.UCSB.EDU>
Brad, if you had said Gauntlet firewall I could tell you how to do it :((
Gauntlet by design also blocks ping and SNMP, but I was able to configure the
firewall so that both are permitted from our NetView server (only) to
specific devices on the outside and the DMZ and back. In Gauntlet this is
done by configuring "packet screen" rules. I'm surprised that the Cisco
firewall doesn't have something similar. Seems this would be a fairly common
need.

Blaine Owens
Eastman Chemical Company
Phone - (423)-229-3579
Fax - (423)-229-1188
bowens@eastman.com

> -----Original Message-----
> From: Brad Martin [SMTP:bmartin@METLIFE.COM]
> Sent: Wednesday, July 21, 1999 3:00 PM
> To:   NV-L@UCSBVM.ucsb.edu
> Subject:      Managing Firewalls
>
> Does anyone have experience managing Cisco PIX firewalls? By design, Cisco
> doesn't allow ICMP pings to the Outside and DMZ interfaces. In addition, the
> SNMP agent doesn't support the IP or AT tables (making discovery nearly
> impossible). At present, the firewalls are defined as generic "Connector"
> objects. The non-pingable interfaces were manually added and then unmanaged.
>
> According to Cisco, the only way to determine that everything is OK is to
> send an snmpget to the inside interface requesting the status MIBs in the
> interface table. I can write the scripts to verify status, but I'm not sure
> how to modify the map icons and keep netmon from changing it back.
>
> Brad Martin
> MetLife (212) 578-8884.
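
The status check Brad relays from Cisco (query the inside interface's SNMP agent for the
status columns of the interface table), written out as an added example. This is not code
from either message in the thread. It assumes net-snmp's snmpwalk is installed on the
polling host, that the firewall speaks SNMPv2c with a read-only community, and that its
inside address answers SNMP; FW_INSIDE and COMMUNITY are placeholders, and the sample walk
output embedded in the script is constructed, not captured from a PIX. It only covers the
status query; the map-icon/netmon question is left as Brad posed it.

```shell
#!/bin/sh
# Added example, not from the thread: poll a PIX-style firewall's SNMP agent
# via its inside interface for IF-MIB interface status and flag interfaces
# that are administratively up but not operationally up.
#
# Assumptions (not stated on the page): net-snmp's snmpwalk is installed,
# the agent speaks SNMPv2c with a read-only community, and it answers on the
# inside address. FW_INSIDE and COMMUNITY below are placeholders.

FW_INSIDE="${FW_INSIDE:-192.0.2.1}"   # inside interface address (placeholder)
COMMUNITY="${COMMUNITY:-public}"      # read-only community (placeholder)

# IF-MIB::ifEntry; columns 2=ifDescr, 7=ifAdminStatus, 8=ifOperStatus
IFTABLE_ENTRY=".1.3.6.1.2.1.2.2.1"

# parse_ifstatus: stdin is snmpwalk output in "-On -Oq -Oe" form (numeric
# OIDs, no type/equals noise, enums as integers, so no MIB files are needed),
# e.g. ".1.3.6.1.2.1.2.2.1.7.2 1". Prints one line per ifIndex, sorted:
#   <ifIndex> <admin> <oper> <ifDescr>     (statuses as up/down/testing)
parse_ifstatus() {
    awk -v base="$IFTABLE_ENTRY" '
    function name(v) {
        return (v == 1 ? "up" : (v == 2 ? "down" : (v == 3 ? "testing" : "unknown(" v ")")))
    }
    index($1, (base ".")) != 1 { next }        # ignore anything outside ifEntry
    {
        n = split($1, p, ".")                   # p[n] is ifIndex, p[n-1] the column
        idx = p[n]; col = p[n-1]
        val = $2
        for (i = 3; i <= NF; i++) val = val " " $i   # ifDescr may contain spaces
        if (col == 2) descr[idx] = val
        else if (col == 7) admin[idx] = name(val)
        else if (col == 8) oper[idx] = name(val)
        else next                               # other ifEntry columns: not needed
        seen[idx] = 1
    }
    END { for (idx in seen) print idx, admin[idx], oper[idx], descr[idx] }
    ' | sort -n
}

# check_interfaces: stdin is parse_ifstatus output. Prints each interface that
# is admin-up but not oper-up; exit status 0 if none, 1 otherwise.
check_interfaces() {
    awk '
    $2 == "up" && $3 != "up" {
        d = $4; for (i = 5; i <= NF; i++) d = d " " $i
        print "DOWN: ifIndex " $1 " (" d ") oper=" $3
        bad = 1
    }
    END { exit (bad ? 1 : 0) }
    '
}

# poll_firewall: walk ifDescr, ifAdminStatus and ifOperStatus from the inside
# interface and run the check. Exit status is the check result.
poll_firewall() {
    for col in 2 7 8; do
        snmpwalk -v2c -c "$COMMUNITY" -On -Oq -Oe "$FW_INSIDE" "$IFTABLE_ENTRY.$col"
    done | parse_ifstatus | check_interfaces
}

# Constructed sample walk output (not captured from a real PIX): three
# interfaces, the DMZ one administratively up but operationally down.
SAMPLE_WALK='.1.3.6.1.2.1.2.2.1.2.1 outside
.1.3.6.1.2.1.2.2.1.2.2 inside
.1.3.6.1.2.1.2.2.1.2.3 dmz
.1.3.6.1.2.1.2.2.1.7.1 1
.1.3.6.1.2.1.2.2.1.7.2 1
.1.3.6.1.2.1.2.2.1.7.3 1
.1.3.6.1.2.1.2.2.1.8.1 1
.1.3.6.1.2.1.2.2.1.8.2 1
.1.3.6.1.2.1.2.2.1.8.3 2'

# Offline demo by default; "poll" runs against the configured firewall.
case "${1:-demo}" in
    poll) poll_firewall ;;
    *)    printf '%s\n' "$SAMPLE_WALK" | parse_ifstatus | check_interfaces \
              || echo "sample: check failed, as expected for the constructed data" ;;
esac
```

Run with no arguments it exercises the parser and check on the constructed sample; run as
`FW_INSIDE=<inside address> COMMUNITY=<community> ./script poll` it walks the real device,
and its exit status can drive whatever the polling host does next. Because the query is
sent only to the inside address and only for the three ifEntry columns, it fits the same
"NetView server only, specific devices only" rule Blaine describes for Gauntlet.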
