nv-l

Re: NV V5 - Firewall/Routing table -Reply -Reply

1998-08-25 11:54:05
Subject: Re: NV V5 - Firewall/Routing table -Reply -Reply
From: Hal Dorsman <DORSMANH AT SPH.HBOCVAN DOT COM>
To: nv-l AT lists.tivoli DOT com
Date: Tue, 25 Aug 1998 09:54:05 -0600
Yes, you must be able to pass SNMP through your firewall for Netview
to be able to discover your external routers.  I am not familiar with the
Cisco PIX so I cannot tell you if or how that is possible.  But from what you
describe, the routing is fine (you can ping) but Netview cannot get SNMP
due to the firewall filter.

Hal

>>> "Kirsten S, Campbell" <Kirsten.Campbell AT NAUTEC.CWPLC DOT COM>
08/25/98 03:26am >>>
I have a problem getting Netview to discover this new network outside
the firewall.
I can do MIB browse through Netview, and I can ping the routers, but I
cannot get Netview to discover the routers????!!!!!
I spoke to the people in US who have installed the Firewall (Cisco PIX),
and they have told me that they have disabled the SNMP function. My
argument is that I need this enabled. Can anyone verify this????

Thanks for your help,                    Kirsten





joel.gerber AT USAA DOT COM on 24-08-98 06:12:18 PM

Please respond to NV-L AT UCSBVM.ucsb DOT edu

To:   NV-L AT UCSBVM.ucsb DOT edu
cc:    (bcc: Kirsten Campbell/NAUTEC)
Subject:  Re: NV V5 - Firewall/Routing table -Reply




We are also using NetView to manage devices that are external to our
firewall.  As far as I know, NetView is not aware that address translation
is going on at all.  It will only see the "real" IP addresses and networks.
You will need to define an address for your NetView server, as Hal
mentioned, so that the devices outside the firewall can communicate with
the NetView box for things like sending traps, etc.  The biggest problem we
had implementing network management was that a lot of static routes had to
be added.  NetView needs a route to every IP subnet just so it can ping the
IP addresses on the router interfaces.  The actual user traffic flowing
through your firewall network only needs routes to get from one end to the
other.  It does not need a route for every hop in between, so you will need
to add more routes if you want NetView to be able to monitor every device
and interface.
        -----Original Message-----
        From:   Hal Dorsman [SMTP:DORSMANH AT SPH.HBOCVAN DOT COM]
        Sent:   Monday, August 24, 1998 11:41
        To:     NV-L AT UCSBVM.UCSB DOT EDU
        Subject:        NV V5 - Firewall/Routing table -Reply
        Netview can handle external networks/hosts through a firewall just
        fine.
        Simply define a route on your Netview box to the external network
        with your firewall as the gateway.  Define a translated address for
        your Netview box on your firewall so it can be seen from the
        outside.  Your external router will have to have the address of
        your Netview station with your firewall as your gateway so your
        router will know how to find your internal Netview box.  Add a rule
        in your firewall allowing SNMP from your external networks to your
        translated address for your Netview station.  Add a rule allowing
        SNMP out from your Netview box to your external networks.
        You didn't say what firewall, but I am using Checkpoint Firewall-1
        and am running Netview through it to monitor several remote
        frame-relay WAN sites.  Works great.
        Let me know if you have any problems.
        Hal Dorsman
        Network Administrator
        Saint Patrick Hospital
        Missoula, Montana, USA
        >>> "Kirsten S, Campbell" <Kirsten.Campbell AT NAUTEC.CWPLC DOT COM>
        08/24/98 10:50am >>>
        All (Could someone please send me an ACK if they receive this),
             We are installing firewalls, and will now have to monitor
        external customers networks.
             My question is:   How does Netview cope with the routing
        tables, when we are doing address translation in the Firewall??
                       Will Netview try and link "address translated"
        objects with the "real" objects, using the router table in the
        "address translated" object???
             Thanks for any help given.
                       Kirsten
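
Added example, not part of the original thread: a small check, run from the management station, for the symptom Hal diagnoses in the top reply (ping works, SNMP does not come back through the firewall). It hand-builds an SNMPv1 GetRequest for sysDescr.0 and reports whether UDP/161 is answered. The function names are hypothetical; the host and the read community are assumptions supplied by the operator.

```python
import socket
# Added example: host and community are operator-supplied assumptions.
SYS_DESCR = (1, 3, 6, 1, 2, 1, 1, 1, 0)  # sysDescr.0

def tlv(tag, payload):
    """BER tag-length-value with short or long definite length."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + payload

def ber_int(value):  # non-negative INTEGER; extra byte keeps sign bit clear
    return tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def ber_oid(arcs):
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:  # base-128, high bit set on all but the last byte
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += bytes(chunk)
    return tlv(0x06, bytes(body))

def build_get_request(community, request_id, oid=SYS_DESCR):
    """SNMPv1 GetRequest for one OID with a NULL value placeholder."""
    varbinds = tlv(0x30, tlv(0x30, ber_oid(oid) + tlv(0x05, b"")))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + varbinds)
    return tlv(0x30, ber_int(0) + tlv(0x04, community) + pdu)

def is_get_response(reply, community):
    """True if reply is an SNMPv1 message carrying a GetResponse PDU (0xA2)."""
    header = b"\x02\x01\x00" + tlv(0x04, community)
    start = reply.find(header)
    return reply[:1] == b"\x30" and start > 0 and reply[start + len(header):][:1] == b"\xa2"

def probe(host, community, timeout=2.0, port=161):
    """Classify UDP/161 reachability as seen from the management station."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_get_request(community, 1), (host, port))
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply: filtered in path, SNMP disabled, or wrong community"
        except OSError as exc:
            return f"send/receive error: {exc}"
    return "SNMP answered" if is_get_response(reply, community) else "unexpected reply"
```

A timeout from `probe()` on a router that still answers ping matches the situation in the thread: routing is in place but SNMP is not getting through.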
