how to configure Cacti to link to Cisco ASA (VM)?

[isdept]

Hi Professional,

I tried many ways to configure, but ALL failed. Please provide step by step for configuration of Cacti and Cisco ASA ?

Please refer to the attachment files for details.

Cheers

[netniV]

So you have the SNMP configuration setup there, and you can snmp a Cisco ASA as I do it:



Make sure that the Cacti box can see the firewall and route to it correctly. Also, make sure that the IP you put in the SNMP configuration on the firewall is the cacti servers (if it is another server, you need to add a second line). Make sure that Cacti is using the same SNMP version, community (and if required auth details if it's v3).

[MrRat]

You have hidden all of the information of value to assist. We would assume you would be using internal addressing so it’s probably not of any use to hide it. In short configure snmp on the interface you want to communicate on, allow the src ip in the acl and snmp config. Post more specific config for more specific info.

[isdept]

So you have the SNMP configuration setup there, and you can snmp a Cisco ASA as I do it:



Make sure that the Cacti box can see the firewall and route to it correctly. Also, make sure that the IP you put in the SNMP configuration on the firewall is the cacti servers (if it is another server, you need to add a second line). Make sure that Cacti is using the same SNMP version, community (and if required auth details if it's v3).

---------------------------------------------
Thanks !

The gateway used in Cacti is the Cisco AVA (Firewall) IP address. Cacti can ping Cisco AVA, Cisco AVA also can ping Cacti.
Using the same SNMP version, community for connection. But it still failed.

[netniV]

Does it work using SNMPWALK from the console of the cacti server?

[Pucho]

I'm assuming Cisco ASA is not your area of expertise.

On your first post you posted an screenshot that could lead to where the issue is. Make sure the interface you have specified under SNMP host access list section is the interface the Cacti servers is coming from.

Additional to that you could go to Monitoring pane and fire up the logging view console and filter by cacti's server ip and see if you see the traffic, either allowed or dropped.

If the traffic doesn't show up there, you could also either run a packet capture from ASDM or Packet tracer to emulate the traffic and see if it spots anything. Next if would be, if you see the traffic while running the packet capture but still doesn't work, ssh to the ASA and set up a capture as follow: capture _SomeName_ type asp-drop all and after a few attempts from the cacti server try "show capture _SomeName_ | include _what_ever_cacti_server_ip_is

[isdept]

Does it work using SNMPWALK from the console of the cacti server?

Sorry ! where is the SNMPWALK in Cacti ?

[isdept]

I'm assuming Cisco ASA is not your area of expertise.

On your first post you posted an screenshot that could lead to where the issue is. Make sure the interface you have specified under SNMP host access list section is the interface the Cacti servers is coming from.

Additional to that you could go to Monitoring pane and fire up the logging view console and filter by cacti's server ip and see if you see the traffic, either allowed or dropped.

If the traffic doesn't show up there, you could also either run a packet capture from ASDM or Packet tracer to emulate the traffic and see if it spots anything. Next if would be, if you see the traffic while running the packet capture but still doesn't work, ssh to the ASA and set up a capture as follow: capture _SomeName_ type asp-drop all and after a few attempts from the cacti server try "show capture _SomeName_ | include _what_ever_cacti_server_ip_is

============================

Thanks for your reply.

(1) You mean I need to input the Cacti IP Address into the IP Address field in SNMP Host Access List in Cisco ASA, right ?
(2) "go to Monitoring pane and fire up the logging view console and filter by cacti's server ip", --> Please refer the attachment File.
I tried to input the Cacti server IP in "Search" field, but no log.

[netniV]

What I would do if I was you, use the Packet Capture Wizard on the ASA, see if you see any snmp traffic from the cacti server. Best way to do that is use snmpwalk at the command line so you know exactly when it's being initiated (I would actually disable the device in Cacti prior to this to ensure Cacti does attempt it at the same time).

[Pucho]

I'm sorry, you got it wrong...

(1) You mean I need to input the Cacti IP Address into the IP Address field in SNMP Host Access List in Cisco ASA, right ?
Of course, SNMP host access list should include the interface the Cacti server is coming from, eg INSIDE or whatever you named it AND the ip of the Cacti Server plus making sure snmp version and community match as well.

(2) "go to Monitoring pane and fire up the logging view console and filter by cacti's server ip", --> Please refer the attachment File.
I was talking about ASDM interface, see picture attached.

CiscoASA-SNMP.jpg (183.18 KiB) Viewed 1817 times

I tried to input the Cacti server IP in "Search" field, but no log.