| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
Hi all,

Is there a way to edit the source IP address that checkpoint uses for sending SNMP traps? I have a simple VPN tunnel between 2 offices, both running checkpoint R54. From office A I would like to monitor the SNMP traps sent by checkpoint from office B. I have allowed the SNMP traffic to be encrypted across the VPN, but here is the problem:

1. From office A, SNMP-READ to internal interface of Firewall@Office B is sent ok.
2. From Office B, SNMP-READ is decrypted ok.
3. Office B firewall then sends back SNMP-TRAP encrypted but as External IP for its source.
4. Office A sees this SNMP-TRAP as a source that is the External IP address from Firewall B, not the internal address, and rejects the packet.

So can I edit the policy to make Firewall B send out as its internal interface address?

From OfficeA I also have a VPN tunnel set up with an office running a PIX, and on the PIX I can use "MANAGEMENT ACCESS INSIDE" and "SNMP-SERVER HOST a.b.c.d INSIDE" to achieve the effect of sending using the internal interface IP address.

Last edited by redster; 2006-07-31 at 08:41.
Redster, what platform are you running on? With IPSO, you can set the "Trap PDU Agent Address". If you're using SPLAT, then there should be a way to do it - look for the documentation for the net-snmp package.

I'm not quite sure I follow the flow between steps 2 and 3 though - if I send an snmp-get to a node, I don't expect to receive a trap - I just expect to see an snmp response. Traps are for asynchronous events, like a link failure. I think you would only get a trap in response to an snmp-get if you had the wrong community string, and it responded with an snmp authentication failure.
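An added example, not part of the thread: a small Python decoder that tells an SNMPv1 get-response from a trap and, for traps, compares the agent-addr field inside the Trap-PDU (RFC 1157) with the IP source address the receiver sees. It assumes the IPSO "Trap PDU Agent Address" setting refers to that field; the packets, the community string and the addresses (10.2.0.1 internal, 203.0.113.2 external) are constructed, and the trap uses generic-trap 4 (authenticationFailure).

```python
import ipaddress

PDU_NAMES = {0xA0: "get-request", 0xA1: "get-next-request",
             0xA2: "get-response", 0xA3: "set-request", 0xA4: "trap"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def inspect_snmpv1(datagram, ip_source):
    """Classify an SNMPv1 message; for traps, compare agent-addr with the IP source."""
    tag, msg, _ = read_tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not a BER SEQUENCE")
    tag, version, pos = read_tlv(msg, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("not SNMPv1")
    _, _community, pos = read_tlv(msg, pos)
    pdu_tag, pdu, _ = read_tlv(msg, pos)
    info = {"pdu": PDU_NAMES.get(pdu_tag, hex(pdu_tag)), "ip_source": ip_source}
    if pdu_tag == 0xA4:                     # Trap-PDU: enterprise OID, then agent-addr
        _, _enterprise, p = read_tlv(pdu, 0)
        tag, addr, _ = read_tlv(pdu, p)
        if tag != 0x40 or len(addr) != 4:   # IpAddress is [APPLICATION 0], 4 octets
            raise ValueError("bad agent-addr")
        info["agent_addr"] = str(ipaddress.IPv4Address(addr))
        info["addr_mismatch"] = info["agent_addr"] != ip_source
    return info

# Constructed samples (not captured traffic); tlv() handles short-form lengths only.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value

def message(pdu_tag, body):
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + tlv(pdu_tag, body))

TRAP = message(0xA4, tlv(0x06, bytes.fromhex("2b06010603010105")) + tlv(0x40, bytes([10, 2, 0, 1]))
               + tlv(0x02, b"\x04") + tlv(0x02, b"\x00") + tlv(0x43, b"\x30\x39") + tlv(0x30, b""))
RESPONSE = message(0xA2, tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") + tlv(0x30, b""))
```

Calling `inspect_snmpv1(TRAP, "203.0.113.2")` reports a trap whose agent-addr is the internal address while the packet source is the external one; a manager or firewall rule that matches on the IP source still sees only the external address.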