Hi Team,
We are trying to configure SNMP traps on all devices. Traps are working fine when the devices are below SRX 240 firewall (trust zone or same network).
But the issue comes when edge devices initiate a trap from untrust to trust zone.
SNMP configuration on edge devices:
*Consider the following example
trap-options {
    source-address 14.x.x.1;
}
trap-group Zabbix-trap {
    version v2;
    destination-port 162;
    categories {
        authentication;
        remote-operations;
        configuration;
    }
    targets {
        14.x.x.2;
    }
}
Configuration on core firewall:
set security nat destination pool Zabbix_Trap address 192.168.10.2/32
set security nat destination pool Zabbix_Trap address port 162
set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap match destination-address 14.x.x.2/32
set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap match destination-port 162
set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap then destination-nat pool Zabbix_Trap
set security policies from-zone untrust to-zone trust policy Zabbix_Trap match source-address 14.x.x.1
set security policies from-zone untrust to-zone trust policy Zabbix_Trap match destination-address Zabbix
set security policies from-zone untrust to-zone trust policy Zabbix_Trap match application SNMP
set security policies from-zone untrust to-zone trust policy Zabbix_Trap then permit
set security policies from-zone untrust to-zone trust policy Zabbix_Trap then log session-init
set security policies from-zone untrust to-zone trust policy Zabbix_Trap then count
But when we are trying to configure traps on edge devices, we have configured a destination NAT pool on the core firewall (SRX 240), and we have given the same target IP which we have given for the SNMP configuration on edge devices.
We have even configured a policy from the untrust to the trust zone with the source as the public IP (e.g. 14.x.x.x) and the destination as the private IP of our Zabbix server, and allowed the application port as 162 for traps.
Please find attached the network architecture.
Can anyone kindly assist in proceeding further?
Thanks,
Gautam
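
A check of which objects the destination NAT rule and the security policy above refer to without the pasted lines defining them, as an added example that is not part of the original post. The function name `unresolved` is hypothetical, the input is the post's own `set` lines (policy action lines left out), and policy addresses other than `any*` are treated as address-book names.

```python
import re

# The "set" lines as posted above (addresses masked as in the post).
POSTED = """\
set security nat destination pool Zabbix_Trap address 192.168.10.2/32
set security nat destination pool Zabbix_Trap address port 162
set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap match destination-address 14.x.x.2/32
set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap match destination-port 162
set security nat destination rule-set untrust_vips rule TATA_Zabbix_Trap then destination-nat pool Zabbix_Trap
set security policies from-zone untrust to-zone trust policy Zabbix_Trap match source-address 14.x.x.1
set security policies from-zone untrust to-zone trust policy Zabbix_Trap match destination-address Zabbix
set security policies from-zone untrust to-zone trust policy Zabbix_Trap match application SNMP
"""

def unresolved(config):
    """List what the NAT rule and policy reference but `config` never defines."""
    text = "\n".join(line.strip() for line in config.splitlines())
    has = lambda pattern: re.search(pattern, text, re.M) is not None
    found = lambda pattern: sorted(set(re.findall(pattern, text, re.M)))
    missing = []
    nat = r"^set security nat destination "
    # A destination rule-set needs a context: from zone, interface or routing-instance.
    for rs in found(nat + r"rule-set (\S+) "):
        if not has(nat + rf"rule-set {re.escape(rs)} from (zone|interface|routing-instance) "):
            missing.append(f"rule-set {rs}: from zone/interface/routing-instance")
    # Every pool named in a "then destination-nat pool" action needs an address.
    for pool in found(r" then destination-nat pool (\S+)$"):
        if not has(nat + rf"pool {re.escape(pool)} address "):
            missing.append(f"pool {pool}: address")
    pol = r"^set security policies from-zone \S+ to-zone \S+ policy \S+ match "
    # Policy match addresses are address-book names unless they are any/any-ipv4/any-ipv6.
    for name in found(pol + r"(?:source|destination)-address (\S+)$"):
        if not name.startswith("any") and not has(rf"address-book .*\baddress {re.escape(name)} "):
            missing.append(f"address-book entry {name}")
    # Applications are predefined (junos-*), "any", or defined under "applications".
    for app in found(pol + r"application (\S+)$"):
        if not app.startswith(("junos-", "any")) and not has(
                rf"^set applications application(-set)? {re.escape(app)} "):
            missing.append(f"application {app}")
    return missing

if __name__ == "__main__":
    for item in unresolved(POSTED):
        print("not defined in the pasted lines:", item)
```

An item in the list only means the definition was not in the pasted excerpt; it may still exist in the full configuration.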