TMG7800 SNMP support

Revision as of 13:27, 2 February 2011

This article explains how to configure iptables in order to seamlessly forward SNMP traffic from the TMG's management interface to the adapter and the other way around. This allows an external equipment to request SNMP information from the adapter by querying the TMG management interface's IP address.

In order to achieve most of the instructions in this article, you will need to login as root on your TMG (or an account with superuser privileges).

Requirements

The release installed on the target system must be one of the following:

• 2.3.36 RC1 or later 2.3.x releases
• 2.4.28 RC1 or later 2.4.x releases
• 2.5.10 RC1 or later 2.5.x releases

The target unit is a TMG5800 or TMG7800. Your license must allow the use of SNMP on the adapter.

Collect information about your TMG

In order to setup iptables correctly, the following information is needed:

1. The IP address of the TMG's management interface (can be obtained using ifconfig mgmt0). If you are using DHCP, it is not needed.
2. The IP addresses of both the Linux host and the adapter on the internal interface:
   1. The host IP address can be obtained using ifconfig int0.
   2. The adapter host IP address can be obtained by opening a shell to the adapter and using print_net.

A typical TMG setup will have the following configuration. This configuration will be used in the following instructions; replace the corresponding settings with your own.

• Management interface IP: DHCP
• Internal Linux IP: 172.31.1.2
• Internal adapter IP: 172.31.1.1

Installing net-snmp-utils (optional)

To know if net-snmp-utils is already installed, invoke snmpget on the command line of your TMG Linux host. The snmpget tool is used on the TMG to verify if the SNMP feature is available and working from the adapter.

1. If your management interface has direct Internet access, install net-snmp-utils: yum install net-snmp-utils
2. If your TMG is not connected to the Internet and CentOs5 is used, the net-snmp-libs-5.3.2.2-9.el5.x86_64.rpm, net-snmp-utils-5.3.2.2-9.el5.x86_64.rpm, net-snmp-5.3.2.2-9.el5.x86_64.rpm and lm_sensors-2.10.7-9.el5.x86_64.rpm packages must be downloaded from the the CentOs mirror distribution packages site, uploaded to the TMG and installed using
   

yum localinstall net-snmp-libs-5.3.2.2-9.el5.x86_64.rpm net-snmp-utils-5.3.2.2-9.el5.x86_64.rpm net-snmp-5.3.2.2-9.el5.x86_64.rpm lm_sensors-2.10.7-9.el5.x86_64.rpm

     4. Test SNMP:

snmpget -d -v 1 -c public 172.31.1.1 SNMPv2-MIB::sysUpTime.0

If this command does not work, check the Web portal to see if the unit has the SNMP license

Status -> Adapters -> Licensed Features -> search for SNMP

If it does not appear, contact TelcoBridges support group

Enabling IP forwarding

To enable IP forwarding permanently on the TMG, edit the /etc/sysctl.conf file and set the net.ipv4.ip_forward element to 1. For example:

 # Controls IP packet forwarding
 net.ipv4.ip_forward = 1

NOTE: A reboot is required to activate this setting. It is possible to enable it immediately by setting the contents of /proc/sys/net/ipv4/ip_forward to 1. For example:

echo 1 > /proc/sys/net/ipv4/ip_forward

Configuring iptables

Input the following lines at the command line:

 iptables -t nat -A PREROUTING -p udp -i eth0 --dport 161 -j DNAT --to-destination 172.31.1.1
 iptables -t nat -A POSTROUTING -p udp -o eth1 --dport 161 -j MASQUERADE

OR input the following lines if you are not using DHCP and want to use SNAT instead of MASQUERADE:

 iptables -t nat -A PREROUTING -p udp -i eth0 --dport 161 -j DNAT --to-destination 172.31.1.1
 iptables -t nat -A POSTROUTING -p udp -o eth1 --dport 161 -j SNAT --to-source 172.31.1.2

Consult the added rules by using

iptables -t nat -n -L

Permanently save the rules by using

service iptables save

If everything worked, SNMP requests should be answered from the TMG's management interface.

References

• Wikipedia's iptables article
• Official iptables website
• man iptables