6 Replies Latest reply on Apr 2, 2008 6:17 PM by simonpt

    Scanning a DMZ through a firewall

    simonpt

      We've recently installed ipMonitor and are currently running 9.0.1.  I've been able to scan internal networks fine and have also added selected IP addresses/services in the DMZ, but I'm not able to do a full scan of the DMZ.  When I specify the DMZ's IP address range, ipMonitor correctly identifies the IP addresses of the servers in the DMZ but when it attempts to scan each device it stops after a short while and displays "Scanning failed" in the State column.


      The firewall has a rule to allow the ipMonitor host to access the DMZ using any service.  I've checked the firewall's log and its not saying that it is blocking ipMonitor.  I've run up Wireshark on the ipMonitor host and it shows that the initial IP address discovery seems to be working okay between ipMonitor and one of the DMZ servers (ICMP echo request and reply, attempt to connect to lansurveyor port followed by an ICMP port unreachable response, SNMP v1 and v2c get-request of various 1.3.6.1.2.1.1 values, no response presumably because SNMP is not configured on the DMZ server, NBNS query and response).  However when ipMonitor moves onto the shortlived monitor scan, Wireshark shows absolutely no network activity between ipMonitor and the DMZ server.


      I've also looked through ipMonitor's logs but there's nothing to indicate why the device scans are failing.


      Can anyone please help with this?


      Thanks - Simon

        • Re: Scanning a DMZ through a firewall
          chris.lapoint

          It looks like you've already done a fair bit of troubleshooting yourself.  I think your best bet for this particular issue is to open a support ticket so we can get additional discovery logs and try to reproduce in-house. 

          • Re: Scanning a DMZ through a firewall
            Peter.Cooper

            Hello Simon,

            Just from the sounds of the situation, I would recommend the following:

            1. From within "Device Tab > Discovery > Previously Scan Results", select the DMZ server and delete it
            2. Next, from "Device Tab > Add New Device", supply the address / community / and network credential (*possible)
            3. Let it rescan and click the "modify button" to review everything it found.
            4. Let us know if that gets you any further / If support moves you along one step further?


            * Note: You can establish a trust relationship using the following technique:

            1. Create a local account (on the ipMonitor host) with a specific account name and password
            2. Create an identical local account (including password) on the DMZ server
            3. Use the credential wizard within the "Add New Device" page (Select Credential > New Credential) to register this account and password within ipMonitor for use.