Zabbix in the NAT'ed network

  • ProTON
    Member
    • Oct 2005
    • 77

    #1

    Zabbix in the NAT'ed network

    Hello,

    I have a Zabbix 1.4.5 Server on the DMZ. This way I can monitor servers that are in DMZ without any problem. However, now I want to monitor some workstations and servers from the internal LAN network. I have installed Zabbix agent on one of them, set server IP to my Zabbix server's DMZ IP. However the thing still doesn't work. I can:

    telnet zabbix_server_ip 10051 from the agent

    however I can't:

    telnet zabbix_agent_ip 10050 from the server.

    But I can:

    ping zabbix_agent_ip from the server.

    I'm wondering is this a bug in the agent and it doesn't expect packets from the outside (DMZ) network or I'm missing something?

    P.S. There is no firewall installed on the workstation the agent is running on.
  • nelsonab
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Sep 2006
    • 1233

    #2
    You could enable active checks on the agent: make sure "DisableActive" is either commented out or set to "0" in your agentd_conf file. When you set up an item on the Zabbix server, make sure the item is set to "Zabbix agent (active)". This will cause the agent to poll the Zabbix server and then send the items to the server at the appropriate interval. When you add an item, however, it won't show up immediately, as the agent must first poll the server to find out what items it must check.

    Hope this helps.
    RHCE, author of zbxapi
    Ansible, the missing piece (Zabconf 2017): https://www.youtube.com/watch?v=R5T9NidjjDE
    Zabbix and SNMP on Linux (Zabconf 2015): https://www.youtube.com/watch?v=98PEHpLFVHM


    • ProTON
      Member
      • Oct 2005
      • 77

      #3
      What about Host status in the Hosts page? I haven't tried your suggestions yet, but Host status shows me that it timed out listening for the agent.

      Active checks are enabled on the agent.


      • tighep
        Senior Member
        • Dec 2007
        • 124

        #4
        I've got a fair amount of agents that are NAT'd from the server, where the real IP is different than what the server sees. In these cases, I'm not seeing any issues with communication. I wonder if it's a firewall issue not allowing the DMZ to communicate back to the local LAN via port 10050.


        • ProTON
          Member
          • Oct 2005
          • 77

          #5
          No, I'm allowing all the traffic from DMZ to LAN and back.

          I'm wondering, have you set ListenIP in the agent's config file? For me it is now set to the LAN IP. Maybe I should comment it out altogether?


          • tighep
            Senior Member
            • Dec 2007
            • 124

            #6
            I do not set the ListenIP in the config file, as these machines have just 1 IP, the routers do the NATing. I can telnet via the agent port from the server, I can also connect to the agent port from any machine, not just the server.


            • ProTON
              Member
              • Oct 2005
              • 77

              #7
              Seems that you were right about firewall. From the Wikipedia:

              "Hosts in the DMZ should not be able to establish communication directly with any other host in the internal network, though communication with other hosts in the DMZ and to the external network is allowed."

              So I guess I'm stuck with active checks here. They work as suggested by nelsonab but I'm still getting "No cummunication" and "TCP_RST" errors in the Hosts screen. Is there a way to disable them?


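The telnet tests in this thread only show "works" or "doesn't"; the sketch below separates a refused connection (RST) from a silent drop (timeout) and turns the two directions into the passive versus active-only decision the thread arrives at. It is an added example, not code from any poster or from Zabbix; `probe`, `diagnose` and `HINTS` are hypothetical names, and the ports are the 10050/10051 mentioned above.

```python
import socket
import sys

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt: open, refused, timeout or unreachable."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"        # peer (or a device in the path) answered with RST
    except socket.timeout:
        return "timeout"        # nothing came back at all
    except OSError:
        return "unreachable"    # e.g. no route to host
    finally:
        s.close()

# What each result usually points to for an agent behind NAT or a DMZ boundary.
HINTS = {
    "open": "listener reachable on this path",
    "refused": "RST received: nothing bound to that address/port "
               "(check ListenIP and ListenPort) or a device rejects it",
    "timeout": "no reply: a firewall drops the packets or no NAT rule/route exists",
    "unreachable": "routing problem before the connection could be attempted",
}

def diagnose(agent_to_server, server_to_agent):
    """Combine both directions into the check mode that can work."""
    if server_to_agent == "open":
        return "passive"        # 'Zabbix agent' items: server connects to port 10050
    if agent_to_server == "open":
        return "active-only"    # 'Zabbix agent (active)': agent connects to port 10051
    return "blocked"

if __name__ == "__main__":
    # Usage: script.py HOST PORT  (run from the server against the agent on
    # 10050, and from the agent against the server on 10051)
    if len(sys.argv) == 3:
        result = probe(sys.argv[1], int(sys.argv[2]))
        print(result, "-", HINTS[result])
```

Feeding both results to `diagnose` reproduces the situation in post #1: agent to server open, server to agent not open, so only active checks can work.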