topic Re: SNMP monitoring of FTD through IPSec in Network Security

SNMP monitoring of FTD through IPSec

Michael Bartholomæussen — Tue, 08 Nov 2022 11:52:27 GMT

Hi All,

I've deployed a FMC managed FTD at a remote office, where it's managed via OUTSIDE interface.

Usually with an ASA it's possible to query SNMP on the INSIDE interface through the IPSec.
This doesn't seems possible with the FTD. ICMP doesn't work either via the IPSec to INSIDE.

Any solution to this issue?

Regards,

Michael

Re: SNMP monitoring of FTD through IPSec

manabans — Wed, 09 Nov 2022 04:10:10 GMT

On ASA - If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec site-to-site, and the AnyConnect SSL VPN client.

management-access management_interface

The management_interface specifies the name of the management interface that you want to access when entering the ASA from another interface.

We can use the same command on FTD, which can be deployed via FMC Flex Policy. An enhancement is already in place to introduce this on the FMC UI, https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz48122

Re: SNMP monitoring of FTD through IPSec

Michael Bartholomæussen — Wed, 09 Nov 2022 08:00:46 GMT

Yes - this is exactly the option I'm missing on the FTD via FMC.

Just making sure, setting this option, will NOT change the interface where the FMC is managing the device?

Re: SNMP monitoring of FTD through IPSec

Michael Bartholomæussen — Mon, 14 Nov 2022 12:39:50 GMT

With the Flexconfig added to the FTD via FMC, I got syslog from INSIDE and I'm able to access INSIDE via HTTPS (only for test)

SNMP and SSH on the other hand doesn't work despite of the limited configuration through the FMC.

Any suggests to what I might have overlooked, or is there some kind of limitation?

Re: SNMP monitoring of FTD through IPSec

buffkata — Wed, 23 Nov 2022 16:16:04 GMT

Have you doublechecked the NAT/route for the snmp host IP ?

Re: SNMP monitoring of FTD through IPSec

Michael Bartholomæussen — Thu, 24 Nov 2022 08:59:15 GMT

I assume that my NAT correct as syslog and http works to the device, otherwise I guess it wouldn't, right?

Re: SNMP monitoring of FTD through IPSec

MHM Cisco World — Thu, 24 Nov 2022 09:56:46 GMT

can you draw the topology ?

Re: SNMP monitoring of FTD through IPSec

Michael Bartholomæussen — Fri, 25 Nov 2022 13:09:15 GMT

The topology is quite simple
FMC (DC-LAN)|---"DC FIREWALL"--------@--------"REMOTE FTD"----|REMOTE-LAN
The NAT is configured like so...
nat (INSIDE,OUTSIDE) source static REMOTE-LAN REMOTE-LAN destination static DC-LAN DC-LAN no-proxy-arp route-lookup

Re: SNMP monitoring of FTD through IPSec

tvotna — Fri, 25 Nov 2022 15:09:59 GMT

SNMP and SSH won't work, because they're implemented via nlp_int_tap interface. At least until Cisco re-architects this part of the code. Refer to this post: https://community.cisco.com/t5/cisco-bug-discussions/cscvt97205-snmppoll-snmptrap-to-remote-end-site-to-site-vpn-asa/td-p/4304139

ASA code has the same issue for SNMP (but not for SSH) as of 9.14, with the same root cause.

The status of the corresponding ENH is incorrect: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt97205. This bug wasn't fixed in the versions listed.

HTH