
SNMPget to the firewall inside interface across LAN-to-LAN VPN

smunzani
Level 1

Hi,

I am trying to poll remote ASA firewalls across a LAN-to-LAN VPN. With the "management-access inside" command I can ssh, telnet or ping the remote ASA's inside interface without any problems. However, I am unable to do SNMP polling.

Below are my SNMP commands.

snmp-server host outside 172.24.100.35 community *****
snmp-server host comcast 172.24.100.35 community *****
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog

Below is the command I am using to test.

snmpwalk -c Tampico-R0 -v 1 10.1.55.1

10.1.55.1 is the remote ASA's inside interface.

172.24.100.35 is the local management station.

Any pointers? How can I poll remote ASA over the VPN?

Thanks in advance,

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Maybe you can check a discussion from some time ago where I tested SNMP through L2L VPN.

https://supportforums.cisco.com/message/3603117

I think there might be a limitation on the "management-access" command. I guess it only enables ICMP and management connections to that interface through the L2L VPN.

What I tested before, and what was discussed in the linked discussion above, was to use the snmp-server command with the "outside" interface AND include the "outside" IP address in the L2L VPN configuration, so that you can use the remote ASA's "outside" interface as the interface for SNMP connections.

Hope this helps

- Jouni

3 Replies

You are absolutely right. The management-access command seems to work for telnet, ssh and ping but not for SNMP. I included the public interface in the encryption domain and was able to access it across the VPN. I wish Cisco fixed the internal interface for SNMP too, to keep the VPNs simple.

BTW, I already had a case open with Cisco because management-access didn't work for me earlier for pings either. So I asked the Cisco tech if a feature to support SNMP over management-access was in flight. He pointed me to the following bug ID, which is not exactly the same but similar.

CSCsc06844

Since this bug ID has a severity of 6, I don't know if it will ever get implemented.

NetScreen, Juniper SRX and Palo Alto allow polling of the inside interface over the tunnel, so I doubt it would be rocket science. It just doesn't seem to fit Cisco's priorities because not many people have complained.
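The workaround Jouni describes and the poster confirms (poll the remote ASA's outside address, and put that address into the crypto ACL on both ends) spelled out as a configuration, as an added example that is not config from the thread. Assumed: ASA 8.4+ object syntax, 203.0.113.2 as the branch outside address (the thread never gives it), the crypto map and tunnel-group already exist and reference these ACLs, and the branch already has the identity NAT that lets its inside LAN reach 172.24.100.35 (SSH and ping over the tunnel already work for the poster). The SNMPv3 user, group and passphrases are placeholders. The SNMPv1 line from the original post is kept, commented out, to show the weak form beside the hardened one.

```cisco
! ===== Branch ASA (inside 10.1.55.1, outside 203.0.113.2 assumed) =====
object network MGMT_STATION
 host 172.24.100.35
object network BRANCH_INSIDE
 subnet 10.1.55.0 255.255.255.0
object network BRANCH_OUTSIDE
 host 203.0.113.2

! Crypto ACL: the usual LAN-to-LAN entry plus the outside IP itself, so SNMP
! responses sourced from the outside interface are steered into the tunnel
! instead of being sent in the clear toward the Internet.
access-list L2L_HQ extended permit ip object BRANCH_INSIDE object MGMT_STATION
access-list L2L_HQ extended permit ip object BRANCH_OUTSIDE object MGMT_STATION

! Still needed for SSH/telnet/ping to the inside address over the tunnel
! (works per the thread); it does not cover SNMP.
management-access inside

! Weak form (what the original post used): SNMPv1 community in cleartext,
! no authentication or replay protection once a packet is outside the tunnel.
! snmp-server host outside 172.24.100.35 community Tampico-R0 poll version 1

! Hardened form: SNMPv3 authPriv, read-only, poll-only, bound to the outside
! interface the tunnelled polling actually arrives on. Requires ASA 8.2(1)+
! and an AES-capable crypto license (assumed). Passphrases are placeholders.
snmp-server group MGMT_RO v3 priv
snmp-server user mgmt-ro MGMT_RO v3 auth sha AuthPassphrase1! priv aes 128 PrivPassphrase1!
snmp-server host outside 172.24.100.35 poll version 3 mgmt-ro
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

! ===== HQ ASA (management station on its inside) =====
! Same three objects defined here as well (omitted). Mirror-image crypto ACL so
! 172.24.100.35 -> 203.0.113.2 is "interesting" traffic, plus identity NAT so
! that pair is neither translated nor hairpinned out to the Internet.
access-list L2L_BRANCH extended permit ip object MGMT_STATION object BRANCH_INSIDE
access-list L2L_BRANCH extended permit ip object MGMT_STATION object BRANCH_OUTSIDE
nat (inside,outside) source static MGMT_STATION MGMT_STATION destination static BRANCH_OUTSIDE BRANCH_OUTSIDE no-proxy-arp route-lookup
```

To verify from the management station, poll the outside address rather than 10.1.55.1, e.g. `snmpwalk -v3 -l authPriv -u mgmt-ro -a SHA -A 'AuthPassphrase1!' -x AES -X 'PrivPassphrase1!' 203.0.113.2 sysUpTime`, then confirm on the branch ASA with `show crypto ipsec sa` that a separate SA pair for 203.0.113.2 <-> 172.24.100.35 exists and its encaps/decaps counters increase; if the counters stay at zero while the walk times out, the outside address is missing from one end's crypto ACL or the HQ identity NAT is not matching. Polling the outside address also means the community (or v3 credentials) are only ever accepted on that interface from the one host named in `snmp-server host`, so nothing here exposes SNMP to the Internet at large.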
