04-23-2013 07:10 PM - edited 03-11-2019 06:33 PM
Hi,
I am trying to poll remote ASA firewalls across lan-to-lan VPN. With "management-access inside" command I can ssh, telnet or ping remote ASA's inside interface without any problems. However I am unable to do the snmp polling.
Below are my snmp commands.
snmp-server host outside 172.24.100.35 community *****
snmp-server host comcast 172.24.100.35 community *****
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
snmp-server enable traps syslog
Below is command I am using to test.
snmpwalk -c Tampico-R0 -v 1 10.1.55.1
10.1.55.1 is remote ASA's inside interface.
172.24.100.35 local management station.
Any pointers? How can I poll remote ASA over the VPN?
Thanks in advance,
04-23-2013 07:18 PM
Hi,
Maybe you can check a discussion from some time ago where I tested SNMP through L2L VPN.
https://supportforums.cisco.com/message/3603117
I think there might be a limitation on the command "management-access". I guess it only enables ICMP and management connections to the said interface through the L2L VPN.
What I tested before and what was discussed in the above linked discussion was to use the SNMP server command with the "outside" interface AND including the "outside" IP address as part of the L2L VPN configurations so that you can use the remote ASA "outside" interface as the interface for SNMP connections.
Hope this helps
- Jouni
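A constructed ASA configuration fragment, added here as an illustration of the approach described in the reply above (it is not Jouni's or the original poster's configuration). It assumes a spoke ASA whose inside network is 10.1.55.0/24, whose outside interface address is 203.0.113.10 (placeholder), and a management station on 172.24.100.0/24 behind the hub; the ACL and crypto map names are also placeholders. The first ACL line is the usual LAN-to-LAN interesting traffic; the second adds the ASA's own outside address to the encryption domain so that SNMP from the management station is sent through the tunnel to it.

```cisco
! Remote (spoke) ASA -- constructed example, addresses and names are placeholders
!
! Interesting-traffic ACL for the L2L tunnel.
! Line 1: the inside LAN, which is what the tunnel normally carries.
! Line 2: the ASA's own outside interface address, so SNMP to that
!         address from the management station is encrypted into the tunnel.
access-list L2L_CRYPTO extended permit ip 10.1.55.0 255.255.255.0 172.24.100.0 255.255.255.0
access-list L2L_CRYPTO extended permit ip host 203.0.113.10 172.24.100.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address L2L_CRYPTO
!
! Bind SNMP to the outside interface: the poller is reached through the tunnel,
! and the outside address is now part of the encryption domain.
snmp-server host outside 172.24.100.35 community <community-string>
snmp-server community <community-string>
```

The hub ASA's crypto ACL must be the mirror image (permit ip 172.24.100.0/24 to host 203.0.113.10 in addition to the existing LAN entry), otherwise the proxy identities will not match when the tunnel is negotiated. Once both sides agree, the poll is run against the remote ASA's outside address (for example `snmpwalk -c <community-string> -v 1 203.0.113.10`) rather than the inside address, which is the behaviour the original poster confirms further down the thread.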
04-23-2013 07:37 PM
You are absolutely right. The management-access command seems to work for telnet, ssh and ping but not SNMP. I included the public interface in the encryption domain and was able to access it across the VPN. I wish Cisco fixed the internal interface for SNMP too to keep the VPNs simple.
04-24-2013 07:36 AM
BTW, I already had a case open with Cisco because management-access didn't work for me earlier for pings either. So I asked the Cisco tech whether a feature to support SNMP over management-access was in flight. He pointed me to the following bug ID, which is not exactly the same but similar.
Since this bug ID has severity of 6, I don't know if it will ever get implemented.
Netscreen, Juniper SRX and Palo Alto allow polling of the inside interface over the tunnel, so I am not sure it would be rocket science. It just doesn't seem to fit Cisco's priorities because not many people have complained.