ASA SNMP polling via VPN Site-to-Site tunnel

Introduction:

The purpose of this document is to show how you can monitor a remote ASA over an IPsec LAN-to-LAN tunnel.

Scenario:

I'll use a common scenario: an HQ ASA and a branch ASA, with the branch ASA to be monitored/polled over the VPN tunnel between them. The SNMP/NMS server sits behind the HQ ASA. In my test I will monitor/poll interface FastEthernet 0/0 on the branch ASA from the SNMP/NMS server.

NMS/SNMP server: 192.168.1.3/24

Branch ASA FastEthernet 0/0: 5.5.5.1/24

Topology:

Topo.jpg

Solution:

VPN configuration part:

On Branch ASA:

...
crypto ipsec ikev1 transform-set TRANS esp-3des esp-sha-hmac
...
crypto map MAP 10 match address ACL
crypto map MAP 10 set peer $peer ip address$
crypto map MAP 10 set ikev1 transform-set TRANS
crypto map MAP interface outside
crypto ikev1 enable outside
...
tunnel-group $peer ip address$ type ipsec-l2l
tunnel-group $peer ip address$ ipsec-attributes
 ikev1 pre-shared-key cisco
...
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
...

The crypto ACL (the ACL that selects traffic for encryption) must contain the IP address/subnet of the FastEthernet 0/0 interface (or whichever interface you want to poll):

# access-list ACL extended permit ip 5.5.5.0 255.255.255.0 192.168.1.0 255.255.255.0

On HQ ASA:

...
crypto ipsec ikev1 transform-set TRANS esp-3des esp-sha-hmac
...
crypto map MAP 10 match address ACL
crypto map MAP 10 set peer $peer ip address$
crypto map MAP 10 set ikev1 transform-set TRANS
crypto map MAP interface outside
crypto ikev1 enable outside
...
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
...
tunnel-group $peer ip address$ type ipsec-l2l
tunnel-group $peer ip address$ ipsec-attributes
 ikev1 pre-shared-key cisco

The crypto ACL on the HQ side must contain the IP address/subnet of the NMS/SNMP server (it is the mirror image of the branch ACL):

# access-list ACL extended permit ip 192.168.1.0 255.255.255.0 5.5.5.0 255.255.255.0

SNMP part:

On Branch ASA:

1. Configure the SNMP host and name the interface behind which the server is located. This is the tricky part: although the NMS is reached through the outside interface and the tunnel, you must specify the “inside” interface so that the SNMP traffic is sent over the tunnel:

          # snmp-server host inside 192.168.1.3 community test version 2c

2. Configure your “inside” interface as a “management-access” interface:

          # management-access inside
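The script below is an added example, not part of the original article and not a Cisco tool. It parses the two ASA snippets above and checks the conditions the article relies on: the crypto ACLs on HQ and branch are exact mirror images, the branch's crypto ACL covers traffic from the polled interface address to the NMS, the `snmp-server host` line names the NMS behind the `inside` interface, and `management-access inside` is present. It also flags the IKEv1 policy settings the article uses (3DES, SHA-1, DH group 2), which Cisco's Next Generation Encryption guidance classes as legacy or to be avoided. The configuration text is constructed from the article's snippets; the peer addresses 203.0.113.1 and 198.51.100.1 are assumed stand-ins for the `$peer ip address$` placeholders.

```python
import ipaddress
import re

# Constructed sample configurations reproducing the article's crypto ACL, crypto map,
# IKEv1 policy and SNMP lines. The peer addresses are assumed placeholders.
BRANCH_CFG = """
access-list ACL extended permit ip 5.5.5.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map MAP 10 match address ACL
crypto map MAP 10 set peer 198.51.100.1
crypto ikev1 policy 1
 encryption 3des
 hash sha
 group 2
snmp-server host inside 192.168.1.3 community test version 2c
management-access inside
"""

HQ_CFG = """
access-list ACL extended permit ip 192.168.1.0 255.255.255.0 5.5.5.0 255.255.255.0
crypto map MAP 10 match address ACL
crypto map MAP 10 set peer 203.0.113.1
crypto ikev1 policy 1
 encryption 3des
 hash sha
 group 2
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)", re.M)
MATCH_RE = re.compile(r"^crypto map \S+ \d+ match address (\S+)", re.M)


def crypto_acl_pairs(cfg):
    """(local_net, remote_net) pairs of the ACL that the crypto map references."""
    acl_name = MATCH_RE.search(cfg).group(1)
    pairs = []
    for name, src, smask, dst, dmask in ACL_RE.findall(cfg):
        if name == acl_name:
            pairs.append((ipaddress.ip_network(f"{src}/{smask}", strict=False),
                          ipaddress.ip_network(f"{dst}/{dmask}", strict=False)))
    return pairs


def mirror_image_ok(branch_cfg, hq_cfg):
    """IKEv1 proxy identities must be exact mirrors: (A,B) on the branch <-> (B,A) on HQ."""
    branch = set(crypto_acl_pairs(branch_cfg))
    hq_mirrored = {(remote, local) for local, remote in crypto_acl_pairs(hq_cfg)}
    return branch == hq_mirrored


def snmp_path_ok(branch_cfg, nms_ip, polled_ip):
    """The article's three branch-side conditions:
    1. polled interface address -> NMS address is selected by the crypto ACL,
    2. snmp-server host places the NMS behind the 'inside' interface,
    3. 'management-access inside' is configured."""
    nms = ipaddress.ip_address(nms_ip)
    polled = ipaddress.ip_address(polled_ip)
    covered = any(polled in local and nms in remote
                  for local, remote in crypto_acl_pairs(branch_cfg))
    host = re.search(r"^snmp-server host (\S+) (\S+) ", branch_cfg, re.M)
    host_ok = host is not None and host.group(1) == "inside" and host.group(2) == nms_ip
    mgmt_ok = re.search(r"^management-access inside$", branch_cfg, re.M) is not None
    return {"acl_covers_snmp": covered, "snmp_host_on_inside": host_ok,
            "management_access_inside": mgmt_ok}


def legacy_ikev1_settings(cfg):
    """IKEv1 policy lines present in cfg that are legacy/to-be-avoided today."""
    legacy = {"encryption des", "encryption 3des", "hash md5", "hash sha", "group 1", "group 2"}
    return sorted(s for s in legacy if re.search(rf"^ {s}$", cfg, re.M))


def check_all(branch_cfg, hq_cfg, nms_ip, polled_ip):
    """One report dict covering tunnel selectors, the SNMP path and cipher hygiene."""
    report = {"mirror_image": mirror_image_ok(branch_cfg, hq_cfg)}
    report.update(snmp_path_ok(branch_cfg, nms_ip, polled_ip))
    report["legacy_ikev1"] = legacy_ikev1_settings(branch_cfg)
    return report


if __name__ == "__main__":
    for key, value in check_all(BRANCH_CFG, HQ_CFG, "192.168.1.3", "5.5.5.1").items():
        print(f"{key:26s} {value}")
```

Feed it the output of `show running-config` from both boxes (with the peer placeholders filled in) to catch the usual reasons polling over the tunnel fails: a proxy-ID mismatch, an NMS subnet missing from the crypto ACL, or `snmp-server host` pointing at the wrong interface.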

Verification:

I’ve done the verification with the “snmpwalk” command from the SNMP server:

root@VM:~# snmpwalk -v 2c -c test 5.5.5.1
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Adaptive Security Appliance Version 8.4(2)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.227
iso.3.6.1.2.1.1.3.0 = Timeticks: (134200) 0:22:22.00
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 4
iso.3.6.1.2.1.2.1.0 = INTEGER: 8
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
iso.3.6.1.2.1.2.2.1.1.4 = INTEGER: 4
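As an added example (not from the article), the parser below turns the snmpwalk output above into a structured check that a monitoring job could run after each poll: it decodes net-snmp's `oid = TYPE: value` lines, maps the MIB-II system-group OIDs to their names, converts sysUpTime from TimeTicks to seconds and reports whether the walk looks like a healthy ASA. The sample text is the article's own output embedded as a constructed string; the `poll_healthy` criteria are my assumptions about what is worth alerting on.

```python
import re

# Constructed sample: the snmpwalk output shown in the article. net-snmp prints
# OIDs with an "iso." prefix (OID 1) when no MIBs are loaded.
SNMPWALK_OUTPUT = """\
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Adaptive Security Appliance Version 8.4(2)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.227
iso.3.6.1.2.1.1.3.0 = Timeticks: (134200) 0:22:22.00
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 4
iso.3.6.1.2.1.2.1.0 = INTEGER: 8
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
iso.3.6.1.2.1.2.2.1.1.4 = INTEGER: 4
"""

# Standard MIB-II names (RFC 1213 / RFC 3418) for the scalar OIDs in the walk.
OID_NAMES = {
    "1.3.6.1.2.1.1.1.0": "sysDescr",
    "1.3.6.1.2.1.1.2.0": "sysObjectID",
    "1.3.6.1.2.1.1.3.0": "sysUpTime",
    "1.3.6.1.2.1.1.4.0": "sysContact",
    "1.3.6.1.2.1.1.6.0": "sysLocation",
    "1.3.6.1.2.1.1.7.0": "sysServices",
    "1.3.6.1.2.1.2.1.0": "ifNumber",
}
IF_INDEX_PREFIX = "1.3.6.1.2.1.2.2.1.1."   # ifIndex column of ifTable

LINE_RE = re.compile(r"^(\S+) = (?:(\w+): )?(.*)$")


def parse_snmpwalk(text):
    """Parse net-snmp style 'oid = TYPE: value' lines into {numeric_oid: (type, value)}."""
    parsed = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                  # prompt or unrelated line
        oid, typ, raw = m.groups()
        oid = re.sub(r"^iso\.", "1.", oid)
        if typ == "STRING":
            value = raw.strip('"')
        elif typ == "INTEGER":
            value = int(raw)
        elif typ == "Timeticks":                      # "(134200) 0:22:22.00" -> 134200
            value = int(re.match(r"\((\d+)\)", raw).group(1))
        elif typ == "OID":
            value = re.sub(r"^iso\.", "1.", raw)
        elif typ is None and raw == '""':             # empty string printed without a type
            typ, value = "STRING", ""
        else:
            value = raw
        parsed[oid] = (typ, value)
    return parsed


def summarize(parsed):
    """Named view of the system group plus the interface count and ifIndex list."""
    summary = {name: parsed[oid][1] for oid, name in OID_NAMES.items() if oid in parsed}
    summary["ifIndexes"] = sorted(value for oid, (typ, value) in parsed.items()
                                  if oid.startswith(IF_INDEX_PREFIX))
    return summary


def uptime_seconds(parsed):
    """sysUpTime is a TimeTicks value in hundredths of a second."""
    return parsed["1.3.6.1.2.1.1.3.0"][1] / 100


def poll_healthy(parsed, expected_descr_prefix="Cisco Adaptive Security Appliance"):
    """Assumed health criteria: the agent answered with an ASA sysDescr and reports
    at least one interface. An empty walk (timeout, wrong community, traffic not
    entering the tunnel) fails both."""
    summary = summarize(parsed)
    return (summary.get("sysDescr", "").startswith(expected_descr_prefix)
            and summary.get("ifNumber", 0) > 0)


if __name__ == "__main__":
    walk = parse_snmpwalk(SNMPWALK_OUTPUT)
    print(summarize(walk))
    print("uptime (s):", uptime_seconds(walk), "healthy:", poll_healthy(walk))
```

In practice you would pipe the live `snmpwalk -v 2c -c <community> 5.5.5.1` output into `parse_snmpwalk` and alert when `poll_healthy` turns false; a sudden drop in `uptime_seconds` between polls is the usual sign the remote ASA rebooted.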

Reference links:

1. http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

2. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a13.shtml

3. http://www.cisco.com/en/US/docs/security/pix/pix72/quick/guide/sitvpn_p.html

Comments

I am following the example above to set up SNMP over VPN. It is not working for me. After doing some research, I found the route-lookup command is needed on my NAT command.

 

nat (INSIDE,OUTSIDE) source static LOCAL-NETS LOCAL-NETS destination static REMOTE-NETS REMOTE-NETS route-lookup

 

Reference link

https://www.tunnelsup.com/cisco-asa-drop-reason-unexpected-packet/
