Sending SNMP from ASA5505 through Site-To-Site VPN?

Michael Couture
Level 1

I have two remote sites connected to the main office via Site-to-Site VPNs. The tunnels are up and working fine. The only thing I cannot figure out is how to send traffic generated by the ASA through the tunnel. For instance, I am trying to get the ASAs at the remote sites to send syslog and SNMP to the servers at the main office, but I have had no luck. I assume it is a routing issue, but I can't seem to find the answer. Syslog and SNMP traffic generated by devices on the LAN passes through the tunnel to the main office, but not traffic generated on the ASA. When I debug the ASA I can see that when it is attempting to send traffic (syslog, SNMP) generated by the ASA, routing fails.

Routing failed to locate next hop for udp from NP Identity Ifc:192.168.20.1/514 to inside:172.20.5.55/514

192.168.20.1 is the inside interface of the ASA.

How do I get traffic that starts on the ASA to route through the VPN tunnel?

8 Replies

Jouni Forss
VIP Alumni

Hi,

Another thread/post on these same forums handles the situation you mention.

See if it's of any help:

https://supportforums.cisco.com/message/3603117#3603117

I haven't had to lab the setup yet myself.

- Jouni

Thanks, I saw that link earlier but never saw anyone state that it worked, so I am hesitant to try. Unfortunately I do not have a lab with ASAs, just the production environment, so I am a little cautious.

One thing I don't understand is that all the devices behind the firewall send syslog and SNMP messages through the tunnel and can ping through to the main office. The same actions, when done on the ASA, do not work: the ASA in the remote office cannot ping the home office LAN, and syslog and SNMP do not go through the tunnel to the main office. Yet Netflow works fine. How would Netflow, originating on the ASA, route through the tunnel, but nothing else that is generated on the ASA be able to?

This has got me confused.

Hi,

I've got to admit I know absolutely nothing about Netflow.

Though regarding the ICMP, syslog and SNMP problems, my best guess would be that the ASA is indeed using the WAN IP to send the traffic, as the destination addresses are on its outside interface side because of the VPN. And as that WAN IP is not included in the encryption domain, it will just try to send the traffic through the Internet.

I guess I could try this setup with my home ASA and our central VPN device and see, for example, if I can get my ASA to send syslogs to our syslog server.

- Jouni

Whew,

So I configured a totally new L2L VPN to our central/core device, which connects our Syslog server and an SNMP monitoring server to my ASA.

Both Syslog and SNMP work great from/to our servers.

I will post a more detailed description about this in a bit. Now I need some coffee.

- Jouni

Hi,

So here is some base info, with changed IP addresses instead of the public ones.

Central Syslog/SNMP Site

  • VPN Device IP 1.1.1.1
  • Syslog Server IP 10.10.10.1
  • SNMP server IP 10.10.10.2

Customer Site

  • VPN Device IP 2.2.2.2
  • This IP address is also used as the Syslog/SNMP source

Customer Site VPN configuration

  • ASA running version 8.4(3)
  • Done quickly with the L2L VPN Wizard through ASDM (below is from the ASDM CLI format preview)

    object-group network DM_INLINE_NETWORK_1
     network-object host 10.10.10.1
     network-object host 10.10.10.2
    access-list WAN_cryptomap line 1 extended permit ip host 2.2.2.2 object-group DM_INLINE_NETWORK_1
    group-policy GroupPolicy_1.1.1.1 internal
    group-policy GroupPolicy_1.1.1.1 attributes
     vpn-tunnel-protocol ikev1
    exit
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
     default-group-policy GroupPolicy_1.1.1.1
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key PRESHAREDKEY
     isakmp keepalive threshold 10 retry 2
    crypto ikev1 enable WAN
    crypto map WAN_map 1 match address WAN_cryptomap
    crypto map WAN_map 1 set peer 1.1.1.1
    crypto map WAN_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map WAN_map interface WAN

  • Logging and SNMP settings

    logging enable
    logging timestamp
    logging buffer-size 8192
    logging buffered informational
    logging trap informational
    logging asdm debugging
    logging device-id hostname
    logging host WAN 10.10.10.1
    snmp-server host WAN 10.10.10.2 community COMMUNITY

The central site is an IOS device. I won't copy-paste any configuration of it here since it follows the same lines as the above client-side ASA test configuration.

Hope this helps. Please rate if it was helpful.

If you need any more information, please ask.

- Jouni
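The point of the configuration above is that the crypto ACL (the encryption domain) has to cover the ASA's own source address, not only the LAN behind it. The following added Python script is not from the thread or from Cisco; it parses a simplified crypto ACL and answers whether a given source/destination pair would be encrypted. The server addresses and the 2.2.2.2 WAN address are taken from Jouni's post; the 192.168.20.0/24 LAN entry and the LAN-only ACL are constructed to show the failing case.

```python
import ipaddress
import re

# Constructed sample (not from the thread): the central servers as an
# object group, and a crypto ACL that only covers the remote LAN subnet.
SERVERS = """
object-group network DM_INLINE_NETWORK_1
 network-object host 10.10.10.1
 network-object host 10.10.10.2
"""
LAN_ONLY_ACL = SERVERS + """
access-list WAN_cryptomap extended permit ip 192.168.20.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
"""
# Jouni's approach: the ASA's own WAN address (2.2.2.2) is a host entry
# toward the syslog/SNMP servers, alongside the LAN entry.
ASA_HOST_ACL = LAN_ONLY_ACL + """
access-list WAN_cryptomap extended permit ip host 2.2.2.2 object-group DM_INLINE_NETWORK_1
"""

def _addr(tokens, groups):
    """Consume one ACL address term; return (networks, remaining tokens)."""
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], tokens[2:]
    if tokens[0] == "object-group":
        return groups[tokens[1]], tokens[2:]
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], tokens[1:]
    return [ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")], tokens[2:]

def parse_crypto_acl(text):
    """Return [(src_nets, dst_nets)] for each 'extended permit ip' entry."""
    groups, current, entries = {}, None, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"object-group network (\S+)$", line):
            current = groups.setdefault(m.group(1), [])
        elif m := re.match(r"network-object host (\S+)$", line):
            current.append(ipaddress.ip_network(m.group(1)))
        elif m := re.match(r"network-object (\S+) (\S+)$", line):
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.match(r"access-list \S+ (?:line \d+ )?extended permit ip (.+)$", line):
            current = None
            src, rest = _addr(m.group(1).split(), groups)
            dst, _ = _addr(rest, groups)
            entries.append((src, dst))
    return entries

def in_encryption_domain(entries, src_ip, dst_ip):
    """True if some entry covers src -> dst, i.e. the flow would be encrypted."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(s in n for n in src) and any(d in n for n in dst)
               for src, dst in entries)
```

A flow that returns False here is what the ASA would send in the clear toward its default route rather than into the tunnel, which is the "Routing failed to locate next hop" symptom in the first post.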

Thanks! I will come in early tomorrow morning and give it a shot. I will let you know how it goes.

Hi,

Did you get to test this? Did it work for you?

- Jouni

No I haven't, other things came up that I had to deal with and was unable to get to it last week. Additionally I started a new job this week, and passed that issue onto someone else at my previous employer. I will keep in contact with them and hopefully get a resolution for you.