Cisco ASA SNMP through VPN IPsec Site-to-Site

nEkToSAN
Level 1

Hi, all!
I have two ASAs (HQ-ASA and Branch-ASA) and an StS IPsec VPN tunnel between them. I've upgraded my Branch ASA 5512-X from Software Version 9.12(4)24 to Software Version 9.12(4)39.
Previously, my monitoring server in the HQ ASA's local network polled the branch ASA's inside interface via SNMP through the VPN tunnel and it worked normally. After the upgrade it stopped working. In the logs on the Branch ASA I see that the ASA sees the connection between the monitoring server and the branch ASA's inside interface as Built, but SNMP polling doesn't work. Also, ordinary traffic between other hosts passes through the VPN tunnel normally.

HQ ASA config:


interface GigabitEthernet0/0.10
description World
vlan 10
nameif outside
security-level 0
ip address 66.66.66.66 255.255.255.224

interface GigabitEthernet0/0.20
description office
vlan 20
nameif inside
security-level 100
ip address 10.99.99.254 255.255.255.0

! Traffic between interfaces allowed by ACLs

access-list IPSEC-ikev2-branch-asa extended permit ip 10.99.99.0 255.255.255.0 10.10.2.0 255.255.255.0

nat (inside,outside) source static 10.99.99.0-NET 10.99.99.0-NET destination static 10.10.2.0-NET 10.10.2.0-NET no-proxy-arp route-lookup

crypto ikev2 policy 1
encryption aes-256
integrity sha384
group 14
prf sha384
lifetime seconds 86400

group-policy branch-asa-POLICY internal
group-policy branch-asa-POLICY attributes
vpn-tunnel-protocol ikev2

tunnel-group 44.44.44.44 type ipsec-l2l
tunnel-group 44.44.44.44 general-attributes
default-group-policy branch-asa-POLICY
tunnel-group 44.44.44.44 ipsec-attributes
ikev2 remote-authentication pre-shared-key password987
ikev2 local-authentication pre-shared-key password123

crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto map cmap 1 match address IPSEC-ikev2-branch-asa
crypto map cmap 1 set pfs group14
crypto map cmap 1 set peer 44.44.44.44
crypto map cmap 1 set ikev2 ipsec-proposal ESP-AES256-SHA
crypto map cmap interface outside
crypto isakmp nat-traversal 30

Branch ASA config:


interface GigabitEthernet0/0.30
description World
vlan 30
nameif outside
security-level 0
ip address 44.44.44.44 255.255.255.224

interface GigabitEthernet0/0.40
description office
vlan 40
nameif inside
security-level 100
ip address 10.10.2.254 255.255.255.0

management-access inside

snmp-server host lan 10.99.99.20 poll community ***** version 2c
! 10.99.99.20 is the monitoring server's IP address

! Traffic between interfaces allowed by ACLs

access-list IPSEC-ikev2-HQ-asa extended permit ip 10.10.2.0 255.255.255.0 10.99.99.0 255.255.255.0

nat (inside,outside) source static 10.10.2.0-NET 10.10.2.0-NET destination static 10.99.99.0-NET 10.99.99.0-NET no-proxy-arp route-lookup

crypto ikev2 policy 1
encryption aes-256
integrity sha384
group 14
prf sha384
lifetime seconds 86400

group-policy branch-asa-POLICY internal
group-policy branch-asa-POLICY attributes
vpn-tunnel-protocol ikev2

tunnel-group 66.66.66.66 type ipsec-l2l
tunnel-group 66.66.66.66 general-attributes
default-group-policy branch-asa-POLICY
tunnel-group 66.66.66.66 ipsec-attributes
ikev2 remote-authentication pre-shared-key password123
ikev2 local-authentication pre-shared-key password987

crypto ipsec ikev2 ipsec-proposal ESP-AES256-SHA
protocol esp encryption aes-256
protocol esp integrity sha-256

crypto map cmap 1 match address IPSEC-ikev2-HQ-asa
crypto map cmap 1 set pfs group14
crypto map cmap 1 set peer 66.66.66.66
crypto map cmap 1 set ikev2 ipsec-proposal ESP-AES256-SHA
crypto map cmap interface outside

Earlier I read in another topic about adding the monitoring server's IP address and the branch ASA's public IP address to the crypto map, after which SNMP polling should work through the tunnel, but... no. It doesn't work either.
Also I read something about a similar bug in software version 9.14.2 that was fixed in newer firmware. But 9.12(4)39 is the latest version for the ASA 5512.

Also, polling the branch ASA on its public IP using the default SNMP port 161 failed too.
For now I have come up with only one option: change the default port 161 to another port and poll the Branch ASA from outside on its public IP using a random port, for example 162.
Maybe there are other options for SNMP polling through the VPN tunnel, not from the "world"?
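The script below is an added consistency check for the two configs quoted above; it is my own example, not part of the post or any Cisco tool. It works on trimmed excerpts of the posted configs embedded in the code (constructed, lines not needed for the check omitted) and reports when the two crypto ACLs are not mirror images, when the snmp-server host line names an interface that has no nameif, when management-access inside is missing on the branch, or when the poller and the polled inside address do not fall within one crypto ACL entry.

```python
import ipaddress
import re
# Constructed excerpts of the HQ and branch configs quoted in the post (lines not needed here are omitted).
HQ_CFG = """
interface GigabitEthernet0/0.20
nameif inside
ip address 10.99.99.254 255.255.255.0
access-list IPSEC-ikev2-branch-asa extended permit ip 10.99.99.0 255.255.255.0 10.10.2.0 255.255.255.0
crypto map cmap 1 match address IPSEC-ikev2-branch-asa
"""
BRANCH_CFG = """
interface GigabitEthernet0/0.40
nameif inside
ip address 10.10.2.254 255.255.255.0
management-access inside
snmp-server host lan 10.99.99.20 poll community ***** version 2c
access-list IPSEC-ikev2-HQ-asa extended permit ip 10.10.2.0 255.255.255.0 10.99.99.0 255.255.255.0
crypto map cmap 1 match address IPSEC-ikev2-HQ-asa
"""

def interfaces(cfg):
    """Map each nameif to its interface address (IP plus mask)."""
    pat = r"nameif (\S+)\n\s*ip address (\S+) (\S+)"
    return {n: ipaddress.ip_interface(f"{ip}/{mask}") for n, ip, mask in re.findall(pat, cfg)}

def crypto_acl(cfg):
    """(local, remote) network pairs in the ACL referenced by the crypto map (the encryption domain)."""
    name = re.search(r"crypto map \S+ \d+ match address (\S+)", cfg).group(1)
    pat = rf"access-list {re.escape(name)} extended permit ip (\S+) (\S+) (\S+) (\S+)"
    return [(ipaddress.ip_network(f"{a}/{am}"), ipaddress.ip_network(f"{b}/{bm}"))
            for a, am, b, bm in re.findall(pat, cfg)]

def check_snmp_over_tunnel(hq_cfg, branch_cfg):
    """Findings for polling the branch 'inside' address from HQ over the tunnel; [] means consistent."""
    findings = []
    hq_acl, br_acl, br_if = crypto_acl(hq_cfg), crypto_acl(branch_cfg), interfaces(branch_cfg)
    for local, remote in br_acl:  # 1. the two crypto ACLs must be mirror images of each other
        if (remote, local) not in hq_acl:
            findings.append(f"HQ crypto ACL has no mirror of {local} -> {remote}")
    m = re.search(r"snmp-server host (\S+) (\S+) poll", branch_cfg)
    poll_if, poller = m.group(1), ipaddress.ip_address(m.group(2))
    if poll_if not in br_if:  # 2. snmp-server host must name an interface that actually exists
        findings.append(f"snmp-server host uses unknown interface '{poll_if}'")
    if "management-access inside" not in branch_cfg:  # 3. required to reach 'inside' via the VPN
        findings.append("management-access inside is not configured on the branch")
    inside = br_if["inside"].ip  # 4. poller and polled address must fall inside one ACE
    if not any(inside in l and poller in r for l, r in br_acl):
        findings.append(f"{poller} -> {inside} is not covered by the branch crypto ACL")
    return findings
```

Run against the excerpts as quoted, the only finding is the snmp-server host line referencing an interface named lan, for which the posted config shows no nameif.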
