910 Views, 0 Helpful, 12 Replies

monitor remote site ASA and allow ACS for authentication

catalystexpress (Level 1)

Hi All,

I have a site-to-site VPN established and working fine; however, I am struggling to get two things configured and hope I can get some help from you all.

I need to monitor the remote ASA from my HQ. I use SolarWinds with SNMP, but I am afraid it would be a threat if I open SNMP on my outside interface:

"access-list acl_outside extended permit snmp 20.x.x.x 19.x.x.x" -- is this safe?

My setup:

                 Remote                                              HQ
10.8.0.0/20 ---- ASA -------- Internet -------- ASA ---- 10.0.0.0/8

I am wondering whether there is any other way to get my remote ASA monitored.

My next challenge is to add the TACACS configuration to the ASA. My ACS is 10.6.1.186; it can be reached from the remote LAN (10.8.0.0/20), but not from the ASA itself due to policy. How can I get this working?

I searched for how to add a source interface in the TACACS config but could not find it.

Many thanks for the support

Cheers..


12 Replies

Jennifer Halim (Cisco Employee)

Yes, both can be achieved using the source-interface option on the respective command.

For SNMP:

snmp-server host inside <snmp-server-ip> community <community-string>

For TACACS:

aaa-server <group-name> (inside) host <acs-ip>

Assuming that your ASA inside interface IP address is part of the crypto ACL.

Hope that helps.

Thank you very much, Jennifer.

Let me try this and get back soon.

cheers..

I have tried the following, but it does not seem to help.

1. I tried to allow SNMP on the outside interface as below:

MNL-FW01# sh run | include snm
access-list acl_outside extended permit udp host 2xxxxxxx host 1xxxxxx eq snmp
snmp-server host outside 2xxxxxx community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
MNL-FW01#

=================================

2. I also tried sourcing the poll towards the HQ SNMP server (tried even "inside", though it does not make much sense to me):

snmp-server host outside 10.6.1.96 poll community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog

Can anyone help me, please?

Many thanks for the support.

cheers..

It needs to be "inside" so the SNMP traffic is actually sourced from the ASA inside interface; it will then match the crypto ACL and get routed into the VPN tunnel.

snmp-server host inside 10.6.1.96 poll community *****

Assuming that both the ASA inside interface IP address and 10.6.1.96 are part of your current crypto ACL subnets.

Thank you very much, Jennifer. I had tried this, but it does not work:

crypto map VPN-SG 10 match address MNL-GFI_LAN
access-list MNL-GFI_LAN extended permit ip 10.8.0.0 255.255.240.0 10.0.0.0 255.0.0.0
access-list MNL-GFI_LAN extended permit ip 10.8.0.0 255.255.240.0 host 192.168.246.16
access-list acl_nat0 extended permit ip 10.8.0.0 255.255.240.0 10.0.0.0 255.0.0.0
access-list acl_nat0 extended permit ip 10.8.0.0 255.255.240.0 host 192.168.246.16

Any suggestions, please?

thank you

cheers..

Can you ping the SNMP server from the ASA when you source the ping from the inside interface?

ping inside 10.6.1.96

Thanks again for the support.

No, I am not able to ping. In the setup below I have many VLANs on the remote end and the ASA is the gateway, so I try to ping using one of the so-called inside interfaces, which I have named server-vlan or data-vlan.

                 Remote                                                        HQ
10.8.0.0/20 ---- ASA 119.x.x.x -------- Internet -------- 202.x.x.x ASA ---- 10.0.0.0/8

The ACL for the server-vlan interface allows:

access-list acl_server-vlan extended permit ip any 10.0.0.0 255.0.0.0

(Accepted solution)

For the interface that you would like to use, can you please add the following command:

management-access

E.g.:

management-access server-vlan

or

management-access data-vlan

You can only configure one interface as the management-access interface.
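Putting the thread's advice together, the following is an added worked configuration for the remote ASA (MNL-FW01); it is not from the original posts or from Cisco. It assumes the server-vlan interface address is 10.8.1.1/24 (hypothetical, but inside the 10.8.0.0/20 range the crypto ACL already covers), reuses the crypto ACL, NAT exemption, SNMP server (10.6.1.96) and ACS (10.6.1.186) addresses from the thread, and uses placeholder names for the AAA group, community string and TACACS+ key. Because every SNMP and TACACS+ packet is sourced from server-vlan and carried inside the tunnel, nothing needs to be permitted on acl_outside, which answers the "is this safe" question: the outside interface stays closed to SNMP. If SNMP ever has to cross the Internet outside the tunnel, use SNMPv3 with authentication and privacy rather than a community string.

```text
! --- Remote ASA (MNL-FW01), added example ---
! Hypothetical inside interface; its address must fall inside the
! source range of the crypto ACL (10.8.0.0/20) or the tunnel will not
! carry ASA-originated traffic from it.
interface Vlan10
 nameif server-vlan
 security-level 100
 ip address 10.8.1.1 255.255.255.0
!
! Crypto ACL and NAT exemption as posted in the thread.
access-list MNL-GFI_LAN extended permit ip 10.8.0.0 255.255.240.0 10.0.0.0 255.0.0.0
access-list acl_nat0   extended permit ip 10.8.0.0 255.255.240.0 10.0.0.0 255.0.0.0
crypto map VPN-SG 10 match address MNL-GFI_LAN
!
! The accepted answer: allow management traffic (SNMP, TACACS+, pings
! sourced from this interface) to use the tunnel via this interface.
! Only one interface can be the management-access interface.
management-access server-vlan
!
! SNMP sourced from server-vlan, not outside. No line is added to
! acl_outside, so the Internet-facing interface stays closed to UDP/161.
snmp-server host server-vlan 10.6.1.96 poll community <community-string>
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
!
! TACACS+ towards ACS, also sourced from server-vlan.
! "ACS" is a placeholder group name; the key is a placeholder.
aaa-server ACS protocol tacacs+
aaa-server ACS (server-vlan) host 10.6.1.186
 key <tacacs-key>
!
! Keep LOCAL as fallback so a tunnel or ACS outage cannot lock you out.
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
!
! Verification from the remote ASA:
!   ping server-vlan 10.6.1.96
!   test aaa-server authentication ACS host 10.6.1.186 username <user> password <pw>
!   show crypto ipsec sa        (encaps/decaps counters should increase)
```

The order matters for troubleshooting: if the sourced ping fails, check that the interface address is inside the crypto ACL and NAT-exemption source range first; only then look at the HQ side, which must permit 10.6.1.96 and 10.6.1.186 to reply to that interface address through its own crypto ACL.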

I added:

management-access server-vlan

but still cannot ping.

I am very new to security and the ASA, so I am not sure what else I should be trying.

Many thanks.

cheers..

Please kindly share the full config from both ASAs. Thanks.

We are doing some changes right now; I will post the config tomorrow.

I appreciate your help.

Thank you.

cheers..

Your command helped to fix this issue:

management-access

Many thanks.