09-12-2012 08:34 PM
Hi All,
I have a site-to-site VPN established and working fine; however, I am struggling to get two things configured and hope I can get some help from you all.
I need to monitor the remote ASA from my HQ. I use SolarWinds with SNMP, but I am afraid it would be a threat if I open SNMP on my outside interface.
"access-list acl_outside extended permit snmp 20.x.x.x 19.x.x.x" -- is this safe?
my setup:
remote
10.8.0.0/20 ---- ASA --------Internet ---------- ASA --------10.0.0.0
Wondering if there is any other way I can get my remote ASA monitored.
My next challenge is to add TACACS configuration to the ASA. My ACS is 10.6.1.186; this can be reached from the remote LAN (10.8.0.0/20), but not from the ASA due to policy. How can I get this working?
I searched for how to add a source interface in the TACACS config but could not get it.
Many thanks for the support
Cheers..
09-12-2012 09:13 PM
Yes, both can be achieved using the source interface configuration on the respective command.
For SNMP:
snmp host inside
For TACACS:
aaa-server
Assuming that your ASA inside interface ip address is part of the crypto ACL.
Hope that helps.
09-12-2012 09:47 PM
Thank you very much Jennifer
Let me try this and get back soon
cheers..
09-19-2012 02:30 AM
I have tried the following, but it does not seem to help.
1. I tried to allow SNMP on the outside interface as below:
MNL-FW01# sh run | include snm
access-list acl_outside extended permit udp host 2xxxxxxx host 1xxxxxx eq snmp
snmp-server host outside 2xxxxxx community *****
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
MNL-FW01#
MNL-FW01#
=================================
snmp-server host outside 10.6.1.96 poll community ***** (tried even inside though it does not make much sense to me)
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
Can anyone help me please?
many thanks for the support
cheers..
09-20-2012 06:13 AM
It needs to be "inside" so the SNMP traffic is actually sourced from the ASA inside interface; it will then match the crypto ACL and get routed towards the VPN tunnel.
snmp-server host inside 10.6.1.96 poll community *****
Assuming that both the ASA inside interface IP address and 10.6.1.96 are part of your current crypto ACL subnets.
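The condition in the post above (source interface address and SNMP server both covered by the crypto ACL) can be checked offline. The following is an added example, not code from the thread; the ACL lines are the MNL-GFI_LAN entries posted later in this thread, while the inside-interface address 10.8.0.1 and the outside stand-in 119.0.0.2 are constructed assumptions.

```python
# Added example: decide whether a management flow sourced from a given ASA interface
# address is selected by the crypto map's "match address" ACL, i.e. goes via the tunnel.
import ipaddress
from typing import List, Tuple

# Crypto ACL lines as posted in the thread (constructed test input for this script)
CRYPTO_ACL = """
access-list MNL-GFI_LAN extended permit ip 10.8.0.0 255.255.240.0 10.0.0.0 255.0.0.0
access-list MNL-GFI_LAN extended permit ip 10.8.0.0 255.255.240.0 host 192.168.246.16
"""

def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse an ASA address spec starting at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ASA ACLs use a regular subnet mask (255.255.240.0), not an IOS wildcard mask
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text: str, name: str) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Collect (src, dst) network pairs of the 'permit ip' entries of the named ACL."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", name] or t[3:5] != ["permit", "ip"]:
            continue  # other ACLs, deny lines and non-IP entries are not tunnel selectors here
        src, i = _parse_addr(t, 5)
        dst, _ = _parse_addr(t, i)
        entries.append((src, dst))
    return entries

def matches_tunnel(acl, source_ip: str, server_ip: str) -> bool:
    """True if traffic from source_ip to server_ip is matched by any crypto ACL entry."""
    s, d = ipaddress.ip_address(source_ip), ipaddress.ip_address(server_ip)
    return any(s in src and d in dst for src, dst in acl)

if __name__ == "__main__":
    acl = parse_acl(CRYPTO_ACL, "MNL-GFI_LAN")
    # 10.8.0.1: assumed inside (server-vlan) address; 119.0.0.2: constructed outside address
    print(matches_tunnel(acl, "10.8.0.1", "10.6.1.96"))   # True: sourced inside, goes via VPN
    print(matches_tunnel(acl, "119.0.0.2", "10.6.1.96"))  # False: sourced outside, sent in the clear
```

A False result for the inside address means the polling traffic would never be encrypted, which is exactly the situation the "snmp-server host inside" advice is meant to avoid.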
09-20-2012 09:32 PM
Thank you very much Jennifer, I had tried this but it does not work.
crypto map VPN-SG 10 match address MNL-GFI_LAN
access-list MNL-GFI_LAN extended permit ip 10.8.0.0 255.255.240.0 10.0.0.0 255.0.0.0
access-list MNL-GFI_LAN extended permit ip 10.8.0.0 255.255.240.0 host 192.168.246.16
access-list acl_nat0 extended permit ip 10.8.0.0 255.255.240.0 10.0.0.0 255.0.0.0
access-list acl_nat0 extended permit ip 10.8.0.0 255.255.240.0 host 192.168.246.16
Any suggestions please?
thank you
cheers..
09-21-2012 12:10 AM
Can you ping the snmp server from the ASA when you source the ping from the inside interface?
ping inside 10.6.1.96?
09-21-2012 12:19 AM
Thanks again for the support.
No, I am not able to ping. In the setup below I have many VLANs on the remote end and the ASA is the GW, so I try to ping using one of the so-called inside interfaces, which I name server-vlan or data-vlan.
Remote HQ
10.8.0.0/20 ---- ASA 119.x.x.x. --------Internet ----------202.x.x.x.x ASA --------10.0.0.0
The ACL for the server-vlan interface allows:
access-list acl_server-vlan extended permit ip any 10.0.0.0 255.0.0.0
09-21-2012 01:13 AM
For the interface that you would like to use, can you please add the following command:
management-access
Eg:
management-access server-vlan
or
management-access data-vlan
You can only configure 1 interface to be the management interface.
09-21-2012 01:22 AM
Added
management-access server-vlan
Still cannot ping.
I am very new to security and ASA, so not sure what else I should be trying.
many thanks
cheers..
09-21-2012 01:52 AM
Please kindly share the full config from both ASAs. Thanks.
09-21-2012 04:00 AM
We are doing some changes right now; will post the config tomorrow.
Appreciate your help
thank you
cheers..
10-06-2012 11:16 PM
Your command helped to fix this issue:
management-access
many thanks