I have two remote sites connected to the main office via Site-to-Site VPNs. The tunnels are up and working fine. The only thing I cannot figure out is how to send traffic generated by the ASA through the tunnel. For instance, I am trying to get the ASAs at the remote sites to send syslog and SNMP to the servers at the main office, but I have had no luck. I assume it is a routing issue but I can't seem to find the answer. Syslog and SNMP traffic generated by devices on the LAN passes through the tunnel to the main office, but not traffic generated on the ASA. When I debug the ASA, I can see that routing fails when it attempts to send traffic (syslog, SNMP) generated by the ASA:
Routing failed to locate next hop for udp from NP Identity Ifc:192.168.20.1/514 to inside:172.20.5.55/514
192.168.20.1 is the inside interface of the ASA.
How do I get traffic that starts on the ASA to route through the VPN tunnel?
Another thread/post on these same forums handles the situation you mention.
See if it's of any help.
I haven't had to lab the setup yet myself.
Thanks, I saw that link earlier but have never seen anyone state that it worked, so I am hesitant to try. Unfortunately I do not have a lab with ASAs, just the production environment, so I am a little cautious.
One thing I don't understand is that all the devices behind the firewall send syslog and SNMP messages through the tunnel and can ping through to the main office. The same actions, when done on the ASA, do not work: the ASA in the remote office cannot ping the home office LAN, and syslog and SNMP do not get through the tunnel to the main office. Yet NetFlow works fine. How would NetFlow, originating on the ASA, route through the tunnel when nothing else generated on the ASA can?
This has got me confused.
I've got to admit I know absolutely nothing about NetFlow.
Though regarding the ICMP, syslog and SNMP problems, my best guess would be that the ASA is indeed using the WAN IP to send the traffic, as the destination addresses are on its outside interface side because of the VPN. And as that WAN IP is not included in the encryption domain, it will just try to send the traffic through the Internet.
I guess I could try this setup with my home ASA and our central VPN device and see, for example, if I can get my ASA to send syslogs to our syslog server.
So I configured a totally new L2L VPN to our central/core device, which connects our syslog server and an SNMP monitoring server to my ASA.
Both Syslog and SNMP work great from/to our servers.
I will post a more detailed description about this in a bit. Now I need some coffee.
So here is some base info, with changed IP addresses instead of the public ones:
Central Syslog/SNMP Site
Customer Site VPN configuration
object-group network DM_INLINE_NETWORK_1
 network-object host 10.10.10.1
 network-object host 10.10.10.2
access-list WAN_cryptomap line 1 extended permit ip host 126.96.36.199 object-group DM_INLINE_NETWORK_1
group-policy GroupPolicy_188.8.131.52 internal
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 general-attributes
tunnel-group 18.104.22.168 ipsec-attributes
 ikev1 pre-shared-key PRESHAREDKEY
 isakmp keepalive threshold 10 retry 2
crypto ikev1 enable WAN
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer 22.214.171.124
crypto map WAN_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map interface WAN
- Logging and SNMP settings
logging buffer-size 8192
logging buffered informational
logging trap informational
logging asdm debugging
logging device-id hostname
logging host WAN 10.10.10.1
snmp-server host WAN 10.10.10.2 community COMMUNITY
The central site is an IOS device. I won't copy-paste any configuration of it here since it follows the same lines as the above client-side ASA test configuration.
Hope this helps. Please rate if it was helpful.
If you need any more information, please ask.
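Added example (not code from any of the posts in this thread): a small Python checker that turns ASA `object-group network` and crypto-map `access-list` lines into an encryption domain and tests whether a given source/destination pair is "interesting traffic". It illustrates the point made earlier in the thread: the ASA's own source address has to fall inside the crypto ACL for ASA-generated syslog/SNMP to be encrypted, otherwise the packet is routed like any other Internet-bound packet. The first config is constructed to mirror the posted customer-site config and assumes 126.96.36.199 is the ASA's WAN interface address; the second is a hypothetical LAN-only crypto ACL that covers only the inside subnet, which is the failing situation described above. The debug line is the one quoted in the original question, and the block also parses it so the same check can be run straight from the log.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, List[Net], List[Net]]  # (protocol, source nets, destination nets)

# Constructed config modelled on the customer-site test config posted above.
# Assumption: 126.96.36.199 is the ASA's WAN interface address, so ASA-generated
# syslog/SNMP sourced from WAN falls inside the encryption domain.
CONFIG_WITH_ASA_IP = """
object-group network DM_INLINE_NETWORK_1
 network-object host 10.10.10.1
 network-object host 10.10.10.2
access-list WAN_cryptomap line 1 extended permit ip host 126.96.36.199 object-group DM_INLINE_NETWORK_1
"""

# Constructed, hypothetical LAN-only crypto ACL: only the inside subnet is in the
# encryption domain, so anything sourced from the ASA's own WAN address is not.
CONFIG_LAN_ONLY = """
access-list WAN_cryptomap extended permit ip 192.168.20.0 255.255.255.0 172.20.5.0 255.255.255.0
"""

# Debug line quoted in the original question.
ROUTING_FAILURE_LOG = ("Routing failed to locate next hop for udp from "
                       "NP Identity Ifc:192.168.20.1/514 to inside:172.20.5.55/514")


def parse_object_groups(config: str) -> Dict[str, List[Net]]:
    """Collect `object-group network` members (host and NET MASK forms)."""
    groups: Dict[str, List[Net]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is None:
            continue
        m = re.match(r"network-object host (\S+)$", line)
        if m:
            groups[current].append(ipaddress.ip_network(m.group(1)))
            continue
        m = re.match(r"network-object (\S+) (\S+)$", line)
        if m:
            groups[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
            continue
        current = None  # any other command ends the object-group block
    return groups


def _endpoint(t: List[str], i: int, groups: Dict[str, List[Net]]) -> Tuple[List[Net], int]:
    """Parse one ACE endpoint: any | host A | object-group G | NET MASK."""
    if t[i] in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "host":
        return [ipaddress.ip_network(t[i + 1])], i + 2
    if t[i] == "object-group":
        return list(groups[t[i + 1]]), i + 2
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)], i + 2


def parse_crypto_acl(config: str, acl_name: str, groups: Dict[str, List[Net]]) -> List[Entry]:
    """Return the permit entries of the named crypto ACL (the encryption domain)."""
    entries: List[Entry] = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 2 or t[0] != "access-list" or t[1] != acl_name:
            continue
        i = 2
        if t[i] == "line":      # ASDM-style "line N" prefix
            i += 2
        if t[i] == "extended":
            i += 1
        action, proto, i = t[i], t[i + 1], i + 2
        if action != "permit":  # deny entries never select traffic for the tunnel
            continue
        src, i = _endpoint(t, i, groups)
        dst, i = _endpoint(t, i, groups)
        entries.append((proto, src, dst))
    return entries


def is_interesting(entries: List[Entry], src_ip: str, dst_ip: str) -> bool:
    """True when some permit ACE covers both the source and the destination."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(any(s in n for n in srcs) and any(d in n for n in dsts)
               for _proto, srcs, dsts in entries)


def check_flow(config: str, acl_name: str, src_ip: str, dst_ip: str) -> bool:
    """Would a packet from src_ip to dst_ip be selected for the crypto map?"""
    groups = parse_object_groups(config)
    return is_interesting(parse_crypto_acl(config, acl_name, groups), src_ip, dst_ip)


ROUTE_FAIL_RE = re.compile(
    r"Routing failed to locate next hop for (?P<proto>\w+) from "
    r"(?P<src_ifc>.+?):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<dst_ifc>.+?):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)")


def parse_routing_failure(line: str) -> Optional[Dict[str, str]]:
    """Pull interface, address and port fields out of an ASA routing-failure debug line."""
    m = ROUTE_FAIL_RE.search(line)
    return m.groupdict() if m else None
```

Running `check_flow(CONFIG_WITH_ASA_IP, "WAN_cryptomap", "126.96.36.199", "10.10.10.1")` returns True, while the same ASA-sourced flow against `CONFIG_LAN_ONLY` returns False even though a LAN host such as 192.168.20.50 matches; feeding `parse_routing_failure(ROUTING_FAILURE_LOG)` into `check_flow` is a quick way to confirm, from a debug line, whether the ASA's chosen source address is inside the encryption domain at all.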