04-03-2012 04:11 AM
I have two remote sites connected to the main office via Site-to-Site VPNs. The tunnels are up and working fine. The only thing I cannot figure out is how to send traffic generated by the ASA through the tunnel. For instance, I am trying to get the ASAs at the remote sites to send syslog and SNMP to the servers at the main office, but I have had no luck. I assume it is a routing issue, but I can't seem to find the answer. Syslog and SNMP traffic generated by devices on the LAN passes through the tunnel to the main office, but not traffic generated on the ASA. When I debug the ASA I can see that when it is attempting to send traffic (syslog, SNMP) generated by the ASA, routing fails.
Routing failed to locate next hop for udp from NP Identity Ifc:192.168.20.1/514 to inside:172.20.5.55/514
192.168.20.1 is the inside interface of the ASA.
How do I get traffic that starts on the ASA to route through the VPN tunnel?
04-03-2012 12:22 PM
Hi,
Another thread/post on these same forums handles the situation you mention.
See if it's of any help:
https://supportforums.cisco.com/message/3603117#3603117
I haven't had to lab the setup yet myself.
- Jouni
04-05-2012 06:59 AM
Thanks, I saw that link earlier but never saw anyone state that it worked, so I am hesitant to try. Unfortunately I do not have a lab with ASAs, just the production environment, so I am a little cautious.
One thing I don't understand is that all the devices behind the firewall send syslog and SNMP messages through the tunnel and can ping through to the main office. The same actions when done on the ASA do not work: the ASA in the remote office cannot ping the home office LAN, and syslog and SNMP do not get through the tunnel to the main office. Yet NetFlow works fine. How would NetFlow, originating on the ASA, route through the tunnel, but nothing else that is generated on the ASA can?
This has got me confused.
04-05-2012 07:08 AM
Hi,
I have to admit I know absolutely nothing about NetFlow.
Though regarding the ICMP, syslog and SNMP problems, my best guess would be that the ASA is indeed using the WAN IP to send the traffic, as the destination addresses are on its outside interface side because of the VPN. And as that WAN IP is not included in the encryption domain, it will just try to send the traffic through the Internet.
I guess I could try this setup with my home ASA and our central VPN device and see, for example, if I can get my ASA to send syslogs to our syslog server.
- Jouni
04-05-2012 08:04 AM
Whew,
So I configured a totally new L2L VPN to our central/core device, which connects our syslog server and an SNMP monitoring server to my ASA.
Both syslog and SNMP work great from/to our servers.
I will post a more detailed description about this in a bit. Now I need some coffee.
- Jouni
04-05-2012 09:02 AM
Hi,
So here is some base info, with changed IP addresses instead of the public ones.
Central Syslog/SNMP Site
Customer Site
Customer Site VPN configuration
object-group network DM_INLINE_NETWORK_1
network-object host 10.10.10.1
network-object host 10.10.10.2
access-list WAN_cryptomap line 1 extended permit ip host 2.2.2.2 object-group DM_INLINE_NETWORK_1
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
vpn-tunnel-protocol ikev1
exit
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key PRESHAREDKEY
isakmp keepalive threshold 10 retry 2
crypto ikev1 enable WAN
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer 1.1.1.1
crypto map WAN_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map interface WAN
- Logging and SNMP settings
logging enable
logging timestamp
logging buffer-size 8192
logging buffered informational
logging trap informational
logging asdm debugging
logging device-id hostname
logging host WAN 10.10.10.1
snmp-server host WAN 10.10.10.2 community COMMUNITY
The central site is an IOS device. I won't copy-paste any configuration of it here, since it follows the same lines as the above client-side ASA test configuration.
Hope this helps. Please rate if it was helpful.
If you need any more information, please ask.
- Jouni
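The point of Jouni's working config above is that the ASA sources its own syslog and SNMP packets from the address of the interface named in `logging host` / `snmp-server host` (here WAN, 2.2.2.2), so that address must itself be inside the crypto-map ACL, otherwise the packets go out unencrypted toward the Internet. The following script is an added example, not code from the thread or from Cisco: it parses a trimmed copy of the posted customer-site config, derives the source address each management packet will carry, and reports whether the (source, destination) pair falls inside any entry of the ACL referenced by the crypto map. The interface IP addresses are not in the post, so the `INTERFACE_IPS` table is an assumption (2.2.2.2 for WAN follows the post; the inside address is made up), and the second config, where the ACL only covers the inside LAN, is a constructed counter-example.

```python
"""Check whether ASA-originated syslog/SNMP traffic is inside the VPN
encryption domain (the crypto-map ACL).  Added example; not from the thread."""
import ipaddress

# Assumption: interface addresses are not in the posted config.  2.2.2.2 is
# the sanitized WAN address from the post; the inside address is made up.
INTERFACE_IPS = {"WAN": "2.2.2.2", "inside": "192.168.20.1"}

# Trimmed copy of the customer-site config posted above.
WORKING_CONFIG = """
object-group network DM_INLINE_NETWORK_1
 network-object host 10.10.10.1
 network-object host 10.10.10.2
access-list WAN_cryptomap line 1 extended permit ip host 2.2.2.2 object-group DM_INLINE_NETWORK_1
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer 1.1.1.1
logging host WAN 10.10.10.1
snmp-server host WAN 10.10.10.2 community COMMUNITY
"""

# Constructed counter-example: the ACL covers only the inside LAN, so a
# syslog packet sourced from the WAN address never matches it.
BROKEN_CONFIG = """
access-list WAN_cryptomap extended permit ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
crypto map WAN_map 1 match address WAN_cryptomap
logging host WAN 10.10.10.1
"""


def _take_addr(tokens, i, groups):
    """Consume one ASA address spec at tokens[i]; return (networks, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if tok == "object-group":
        return list(groups.get(tokens[i + 1], [])), i + 2
    # "A.B.C.D MASK" form
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def parse_config(text):
    """Extract network object-groups, extended ACLs, crypto-map ACL names and
    the logging/snmp-server hosts from ASA running-config text."""
    groups, acls, crypto_acls, mgmt = {}, {}, set(), []
    current_group = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] not in ("object-group", "network-object"):
            current_group = None
        if t[:2] == ["object-group", "network"]:
            current_group = t[2]
            groups[current_group] = []
        elif t[0] == "network-object" and current_group:
            groups[current_group].extend(_take_addr(t, 1, groups)[0])
        elif t[0] == "access-list" and "permit" in t:
            i = t.index("permit") + 2          # skip the protocol keyword
            src, i = _take_addr(t, i, groups)
            dst, i = _take_addr(t, i, groups)
            acls.setdefault(t[1], []).append((src, dst))
        elif t[:2] == ["crypto", "map"] and "match" in t:
            crypto_acls.add(t[t.index("address") + 1])
        elif t[:2] == ["logging", "host"]:
            mgmt.append(("syslog", t[2], t[3]))
        elif t[:2] == ["snmp-server", "host"]:
            mgmt.append(("snmp", t[2], t[3]))
    return {"groups": groups, "acls": acls, "crypto_acls": crypto_acls, "mgmt": mgmt}


def check_asa_sourced_traffic(config_text, interface_ips):
    """For each management host, the ASA sources the packet from the address
    of the interface named in the command.  Report whether that
    (source, destination) pair is matched by any crypto-map ACL entry."""
    cfg = parse_config(config_text)
    report = []
    for kind, ifc, dst in cfg["mgmt"]:
        src = ipaddress.ip_address(interface_ips[ifc])
        dst_ip = ipaddress.ip_address(dst)
        covered = any(
            any(src in n for n in s) and any(dst_ip in n for n in d)
            for name in cfg["crypto_acls"]
            for s, d in cfg["acls"].get(name, [])
        )
        report.append({"kind": kind, "interface": ifc, "source": str(src),
                       "destination": dst, "in_encryption_domain": covered})
    return report


if __name__ == "__main__":
    for label, cfg in (("working", WORKING_CONFIG), ("broken", BROKEN_CONFIG)):
        for r in check_asa_sourced_traffic(cfg, INTERFACE_IPS):
            print(label, r)
```

Run against the posted config both entries come back as inside the encryption domain; against the constructed config the syslog entry is flagged, which is the "sent out the WAN in the clear" case Jouni described. The parser handles only the address forms seen on this page (`host`, `object-group`, `any`, and address/mask pairs), not nested object groups or `object` references, so treat it as a sanity check on a single crypto map rather than a general ACL engine.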
04-05-2012 09:27 AM
Thanks! I will come in early tomorrow morning and give it a shot. I will let you know how it goes.
04-09-2012 11:30 PM
Hi,
Did you get to test this? Did it work for you?
- Jouni
04-10-2012 05:39 AM
No I haven't, other things came up that I had to deal with and was unable to get to it last week. Additionally I started a new job this week, and passed that issue onto someone else at my previous employer. I will keep in contact with them and hopefully get a resolution for you.