tunnel snmp through vpn concentrator

joshsprang
Level 1

I can't seem to find any documentation on how to monitor a PIX through the PIX to VPN concentrator tunnel. I want to send the SNMP traffic from the remote PIX through the tunnel through the concentrator to a local syslog server. I found a document that tells how to send SNMP through a PIX to PIX tunnel, and on the local PIX you create an access list in your access list you use with the VPN that allows the IP of host syslog to host outside interface of remote PIX. I am just not sure how to do this on a VPN Concentrator 3000 series. I have all the correct routes, and devices behind the remote PIX can ping the local syslog server's IP.

I tried logging like this:

syslog = 192.168.200.50

Remote PIX:

I tried both

logging host inside 192.168.200.50

and

logging host outside 192.168.200.50

I also tried adding the access-list part of the tunnel access-list in the remote PIX like it says to do in the PIX-to-PIX SNMP tunnel doc:

access-list vpn permit ip host 192.168.200.50 host outside interface

None of this worked. I even tried pointing the logging host to the inside interface of the concentrator to see if the concentrator would pass the syslog msgs with its own, and got nothing.

thanks


1 Reply

scoclayton
Level 7

The following is the correct command to enter on the PIX:

logging host outside 192.168.200.50

(though this is not SNMP but rather syslog)

As the sample config you read mentions, you do need to add a line to your crypto access-list on the PIX side like this:

access-list permit ip host host 192.168.200.50

You would also need to modify your entries on the 3K side to reflect that traffic between the PIX outside interface and the syslog server should also be encrypted. Sounds like the 3K is where you are missing some configuration.

Scott
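An added example, not part of either post: a small Python check that the syslog flow (PIX outside interface to 192.168.200.50) is treated as tunnel traffic on both peers, which is the condition the reply describes. The PIX outside address, the 10.1.1.0/24 remote LAN, the function names and the address/wildcard-mask form of the 3K network lists are assumptions made for the illustration.

```python
import ipaddress

SYSLOG = "192.168.200.50"    # from the thread
PIX_OUTSIDE = "203.0.113.2"  # constructed placeholder for the PIX outside IP

def _pix_net(tok):
    """Consume 'host A' or 'A NETMASK' from PIX ACL tokens."""
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}"), tok[2:]

def pix_acl_matches(acl, src, dst):
    """True if a 'permit ip' entry covers src -> dst as written (outbound match)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        tok = line.split()
        if len(tok) < 8 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
            continue
        src_net, rest = _pix_net(tok[4:])
        dst_net, _ = _pix_net(rest)
        if s in src_net and d in dst_net:
            return True
    return False

def in_3k_list(entries, addr):
    """Network-list entries assumed to be address/wildcard-mask."""
    a = int(ipaddress.ip_address(addr))
    for entry in entries:
        base, wild = (int(ipaddress.ip_address(x)) for x in entry.split("/"))
        if (a | wild) == (base | wild):
            return True
    return False

def tunnel_carries_syslog(pix_acl, local_3k, remote_3k):
    """Both peers must agree that PIX outside -> syslog server is interesting traffic."""
    return (pix_acl_matches(pix_acl, PIX_OUTSIDE, SYSLOG)
            and in_3k_list(local_3k, SYSLOG)
            and in_3k_list(remote_3k, PIX_OUTSIDE))

# Constructed sample: LAN 10.1.1.0/24 behind the remote PIX.
BASE = ["access-list vpn permit ip 10.1.1.0 255.255.255.0 192.168.200.0 255.255.255.0"]
REVERSED = BASE + [f"access-list vpn permit ip host {SYSLOG} host {PIX_OUTSIDE}"]
FIXED = BASE + [f"access-list vpn permit ip host {PIX_OUTSIDE} host {SYSLOG}"]
LOCAL_3K = ["192.168.200.0/0.0.0.255"]
REMOTE_3K_OLD = ["10.1.1.0/0.0.0.255"]
REMOTE_3K_NEW = REMOTE_3K_OLD + [PIX_OUTSIDE + "/0.0.0.0"]

if __name__ == "__main__":
    print(tunnel_carries_syslog(FIXED, LOCAL_3K, REMOTE_3K_NEW))
```

With the sample data, hosts behind the PIX already match the tunnel (which is why ping works), while the PIX's own syslog only matches once the PIX entry has the outside interface as source and the concentrator's remote list includes that address.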