ASA 5505 remote SNMP monitoring over VPN

Apr 3rd, 2012

Hi, We currently have a few 5505s installed at client sites which are connected via s2s IPsec VPN to our datacenter's 5510. We are using Nagios to monitor the local datacenter and remote client infrastructure (over the VPNs), which has been working well.

We would like to also monitor the remote 5505s using SNMP over the s2s tunnels, but it doesn't seem to be working; the connection is timing out. We've configured the remote 5505s with the same snmp statement we used on the 5510 (snmp-server host inside <remote datacenter IP> poll community ***** version 2c), yet the Nagios SNMP check cannot connect to the remote 5505s. We've also tried the command using 'outside' without any luck; not sure how to get SNMP to route over the VPN. Thanks in advance!

Jouni Forss Tue, 04/03/2012 - 11:05

Hi,

To my understanding there are always problems when you try to connect to/poll some ASA/PIX/FWSM interface from behind another of its interfaces.

Just to make sure, are the connections between ASA5510 and the ASA5505s Lan to Lan VPNs or are the ASA5505s EasyVPN Clients that automatically connect to the central ASA?

- Jouni

jonathanbruck Tue, 04/03/2012 - 11:48

Hi Jouni,

Yes, these are LAN to LAN VPNs giving us permanent connectivity to the LANs of the remote networks (i.e., for example, our 172.20.4.0/24 datacenter LAN has access to the 172.21.5.0/24 LAN at the remote site). From our Nagios server, which for example is 172.20.4.40, we can hit any of the hosts at the remote site (like 172.21.5.2) for monitoring.

In theory, the command I pasted above should allow SNMP traffic from our Nagios host across the VPN (since we provide the datacenter Nagios server IP), but I'm thinking that specifying 'inside' with the command means the 5505 expects these polls from the local LAN as opposed to the remote VPN LAN?

Any thoughts on this are much appreciated!

--Jon

Jouni Forss Tue, 04/03/2012 - 12:01

Hi,

I haven't tried your setup before, but the first thing that comes to mind is to change the L2L VPN encryption domain configuration a bit. I mean defining the interesting traffic for the L2L VPN.

I wonder if you could add the remote ASA 5505 outside interface IP address in the Encryption Domain configuration (and of course do NAT0 for that traffic also from the central site). Though I don't know if you already had similar configurations applied.

What I basically mean is adding these lines to the central ASA configuration (and mirror them to the remote site, of course). (I just chose random names for ACLs and interfaces.)

access-list L2L-VPN-ENCRYPTIONDOMAIN permit ip 172.20.4.0 255.255.255.0 host x.x.x.x

access-list INSIDE-NAT0 permit ip 172.20.4.0 255.255.255.0 host x.x.x.x

nat (inside) 0 access-list INSIDE-NAT0

Where:

  • L2L-VPN-ENCRYPTIONDOMAIN access-list = the access-list used in your VPN configuration (crypto map match address)
  • INSIDE-NAT0 = NAT0 configuration access-list
  • x.x.x.x = remote ASA 5505 outside interface IP

And if this works out just add the SNMP configuration line with the correct host IP and the interface as outside.

snmp-server host outside 172.20.4.40 poll community ***** version 2c

I still want to point out that I haven't tried this myself, but this is what came to my mind as an option.

Please rate if you find this information helpful

EDIT: Edited a typo on one configuration

EDIT2: I guess this setup might alter your current remote management connections to the remote ASA 5505s, depending on what the source address at your central site for the management connections is. Also, you can narrow down the source addresses in the configuration above.

EDIT3: Regarding the NAT: the format of course depends on whether you are running ASA software 8.2 and earlier or 8.3 and later.

- Jouni
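As an added example (not code from the thread), a small Python checker for the three conditions the post above lists in 8.2-style syntax: the NMS-to-remote-ASA-outside-IP flow must be permitted by the crypto ACL, permitted by the NAT0 ACL, and the snmp-server host must be bound to the interface the tunnel terminates on. The sample config and the 203.0.113.10 outside address are constructed stand-ins for x.x.x.x.

```python
"""Added check for the post above: the NMS -> remote-ASA-outside-IP flow must be
in the crypto ACL and the NAT0 ACL, and snmp-server host bound to the VPN interface."""
import ipaddress
import re

# Constructed sample in the post's 8.2-style syntax; 203.0.113.10 stands in for
# the remote 5505 outside IP (x.x.x.x). NAT0 lacks that IP and snmp-server still
# says 'inside', so the check reports both.
SAMPLE_CONFIG = """
access-list L2L-VPN-ENCRYPTIONDOMAIN permit ip 172.20.4.0 255.255.255.0 172.21.5.0 255.255.255.0
access-list L2L-VPN-ENCRYPTIONDOMAIN permit ip 172.20.4.0 255.255.255.0 host 203.0.113.10
access-list INSIDE-NAT0 permit ip 172.20.4.0 255.255.255.0 172.21.5.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
snmp-server host inside 172.20.4.40 poll community SECRET version 2c
"""
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (.+)$")
SNMP_RE = re.compile(r"^snmp-server host (\S+) (\S+)")

def _operand(tokens):
    """Consume one ASA address operand: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acls(config):
    """Map ACL name -> [(src_net, dst_net)] for its 'permit ip' entries."""
    acls = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, rest = _operand(m.group(2).split())
            dst, _ = _operand(rest)
            acls.setdefault(m.group(1), []).append((src, dst))
    return acls

def acl_permits(acls, name, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in src and d in dst for src, dst in acls.get(name, []))

def check_snmp_over_vpn(config, nms_ip, asa_outside_ip, crypto_acl, nat0_acl,
                        vpn_interface="outside"):
    """Return which of the three conditions hold; any False explains a timeout."""
    acls = parse_acls(config)
    snmp_hosts = {m.group(2): m.group(1)  # SNMP host IP -> bound interface
                  for m in map(SNMP_RE.match, map(str.strip, config.splitlines())) if m}
    return {
        "in_crypto_acl": acl_permits(acls, crypto_acl, nms_ip, asa_outside_ip),
        "in_nat0_acl": acl_permits(acls, nat0_acl, nms_ip, asa_outside_ip),
        "snmp_host_on_vpn_interface": snmp_hosts.get(nms_ip) == vpn_interface,
    }
```

Run it against a config pulled from the remote 5505 before a maintenance window; a False in any field points at which of the three lines from the post is still missing.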

jonathanbruck Wed, 04/04/2012 - 09:42

Hi Jouni,

Thanks for this, we will try these changes during our next maintenance window (end of this week) and let you know how it goes!

--Jon

Jouni Forss Thu, 04/05/2012 - 08:05

Whew,

So I configured a totally new L2L VPN to our central/core device which connects our Syslog server and an SNMP monitoring server to my ASA.

Both Syslog and SNMP work great from/to our servers.

I will post a more detailed description about this in a bit. Now I need some coffee.

- Jouni

PS. Also discussing this very same thing in another topic https://supportforums.cisco.com/thread/2141385?tstart=0

Jouni Forss Thu, 04/05/2012 - 09:03

Hi,

So here is some base info, with changed IP addresses instead of the public ones.

Central Syslog/SNMP Site

  • VPN Device IP 1.1.1.1
  • Syslog Server IP 10.10.10.1
  • SNMP server IP 10.10.10.2

Customer Site

  • VPN Device IP 2.2.2.2
  • This IP address is also used as the Syslog/SNMP source

Customer Site VPN configuration

  • ASA running version 8.4(3)
  • Done quickly with the L2L VPN Wizard through ASDM (below is from the ASDM CLI format preview)

    object-group network DM_INLINE_NETWORK_1
     network-object host 10.10.10.1
     network-object host 10.10.10.2
    access-list WAN_cryptomap line 1 extended permit ip host 2.2.2.2 object-group DM_INLINE_NETWORK_1
    group-policy GroupPolicy_1.1.1.1 internal
    group-policy GroupPolicy_1.1.1.1 attributes
     vpn-tunnel-protocol ikev1
    exit
    tunnel-group 1.1.1.1 type ipsec-l2l
    tunnel-group 1.1.1.1 general-attributes
     default-group-policy GroupPolicy_1.1.1.1
    tunnel-group 1.1.1.1 ipsec-attributes
     ikev1 pre-shared-key PRESHAREDKEY
     isakmp keepalive threshold 10 retry 2
    crypto ikev1 enable WAN
    crypto map WAN_map 1 match address WAN_cryptomap
    crypto map WAN_map 1 set peer 1.1.1.1
    crypto map WAN_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map WAN_map interface WAN

- Logging and SNMP settings

    logging enable
    logging timestamp
    logging buffer-size 8192
    logging buffered informational
    logging trap informational
    logging asdm debugging
    logging device-id hostname
    logging host WAN 10.10.10.1
    snmp-server host WAN 10.10.10.2 community COMMUNITY

The central site is an IOS device. I won't copy-paste any of its configuration here since it follows the same lines as the above client-side ASA test configuration.

Hope this helps. Please rate if it was helpful.

If you need any more information, please ask.

- Jouni

jonathanbruck Thu, 04/05/2012 - 09:16

This is all awesome, Jouni! We will try tomorrow and let you know how it goes.

--Jon

jonathanbruck Thu, 04/12/2012 - 07:12

Hi Jouni,

Unfortunately we had a production outage this weekend, thus all our time went towards dealing with that. Will try again this weekend and let you know. Thanks again!

--Jon

zyontrific Tue, 04/02/2013 - 05:46

Jouni,

Hi, me again. I have this issue and have tried all sorts of things seen on the Cisco support forums, but still can't get our NMS system to see the firewalls at the end of the VPNs which terminate on them, while we can see all the devices (including other firewalls) behind the VPN termination points. I have the management-access interface configured and the correct encryption domains, and when I log the traffic on the firewall I am trying to manage with SNMP/ICMP I see the traffic coming from our NMS system to the IP address we are managing the firewall on, but it just builds and tears down the connection and doesn't explain why or where. I have the correct ACLs, as we manage devices on the IP address range the management interface on the ASA is on. So I am now stuck...

The NMS pings the host first, then sends an SNMP poll on UDP 161:

Apr 02 2013 10:16:36: %ASA-6-302020: Built inbound ICMP connection for faddr 10.sn.sn.nh/1 gaddr 10.sn.ms.mh/0 laddr 10.sn.ms.mh/0

Apr 02 2013 10:16:38: %ASA-6-302021: Teardown ICMP connection for faddr  10.sn.sn.nh/1 gaddr 10.sn.ms.mh/0 laddr 10.sn.ss.hm/0

Apr 02 2013 10:16:42: %ASA-6-302015: Built inbound UDP connection 9934943 for outside:10.sn.sn.nh/56481 (10.sn.sn.nh/56481) to MGMT:10.sn.ms.mh/161 (10.sn.ms.mh/161)

Where sn = subnet, ms = management subnet, nh = NMS host and mh = management host (on the ASA MGMT interface).

So I can see the traffic I am expecting on the firewall, but it doesn't respond to the UDP 161 request. I had SNMP debug on, but that didn't show me anything extra.

Regards,

Z

Jouni Forss Tue, 04/02/2013 - 05:59

Hi,

I have only tried this with using the "outside" interface on the ASA and in that case it seemed to work just fine.

Are you saying that you can't even use ICMP to the interface configured with "management-access"? The ASA command reference seems to suggest that this command should enable ICMP and management connections from behind the interface which builds the actual L2L VPN connection.

Though it doesn't say anything about SNMP, so it might even be that you can't use any other interface on the ASA for SNMP other than the one building the L2L VPN (outside). Though this is not something I have tested and could say with 100% certainty.

But it would seem to me that the ICMP should still work to the "management" interface which is configured with the "management-access" configuration.

I guess you still have the option to use the ASA "outside" IP address for Management, ICMP and SNMP if you configure it to be a part of the L2L VPN.

- Jouni

zyontrific Tue, 04/02/2013 - 06:12

Jouni,

Many thanks for your quick reply. I did try using the outside interface (internet facing), but that is being used to NAT all sources behind this firewall when it uses the internet, so when I tried using it other services stopped working and I had to revert. The ICMP does look like it replies, but I never see it again on the other end of the VPN. I can, however, ping any other device on the MGMT interface. I think some of the old NAT set-up on this firewall can be removed now that I have a site-to-site VPN and we can connect to all internal devices with their real IP addresses, as I think the NAT has caused me many issues while configuring this site. I will then be able to try the outside interface without causing issues to other services.

Many thanks again for your quick response.

Z

Jouni Forss Tue, 04/02/2013 - 06:17

Hi,

You should be able to use the public IP address for the L2L VPN. I did it with a setup with only 1 public IP on the ASA.

If it has caused problems then there has probably been some misconfiguration in the L2L VPN rules. Perhaps they have been too wide (using "any" in the crypto ACL, perhaps) and that way caused traffic from the LAN to the Internet to break.

If you only define the "outside" IP address and one destination IP address (the management server) on the L2L VPN, then it shouldn't have any effect on traffic from the LAN to hosts on the Internet.

- Jouni

zyontrific Tue, 04/02/2013 - 06:32

Jouni,

Thanks again. I configured the VPN ACL, which is specific to each site's IP range. It was the preconfigured (before I started here a month ago) NAT that has the "any" on it when it can be more specific (that was the NAT I moved to after-auto with the command you told me about before). Trying to work through tidying up someone else's configuration on a live system and keep everything running is a nice challenge for sure. I will go through our Change Request system and try this out with a more specific NAT rule and using the external IP address instead of an internal one for the ASA. Thanks for the direction, it is very much appreciated. I need to get a job on a greenfield site for a change. Reverse engineering something that has never been documented, with nobody on site who knows why anything was done the way it has been.

Regards,

Z

Posted April 3, 2012 at 8:44 AM