Hi, we currently have a few 5505s installed at client sites which are connected via s2s IPsec VPN to our datacenter's 5510. We are using Nagios to monitor the local datacenter and remote client infrastructure (over the VPNs), which has been working well.
We would like to also monitor the remote 5505s using SNMP over the s2s tunnels, but it doesn't seem to be working; the connection is timing out. We've configured the remote 5505s with the same snmp statement we used on the 5510 (snmp-server host inside <remote datacenter IP> poll community ***** version 2c), yet the Nagios SNMP check cannot connect to the remote 5505s. We've also tried the command using 'outside' without any luck; not sure how to get SNMP to route over the VPN. Thanks in advance!
To my understanding, there are always problems when you try to connect/poll some ASA/PIX/FWSM interface behind another of its interfaces.
Just to make sure, are the connections between the ASA5510 and the ASA5505s LAN to LAN VPNs, or are the ASA5505s EasyVPN clients that automatically connect to the central ASA?
Yes, these are LAN to LAN VPNs giving us permanent connectivity to the LANs of the remote networks (for example, our 172.20.4.0/24 datacenter LAN has access to the 172.21.5.0/24 LAN at the remote site). From our Nagios server, which for example is 172.20.4.40, we can hit any of the hosts at the remote site (like 172.21.5.2) for monitoring.
In theory, the command I pasted above should allow SNMP traffic from our Nagios host across the VPN (since we provide the datacenter Nagios server IP), but I'm thinking that specifying 'inside' in the command means the 5505 expects these polls from the local LAN as opposed to the remote VPN LAN?
Any thoughts on this are much appreciated!
I haven't tried your setup before, but the first thing that comes to mind is changing the L2L VPN encryption domain configuration a bit. I mean defining the interesting traffic for the L2L VPN.
I wonder if you could add the remote ASA 5505 outside interface IP address in the encryption domain configuration (and of course do NAT0 for that traffic from the central site as well). Though I don't know if you already have similar configurations applied.
What I basically mean is adding these lines to the central ASA configuration (and mirroring them to the remote site, of course). (I just chose random names for the ACLs and interfaces.)
access-list L2L-VPN-ENCRYPTIONDOMAIN permit ip 172.20.4.0 255.255.255.0 host x.x.x.x
access-list INSIDE-NAT0 permit ip 172.20.4.0 255.255.255.0 host x.x.x.x
nat (inside) 0 access-list INSIDE-NAT0
And if this works out just add the SNMP configuration line with the correct host IP and the interface as outside.
snmp-server host outside 172.20.4.40 poll community ***** version 2c
I'd still like to point out that I haven't tried this myself, but this is what came to my mind as an option.
Please rate if you find this information helpful
EDIT: Edited a typo on one configuration
EDIT2: I guess this setup might alter your current remote management connections to the remote ASA 5505s, depending on what the source address at your central site for the management connections is. Also, you can narrow down the source addresses in the configuration above.
EDIT3: Regarding the NAT: the format of course depends on whether you are running ASA software 8.2 and earlier or 8.3 and later.
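The encryption-domain and NAT exemption idea above, written out for both of the NAT syntaxes EDIT3 refers to, as an added example rather than the poster's own configuration; the object, ACL and crypto map names are made up, x.x.x.x stands for the remote 5505's outside IP as in the thread, and the remote side mirrors the central side's crypto ACL:

```cisco
! ---- Central ASA 5510, ASA 8.2 and earlier (NAT exemption via nat 0) ----
! Encryption domain: datacenter LAN <-> remote 5505 outside interface (x.x.x.x)
access-list L2L-VPN-ENCRYPTIONDOMAIN extended permit ip 172.20.4.0 255.255.255.0 host x.x.x.x
access-list INSIDE-NAT0 extended permit ip 172.20.4.0 255.255.255.0 host x.x.x.x
nat (inside) 0 access-list INSIDE-NAT0
crypto map OUTSIDE-MAP 10 match address L2L-VPN-ENCRYPTIONDOMAIN

! ---- Central ASA 5510, ASA 8.3 and later (identity twice NAT, same crypto ACL) ----
object network DC-LAN
 subnet 172.20.4.0 255.255.255.0
object network REMOTE-5505-OUTSIDE
 host x.x.x.x
access-list L2L-VPN-ENCRYPTIONDOMAIN extended permit ip object DC-LAN object REMOTE-5505-OUTSIDE
! Identity NAT so the poller keeps its real 172.20.4.x address on the way into the tunnel
nat (inside,outside) source static DC-LAN DC-LAN destination static REMOTE-5505-OUTSIDE REMOTE-5505-OUTSIDE no-proxy-arp route-lookup
crypto map OUTSIDE-MAP 10 match address L2L-VPN-ENCRYPTIONDOMAIN

! ---- Remote ASA 5505 (8.3 and later), mirror image of the central crypto ACL ----
object network DC-LAN
 subnet 172.20.4.0 255.255.255.0
object network MY-OUTSIDE
 host x.x.x.x
access-list L2L-VPN-ENCRYPTIONDOMAIN extended permit ip object MY-OUTSIDE object DC-LAN
crypto map OUTSIDE-MAP 10 match address L2L-VPN-ENCRYPTIONDOMAIN
! Assumption: replies the ASA sources from its own outside address are not subject to the
! interface NAT rules, so no NAT exemption is added on this side.
! The poller is reached through the tunnel, so bind SNMP to the interface that terminates the VPN
! and restrict polling to the one Nagios host rather than a whole subnet.
snmp-server host outside 172.20.4.40 poll community ***** version 2c
```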
Thanks for this, we will try these changes during our next maintenance window (end of this week) and let you know how it goes!
So I configured a totally new L2L VPN to our central/core device, which connects our Syslog server and an SNMP monitoring server to my ASA.
Both Syslog and SNMP work great from/to our servers.
I will post a more detailed description about this in a bit. Now I need some coffee.
PS. Also discussing this very same thing in another topic https://supportforums.cisco.com/thread/2141385?tstart=0
So here is some base info, with the public IP addresses changed.
Central Syslog/SNMP Site
Customer Site VPN configuration
object-group network DM_INLINE_NETWORK_1
 network-object host 10.10.10.1
 network-object host 10.10.10.2
access-list WAN_cryptomap line 1 extended permit ip host 126.96.36.199 object-group DM_INLINE_NETWORK_1
group-policy GroupPolicy_188.8.131.52 internal
tunnel-group 184.108.40.206 type ipsec-l2l
tunnel-group 220.127.116.11 general-attributes
tunnel-group 18.104.22.168 ipsec-attributes
 ikev1 pre-shared-key PRESHAREDKEY
 isakmp keepalive threshold 10 retry 2
crypto ikev1 enable WAN
crypto map WAN_map 1 match address WAN_cryptomap
crypto map WAN_map 1 set peer 22.214.171.124
crypto map WAN_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map WAN_map interface WAN
- Logging and SNMP settings
logging buffer-size 8192
logging buffered informational
logging trap informational
logging asdm debugging
logging device-id hostname
logging host WAN 10.10.10.1
snmp-server host WAN 10.10.10.2 community COMMUNITY
The central site is an IOS device. I won't copy and paste any of its configuration here since it follows the same lines as the client-side ASA test configuration above.
Hope this helps. Please rate if it was helpful.
If you need any more information, please ask.
Unfortunately we had a production outage this weekend thus all our time went towards dealing with that. Will try again this weekend and let you know. Thanks again!
Hi, me again. I have this issue and have tried all sorts of things seen on the Cisco support forums, but still can't get our NMS system to see the firewalls at the end of the VPNs which terminate on them, although we can see all the devices (including other firewalls) behind the VPN termination points. I have the management-access interface configured and the correct encryption domains, and when I log the traffic on the firewall I am trying to manage with SNMP/ICMP I see the traffic coming from our NMS system to the IP address we are managing the firewall on, but it just builds and tears down the connection and doesn't explain why or where. I have the correct ACLs, as we manage devices on the IP address range the management interface on the ASA is on. So I am now stuck...
The NMS pings the host first, then sends an SNMP poll on UDP 161:
Apr 02 2013 10:16:36: %ASA-6-302020: Built inbound ICMP connection for faddr 10.sn.sn.nh/1 gaddr 10.sn.ms.mh/0 laddr 10.sn.ms.mh/0
Apr 02 2013 10:16:38: %ASA-6-302021: Teardown ICMP connection for faddr 10.sn.sn.nh/1 gaddr 10.sn.ms.mh/0 laddr 10.sn.ss.hm/0
Apr 02 2013 10:16:42: %ASA-6-302015: Built inbound UDP connection 9934943 for outside:10.sn.sn.nh/56481 (10.sn.sn.nh/56481) to MGMT:10.sn.ms.mh/161 (10.sn.ms.mh/161)
Where sn = subnet, ms = management subnet, nh = NMS host and mh = management host (on the ASA MGMT interface).
So I can see the traffic I am expecting on the firewall, but it doesn't respond to the UDP 161 request. I had SNMP debug on, but that didn't show me anything extra.
I have only tried this using the "outside" interface on the ASA, and in that case it seemed to work just fine.
Are you saying that you can't even use ICMP to the interface configured with "management-access"? The ASA command reference seems to suggest that this command should enable ICMP and management connections from behind the interface which builds the actual L2L VPN connection.
Though it doesn't say anything about SNMP, so it might even be that you can't use any other interface on the ASA for SNMP other than the one building the L2L VPN (outside). Though this is not something I have tested and could say with 100% certainty.
But it would seem to me that the ICMP should still work to the "management" interface which is configured with the "management-access" configuration.
I guess you still have the option to use the ASA "outside" IP address for Management, ICMP and SNMP if you configure it to be a part of the L2L VPN.
Many thanks for your quick reply. I did try using the outside interface (internet facing), but that is being used to NAT all sources behind this firewall when they use the internet, so when I tried using it other services stopped working and I had to revert. The ICMP does look like it replies, but I never see it again on the other end of the VPN. I can, however, ping any other device on the MGMT interface. I think some of the old NAT set-up on this firewall can be removed now that I have a site-to-site VPN and we can connect to all internal devices with their real IP addresses, as I think the NAT has caused me many issues while configuring this site. I will then be able to try the outside interface without causing issues to other services.
Many thanks again for your quick response.
You should be able to use the public IP address for the L2L VPN. I did it with a setup with only 1 public IP on the ASA.
If it has caused problems then there has probably been some misconfiguration in the L2L VPN rules. Perhaps they have been too wide (using "any" in the crypto ACL, perhaps) and that way caused traffic from the LAN to the Internet to break.
If you only define the "outside" IP address and one destination IP address (the management server) on the L2L VPN, then it shouldn't have any effect on traffic from the LAN to hosts on the Internet.
Thanks again. I configured the VPN ACL, which is specific to each site's IP range; it was the preconfigured NAT (from before I started here a month ago) that has the "any" on it when it could be more specific (that was the NAT I moved to after-auto with the command you told me about before). Trying to work through tidying up someone else's configuration on a live system and keep everything running is a nice challenge for sure. I will go through our Change Request system and try this out with a more specific NAT rule and using the external IP address instead of an internal one for the ASA. Thanks for the direction; it is very much appreciated. I need to get a job on a greenfield site for a change. Reverse engineering something that has never been documented, with nobody on site who knows why anything was done the way it has been...