Cisco ASA SNMP Polling Via VPN Site-to-Site Tunnel

How can you monitor a remote ASA over an IPsec LAN-to-LAN tunnel? This article shows how to poll a remote ASA with SNMP across such a tunnel.

Scenario:

We use a common scenario: an HQ ASA and a branch ASA connected by a site-to-site VPN tunnel, where the branch ASA has to be monitored (polled) across that tunnel. The SNMP/NMS server sits behind the HQ ASA. In our test we poll interface FastEthernet 0/0 on the branch ASA from the SNMP/NMS server.

NMS/SNMP server: 192.168.1.3/24

Branch ASA FastEthernet 0/0: 5.5.5.1/24

Topology:

[Topology diagram: ASA SNMP Polling Via VPN Site-to-Site Tunnel]

Solution:

VPN configuration part:

On Branch ASA:

crypto ipsec ikev1 transform-set TRANS esp-3des esp-sha-hmac
crypto map MAP 10 match address ACL
crypto map MAP 10 set peer $peer ip address$
crypto map MAP 10 set ikev1 transform-set TRANS
crypto map MAP interface outside
crypto ikev1 enable outside
tunnel-group $peer ip address$ type ipsec-l2l
tunnel-group $peer ip address$ ipsec-attributes
 ikev1 pre-shared-key cisco
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800

The crypto ACL (the ACL referenced by "match address") must cover the IP address/subnet of the interface you want to poll (FastEthernet 0/0 here, or whichever interface you choose):

# access-list ACL extended permit ip 5.5.5.0 255.255.255.0 192.168.1.0 255.255.255.0

On HQ ASA:

crypto ipsec ikev1 transform-set TRANS esp-3des esp-sha-hmac
crypto map MAP 10 match address ACL
crypto map MAP 10 set peer $peer ip address$
crypto map MAP 10 set ikev1 transform-set TRANS
crypto map MAP interface outside
crypto ikev1 enable outside
crypto ikev1 policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
tunnel-group $peer ip address$ type ipsec-l2l
tunnel-group $peer ip address$ ipsec-attributes
 ikev1 pre-shared-key cisco

On the HQ side the crypto ACL must cover the IP address/subnet of the NMS/SNMP server as the source and the polled branch subnet as the destination:

# access-list ACL extended permit ip 192.168.1.0 255.255.255.0 5.5.5.0 255.255.255.0

SNMP part:

On Branch ASA:

1. Configure the SNMP host and the interface behind which the NMS server is located. This is the tricky part: you must name the "inside" interface, even though the server is remote, so that SNMP traffic is sourced from the inside interface and therefore matches the crypto ACL and goes over the tunnel:

# snmp-server host inside 192.168.1.3 community test version 2c

2. Configure the "inside" interface as "management-access", so that the ASA accepts management (including SNMP) traffic arriving through the tunnel for that interface:

# management-access inside
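The two branch-side prerequisites above (crypto ACL coverage and management-access on the interface named in snmp-server host) are easy to get wrong; the following audit helper checks them against a saved running config. It is an added example, not code from the article or from Cisco; the sample config is constructed from the article's values and the peer address 203.0.113.1 is a placeholder.

```python
import ipaddress
import re

# Constructed sample of the branch-ASA running config from the article above;
# the peer address 203.0.113.1 is a placeholder (the page does not give it).
BRANCH_CONFIG = """
access-list ACL extended permit ip 5.5.5.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set TRANS esp-3des esp-sha-hmac
crypto map MAP 10 match address ACL
crypto map MAP 10 set peer 203.0.113.1
snmp-server host inside 192.168.1.3 community test version 2c
management-access inside
"""

ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)


def crypto_acl_covers(config, local_ip, nms_ip):
    """True if an ACL bound to a crypto map matches local_ip -> nms_ip,
    i.e. traffic from the polled interface to the NMS will be encrypted."""
    bound = set(re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M))
    for name, s_ip, s_mask, d_ip, d_mask in ACL_RE.findall(config):
        if name not in bound:
            continue
        src = ipaddress.ip_network(f"{s_ip}/{s_mask}", strict=False)
        dst = ipaddress.ip_network(f"{d_ip}/{d_mask}", strict=False)
        if ipaddress.ip_address(local_ip) in src and ipaddress.ip_address(nms_ip) in dst:
            return True
    return False


def audit_snmp_over_vpn(config, local_ip, nms_ip):
    """Return findings; an empty list means the article's two prerequisites
    (crypto ACL coverage and management-access) hold and no weak settings were seen."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if not crypto_acl_covers(config, local_ip, nms_ip):
        findings.append("crypto ACL does not cover polled interface -> NMS")
    host = next((l for l in lines if l.startswith("snmp-server host ") and f" {nms_ip} " in l), None)
    if host is None:
        findings.append("no snmp-server host entry for the NMS")
    else:
        iface = host.split()[2]  # interface the NMS is reached through ("inside" in the article)
        if f"management-access {iface}" not in lines:
            findings.append(f"management-access {iface} missing: polls will not traverse the tunnel")
        if "version 3" not in host:
            findings.append("SNMP v1/v2c community string; prefer SNMPv3 with auth and priv")
    if re.search(r"^crypto ipsec ikev1 transform-set .*esp-3des", config, re.M):
        findings.append("3DES transform-set; prefer AES")
    return findings
```

Run it as `audit_snmp_over_vpn(open("branch.cfg").read(), "5.5.5.1", "192.168.1.3")` against a config saved with "show running-config"; on the article's own settings it reports only the v2c community string and the 3DES transform set.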

Verification:

We verified the setup with the "snmpwalk" command from the SNMP server:

# snmpwalk -v 2c -c test 5.5.5.1
iso.3.6.1.2.1.1.1.0 = STRING: "Cisco Adaptive Security Appliance Version 8.4(2)"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.9.1.227
iso.3.6.1.2.1.1.3.0 = Timeticks: (134200) 0:22:22.00
iso.3.6.1.2.1.1.4.0 = ""
iso.3.6.1.2.1.1.6.0 = ""
iso.3.6.1.2.1.1.7.0 = INTEGER: 4
iso.3.6.1.2.1.2.1.0 = INTEGER: 8
iso.3.6.1.2.1.2.2.1.1.2 = INTEGER: 2
iso.3.6.1.2.1.2.2.1.1.3 = INTEGER: 3
iso.3.6.1.2.1.2.2.1.1.4 = INTEGER: 4

Reference links:

1. http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

2. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094a13.shtml

3. http://www.cisco.com/en/US/docs/security/pix/pix72/quick/guide/sitvpn_p.html

Reference from https://supportforums.cisco.com/docs/DOC-34759
