Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

SNMP 2c over site to site VPN Cisco ASA 5505

Posted on 2014-04-16
4
Medium Priority
?
3,160 Views
Last Modified: 2014-04-17
Hello,

Have Cisco ASA 5505 running IOS  9.1.3.  Have site to site VPN between that ASA and main office.  At main office have Solar Winds Device Tracker server  which monitors network equipment via SNMP.  SNMP server is on 192.168.0.0 /24 network.  Remote ASA is on 192.168.113.0 /24 network.  Have crypto maps and Before Nat rules to allow the two inside networks to communicate.  That works fine.  Different devices can ping and communicate.  But if I try to get the SNMP server to talk to the remote ASA 192.168.113.1, I get this in the remote ASA log:

"Failed to locate egress interface for UDP from outside 192.168.0.77/51777 to 192.168.113.1/161"

I have set up management rules to allow SNMP traffic from 192.168.0.77, but no dice.

I want the SNMP traffic to go across the encrypted VPN tunnel.  Is this possible?  If so what do I need to add to allow this communication?
0
Comment
Question by:ckangas7
  • 2
4 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40005399
I don't see why SNMP traffic should be any different than others unless you have it encrypted perhaps.  For example, some of the devices/software expect you to be able to access the information and controls from the outside.  In that case you'd want it secured.
If that's not the case then you should be able to do what you describe.
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 2000 total points
ID: 40006504
Under your inside interface policy map, do you have "inspect snmp"? Did you define a management interface via the command "management-access inside" ?
Also, the nat exemption statement may need to have the "route-lookup" option applied/selected.

I have this same situation where an SNMP server is pulling stats from an ASA on a site to site tunnel, and it works fine so I know this is doable.
0
 

Author Comment

by:ckangas7
ID: 40007159
You are correct.  I had to enable management-access inside and use the route-lookup option on the NAT rule.  Of course had to add my SNMP server to the SNMP host access list as well.  Seemed to work fine with SNMP inspect disabled, but probably a good idea to turn it on for security.  

Thanks much!!!
0
 

Author Closing Comment

by:ckangas7
ID: 40007160
Thank you.
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
Considering cloud tradeoffs and determining the right mix for your organization.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

927 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question