Solved

SNMP 2c over site to site VPN Cisco ASA 5505

Posted on 2014-04-16
4
2,910 Views
Last Modified: 2014-04-17
Hello,

Have Cisco ASA 5505 running IOS  9.1.3.  Have site to site VPN between that ASA and main office.  At main office have Solar Winds Device Tracker server  which monitors network equipment via SNMP.  SNMP server is on 192.168.0.0 /24 network.  Remote ASA is on 192.168.113.0 /24 network.  Have crypto maps and Before Nat rules to allow the two inside networks to communicate.  That works fine.  Different devices can ping and communicate.  But if I try to get the SNMP server to talk to the remote ASA 192.168.113.1, I get this in the remote ASA log:

"Failed to locate egress interface for UDP from outside 192.168.0.77/51777 to 192.168.113.1/161"

I have set up management rules to allow SNMP traffic from 192.168.0.77, but no dice.

I want the SNMP traffic to go across the encrypted VPN tunnel.  Is this possible?  If so what do I need to add to allow this communication?
0
Comment
Question by:ckangas7
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 26

Expert Comment

by:Fred Marshall
ID: 40005399
I don't see why SNMP traffic should be any different than others unless you have it encrypted perhaps.  For example, some of the devices/software expect you to be able to access the information and controls from the outside.  In that case you'd want it secured.
If that's not the case then you should be able to do what you describe.
0
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 40006504
Under your inside interface policy map, do you have "inspect snmp"? Did you define a management interface via the command "management-access inside" ?
Also, the nat exemption statement may need to have the "route-lookup" option applied/selected.

I have this same situation where an SNMP server is pulling stats from an ASA on a site to site tunnel, and it works fine so I know this is doable.
0
 

Author Comment

by:ckangas7
ID: 40007159
You are correct.  I had to enable management-access inside and use the route-lookup option on the NAT rule.  Of course had to add my SNMP server to the SNMP host access list as well.  Seemed to work fine with SNMP inspect disabled, but probably a good idea to turn it on for security.  

Thanks much!!!
0
 

Author Closing Comment

by:ckangas7
ID: 40007160
Thank you.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ASA 5506 blocks telnet 11 66
GBIC "Gi0/25 notconnect 1auto auto unknown" 3 79
VPN Tunnel Stops Working Cisco RV130W 18 77
vpn through Cisco ASA appliance 3 31
Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question