SNMP 2c over site to site VPN Cisco ASA 5505

Posted on 2014-04-16
Medium Priority
Last Modified: 2014-04-17

Have Cisco ASA 5505 running IOS  9.1.3.  Have site to site VPN between that ASA and main office.  At main office have Solar Winds Device Tracker server  which monitors network equipment via SNMP.  SNMP server is on /24 network.  Remote ASA is on /24 network.  Have crypto maps and Before Nat rules to allow the two inside networks to communicate.  That works fine.  Different devices can ping and communicate.  But if I try to get the SNMP server to talk to the remote ASA, I get this in the remote ASA log:

"Failed to locate egress interface for UDP from outside to"

I have set up management rules to allow SNMP traffic from, but no dice.

I want the SNMP traffic to go across the encrypted VPN tunnel.  Is this possible?  If so what do I need to add to allow this communication?
Question by:ckangas7
  • 2
LVL 27

Expert Comment

by:Fred Marshall
ID: 40005399
I don't see why SNMP traffic should be any different than others unless you have it encrypted perhaps.  For example, some of the devices/software expect you to be able to access the information and controls from the outside.  In that case you'd want it secured.
If that's not the case then you should be able to do what you describe.
LVL 20

Accepted Solution

rauenpc earned 2000 total points
ID: 40006504
Under your inside interface policy map, do you have "inspect snmp"? Did you define a management interface via the command "management-access inside" ?
Also, the nat exemption statement may need to have the "route-lookup" option applied/selected.

I have this same situation where an SNMP server is pulling stats from an ASA on a site to site tunnel, and it works fine so I know this is doable.

Author Comment

ID: 40007159
You are correct.  I had to enable management-access inside and use the route-lookup option on the NAT rule.  Of course had to add my SNMP server to the SNMP host access list as well.  Seemed to work fine with SNMP inspect disabled, but probably a good idea to turn it on for security.  

Thanks much!!!

Author Closing Comment

ID: 40007160
Thank you.

Featured Post

Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Considering cloud tradeoffs and determining the right mix for your organization.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

607 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question