RE: Management Traffic for ASA5505

From: <Keegan.Holley_at_sungard.com>
Date: Thu, 19 Nov 2009 10:55:11 -0500

It's basically a firewall that is to be managed over an internet IPSEC
tunnel. I have it in a lab and for some reason I cannot get it to send
traps over the IPSEC tunnel using the inside interface. I'm specifically
trying to send syslog, ntp, tacacs, and snmp-traps to a server reachable
through the tunnel. The problem is that "logging host inside" only works
if the logging server is reachable via the inside interface. It pretty
much seems to take the IP address of whatever interface the traffic
egresses.
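The following ASA configuration fragment is an editor-added illustration of the approach Ryan suggests below (management-access on the inside interface plus a crypto ACL entry that covers the firewall's own inside address), not config posted by either participant. Addresses, names and the community/key placeholders are assumed values; the remote peer must carry the mirror-image ACL entry.

```cisco
! Constructed example: ASA management traffic sourced from "inside" and
! carried over the site-to-site IPsec tunnel to a hub management server.
! Assumed values: inside 192.168.10.1/24, hub server 10.20.0.5,
! hub VPN peer 203.0.113.10, crypto map already bound to "outside".
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Interesting-traffic ACL. The host ACE matters when no LAN-to-hub ACE
! already covers the firewall's own inside address: locally generated
! syslog/SNMP/NTP/TACACS+ packets sourced from "inside" must match a
! crypto ACE, otherwise they are not encrypted into the tunnel.
access-list VPN-TRAFFIC extended permit ip host 192.168.10.1 host 10.20.0.5
access-list VPN-TRAFFIC extended permit ip 192.168.10.0 255.255.255.0 10.20.0.0 255.255.255.0
!
crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
!
! Let the inside interface address be used for management traffic that
! transits the VPN (polling from the hub, and sourcing from "inside").
management-access inside
!
! Each management service is told to use "inside" as its interface/source.
logging enable
logging trap informational
logging host inside 10.20.0.5
!
snmp-server host inside 10.20.0.5 trap community <SNMP-COMMUNITY-PLACEHOLDER> version 2c
snmp-server enable traps snmp authentication linkup linkdown coldstart
!
ntp server 10.20.0.5 source inside
!
aaa-server TACACS-HUB protocol tacacs+
aaa-server TACACS-HUB (inside) host 10.20.0.5
 key <TACACS-KEY-PLACEHOLDER>
```

After applying it, `show crypto ipsec sa` should show encaps/decaps counters for the 192.168.10.1 to 10.20.0.5 pair when a syslog message is generated; if only the LAN subnet SA shows traffic, the firewall is still not sourcing from the inside address.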

From: Ryan West <rwest_at_zyedge.com>
To: "'Keegan.Holley_at_sungard.com'" <Keegan.Holley_at_sungard.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Date: 11/18/2009 10:19 PM
Subject: RE: Management Traffic for ASA5505
Sent by: <nobody_at_groupstudy.com>

Keegan,

Can you explain a little more about the topology? I capture syslog traffic
remotely using both the inside or outside address, depending on which is
being more temperamental or if there is already some RFC1918 overlap issues
and I don't feel like doing yet another policy NAT. Are you intending on
sending all the traffic through a tunnel to a hub site that offers all these
services? I will have to check on the snmp-trapping tomorrow. The ASA is
lacking in a lot of areas, like not supporting VRFs, for example. Worst
case, you can still tunnel all the management traffic that you need to
another location using the outside address. Or I could have read wrong into
everything you said :)

-ryan

From: Keegan.Holley_at_sungard.com [mailto:Keegan.Holley_at_sungard.com]
Sent: Wednesday, November 18, 2009 7:38 PM
To: Ryan West
Cc: ccielab_at_groupstudy.com
Subject: Re: Management Traffic for ASA5505

What do you mean by an interesting traffic ACE? Also, does this cover SNMP
traps? The problem is with traffic generated by the firewall such as syslog
and SNMP traps, NTP and TACACS requests.

From: Ryan West <rwest_at_zyedge.com>
To: "Keegan.Holley_at_sungard.com" <Keegan.Holley_at_sungard.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>
Date: 11/18/2009 06:52 PM
Subject: Re: Management Traffic for ASA5505

Management-access inside, then you can use the inside IP address for your
polling target. You can also set your logging host inside and use an
interesting traffic ACE as your target. If you need more detailed examples,
let me know.

Sent from handheld.

On Nov 18, 2009, at 6:46 PM, "Keegan.Holley_at_sungard.com"
<Keegan.Holley_at_sungard.com> wrote:

> I have been trying to configure an ASA5505 to source syslog and SNMP
> traffic from an interface other than the outside. Does anyone know how to
> do this?
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Thu Nov 19 2009 - 10:55:11 ART

This archive was generated by hypermail 2.2.0 : Tue Dec 01 2009 - 06:36:29 ART