Keegan,
From: Keegan.Holley_at_sungard.com [mailto:Keegan.Holley_at_sungard.com]
Sent: Thursday, November 19, 2009 10:55 AM
To: Ryan West
Cc: ccielab_at_groupstudy.com; nobody_at_groupstudy.com
Subject: RE: Management Traffic for ASA5505
It's basically a firewall that is to be managed over an internet IPSEC tunnel.
I have it in a lab and for some reason I cannot get it to send traps over the
IPSEC tunnel using the inside interface. I'm specifically trying to send
syslog, ntp, tacacs, and snmp-traps to a server reachable through the tunnel.
The problem is that "logging host inside" only works if the logging server is
reachable via the inside interface. It pretty much seems to take the IP
address of whatever interface the traffic egresses.
My experience with it is you can send whatever data you want through the
tunnel using the outside address as your interesting traffic destination on
the remote end and just specify the ports in question. I'm also able to
source (not with complete consistency) syslog, NTP, SNMP query and trap
traffic through the tunnel using the following snippets and the firewall will use
its inside address as the source. The funny thing is, I can't find anything
in the way of useful documentation. The trapping worked as well.
Cisco Adaptive Security Appliance Software Version 7.2(4)33
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
logging host inside 192.168.131.8
aaa-server TACACS (inside) host 192.168.131.20
snmp-server host inside 192.168.131.9 poll community <supersecurecommunity> version 2c
ntp server 192.168.131.254 source inside
management-access inside
Crypto map tag: vpnmap, seq num: 10, local addr: x.x.x.x
access-list vpn_imsosecureicantevensharemyaclsovertheinternet permit ip 192.168.98.0 255.255.255.192 192.168.131.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.199.0/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (192.168.131.0/255.255.255.0/0/0)
current_peer: x.x.x.x
#pkts encaps: 8281827, #pkts encrypt: 8281827, #pkts digest: 8281827
#pkts decaps: 2537459, #pkts decrypt: 2537459, #pkts verify: 2537459
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8281827, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 3, #recv errors: 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
The 131 range is fictitious, but our management network operates in this same
manner. I typically use local NTP sources, but I configured this just to
illustrate that it works.
show ntp ass
address             ref clock      st  when  poll  reach  delay  offset    disp
*~192.168.131.254   192.5.41.41     2   408  1024     17    7.6    0.76  1892.5
HTH
-ryan
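The point of Ryan's snippets is that each management protocol must be sourced from an address that sits inside the crypto map's local proxy identity, or the flow never matches the tunnel's interesting traffic. The following checker is an added example, not code from the thread or from Cisco: it parses config lines in the shape shown above, looks up the address of the interface each protocol is sourced from, and tests the (source, destination) pair against the local/remote idents from the show output. The interface addresses, the 203.0.113.10 stand-in for x.x.x.x, and the REDACTED community string are constructed assumptions.

```python
"""Check which ASA management flows fall inside an IPsec crypto ACL.

Added example, not from the original thread. Given the interface the ASA
sources each management protocol from, the interface addresses, and the
local/remote proxy identities of the crypto map, report which flows will
match the tunnel's interesting traffic. All addresses are constructed and
mirror the thread's fictitious 192.168.131.0/24 management network.
"""
import ipaddress
import re

# Constructed sample: ASA interface addresses (assumption, not from the thread).
INTERFACE_ADDR = {
    "inside": "192.168.199.1",
    "outside": "203.0.113.10",  # documentation range, stands in for x.x.x.x
}

# Constructed sample config lines in the shape the thread shows.
CONFIG = """
logging host inside 192.168.131.8
aaa-server TACACS (inside) host 192.168.131.20
snmp-server host inside 192.168.131.9 poll community REDACTED version 2c
ntp server 192.168.131.254 source inside
"""

# Proxy identities taken from the thread's "show crypto ipsec sa" output.
LOCAL_IDENT = ipaddress.ip_network("192.168.199.0/26")
REMOTE_IDENT = ipaddress.ip_network("192.168.131.0/24")

# One regex per management protocol; groups capture interface and server.
PATTERNS = [
    ("syslog", re.compile(r"^logging host (\S+) (\S+)")),
    ("tacacs", re.compile(r"^aaa-server \S+ \((\S+)\) host (\S+)")),
    ("snmp-trap", re.compile(r"^snmp-server host (\S+) (\S+)")),
    ("ntp", re.compile(r"^ntp server (\S+) source (\S+)")),
]


def parse_management_flows(config):
    """Return (protocol, source interface, server address) triples."""
    flows = []
    for line in config.strip().splitlines():
        for proto, pat in PATTERNS:
            m = pat.match(line.strip())
            if not m:
                continue
            if proto == "ntp":
                # "ntp server <addr> source <iface>": server comes first.
                server, iface = m.group(1), m.group(2)
            else:
                iface, server = m.group(1), m.group(2)
            flows.append((proto, iface, server))
    return flows


def flow_matches_tunnel(iface, server, interface_addr=INTERFACE_ADDR):
    """True if traffic sourced from iface toward server matches the crypto ACL.

    This is exactly the failure Keegan describes: if the ASA sources the
    packet from the egress (outside) address, the source falls outside the
    local ident and the flow never enters the tunnel.
    """
    src = ipaddress.ip_address(interface_addr[iface])
    dst = ipaddress.ip_address(server)
    return src in LOCAL_IDENT and dst in REMOTE_IDENT


def audit(config, interface_addr=INTERFACE_ADDR):
    """Map each management protocol to whether its flow is tunnel-eligible."""
    return {
        proto: flow_matches_tunnel(iface, server, interface_addr)
        for proto, iface, server in parse_management_flows(config)
    }


if __name__ == "__main__":
    for proto, ok in audit(CONFIG).items():
        print(f"{proto:10s} {'matches tunnel' if ok else 'OUTSIDE crypto ACL'}")
    # The same syslog server, sourced from the outside interface instead:
    print("syslog via outside:", flow_matches_tunnel("outside", "192.168.131.8"))
```

Run it against a copy of your own running config plus the idents from `show crypto ipsec sa`; any protocol that reports "OUTSIDE crypto ACL" is one whose traffic will leave the box unencrypted or be dropped rather than ride the tunnel, which is the symptom that `management-access inside` and the per-protocol interface keywords are there to prevent.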
Received on Thu Nov 19 2009 - 16:55:16 ART