RE: Management Traffic for ASA5505

From: <Keegan.Holley_at_sungard.com>
Date: Thu, 19 Nov 2009 22:09:45 -0500

Can you post a sh ip? I am not able to do this unless the traffic goes
through the inside interface.

From:
Ryan West <rwest_at_zyedge.com>
To:
"Keegan.Holley_at_sungard.com" <Keegan.Holley_at_sungard.com>
Cc:
"ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>, "nobody_at_groupstudy.com"
<nobody_at_groupstudy.com>
Date:
11/19/2009 04:56 PM
Subject:
RE: Management Traffic for ASA5505

Keegan,
 
From: Keegan.Holley_at_sungard.com [mailto:Keegan.Holley_at_sungard.com]
Sent: Thursday, November 19, 2009 10:55 AM
To: Ryan West
Cc: ccielab_at_groupstudy.com; nobody_at_groupstudy.com
Subject: RE: Management Traffic for ASA5505
 

It's basically a firewall that is to be managed over an internet IPSEC
tunnel. I have it in a lab and for some reason I cannot get it to send
traps over the IPSEC tunnel using the inside interface. I'm specifically
trying to send syslog, ntp, tacacs, and snmp-traps to a server reachable
through the tunnel. The problem is that "logging host inside" only works
if the logging server is reachable via the inside interface. It pretty
much seems to take the IP address of whatever interface the traffic
egresses.

 
My experience with it is you can send whatever data you want through the
tunnel using the outside address as your interesting traffic destination
on the remote end and just specify the ports in question. I'm also able
to source (not with complete consistency) syslog, NTP, SNMP query and trap
traffic through the tunnel using the follow snippets and the firewall will
use its inside address as the source. The funny thing is, I can't find
anything in the way of useful documentation. The trapping worked as well.
 
Cisco Adaptive Security Appliance Software Version 7.2(4)33
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
 
logging host inside 192.168.131.8
aaa-server TACACS (inside) host 192.168.131.20
snmp-server host inside 192.168.131.9 poll community
<supersecurecommunity> version 2c
ntp server 192.168.131.254 source inside
management-access inside
 
    Crypto map tag: vpnmap, seq num: 10, local addr: x.x.x.x
 
      access-list vpn_imsosecureicantevensharemyaclsovertheinternet permit ip 192.168.98.0 255.255.255.192 192.168.131.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.199.0/255.255.255.192/0/0)
      remote ident (addr/mask/prot/port): (192.168.131.0/255.255.255.0/0/0)
      current_peer: x.x.x.x
 
      #pkts encaps: 8281827, #pkts encrypt: 8281827, #pkts digest: 8281827
      #pkts decaps: 2537459, #pkts decrypt: 2537459, #pkts verify: 2537459
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 8281827, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 3, #recv errors: 0
 
      local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
 
The 131 range is fictitious, but our management network operates in this
same manner. I typically use local NTP sources, but I configured this
just to illustrate that it works.
 
show ntp ass
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.131.254    192.5.41.41    2   408   1024   17    7.6    0.76  1892.5
 
HTH
 
-ryan
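The practical check behind Ryan's snippet is that every management server (syslog, TACACS+, SNMP, NTP) is sourced from the inside interface, that `management-access inside` is present, and that each server's address falls inside the remote side of the crypto ACL; otherwise the traffic leaves the outside interface in the clear instead of inside the tunnel. The following Python audit is an added example, not code from either poster or from Cisco. The configuration it parses is constructed for the example (the ACL name `vpn_acl`, the `203.0.113.7` NTP server and the `extended permit ip` form are assumptions), and the line patterns are modelled on the 7.2-era CLI lines quoted above.

```python
import ipaddress
import re

# Constructed sample configuration (hypothetical values) modelled on the
# snippet in the thread; 192.168.131.0/24 stands in for the management network.
SAMPLE_CONFIG = """\
logging host inside 192.168.131.8
aaa-server TACACS (inside) host 192.168.131.20
snmp-server host inside 192.168.131.9 poll community s3cret version 2c
ntp server 192.168.131.254 source inside
ntp server 203.0.113.7 source outside
management-access inside
access-list vpn_acl extended permit ip 192.168.98.0 255.255.255.192 192.168.131.0 255.255.255.0
"""

# Patterns for the ASA lines that name a management server and its source
# interface (assumed syntax, taken from the lines quoted in the thread).
_PATTERNS = [
    ("syslog", re.compile(r"^logging host (\S+) (\S+)")),
    ("tacacs", re.compile(r"^aaa-server \S+ \((\S+)\) host (\S+)")),
    ("snmp", re.compile(r"^snmp-server host (\S+) (\S+)")),
]
_NTP = re.compile(r"^ntp server (\S+)(?: source (\S+))?")
_ACL = re.compile(r"^access-list (\S+) (?:extended )?permit ip (.+)$")


def management_hosts(config):
    """Return [(service, source_interface, ip)] for every management server."""
    hosts = []
    for line in config.splitlines():
        for service, pat in _PATTERNS:
            m = pat.match(line)
            if m:
                hosts.append((service, m.group(1), ipaddress.ip_address(m.group(2))))
        m = _NTP.match(line)
        if m:
            hosts.append(("ntp", m.group(2) or "unspecified", ipaddress.ip_address(m.group(1))))
    return hosts


def _read_net(tokens, i):
    """Parse one ACL address spec (any | host A | A MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts dotted netmasks such as 192.168.131.0/255.255.255.0
    return ipaddress.ip_network(tokens[i] + "/" + tokens[i + 1], strict=False), i + 2


def crypto_remote_networks(config, acl_name):
    """Collect the destination (remote) networks of the named crypto ACL."""
    nets = []
    for line in config.splitlines():
        m = _ACL.match(line)
        if m and m.group(1) == acl_name:
            tokens = m.group(2).split()
            _, i = _read_net(tokens, 0)       # local side, not needed here
            remote, _ = _read_net(tokens, i)  # remote side protected by the tunnel
            nets.append(remote)
    return nets


def audit(config, acl_name):
    """Flag management traffic that would not be carried inside the tunnel."""
    findings = []
    remote = crypto_remote_networks(config, acl_name)
    if not re.search(r"^management-access inside\s*$", config, re.M):
        findings.append("management-access inside missing: inside-sourced "
                        "management traffic cannot reach the VPN peer")
    for service, iface, ip in management_hosts(config):
        if iface != "inside":
            findings.append(f"{service} to {ip} is sourced from '{iface}', "
                            "so it will not use the tunnel")
        elif not any(ip in n for n in remote):
            findings.append(f"{service} to {ip} is not matched by crypto ACL "
                            f"{acl_name}; it would leave the outside interface unencrypted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "vpn_acl"):
        print("FINDING:", finding)
```

Run against the sample, the only finding is the NTP server sourced from `outside`; the four inside-sourced servers all fall within `192.168.131.0/24`, which is the remote ident of the crypto map. Feed it a running config from `show run` and the name of the crypto ACL to get the same report for a real box.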

Received on Thu Nov 19 2009 - 22:09:45 ART
