Keegan,
Management side:
show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 outside x.x.x.x 255.255.255.240 CONFIG
Ethernet0/1 inside 192.168.131.1 255.255.255.0 CONFIG
Remote side:
show ip
System IP Addresses:
Interface Name IP address Subnet mask Method
Ethernet0/0 outside x.x.x.x 255.255.255.248 CONFIG
Ethernet0/1 inside 192.168.199.2 255.255.255.192 CONFIG
-ryan
From: Keegan.Holley_at_sungard.com [mailto:Keegan.Holley_at_sungard.com]
Sent: Thursday, November 19, 2009 10:10 PM
To: Ryan West
Cc: ccielab_at_groupstudy.com; nobody_at_groupstudy.com
Subject: RE: Management Traffic for ASA5505
Can you post a sh ip? I am not able to do this unless the traffic goes through the inside interface.
From: Ryan West <rwest_at_zyedge.com>
To: "Keegan.Holley_at_sungard.com" <Keegan.Holley_at_sungard.com>
Cc: "ccielab_at_groupstudy.com" <ccielab_at_groupstudy.com>, "nobody_at_groupstudy.com" <nobody_at_groupstudy.com>
Date: 11/19/2009 04:56 PM
Subject: RE: Management Traffic for ASA5505
________________________________
Keegan,
From: Keegan.Holley_at_sungard.com [mailto:Keegan.Holley_at_sungard.com]
Sent: Thursday, November 19, 2009 10:55 AM
To: Ryan West
Cc: ccielab_at_groupstudy.com; nobody_at_groupstudy.com
Subject: RE: Management Traffic for ASA5505
It's basically a firewall that is to be managed over an internet IPSEC tunnel. I have it in a lab and for some reason I cannot get it to send traps over the IPSEC tunnel using the inside interface. I'm specifically trying to send syslog, ntp, tacacs, and snmp-traps to a server reachable through the tunnel. The problem is that "logging host inside" only works if the logging server is reachable via the inside interface. It pretty much seems to take the IP address of whatever interface the traffic egresses.
My experience with it is you can send whatever data you want through the tunnel using the outside address as your interesting traffic destination on the remote end and just specify the ports in question. I'm also able to source (not with complete consistency) syslog, NTP, SNMP query and trap traffic through the tunnel using the following snippets and the firewall will use its inside address as the source. The funny thing is, I can't find anything in the way of useful documentation. The trapping worked as well.
Cisco Adaptive Security Appliance Software Version 7.2(4)33
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
logging host inside 192.168.131.8
aaa-server TACACS (inside) host 192.168.131.20
snmp-server host inside 192.168.131.9 poll community <supersecurecommunity> version 2c
ntp server 192.168.131.254 source inside
management-access inside
Crypto map tag: vpnmap, seq num: 10, local addr: x.x.x.x
access-list vpn_imsosecureicantevensharemyaclsovertheinternet permit ip 192.168.98.0 255.255.255.192 192.168.131.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.199.0/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (192.168.131.0/255.255.255.0/0/0)
current_peer: x.x.x.x
#pkts encaps: 8281827, #pkts encrypt: 8281827, #pkts digest: 8281827
#pkts decaps: 2537459, #pkts decrypt: 2537459, #pkts verify: 2537459
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 8281827, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 3, #recv errors: 0
local crypto endpt.: x.x.x.x, remote crypto endpt.: x.x.x.x
The 131 range is fictitious, but our management network operates in this same manner. I typically use local NTP sources, but I configured this just to illustrate that it works.
show ntp ass
address ref clock st when poll reach delay offset disp
*~192.168.131.254 192.5.41.41 2 408 1024 17 7.6 0.76 1892.5
HTH
-ryan
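The point of the thread is that management traffic only rides the tunnel when the source address the ASA picks (the inside interface once management-access inside is set) and the collector address both fall inside the tunnel's proxy identities. The script below is an added example, not code from the thread or from Cisco: it parses the local/remote ident lines in the form shown in the quoted show crypto ipsec sa output and checks each management destination from the config snippets against them, once sourced from the remote-side inside address (192.168.199.2, from the thread) and once from a constructed stand-in for the x.x.x.x outside address. Anything not quoted in the thread is constructed sample data.

```python
"""Check which ASA management flows match an IPsec tunnel's proxy identities.

Added example, not from the original thread. Source address: the inside
interface (what 'management-access inside' gives you) or the outside
interface (what you get without it). Destinations: the syslog, TACACS,
SNMP and NTP servers from the thread's config snippets.
"""
import ipaddress
import re

# Constructed sample in the shape of 'show crypto ipsec sa' ident lines,
# using the identities quoted in the thread.
SAMPLE_SA_OUTPUT = """\
local ident (addr/mask/prot/port): (192.168.199.0/255.255.255.192/0/0)
remote ident (addr/mask/prot/port): (192.168.131.0/255.255.255.0/0/0)
"""

IDENT_RE = re.compile(
    r"^(local|remote) ident \(addr/mask/prot/port\): "
    r"\((\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)/(\d+)/(\d+)\)",
    re.MULTILINE,
)


def parse_idents(text):
    """Return {'local': network, 'remote': network} parsed from ident lines."""
    idents = {}
    for side, addr, mask, _proto, _port in IDENT_RE.findall(text):
        idents[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    if set(idents) != {"local", "remote"}:
        raise ValueError("expected both a local and a remote ident line")
    return idents


# Management destinations taken from the thread's config snippets.
MGMT_FLOWS = {
    "syslog": "192.168.131.8",    # logging host inside 192.168.131.8
    "tacacs": "192.168.131.20",   # aaa-server TACACS (inside) host 192.168.131.20
    "snmp": "192.168.131.9",      # snmp-server host inside 192.168.131.9
    "ntp": "192.168.131.254",     # ntp server 192.168.131.254 source inside
}


def flow_in_tunnel(src, dst, idents):
    """True when src is inside the local ident and dst inside the remote ident."""
    return (ipaddress.ip_address(src) in idents["local"]
            and ipaddress.ip_address(dst) in idents["remote"])


def check_flows(source_ip, sa_text=SAMPLE_SA_OUTPUT, flows=MGMT_FLOWS):
    """Map each management service to whether it would be encrypted as interesting traffic."""
    idents = parse_idents(sa_text)
    return {name: flow_in_tunnel(source_ip, dst, idents) for name, dst in flows.items()}


if __name__ == "__main__":
    INSIDE_IP = "192.168.199.2"    # remote-side inside interface from the thread
    OUTSIDE_IP = "203.0.113.10"    # constructed stand-in for the x.x.x.x outside address
    for label, ip in (("inside", INSIDE_IP), ("outside", OUTSIDE_IP)):
        print(f"source {label} ({ip}):")
        for name, ok in check_flows(ip).items():
            print(f"  {name:6s} -> {'in tunnel' if ok else 'NOT interesting traffic'}")
```

Sourced from the inside address every flow lands in the tunnel; sourced from the outside address none of them do, which is the behaviour the thread describes for logging host without management-access inside. Feeding the script the real ident lines from your own ASA is a quick way to confirm the crypto ACL and the management-server addresses actually line up before chasing the problem elsewhere.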
Received on Fri Nov 20 2009 - 08:52:41 ART