
How to Enable SNMP on a Cisco ASA when the Collector is Across a VPN


Note: The Cisco ASA must be running software version 9.17 or later.

When an SNMP poller sits on the far side of a site-to-site tunnel, polling the inside interface of the remote ASA (even with management-access enabled) gets no response. The steps below work around this by polling the remote ASA's outside interface IP through the tunnel instead: the poller-to-outside traffic is added to the crypto access lists on both peers so it is carried inside the tunnel, and the SNMP host is bound to the outside interface.

[Network diagram (mini-network.jpeg): ASA 1 with its inside network (inside 1) and the SNMP poller, a site-to-site tunnel, and ASA 2 with its outside interface (outside 2) and inside network (inside 2)]

Note: User-configurable values are shown between {...} braces.

  1. On ASA 1 (the poller's side), extend the crypto access list so it includes the inside IP blocks on both sides of the tunnel
    ASA1 crypto access-list
    access-list {crypto ACL name} extended permit ip {inside 1 ip block} {inside 1 ip subnet mask} {inside 2 ip block} {inside 2 ip subnet mask}
  2. Add an entry to the same ASA 1 crypto access list permitting SNMP (UDP/161) from the SNMP poller to the outside IP of ASA 2 (outside 2)
    access-list {crypto ACL name} extended permit udp host {SNMP Poller IP} host {outside 2 IP} eq snmp
  3. On ASA 2 (the polled side), extend the crypto access list so it includes the inside IP blocks on both sides of the tunnel
    ASA2 crypto access-list
    access-list {crypto ACL name} extended permit ip {inside 2 ip block} {inside 2 ip subnet mask} {inside 1 ip block} {inside 1 ip subnet mask}
  4. Add the mirror-image entry to the ASA 2 crypto access list: SNMP from outside 2 to the SNMP poller. The crypto access lists on the two peers must be exact mirror images, so the port operator moves to the source (outside 2) side here; placing eq snmp after the poller address would match the wrong port and the tunnel would not carry the traffic
    access-list {crypto ACL name} extended permit udp host {outside 2 IP} eq snmp host {SNMP Poller IP}
  5. Create the SNMP user or community on ASA 2. The host is bound to the outside interface because the poller's traffic arrives through the tunnel that terminates there. Prefer SNMPv3 with authentication and privacy; a v2c community string is the only protection v2c offers
    1. SNMP v3
      snmp-server group {group name} v3 priv
      snmp-server user {user name} {group name} v3 auth sha {auth password} priv aes 128 {priv password}
      snmp-server host outside {SNMP Poller IP} version 3 {user name}
    2. SNMP v2c
      snmp-server host outside {SNMP Poller IP} community {community name} version 2c
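The complete configuration for both peers, with the placeholders filled in, as an added example that is not part of the original article. All addresses, access-list names and credentials are constructed for illustration: the poller is 192.168.1.50 on inside 1 (192.168.1.0/24), ASA 2's outside interface is 203.0.113.2, inside 2 is 192.168.2.0/24, and the existing crypto access lists are assumed to be named VPN-TO-SITE2 on ASA 1 and VPN-TO-SITE1 on ASA 2.

```cisco
! ---- ASA 1 (poller side) ----
! Existing site-to-site entry: inside 1 <-> inside 2
access-list VPN-TO-SITE2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Added: SNMP from the poller to ASA 2's outside IP (destination port 161)
access-list VPN-TO-SITE2 extended permit udp host 192.168.1.50 host 203.0.113.2 eq snmp

! ---- ASA 2 (polled side) ----
! Existing site-to-site entry, mirror of ASA 1's
access-list VPN-TO-SITE1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Added: exact mirror of ASA 1's SNMP entry. The local side comes first, so
! "eq snmp" now qualifies the SOURCE (outside 2) port, not the poller's port.
access-list VPN-TO-SITE1 extended permit udp host 203.0.113.2 eq snmp host 192.168.1.50

! SNMPv3 with authentication and privacy (constructed credentials)
snmp-server group NMS-GROUP v3 priv
snmp-server user nmsuser NMS-GROUP v3 auth sha Auth-Pass-Example-1 priv aes 128 Priv-Pass-Example-1
! The poller is reached through the tunnel, which terminates on "outside"
snmp-server host outside 192.168.1.50 version 3 nmsuser
```

From the poller, verify with `snmpwalk -v 3 -l authPriv -u nmsuser -a SHA -A Auth-Pass-Example-1 -x AES -X Priv-Pass-Example-1 203.0.113.2 sysDescr.0` and, on either ASA, confirm that `show crypto ipsec sa` lists a security association whose proxy identities are the two hosts (192.168.1.50 and 203.0.113.2/udp 161) rather than only the inside subnets. The example assumes the poller's traffic to 203.0.113.2 is not translated on ASA 1; if inside-to-outside NAT is configured there, a matching NAT exemption for that host pair is needed, otherwise the translated source address will not match the crypto access list.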