Note: The Cisco ASA must be version 9.17 or later.
When an SNMP poller on one side of a site-to-site tunnel with management-access polls the inside interface of the remote ASA and gets no response, configure the devices with the following steps to resolve the issue.
Note: User-configurable values are shown in bold between {...} brackets.
- Extend the ASA 1 access list on the first (inside) side of the tunnel to include the first IP of the IP block on both sides of the tunnel.
  ASA1 crypto access-list:
  access-list |2| extended permit ip {inside 1 ip block} {inside 1 ip subnet mask} {inside 2 ip block} {inside 2 ip subnet mask}
- Extend the ASA 1 access list for UDP to permit SNMP from the SNMP poller IP to the outside IP of ASA 2 (outside 2).
  access-list |2| extended permit udp host {SNMP Poller IP} host {outside 2 IP} eq snmp
- Extend the ASA 2 access list on the second (inside) side of the tunnel to include the first IP of the IP block on both sides of the tunnel.
  ASA2 crypto access-list:
  access-list |2| extended permit ip {inside 2 ip block} {inside 2 ip subnet mask} {inside 1 ip block} {inside 1 ip subnet mask}
- Extend the ASA 2 access list for UDP to permit SNMP from the outside IP of ASA 2 (outside 2) to the SNMP poller IP.
  access-list |2| extended permit udp host {outside 2 IP} host {SNMP Poller IP} eq snmp
- Create the SNMP community/rules for the device.
  SNMP v3:
  snmp-server group {group name} v3 priv
  snmp-server user {user name} {group name} v3 auth sha priv aes 128
  snmp-server host outside {SNMP Poller IP} version 3 {user name}
  SNMP v2c:
  snmp-server host outside {SNMP Poller IP} community {community name} version 2c
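The four access-list steps above only work when the ASA 2 entries are exact mirrors of the ASA 1 entries (source and destination swapped, same protocol and port); a mismatch leaves the SNMP traffic outside the tunnel's proxy identities. The following script, an added example that is not part of this article or of Cisco's tooling, parses both crypto access lists and reports any ACE whose mirror is missing on the other side. The ACL name VPN-ACL and all addresses are constructed placeholders.

```python
import re

# Constructed sample crypto ACLs (placeholder name and addresses, not from the article):
# ASA 1 fronts 10.1.0.0/24 with the SNMP poller at 10.1.0.50; ASA 2 fronts
# 10.2.0.0/24 and its outside interface is 203.0.113.2.
ASA1_ACL = """
access-list VPN-ACL extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list VPN-ACL extended permit udp host 10.1.0.50 host 203.0.113.2 eq snmp
"""
ASA2_ACL = """
access-list VPN-ACL extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
access-list VPN-ACL extended permit udp host 203.0.113.2 host 10.1.0.50 eq snmp
"""

# Matches the "access-list NAME extended permit PROTO SRC DST [eq PORT]" form used above.
ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+(ip|udp|tcp)\s+"
    r"(host\s+\S+|\S+\s+\S+)\s+(host\s+\S+|\S+\s+\S+)(?:\s+eq\s+(\S+))?\s*$"
)


def _norm(spec):
    """Normalize 'host A' and 'NET MASK' to a (network, mask) pair."""
    parts = spec.split()
    if parts[0] == "host":
        return (parts[1], "255.255.255.255")
    return (parts[0], parts[1])


def parse_aces(text):
    """Return (proto, src, dst, port) tuples for every ACE in the config text."""
    aces = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised ACE: {line!r}")
        _name, proto, src, dst, port = m.groups()
        aces.append((proto, _norm(src), _norm(dst), port))
    return aces


def missing_mirrors(local, remote):
    """ACEs in `local` whose mirror (src/dst swapped, same proto/port) is absent from `remote`."""
    remote_set = set(parse_aces(remote))
    return [a for a in parse_aces(local) if (a[0], a[2], a[1], a[3]) not in remote_set]


if __name__ == "__main__":
    for side, (a, b) in {"ASA1->ASA2": (ASA1_ACL, ASA2_ACL), "ASA2->ASA1": (ASA2_ACL, ASA1_ACL)}.items():
        print(side, "missing mirrors:", missing_mirrors(a, b))
```

Run it against both directions; an empty list in each direction means the crypto ACLs are consistent, and any entry printed is the ACE that the other ASA still needs.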