Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 8 replies
  • Subscribers 1 subscriber
  • Views 8994 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SNMP through IpSec Tunnel

dcorsel
Hi,

Currently we have many tunnels (VPN) pointed to our customers. We use this tunnels to perform monitor tasks. Because all our customers use ASL, we do like to monitor their firewalls also. Lucky us, ASL supports SNMP. But unfortunately it doesn't work through VPN tunnels.

Example:
[Our Mon LAN] ---StS VPN---->[FW-Customer]-->[CUST LAN]

We are able to monitor all Srv from the customers LAN, but are unable to recieve SNMP traffic from the firewall to our Mon LAN. 

Anybody an idea?

D.


This thread was automatically locked due to age.
Parents
  • 0
    We've run across the same problem, in trying to use the ARM product.. we ended up installing the syslog service on an internal machine to the site, and created our tunnel to the internal machine running syslog server.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    As mentioned, it sounds like you're trying to ding the interface of the end point of the VPN.  ASL itself isn't part of the VPN normally.  An easy way to make the internal interface part of the VPN is an SNAT rule.  When talking to the internal IP of ASL from a VPN net the return channel tries to come via the public IP.
    SNAT rule:: Public_IP->remote_lan  (SRC Translation)Internal_IP.

    This make an ASL attempt to talk to the remote lan to change source IP to the internal IP.
  • 0 in reply to pablito
    When talking to the internal IP of ASL from a VPN net the return channel tries to come via the public IP.
    SNAT rule:: Public_IP->remote_lan  (SRC Translation)Internal_IP.

    This make an ASL attempt to talk to the remote lan to change source IP to the internal IP.


    This is exactly what happens. I'll try this rule and see if it work....

    Everyone many thanks for all the help so far!
  • 0 in reply to dcorsel
    SNAT rule added, but the packet filter shows that it's blocking traffic from:

    externalIP->port:161-2477->Remote NOC LAN

    Weird ....

    Correction:
    Forgot to add a PF rule to allow this traffic :-) Works like a charm ...
Reply
  • 0 in reply to dcorsel
    SNAT rule added, but the packet filter shows that it's blocking traffic from:

    externalIP->port:161-2477->Remote NOC LAN

    Weird ....

    Correction:
    Forgot to add a PF rule to allow this traffic :-) Works like a charm ...
Children
No Data
Cookie Information Banner