
Wednesday, November 25, 2015

Cisco ASA syslog through IPsec tunnel

In this scenario we have a Cisco ASA that is connected to a remote branch over an IPsec tunnel, and we want to send all of its syslog messages to a remote syslog server through that tunnel.
Network diagram:


For this we have to use the management-access interface (not the dedicated physical Management interface), which is found under Device Management -> Management Access -> Management Interface:



This feature tells the ASA which interface to use for management traffic such as SNMP, syslog, ICMP replies and more.

When you ping an ASA interface you only get a reply if you are on the network directly attached to that interface (and, of course, ICMP is allowed under Device Management -> Management Access -> ICMP).

So, back to the remote syslog configuration: first configure the interface the ASA should use to send syslog messages; here I select the INTERNAL interface (as in the image above).

Then configure the syslog server as follows:


Note that I chose the INTERNAL interface rather than EXTERNAL.

In the CLI you may see the following message:

ASA-1(config)# logging host INTERNAL 10.2.0.100
WARNING:  configured logging host interface conflicts with route table entry

Just ignore it; this is a cosmetic issue tracked as bug CSCur60060.

Enabling the management-access interface also allows remote-access VPN clients to connect to the ASA itself using ASDM or SSH.

Sunday, March 8, 2015

VRF-Lite for management interface

How to configure a management interface on a WAN edge router.

Create the VRF-Lite instance used for management:

ip vrf MGMT
rd 1:1

Assign the management interface to this VRF:

interface GigabitEthernet0/2
description MGMT-INTF
ip vrf forwarding MGMT
ip address 10.1.0.10 255.255.255.0
load-interval 30
speed auto
duplex auto

Configure a default route for this VRF:

ip route vrf MGMT 0.0.0.0 0.0.0.0 10.1.0.1

FTP for downloading/uploading files to the router:

ip ftp source-interface GigabitEthernet0/2
ip ftp username cisco
ip ftp password cisco

Restrict management access on the VTY lines:

ip access-list standard ACL_MGMT_ACCESS
permit 10.1.0.0 0.0.0.255
deny   any log
!
line vty 0 15
access-class ACL_MGMT_ACCESS in vrf-also
exec-timeout 5 0
logging synchronous
transport input ssh

Note the vrf-also keyword: it makes the access-class apply to connections arriving from any VRF. Without it, VTY connections that arrive through a VRF interface (such as our MGMT interface) are refused.

NTP configuration:

ntp authentication-key 1 md5 013C10578F020123890C 7
ntp authenticate
ntp trusted-key 1
ntp source GigabitEthernet0/2
ntp server vrf MGMT 10.1.0.1 maxpoll 6 minpoll 4 version 2

And the RADIUS configuration:

radius server RADIUS
address ipv4 10.5.0.45 auth-port 1812 acct-port 1813
timeout 2
retransmit 2
key 7 013C10578F0201238
!
ip radius source-interface GigabitEthernet0/2 vrf MGMT
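As an added example (not code from this blog), a small Python audit that parses a VRF-Lite management config like the one above and checks three things a reviewer would look for: that every VRF reference resolves to a defined VRF, that the FTP/NTP/RADIUS source interface actually sits in a VRF, and that the VTY lines carry an inbound access-class with vrf-also and ssh-only transport. The sample config is constructed from this post and deliberately contains a VRF-name mismatch (vrf MANAGEMENT vs. ip vrf MGMT), the kind of slip the checker is meant to catch.

```python
import re

# Constructed sample: the post's config with a VRF-name mismatch (MANAGEMENT vs MGMT).
SAMPLE_CONFIG = """\
ip vrf MGMT
interface GigabitEthernet0/2
 ip vrf forwarding MGMT
ip ftp source-interface GigabitEthernet0/2
line vty 0 15
 access-class ACL_MGMT_ACCESS in vrf-also
 transport input ssh
ntp source GigabitEthernet0/2
ntp server vrf MGMT 10.1.0.1
ip radius source-interface GigabitEthernet0/2 vrf MANAGEMENT
"""

def parse_blocks(config):
    """Group indented IOS lines under their parent command (top-level lines get an empty body)."""
    blocks, parent = {}, None
    for raw in filter(str.strip, config.splitlines()):  # skip blank lines
        if raw[0] in " \t" and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.strip()
            blocks.setdefault(parent, [])
    return blocks

def audit(config):
    """Return a list of findings; an empty list means the management config is consistent."""
    blocks, findings = parse_blocks(config), []
    defined = {p.split()[2] for p in blocks if re.match(r"ip vrf \S+$", p)}
    # interface name -> VRF it is bound to (None if it sits in the global routing table)
    intf_vrf = {p.split()[1]: next((c.split()[-1] for c in b if c.startswith("ip vrf forwarding ")), None)
                for p, b in blocks.items() if p.startswith("interface ")}
    for parent, body in blocks.items():
        for line in [parent] + body:
            if re.match(r"ip vrf \S+$", line):
                continue  # the VRF definition itself is not a reference
            for m in re.finditer(r"\bvrf (?:forwarding )?(\S+)", line):
                if m.group(1) not in defined:
                    findings.append(f"undefined VRF '{m.group(1)}' referenced in: {line}")
            m = re.match(r"(?:ip \w+ source-interface|ntp source) (\S+)", line)
            if m and not intf_vrf.get(m.group(1)):
                findings.append(f"management source interface {m.group(1)} is not in a VRF: {line}")
    vty = next((b for p, b in blocks.items() if p.startswith("line vty")), [])
    if not any(c.startswith("access-class ") and c.endswith(" in vrf-also") for c in vty):
        findings.append("vty lacks an inbound access-class with vrf-also")
    if "transport input ssh" not in vty:
        findings.append("vty transport input is not restricted to ssh")
    return findings
```

Running audit(SAMPLE_CONFIG) reports only the undefined VRF MANAGEMENT; once that line reads vrf MGMT the audit returns no findings.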