Cisco FTD: Syslog/SNMP/AAA connectivity from remote FTD

Once you complete your FTD remote site deployment, you may need to monitor Syslog or SNMP messages from the FTD, or you may want to turn on AnyConnect RA VPN with AAA authentication. With ASA there is the command management-access <interface> to designate the source interface for ASA management and monitoring, but FTD at this point lacks this feature. Adding the command with FlexConfig has no effect. Designating any internal interface will not work either.

With AAA under the RADIUS Server configuration you can try choosing the Routing option, but it did not work for me, and in that case you cannot use a redirect ACL (posture). Setting a specific interface seems to be the best option in the long run.

So what's left is to leverage the Outside interface. In that case, we need to include the FTD public IP in the no-NAT rule and in the VPN tunnel to the hub site.

Under Devices > Platform Settings > System Policy, set the Syslog and SNMP destinations with the source interface Outside.

Under Devices > NAT > NAT Policy, add a new no-NAT rule. The source and destination interfaces will be Outside. The original and translated source will be the FTD public IP. The original and translated destinations are the Syslog, SNMP and AAA server IPs.

Apply a similar no-NAT change on the Hub device to allow the public IP to traverse unchanged through the tunnel. In addition, if you do not want to route the public IP through your network, you can apply source NAT. In the example below the public IP is replaced with OG_FTD_PrivateNAT_IP, and the Syslog and SNMP stations will use that IP to monitor the FTD.

nat (outside,inside) source static OG_FTD_Public OG_FTD_PrivateNAT_IP destination static OG_MgmtIPs OG_MgmtIPs

One interesting finding is that this only works with static VPN tunnels. With version 6.7 supporting Route Based (VTI) interfaces, this configuration will not work, as we cannot advertise the public IP through the VTI, which complicates the VPN Primary/Backup fail-over configuration. I'll talk about it in the Remote FTD HA setup post.

Under Devices > VPN > VPN Policy, under the FTD Node, add the FTD public IP to Protected Networks. Do the same on the Hub site.

Once all changes are applied, you should see Syslog messages from the remote FTD on your Syslog server, appearing as the public IP or the source-NATed IP.
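As an added example (not part of the original post), the Python below models the hub's twice-NAT rule from above and checks constructed collector lines to confirm the remote FTD's messages arrive from the source the design predicts: the private NAT IP when hub source NAT is used, otherwise the public IP. The object-group addresses and the log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder addresses (documentation ranges), named after the
# object groups in the post's hub NAT rule. Replace with your own values.
OG_FTD_PUBLIC = ipaddress.ip_network("203.0.113.10/32")
OG_FTD_PRIVATE_NAT_IP = ipaddress.ip_address("10.255.0.10")
OG_MGMT_IPS = [ipaddress.ip_network("10.10.10.0/24")]


def hub_twice_nat(src: str, dst: str) -> str:
    """Model the hub rule 'nat (outside,inside) source static OG_FTD_Public
    OG_FTD_PrivateNAT_IP destination static OG_MgmtIPs OG_MgmtIPs': the FTD
    public IP is rewritten to the private NAT IP only when the destination is
    a management station; any other flow is left untouched."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in OG_FTD_PUBLIC and any(d in net for net in OG_MGMT_IPS):
        return str(OG_FTD_PRIVATE_NAT_IP)
    return src


# Source IP as recorded by the collector, followed by the FTD message ID.
SYSLOG_RE = re.compile(r"^\S+\s+\d+\s+\S+\s+(\d+\.\d+\.\d+\.\d+)\s+%FTD-\d-(\d{6}):")

# Constructed collector lines: two from the expected source, one from the
# FTD inside interface (a sign that the Outside source interface, the no-NAT
# rule or the protected-network entry was missed).
SAMPLE_LOG = """\
Dec  1 10:00:01 10.255.0.10 %FTD-6-302013: Built outbound TCP connection
Dec  1 10:00:02 10.255.0.10 %FTD-6-302014: Teardown TCP connection
Dec  1 10:00:03 192.168.1.1 %FTD-6-302013: Built outbound TCP connection
"""


def audit_sources(log_text: str, source_nat_on_hub: bool = True) -> dict:
    """Count FTD syslog lines per source and flag any source other than the
    one the design predicts (private NAT IP with hub source NAT, otherwise
    the public IP). Returns {'expected': n, 'unexpected': {ip: n}}."""
    want = str(OG_FTD_PRIVATE_NAT_IP) if source_nat_on_hub else str(OG_FTD_PUBLIC.network_address)
    seen = Counter()
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            seen[m.group(1)] += 1
    unexpected = {ip: n for ip, n in seen.items() if ip != want}
    return {"expected": seen.get(want, 0), "unexpected": unexpected}
```

Any entry under "unexpected" points at a message that left the FTD from the wrong interface or was not carried through the no-NAT rule and tunnel.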
