Requirement
Your customer requested that only SNMPv3 is allowed for network monitoring. Note: ASA version 8.4 supports SNMPv3; version 8.0 may not support SNMPv3.
Default snmp-server command
cyruslab# sh run snmp-server
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
The above is the default snmp-server configuration; to configure SNMPv3, more commands have to be added.
SNMPv3 configuration: Create SNMPv3 group
SNMPv3 has three security modes: auth, noauth and authpriv (the priv keyword on the ASA).
auth: packet authentication only. No encryption.
noauth: no packet authentication and no encryption.
authpriv: packet authentication and packet encryption.
cyruslab(config)# snmp-server group snmpv3-group1 v3 priv
SNMPv3 configuration: SNMPv3 credential
Add a username to the created group. There is no password recovery for the SNMPv3 user configuration; if you forget the password you need to re-create the SNMPv3 user.
snmp-server user cyruslab snmpv3-group1 v3 auth sha cisco-example priv aes 128 cisco-encrypted-example
The auth keyword specifies the user authentication password. The password after aes 128 is the encryption (privacy) password. To remove the SNMPv3 user, use the clear configure snmp-server user command.
Specify the SNMPv3 recipient
This command specifies the trap receiver (the NMS host) and the interface through which the ASA reaches it, bound to the SNMPv3 user created above.
snmp-server host management 10.0.0.2 version 3 cyruslab
You can restrict a host to receiving traps only, or to polling only, by adding the keyword trap or poll after the IP address.
Ensure only SNMPv3 traffic is allowed
Create an access-list for the SNMP ports (snmp and snmptrap)
object-group service snmp-service udp
 port-object range snmp snmptrap
access-list snmp-ports-acl extended permit udp any any object-group snmp-service
Create a class-map that matches the SNMP ACL
class-map snmp-v3-class
 match access-list snmp-ports-acl
Create an snmp-map that denies SNMPv1 and SNMPv2/2c
snmp-map snmpv3-only-map
 deny version 1
 deny version 2c
 deny version 2
Apply SNMP inspection in the global_policy
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
 class snmp-v3-class
  inspect snmp snmpv3-only-map
service-policy global_policy global
Just add the class snmp-v3-class portion to the existing global_policy. With this in place the inspection drops SNMPv1 and SNMPv2c packets on the matched ports, so the SNMPv3-only requirement is enforced even if an older SNMP configuration is left on some host.
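As an added check that is not part of the original post, the following Python script audits a saved ASA running-config for the elements above: hosts not bound to version 3, leftover community strings, a v3 group weaker than priv, and an inspected snmp-map that does not deny versions 1, 2 and 2c. The config text is constructed for the example and includes one deliberately wrong host line.

```python
import re

# Constructed ASA running-config excerpt (not from a real device); the
# "inside" host line is intentionally SNMPv2c so the audit flags something.
SAMPLE_CONFIG = """\
snmp-server group snmpv3-group1 v3 priv
snmp-server host management 10.0.0.2 version 3 cyruslab
snmp-server host inside 10.0.0.9 community public version 2c
snmp-map snmpv3-only-map
 deny version 1
 deny version 2c
 deny version 2
policy-map global_policy
 class snmp-v3-class
  inspect snmp snmpv3-only-map
service-policy global_policy global
"""

def audit_snmp(config: str) -> list:
    """Return findings for anything that lets non-SNMPv3 traffic through."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]
    # Collect the versions each snmp-map denies (sub-commands are indented).
    maps, current = {}, None
    for ln in lines:
        if ln.startswith("snmp-map "):
            current = ln.split()[1]
            maps[current] = set()
        elif ln.startswith(" deny version ") and current:
            maps[current].add(ln.split()[-1])
        elif not ln.startswith(" "):
            current = None
    # Hosts must use an SNMPv3 user; community strings and weak groups are findings.
    for ln in lines:
        if ln.startswith("snmp-server host") and "version 3" not in ln:
            findings.append(f"host not bound to version 3: {ln}")
        if ln.startswith("snmp-server community"):
            findings.append(f"community string configured: {ln}")
        m = re.match(r"snmp-server group (\S+) v3 (\S+)", ln)
        if m and m.group(2) != "priv":
            findings.append(f"group {m.group(1)} is {m.group(2)}, not priv")
    # The inspected snmp-map must deny v1, v2 and v2c, and be applied globally.
    inspected = [ln.split()[-1] for ln in lines if ln.strip().startswith("inspect snmp ")]
    for name in inspected:
        missing = {"1", "2", "2c"} - maps.get(name, set())
        if missing:
            findings.append(f"snmp-map {name} does not deny version(s) {sorted(missing)}")
    if not any(ln.startswith("service-policy ") and ln.endswith(" global") for ln in lines):
        findings.append("no service-policy applied globally")
    return findings
```

Run it against the output of show running-config; an empty list means every SNMP element matches the configuration described above.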