blocking snmp v1 & 2c but allow snmp version 3 on ASA

Unanswered Question
Apr 2nd, 2008

I have a customer who, due to cost saving, recently migrated from a Checkpoint NGx firewall over to a Cisco ASA 5510 firewall with 8.0(3).

There is a Linux host on the internal network that supports SNMP version 1, 2c and 3. I want host Linux_internal to query host SNMP_Server with SNMP version 1 or 2c; however, Linux_vendors has to use SNMP version 3 to query the SNMP_Server host because they are going across the Internet and I want the SNMP traffic to be encrypted.

I want to know how it can be done with the ASA5510. Prior to the migration over to the ASA5510, I used the Checkpoint firewall's integrated SmartDefense to make this work.

Is it possible with the ASA to block access with SNMP version 1 and 2c over the Internet and allow only SNMP version 3?

Thanks.

pengfang Thu, 04/03/2008 - 12:02

Yes, you can do this by "SNMP Inspection". Software later than 7.01 can support the feature. I wrote an example as follows:


! Match SNMP (161) and SNMP trap (162) traffic for the inspection class
access-list snmp-acl permit udp any any eq 161
access-list snmp-acl permit udp any any eq 162
class-map snmp-port
  match access-list snmp-acl
! The snmp-map lists the versions to drop; "2c" is a separate keyword
! from "2" on the ASA, so community-based SNMPv2c needs its own line
snmp-map inbound_snmp
  deny version 1
  deny version 2c
  deny version 2
policy-map inbound_policy
  class snmp-port
    inspect snmp inbound_snmp
service-policy inbound_policy interface outside

Verify:

show service-policy inspect snmp


Of course you can use default "global_policy" which applies to all interfaces.


Hope it helps.
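
The "deny version" lines above key on the version INTEGER that every SNMP message carries as the first element of its outer BER SEQUENCE (0 = v1, 1 = v2c, 3 = v3). The following Python is an added example, not part of this thread or of Cisco's implementation: it decodes that field from a raw UDP payload and applies a drop/permit decision the way an snmp-map with "deny version 1" and "deny version 2c" would. The sample packets are constructed inline with a tiny BER encoder (the v3 sample carries empty USM parameters) and are not captures from the poster's network; treating an unparsable payload as "drop" is a fail-closed choice of this example.

```python
"""Decode the SNMP version field and apply a deny-version policy (added example)."""


def ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a BER tag/length/value triple."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """Encode a non-negative INTEGER, keeping the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)


def build_v1_or_v2c_get(version: int, community: bytes = b"public") -> bytes:
    """Constructed GetRequest with an empty varbind list (version 0 = v1, 1 = v2c)."""
    pdu = tlv(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + tlv(0x30, b""))
    return tlv(0x30, ber_int(version) + tlv(0x04, community) + pdu)


def build_v3_get() -> bytes:
    """Constructed SNMPv3 message: msgGlobalData, empty USM params, plaintext scopedPDU."""
    global_data = tlv(0x30, ber_int(1) + ber_int(65507) + tlv(0x04, b"\x04") + ber_int(3))
    security_params = tlv(0x04, b"")  # USM parameters left empty in this sample
    pdu = tlv(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + tlv(0x30, b""))
    scoped_pdu = tlv(0x30, tlv(0x04, b"") + tlv(0x04, b"") + pdu)
    return tlv(0x30, ber_int(3) + global_data + security_params + scoped_pdu)


def read_header(buf: bytes, off: int):
    """Return (tag, length, content_offset) for the TLV at buf[off]; raise on truncation."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("TLV content runs past end of packet")
    return tag, length, off


# Version values from RFC 1157 (v1), RFC 1901 (v2c) and RFC 3412 (v3);
# the key "2" matches the ASA's "deny version 2" keyword.
VERSION_NAMES = {0: "1", 1: "2c", 2: "2", 3: "3"}


def snmp_version(payload: bytes) -> str:
    """Return the SNMP version name found in the message header."""
    tag, _, off = read_header(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, length, off = read_header(payload, off)
    if tag != 0x02 or length == 0:
        raise ValueError("first element must be the INTEGER version")
    value = int.from_bytes(payload[off:off + length], "big", signed=True)
    return VERSION_NAMES.get(value, f"unknown({value})")


def inspect_snmp(payload: bytes, denied=("1", "2c")) -> str:
    """Mirror an snmp-map: 'drop' for denied versions or malformed input, else 'permit'."""
    try:
        version = snmp_version(payload)
    except ValueError:
        return "drop"
    return "drop" if version in denied else "permit"


if __name__ == "__main__":
    samples = [("v1", build_v1_or_v2c_get(0)),
               ("v2c", build_v1_or_v2c_get(1)),
               ("v3", build_v3_get())]
    for label, pkt in samples:
        print(f"{label}: version={snmp_version(pkt)} verdict={inspect_snmp(pkt)}")
```

Running it shows the v1 and v2c samples dropped and the v3 sample permitted, which is the outcome the verify command "show service-policy inspect snmp" would report as drop counters on the outside interface.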


cisco24x7 Fri, 04/04/2008 - 05:52

Thanks. I will give it a try today.

One more question. Can the ASA block SSH version 1 going through, NOT to, the firewall with the same scenario?



pengfang Fri, 04/04/2008 - 09:51

I don't think you can do that. The ASA only supports very limited Application Layer Protocol Inspection, and SSH is not in the list.
