02-22-2010 11:36 AM - edited 03-11-2019 10:13 AM
I am on a bit of a hot seat right now. I have a Cisco ASA5510 used for B2B VPN connections. Someone from my sales department has offered to allow a customer to monitor our VPN device via SNMP (with Nagios).
I have a major problem with this. Unfortunately it is getting stuffed down my throat. I am worried about compromising my gear. We have other customers on this device.
Can someone tell me if there is a safe way to do this?
02-22-2010 11:50 AM
Make sure you use a password for SNMP authentication and only read is allowed for the MIBs.
Then the monitoring software will only be able to pull information/monitor from the ASA, but not change anything etc.
I hope it helps.
PK
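One way to set up what the answer above describes, added here as an example and not posted by anyone in the thread. It assumes ASA software 8.2 or later (needed for SNMPv3); the interface name, host address, group name and user name are constructed placeholders.

```cisco
! Constructed values: interface "outside", customer Nagios host 192.0.2.10
! (documentation address), group NAGIOS-RO, user nagios-cust.
! Passphrases are placeholders; replace them before use.

! --- Weaker option: SNMPv2c. The community string is sent in clear text. ---
! snmp-server host outside 192.0.2.10 poll community <COMMUNITY> version 2c

! --- Stronger option: SNMPv3 with authentication and encryption (authPriv) ---
snmp-server group NAGIOS-RO v3 priv
snmp-server user nagios-cust NAGIOS-RO v3 auth sha <AUTH-PASSPHRASE> priv aes 128 <PRIV-PASSPHRASE>

! Name the single permitted poller explicitly. "poll" means this host may
! query the ASA but is not sent traps.
snmp-server host outside 192.0.2.10 poll version 3 nagios-cust

! --- Verify from privileged EXEC mode ---
show running-config snmp-server
show snmp-server statistics
```

Watching the counters in `show snmp-server statistics` after the customer starts polling shows whether requests are arriving with bad credentials.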
02-22-2010 11:53 AM
I was worried that they would be able to read my configs (similar to a router). Do you know if this is possible?
02-22-2010 11:55 AM
Stupid marketing Department. Anything for a sale.
02-22-2010 12:36 PM
ASAs are not susceptible to the SNMP vulnerabilities that existed in IOS:
http://www.cisco.com/warp/public/707/cisco-sa-20010227-ios-snmp-ilmi.shtml#summary
http://www.cisco.com/warp/public/707/cisco-sa-20010228-ios-snmp-community.shtml#summary
I hope it helps.
PK