snmp-map ASA 8.2 not blocking as should or I get it wrong

Hello everyone,

I am trying to use the snmp-map feature to block a specific SNMP version and somehow it doesn't work. Am I missing something, or have I got it wrong?

My only thought is that the command snmp-server host xxxxx overrides the snmp-map, but then what is the sense of snmp-map?

Info:

ASA 5510,  image asa821-11-k8.bin

My snmp station from which I query the ASA is 2.2.2.2

snmp-map no-v3-here
deny version 3

# sh run access-list no-v3
access-list no-v3 extended permit udp any any eq snmptrap
access-list no-v3 extended permit udp any any eq snmp

class-map snmp-block-v3
match access-list no-v3

policy-map no-snmp-v3
class snmp-block-v3
  inspect snmp no-v3-here

service-policy no-snmp-v3 interface outside

I tried specifying version 2c of SNMP and applying it to the global service policy; no help.

I can still query this ASA by all snmp versions that are enabled on it.

SNMP configs:

snmp-server group V3-auth v3 auth
snmp-server group v3-priv v3 priv
snmp-server group v3-noauth v3 noauth
snmp-server user AUTH V3-auth v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxx
snmp-server user Mambo v3-noauth v3
snmp-server user very_secure v3-priv v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxxxx
snmp-server host outside 1.1.1.1 community ***** version 1 udp-port 162
snmp-server host outside 2.2.2.2 version 3 very_secure udp-port 162
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
no snmp-server enable traps ipsec start stop
no snmp-server enable traps entity config-change fru-insert fru-remove
no snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable
snmp-server listen-port 161

Thanks.

2 Accepted Solutions

mirober2
Cisco Employee

Hi Yuri,

The snmp-map/inspection is only applied for SNMP traffic passing *through* the ASA (i.e. the client and server are on opposite sides of the ASA). To disable SNMPv3 support for traffic *to* the ASA, you can adjust the snmp-server host and snmp-server group commands to not include v3.

Hope that helps.

-Mike


Jia Liu
Cisco Employee

Are you trying to deny SNMP version 3 for queries to the ASA or through the ASA? Please note that the snmp-map command is only for traffic through the box. If you want to disable SNMP queries to the box, then you need to disable the snmp-server with 'no snmp-server enable'.

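
As an added check (not from the thread or from Cisco), a small Python audit of the config Yuri posted shows what both accepted answers say: the ASA still answers SNMPv3 (and v1/v2c) queries directed at itself no matter what the snmp-map denies, because that is decided by the snmp-server group/user/host/community lines. The sample config and the "weak" labels are constructed for this example.

```python
# Constructed sample: the SNMP lines from the running config posted in the thread (typo fixed).
SAMPLE_CONFIG = """\
snmp-map no-v3-here
deny version 3
snmp-server group V3-auth v3 auth
snmp-server group v3-priv v3 priv
snmp-server group v3-noauth v3 noauth
snmp-server user AUTH V3-auth v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxx
snmp-server user Mambo v3-noauth v3
snmp-server user very_secure v3-priv v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxxxx
snmp-server host outside 1.1.1.1 community ***** version 1 udp-port 162
snmp-server host outside 2.2.2.2 version 3 very_secure udp-port 162
snmp-server community *****
snmp-server enable
snmp-server listen-port 161
"""

def audit_snmp_to_box(config: str) -> dict:
    """Summarise which SNMP the ASA itself will answer. snmp-map / inspect snmp lines are
    ignored on purpose: they only govern SNMP passing through the ASA, not queries to it."""
    f = {"enabled": False, "community": False, "v3_groups": {}, "v3_users": {}, "hosts": [], "weak": []}
    for line in config.splitlines():
        p = line.split()
        if not p or p[0] != "snmp-server":
            continue
        if p[1] == "enable" and len(p) == 2:          # "snmp-server enable" (not "enable traps ...")
            f["enabled"] = True
        elif p[1] == "community":                      # v1/v2c community: no authentication, cleartext
            f["community"] = True
            f["weak"].append("community string: SNMPv1/v2c accepted without authentication")
        elif p[1] == "group" and "v3" in p:            # snmp-server group <name> v3 {auth|noauth|priv}
            f["v3_groups"][p[2]] = p[-1]
            if p[-1] == "noauth":
                f["weak"].append(f"v3 group {p[2]} is noauth")
        elif p[1] == "user":                           # snmp-server user <name> <group> v3 ...
            f["v3_users"][p[2]] = p[3]
        elif p[1] == "host":                           # snmp-server host <iface> <addr> [... version N]
            ver = p[p.index("version") + 1] if "version" in p else "default"
            f["hosts"].append((p[2], p[3], ver))
    for user, group in f["v3_users"].items():          # a noauth group makes its users unauthenticated
        if f["v3_groups"].get(group) == "noauth":
            f["weak"].append(f"v3 user {user} can query without authentication")
    return f

def box_accepts(f: dict, version: str) -> bool:
    """True if the ASA answers SNMP of this version ('1', '2c' or '3') regardless of any snmp-map."""
    if not f["enabled"]:
        return False
    return f["community"] if version in ("1", "2c") else bool(f["v3_users"])
```

Running it on the posted config reports v3 accepted (three users, one of them in a noauth group) even though the snmp-map says "deny version 3"; removing the v3 group/user lines, or the community string, is what actually changes the answer.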

4 Replies


Thanks a lot, as I suspected I got it wrong. I was trying to block SNMPv3 queries TO the ASA itself.
