snmp-map ASA 8.2 not blocking as should or I get it wrong

Aug 25th, 2010

Hello everyone,

I am trying to use the snmp-map feature to block a specific snmp version and somehow it doesn't work. Am I missing something, or did I get it wrong?

My only thought is that the command snmp-server host xxxxx overrides the snmp-map, but then what is the sense of snmp-map?

Info:

ASA 5510, image asa821-11-k8.bin

My snmp station from which I query the ASA is 2.2.2.2


snmp-map no-v3-here
deny version 3


# sh run access-list no-v3
access-list no-v3 extended permit udp any any eq snmptrap
access-list no-v3 extended permit udp any any eq snmp


class-map snmp-block-v3
match access-list no-v3

policy-map no-snmp-v3
class snmp-block-v3
  inspect snmp no-v3-here

service-policy no-snmp-v3 interface outside


I tried specifying version 2c of snmp and applying it to the global service policy - no help.

I can still query this ASA by all snmp versions that are enabled on it.

SNMP configs:

snmp-server group V3-auth v3 auth
snmp-server group v3-priv v3 priv
snmp-server group v3-noauth v3 noauth
snmp-server user AUTH V3-auth v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxx
snmp-server user Mambo v3-noauth v3
snmp-server user very_secure v3-priv v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxxxx
snmp-server host outside 1.1.1.1 community ***** version 1 udp-port 162
snmp-server host outside 2.2.2.2 version 3 very_secure udp-port 162
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
no snmp-server enable traps ipsec start stop
no snmp-server enable traps entity config-change fru-insert fru-remove
no snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable
snmp-server listen-port 161


Thanks.


Correct Answer
mirober2 (Cisco Employee) Thu, 08/26/2010 - 09:13

Hi Yuri,


The snmp-map/inspection is only applied for SNMP traffic passing *through* the ASA (i.e. the client and server are on opposite sides of the ASA). To disable SNMPv3 support for traffic *to* the ASA, you can adjust the snmp-server host and snmp-server group commands to not include v3.


Hope that helps.


-Mike
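A small check, added here as an illustration and not part of the thread, that reads the poster's running-config and shows why the deny had no effect: it derives the versions the box itself answers from the snmp-server lines alone (the snmp-map is ignored, because inspection only acts on transit traffic) and then applies the change Mike suggests. The config sample is constructed from the lines in the post and the function names are my own.

```python
import re

# Constructed sample: the relevant lines from the running-config posted in the
# thread (community strings masked as in the post).
SAMPLE_CONFIG = """\
snmp-map no-v3-here
 deny version 3
snmp-server group V3-auth v3 auth
snmp-server group v3-priv v3 priv
snmp-server user very_secure v3-priv v3 encrypted auth md5 xxxx
snmp-server host outside 1.1.1.1 community ***** version 1 udp-port 162
snmp-server host outside 2.2.2.2 version 3 very_secure udp-port 162
snmp-server community *****
snmp-server enable
"""

def to_the_box_versions(config: str) -> set:
    """SNMP versions the ASA itself will answer, read only from snmp-server
    lines. snmp-map/inspect lines are ignored on purpose: inspection acts on
    traffic through the box, not on queries to it. Hosts configured without an
    explicit 'version' keyword are not counted (simplification)."""
    versions = set()
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("snmp-server community"):
            versions.update({"1", "2c"})  # a community string serves v1/v2c
        m = re.match(r"snmp-server host \S+ \S+ .*?version (\S+)", line)
        if m:
            versions.add(m.group(1))
        if re.match(r"snmp-server group \S+ v3\b", line):
            versions.add("3")
    return versions

def through_the_box_denied(config: str) -> set:
    """Versions an snmp-map denies; relevant only to inspected transit traffic."""
    return set(re.findall(r"^\s*deny version (\S+)", config, re.MULTILINE))

def without_v3(config: str) -> str:
    """Drop the v3 group/user/host lines, the change the answer suggests for
    turning SNMPv3 off to the box; v1/v2c lines are left as they are."""
    kept = []
    for line in config.splitlines():
        s = line.strip()
        if re.match(r"snmp-server (group|user) \S+ (\S+ )?v3\b", s):
            continue
        if re.match(r"snmp-server host .*\bversion 3\b", s):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"
```

Run on the sample, the box still answers v3 even though the snmp-map denies it; after without_v3() only v1/v2c remain.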

Correct Answer
Jia Liu (Cisco Employee) Thu, 08/26/2010 - 09:23

Are you trying to deny snmp version 3 for query to the ASA or through the ASA?  Please note that the snmp-map command is only for traffic through the box.  If you want to disable snmp query to the box, then you need to disable the snmp-server by 'no snmp-server enable'.

yuri_slobodyanyuk Thu, 08/26/2010 - 12:28

Thanks a lot, as I suspected I got it wrong. I was trying to block snmp v3 queries TO the ASA itself.

