Blocking SNMP v1 & 2c but allow SNMP version 3 on ASA

cisco24x7 (Level 6)

I have a customer who, due to cost saving, recently migrated from a Checkpoint NGx firewall over to a Cisco ASA 5510 firewall with 8.0(3).

There is a Linux host on the internal network that supports SNMP version 1, 2c and 3. I want host Linux_internal to query host SNMP_Server with SNMP version 1 or 2c; however, Linux_vendors has to use SNMP version 3 to query the SNMP_Server host because they are going across the Internet and I want the SNMP traffic to be encrypted.

I want to know how it can be done with the ASA5510. Prior to the migration over to the ASA5510, I used the Checkpoint firewall's integrated SmartDefense to make this work.

Is it possible with the ASA to block SNMP version 1 and 2c access over the Internet and allow only SNMP version 3?

Thanks.

3 Replies

pengfang (Level 1)

Yes, you can do this with "SNMP Inspection". Software later than 7.01 supports the feature. I wrote an example as follows:

access-list snmp-acl permit udp any any eq 161
access-list snmp-acl permit udp any any eq 162

class-map snmp-port
  match access-list snmp-acl

snmp-map inbound_snmp
  deny version 1
  deny version 2
  deny version 2c

policy-map inbound_policy
  class snmp-port
    inspect snmp inbound_snmp

service-policy inbound_policy interface outside

Verify:

show service-policy inspect snmp

Of course, you can use the default "global_policy", which applies to all interfaces.

Hope it helps.
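To see what the ASA's snmp-map actually keys on, here is an added Python example (not part of this thread or of Cisco's code): it decodes the version INTEGER at the front of an SNMP message and applies a "deny version" list to it. Note that the ASA treats version 2 and 2c as separate keywords, so a map that denies only 1 and 2 still passes community-string v2c. The sample packets are constructed for the example; the v3 message is truncated after msgGlobalData, which is fine because the check never reads past the version field.

```python
# Added example (not from the thread): read the SNMP version field and apply
# an ASA-style "deny version" list to it.

def _tlv(buf, pos):
    """Parse one BER TLV at buf[pos]; return (tag, value_bytes, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length, 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of packet")
    return tag, buf[pos:pos + length], pos + length

# Wire value of the version INTEGER -> keyword used by "deny version" in snmp-map
# (0 = v1, 1 = v2c, 2 = the obsolete non-community v2 variants, 3 = v3).
VERSION_NAMES = {0: "1", 1: "2c", 2: "2", 3: "3"}

def snmp_version(packet: bytes) -> str:
    """Return the version keyword of an SNMP message, or raise ValueError."""
    tag, body, _ = _tlv(packet, 0)
    if tag != 0x30:                        # the message is a SEQUENCE
        raise ValueError("not an SNMP message")
    vtag, vval, _ = _tlv(body, 0)
    if vtag != 0x02 or len(vval) != 1:     # first element: one-byte INTEGER version
        raise ValueError("missing version INTEGER")
    if vval[0] not in VERSION_NAMES:
        raise ValueError("unknown SNMP version %d" % vval[0])
    return VERSION_NAMES[vval[0]]

def inspect_verdict(packet: bytes, denied=("1", "2", "2c")) -> str:
    """Mimic the snmp-map: drop denied versions and malformed messages."""
    try:
        version = snmp_version(packet)
    except ValueError:
        return "drop (malformed)"
    return "drop" if version in denied else "permit"

# Constructed samples: v1/v2c GetRequest for 1.3.6.1.2.1, community "public";
# v3 header with msgGlobalData only (msgID, msgMaxSize, msgFlags, USM model).
V1_GET = bytes.fromhex("302602010004067075626c6963a019020401020304020100020100"
                       "300b300906052b060102010500")
V2C_GET = V1_GET[:4] + b"\x01" + V1_GET[5:]     # same PDU, version byte = 1
V3_HDR = bytes.fromhex("30160201033011020401020304020300ffe3040104020103")
```

Running `inspect_verdict(V2C_GET, denied=("1", "2"))` returns "permit", which is why the map needs `deny version 2c` as well when the goal is to stop community-string SNMP at the outside interface.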

Thanks. I will give it a try today.

One more question. Does the ASA have the ability to block SSH version 1 through, NOT to, the firewall in the same scenario?

I don't think you can do that. The ASA only supports very limited Application Layer Protocol Inspection, and SSH is not in the list.
