04-02-2008 08:13 AM - edited 03-11-2019 05:26 AM
I have a customer who, to save costs, recently migrated from a Checkpoint NGX firewall to a Cisco ASA 5510 firewall running 8.0(3).

There is a Linux host on the internal network that supports SNMP versions 1, 2c and 3. I want host Linux_internal to query host SNMP_Server with SNMP version 1 or 2c; however, Linux_vendors has to use SNMP version 3 to query the SNMP_Server host because they are going across the Internet and I want the SNMP traffic to be encrypted.

I want to know how this can be done with the ASA 5510. Prior to the migration to the ASA 5510, I used the Checkpoint firewall's integrated SmartDefense to make this work.

Is it possible with the ASA to block SNMP version 1 and 2c access over the Internet and allow only SNMP version 3?

Thanks.
04-03-2008 12:02 PM
Yes, you can do this with "SNMP Inspection". Software later than 7.01 supports the feature. I wrote an example as follows:
access-list snmp-acl permit udp any any eq 161
access-list snmp-acl permit udp any any eq 162
class-map snmp-port
  match access-list snmp-acl
snmp-map inbound_snmp
  deny version 1
  deny version 2
  ! 2c is a separate version value in snmp-map; deny it too, since the
  ! question is about blocking v1 and v2c
  deny version 2c
policy-map inbound_policy
  class snmp-port
    inspect snmp inbound_snmp
service-policy inbound_policy interface outside
Verify:
show service-policy inspect snmp
Of course you can use default "global_policy" which applies to all interfaces.
Hope it helps.
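The snmp-map in the reply above works because every SNMP message, whatever its version, starts with a BER SEQUENCE whose first element is the version INTEGER (0 for v1, 1 for v2c, 3 for v3). As an added example that is not Cisco's or the poster's code, here is a small Python parser that classifies a datagram the same way and applies a deny-version policy to constructed sample packets.

```python
# Added example (not Cisco's code): classify SNMP datagrams by the version
# INTEGER that opens every message and apply a deny-version policy like the
# snmp-map above. All sample packets here are constructed.
SNMP_VERSIONS = {0: "1", 1: "2c", 3: "3"}   # wire value -> version name

def _ber_tlv(data, offset=0):
    """Parse one BER TLV at offset; return (tag, value_bytes, next_offset)."""
    if offset + 2 > len(data):
        raise ValueError("truncated TLV")
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                                  # long-form length
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(data):
            raise ValueError("bad long-form length")
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(data):
        raise ValueError("value runs past end of datagram")
    return tag, data[pos:pos + length], pos + length

def snmp_version(datagram):
    """Return '1', '2c' or '3'; raise ValueError for anything else."""
    tag, body, _ = _ber_tlv(datagram)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, _ = _ber_tlv(body)
    if tag != 0x02 or not ver:
        raise ValueError("missing version INTEGER")
    value = int.from_bytes(ver, "big", signed=True)
    if value not in SNMP_VERSIONS:
        raise ValueError("unsupported SNMP version %d" % value)
    return SNMP_VERSIONS[value]

def snmp_policy(datagram, deny_versions):
    """'permit' or 'deny' for a UDP/161 payload; unparseable data is denied."""
    try:
        return "deny" if snmp_version(datagram) in deny_versions else "permit"
    except ValueError:
        return "deny"                                  # fail closed

def _ber(tag, value):
    return bytes([tag, len(value)]) + value            # short-form TLV (<128 B)

def build_message(version_value, rest):
    """Constructed SNMP message: SEQUENCE { INTEGER version, rest... }."""
    return _ber(0x30, _ber(0x02, bytes([version_value])) + rest)

# Constructed samples: v1/v2c carry a community string, v3 a header SEQUENCE.
V1_GET = build_message(0, _ber(0x04, b"public") + _ber(0xA0, b""))
V2C_GET = build_message(1, _ber(0x04, b"public") + _ber(0xA0, b""))
V3_GET = build_message(3, _ber(0x30, b""))
```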
04-04-2008 05:52 AM
Thanks. I will give it a try today.

One more question. Can the ASA block SSH version 1 going through, NOT to, the firewall in the same scenario?
04-04-2008 09:51 AM
I don't think you can do that. The ASA only supports very limited Application Layer Protocol Inspection, and SSH is not in the list.