Cisco Support Community

Silver

blocking snmp v1 & 2c but allow snmp version 3 on ASA

I have a customer who, due to cost saving, recently migrated from a Checkpoint NGX firewall over to a Cisco ASA 5510 firewall with 8.0(3).

There is a Linux host on the internal network that supports SNMP versions 1, 2c and 3. I want host Linux_internal to query host SNMP_Server with SNMP version 1 or 2c; however, Linux_vendors has to use SNMP version 3 to query the SNMP_Server host, because they are going across the Internet and I want the SNMP traffic to be encrypted.

I want to know how it can be done with the ASA 5510. Prior to the migration over to the ASA 5510, I used the Checkpoint firewall's integrated SmartDefense to make this work.

Is it possible with the ASA to block SNMP version 1 and 2c access over the Internet and allow only SNMP version 3?

Thanks.

3 REPLIES
New Member

Re: blocking snmp v1 & 2c but allow snmp version 3 on ASA

Yes, you can do this with "SNMP Inspection". Software later than 7.01 supports the feature; I wrote an example as follows:

! Match SNMP queries (161) and traps (162) from any source to any destination
access-list snmp-acl permit udp any any eq 161
access-list snmp-acl permit udp any any eq 162

class-map snmp-port
  match access-list snmp-acl

! Versions the inspection engine should drop. "deny version 2" covers
! SNMPv2 (party-based); community-based SNMPv2c is a separate keyword and
! must be denied explicitly, otherwise v2c queries still pass.
snmp-map inbound_snmp
  deny version 1
  deny version 2
  deny version 2c

policy-map inbound_policy
  class snmp-port
    inspect snmp inbound_snmp

! Apply to the outside interface; a service-policy on an interface applies
! to traffic in both directions through that interface.
service-policy inbound_policy interface outside

Verify:

show service-policy inspect snmp

Of course you can use the default "global_policy", which applies to all interfaces.

Hope it helps.
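What the snmp-map above makes the firewall do is read the version INTEGER that sits at the start of every BER-encoded SNMP message and drop the datagram if that version is on the deny list. The following is an added example, not from the original thread or from Cisco: a small Python script that builds constructed v1, v2c and v3 GetRequest packets (the hex is generated by the script, not captured), parses the version field the way an inspection engine must (including long-form BER lengths and malformed input), and applies a deny list matching "deny version 1 / 2 / 2c". The `build_*`, `snmp_version` and `inspect` names are the example's own.

```python
"""Classify SNMP datagrams by version, as an SNMP inspection policy does.

Constructed example: packets are generated here, not captured from a network.
"""

SNMP_V1, SNMP_V2C, SNMP_V3 = 0, 1, 3
VERSION_NAMES = {0: "1", 1: "2c", 2: "2", 3: "3"}   # wire value -> ASA keyword


def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag, content):
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value):
    """Non-negative INTEGER; a leading 0x00 is added when the top bit is set."""
    return ber(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                       # base-128, high bit = more bytes
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return ber(0x06, bytes(out))


def build_community_get(version, community, oid):
    """SNMPv1/v2c GetRequest: SEQUENCE { version, community, GetRequest-PDU }."""
    varbind = ber(0x30, ber_oid(oid) + ber(0x05, b""))          # OID, NULL
    pdu = ber(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    return ber(0x30, ber_int(version) + ber(0x04, community.encode()) + pdu)


def build_v3_get(engine_id=b"", user=b"vendor"):
    """SNMPv3 GetRequest with USM header (no auth/priv, so the version field is
    the only thing that differs structurally at the front of the message)."""
    global_data = ber(0x30, ber_int(1) + ber_int(65507) + ber(0x04, b"\x04") + ber_int(3))
    usm = ber(0x30, ber(0x04, engine_id) + ber_int(0) + ber_int(0)
              + ber(0x04, user) + ber(0x04, b"") + ber(0x04, b""))
    varbind = ber(0x30, ber_oid("1.3.6.1.2.1.1.1.0") + ber(0x05, b""))
    pdu = ber(0xA0, ber_int(1) + ber_int(0) + ber_int(0) + ber(0x30, varbind))
    scoped = ber(0x30, ber(0x04, engine_id) + ber(0x04, b"") + pdu)
    return ber(0x30, ber_int(SNMP_V3) + global_data + ber(0x04, usm) + scoped)


def read_tlv(buf, pos):
    """Return (tag, content_start, content_end); ValueError on malformed input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("length exceeds payload")
    return tag, pos, pos + length


def snmp_version(payload):
    """Wire version number: 0=v1, 1=v2c, 2=v2, 3=v3. ValueError if not SNMP."""
    tag, start, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("outer SEQUENCE missing")
    tag, vstart, vend = read_tlv(payload, start)
    if tag != 0x02 or vend == vstart:
        raise ValueError("version INTEGER missing")
    return int.from_bytes(payload[vstart:vend], "big", signed=True)


def inspect(payload, denied=("1", "2", "2c")):
    """Mimic 'deny version ...' in an snmp-map: 'drop' or 'permit'."""
    try:
        name = VERSION_NAMES.get(snmp_version(payload))
    except ValueError:
        return "drop"                 # not well-formed SNMP: do not let it through
    return "drop" if name is None or name in denied else "permit"


SAMPLES = {                           # constructed sample datagrams
    "v1": build_community_get(SNMP_V1, "public", "1.3.6.1.2.1.1.1.0"),
    "v2c": build_community_get(SNMP_V2C, "public", "1.3.6.1.2.1.1.1.0"),
    "v3": build_v3_get(),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:3s} version={snmp_version(pkt)} -> {inspect(pkt)}")
```

Run it and the v1 and v2c samples come back as "drop" while the v3 one is "permit"; passing `denied=("1",)` lets v2c through, which is the difference between denying "2" and "2c" in the map. Note that the check is purely on the version field: a v3 message with noAuthNoPriv still counts as version 3, so the encryption the question asks for has to be enforced by the agent's USM user configuration (authPriv), not by the firewall.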

Silver

Re: blocking snmp v1 & 2c but allow snmp version 3 on ASA

Thanks. I will give it a try today.

One more question. Does the ASA have the ability to block SSH version 1 through, NOT to, the firewall in the same scenario?

New Member

Re: blocking snmp v1 & 2c but allow snmp version 3 on ASA

I don't think you can do that. The ASA only supports very limited Application Layer Protocol Inspection, and SSH is not in the list.
