New Member

Is it possible to restrict SNMP access through firewall

My apologies if there is already an answered discussion about this that I didn't find.

In addition to just limiting the IP addresses allowed to have access and the TCP/UDP port and direction of access, is it possible to further restrict SNMP traffic through an ASA firewall? Example 1: Can IP address IP_A on network A be forcibly limited to have only read-only SNMP polling access to IP_B on network B on the other side of an ASA firewall, regardless of the community string it issues (or the configuration of device IP_B)?

     IP_A   ------- FW -------- IP_B

Example 2: Can IP address IP_A on network A be forcibly limited to have only read-only access to specific OIDs via SNMP polling access to IP_B on network B on the other side of an ASA firewall, regardless of the community string it issues (or the configuration of device IP_B)?

     IP_A ------>  FW ------> IP_B

It looks like IOS 10.3 and above allow devices to have such access limiting. I was wondering if this could also be done via the ASA for any end device.

Thanks

Jim

2 REPLIES
Hall of Fame Super Silver

Is it possible to restrict SNMP access through firewall

No.

An ASA can, as you noted, restrict source and destination IP and port. To do what you are asking, one would need to prevent a string within the payload from being transmitted (or only accept certain strings).

You should just put the access-list on the destination device(s) restricting what host(s) are allowed snmp rw (as you alluded to). That's a very common implementation straight out of the textbook.
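As an added illustration of the destination-side approach the reply recommends (not configuration from the original thread), here is an IOS snmp-server configuration that covers both of the original examples: a standard ACL limits which host may poll at all, and a MIB view limits the read-only community to one OID subtree. The host address, ACL names, view name and community placeholders are assumptions for the example; the IOS commands themselves are standard.

```text
! Standard ACL: only the management station may poll this device
ip access-list standard SNMP-NMS
 permit host 10.0.1.50
 deny   any log
!
! Separate ACL for the few hosts allowed read-write access
ip access-list standard SNMP-MGMT
 permit host 10.0.1.51
 deny   any log
!
! MIB view restricted to the interfaces subtree (Example 2: OID restriction)
snmp-server view IFACE-ONLY 1.3.6.1.2.1.2 included
!
! Read-only community: bound to the view AND to the NMS ACL (Example 1)
snmp-server community <RO-COMMUNITY> view IFACE-ONLY RO SNMP-NMS
!
! Read-write community: no view restriction, but only the MGMT hosts may use it
snmp-server community <RW-COMMUNITY> RW SNMP-MGMT
```

Replace the angle-bracket placeholders with real community strings; the `deny any log` entries make rejected polling attempts visible in the device log so that unexpected sources can be investigated.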

New Member

Is it possible to restrict SNMP access through firewall

Thank you. This is what I expected. I was hoping the ASA could inspect the SNMP protocol and provide further restriction to the access, so as not to have to rely on what the end device could do (or not do) in this regard.

Jim
