Cisco Support Community
New Member

snmp-map ASA 8.2 not blocking as should or I get it wrong

Hello everyone,

I am trying to use the snmp-map feature to block a specific snmp version and somehow it doesn't work. Am I missing something, or have I got it wrong?

My only thought is that the command snmp-server host xxxxx overrides the snmp-map, but then - what is the sense of snmp-map?

Info:

ASA 5510,  image asa821-11-k8.bin

My snmp station from which I query the ASA is 2.2.2.2

snmp-map no-v3-here
deny version 3

# sh run access-list no-v3
access-list no-v3 extended permit udp any any eq snmptrap
access-list no-v3 extended permit udp any any eq snmp

class-map snmp-block-v3
match access-list no-v3

policy-map no-snmp-v3
class snmp-block-v3
  inspect snmp no-v3-here

service-policy no-snmp-v3 interface outside

I tried specifying version 2c of snmp, applying to the global service policy - no help.

I can still query this ASA by all snmp versions that are enabled on it.

SNMP configs:

snmp-server group V3-auth v3 auth
snmp-server group v3-priv v3 priv
snmp-server group v3-noauth v3 noauth
snmp-server user AUTH V3-auth v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxx
snmp-server user Mambo v3-noauth v3
snmp-server user very_secure v3-priv v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxxxx
snmp-server host outside 1.1.1.1 community ***** version 1 udp-port 162
snmp-server host outside 2.2.2.2 version 3 very_secure udp-port 162
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
no snmp-server enable traps ipsec start stop
no snmp-server enable traps entity config-change fru-insert fru-remove
no snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable
snmp-server listen-port 161

Thanks.

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Re: snmp-map ASA 8.2 not blocking as should or I get it wrong

Hi Yuri,

The snmp-map/inspection is only applied for SNMP traffic passing *through* the ASA (i.e. the client and server are on opposite sides of the ASA). To disable SNMPv3 support for traffic *to* the ASA, you can adjust the snmp-server host and snmp-server group commands to not include v3.

Hope that helps.

-Mike

Cisco Employee

Re: snmp-map ASA 8.2 not blocking as should or I get it wrong

Are you trying to deny snmp version 3 for query to the ASA or through the ASA?  Please note that the snmp-map command is only for traffic through the box.  If you want to disable snmp query to the box, then you need to disable the snmp-server by 'no snmp-server enable'.
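Since the answer is that only the snmp-server lines decide which SNMP versions the ASA itself answers (snmp-map / inspect snmp only touches traffic through it), a defender auditing a running config wants to read exactly those lines. The script below is an added example, not code from the thread or from Cisco; it parses the snmp-server lines posted above (kept verbatim, including the "nmp-server" typo on the first line) and reports the to-the-box exposure: v1/v2c community access, v3 users in noauth groups, and users that reference a group that is not defined.

```python
import re

# Constructed sample: the snmp-server lines from the original post, including its
# "nmp-server" typo on the first line, which the parser deliberately skips.
SAMPLE_CONFIG = """\
nmp-server group V3-auth v3 auth
snmp-server group v3-priv v3 priv
snmp-server group v3-noauth v3 noauth
snmp-server user AUTH V3-auth v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxx
snmp-server user Mambo v3-noauth v3
snmp-server user very_secure v3-priv v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxxxx
snmp-server host outside 1.1.1.1 community ***** version 1 udp-port 162
snmp-server host outside 2.2.2.2 version 3 very_secure udp-port 162
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable
"""

def audit_snmp_server(config: str) -> dict:
    """Which SNMP versions the ASA itself answers, from snmp-server lines only."""
    r = {"enabled": False, "community": False, "groups": {}, "users": {},
         "hosts": [], "findings": []}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 2 or t[0] != "snmp-server":       # skips 'no ...' lines and typos
            continue
        if t[1] == "enable" and len(t) == 2:            # bare 'snmp-server enable'
            r["enabled"] = True
        elif t[1] == "community":                        # v1/v2c access to the box
            r["community"] = True
        elif t[1] == "group" and len(t) >= 5 and t[3] == "v3":
            r["groups"][t[2]] = t[4]                     # auth | noauth | priv
        elif t[1] == "user" and len(t) >= 5 and t[4] == "v3":
            r["users"][t[2]] = t[3]                      # user -> group name
        elif t[1] == "host" and len(t) >= 4:
            m = re.search(r"\bversion (\S+)", raw)
            r["hosts"].append((t[3], m.group(1) if m else "unspecified"))
    f = r["findings"]
    if not r["enabled"]:
        f.append("snmp-server is disabled: no query to the box is answered")
    if r["community"]:
        f.append("v1/v2c community string present: v1/v2c queries to the box are accepted")
    for user, group in r["users"].items():
        level = r["groups"].get(group)
        if level is None:
            f.append(f"v3 user {user} references undefined group {group} (typo?)")
        elif level == "noauth":
            f.append(f"v3 user {user} is in noauth group {group}: unauthenticated v3 access")
    return r
```

On the posted config this reports the v1/v2c community, the Mambo user in the noauth group, and the AUTH user pointing at a group that the (mistyped) first line never defined; the snmp-map lines play no part in that result.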

4 REPLIES
New Member

Re: snmp-map ASA 8.2 not blocking as should or I get it wrong

Thanks a lot, as I suspected I got it wrong. I was trying to block snmp v3 queries TO the ASA itself.
