SNMP stands for Simple Network Management Protocol. Up to ASA software 8.1, the supported SNMP versions were v1 and v2c. The newest ASA software, 8.2, also supports SNMP v3, which is the most secure version of the protocol.
The ASA works as an SNMP server (or agent), so you also need a Network Management System (NMS), which acts as the SNMP manager, in order to provide network monitoring and management functionality.
The NMS is basically a management server such as the CiscoWorks product. With the NMS you can either poll the ASA appliance to collect information, or the ASA appliance can send SNMP traps (event notifications) to the NMS server.
SNMP traps are sent to UDP port 162 and SNMP polling uses UDP port 161. So the ASA will listen on UDP 161 and the NMS will listen on UDP 162 and 161.
Configuring SNMP on ASA
Step 1: Enable the SNMP server on the ASA
ASA(config)# snmp-server enable
Step 2: Identify the NMS host that can connect to the ASA for SNMP management
ASA(config)# snmp-server host [interface_name] [ip_address] community [community_string]
Where "interface_name" is the ASA interface through which the NMS can be reached, and "ip_address" is the NMS address. The "community_string" is like a preshared password which must be configured on both the ASA and the NMS in order for the two elements to communicate.
Step 3: Specify the ASA community string
ASA(config)# snmp-server community [community_string]
Step 4: Enable the ASA to send SNMP traps to the NMS
ASA(config)# snmp-server enable traps [all | snmp [trap] [trap]]
The default configuration has all SNMP traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). It is recommended to leave all traps enabled, as in the default setting.
Configuration Example:
ASA(config)# snmp-server enable
ASA(config)# snmp-server host inside 10.1.1.100 community somesecretword
ASA(config)# snmp-server community somesecretword
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart
Configuration Example of SNMP v3
Currently the most secure SNMP version is v3. To configure this version you first need to create an SNMP group, then an SNMP user, and lastly a host (NMS) which will communicate with the firewall for management purposes.
Let’s configure SNMP v3 with the example below:
ASA(config)# snmp-server enable
ASA(config)# snmp-server group snmpgroup v3 auth   <- create v3 group with authentication
ASA(config)# snmp-server user administrator snmpgroup v3 auth sha strongpass   <- create user "administrator" belonging to group "snmpgroup"
ASA(config)# snmp-server host inside 10.1.1.1 version 3 administrator   <- specify the NMS host
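To check an existing running-config against the settings covered above, here is an added Python audit (not from the post and not a Cisco tool) that parses the snmp-server host, user and enable traps lines and flags community-string (v1/v2c) hosts, well-known default community names, and v3 users configured with auth but no priv; the config excerpt it reads is constructed.

```python
import re

# Constructed ASA running-config excerpt (not taken from a real device); it mixes
# the community-string (v1/v2c) and v3 host styles shown in the post.
SAMPLE_CONFIG = """\
snmp-server enable
snmp-server host inside 10.1.1.100 community somesecretword
snmp-server host outside 203.0.113.5 community public version 2c
snmp-server community somesecretword
snmp-server group snmpgroup v3 auth
snmp-server user administrator snmpgroup v3 auth sha strongpass
snmp-server host inside 10.1.1.1 version 3 administrator
snmp-server enable traps snmp authentication linkup linkdown coldstart
"""

HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+)(.*)$")

def audit_snmp(config: str) -> dict:
    """Classify each NMS host by SNMP version and collect weaknesses."""
    hosts, findings = [], []
    traps_enabled = False
    for line in config.splitlines():
        line = line.strip()
        m = HOST_RE.match(line)
        if m:
            iface, ip, rest = m.groups()
            if "version 3" in rest:
                hosts.append((iface, ip, "v3"))
                continue
            # Without "version 3" the host is keyed by a community string,
            # which crosses the wire in cleartext on UDP 161/162.
            version = "v1" if "version 1" in rest else ("v2c" if "version 2c" in rest else "v1/v2c")
            hosts.append((iface, ip, version))
            findings.append(f"{ip} ({iface}) polled with cleartext community string")
            if re.search(r"community (public|private)\b", rest):
                findings.append(f"{ip} ({iface}) uses a well-known default community name")
            continue
        if line.startswith("snmp-server enable traps"):
            traps_enabled = True
        elif line.startswith("snmp-server user") and " v3 " in line:
            # "auth" without "priv" authenticates but does not encrypt the payload.
            if " auth " in line and " priv " not in line:
                findings.append(f"v3 user {line.split()[2]} has auth but no priv (unencrypted)")
    if not traps_enabled:
        findings.append("no 'snmp-server enable traps' line: trap notifications appear disabled")
    return {"hosts": hosts, "findings": findings}
```

Feed it the output of "show running-config snmp-server" to audit a live box; every finding maps back to one of the steps above (use v3 hosts, avoid guessable community strings, keep traps enabled).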