?
Solved

snmp on cisco firewalls

Posted on 2014-03-18
7
Medium Priority
?
473 Views
Last Modified: 2014-04-18
experts,

I was looking through an asa firewall for a company I contract for. I've noticed these two snmp commands.


snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown

Questions:
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via snmp as long as they know the community string.

2)The 2nd line does not specify ro or rw. By the default is it taking ro?
0
Comment
Question by:trojan81
  • 4
  • 3
7 Comments
 
LVL 26

Expert Comment

by:pony10us
ID: 39937183
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via snmp as long as they know the community string.
 
No. The first line sets the SNMP Trap. The second line actually establishes the community string.

2)The 2nd line does not specify ro or rw. By the default is it taking ro?

No. Again, the second line only establishes the community string.

Please refer to:  http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_snmp.html
0
 

Author Comment

by:trojan81
ID: 39937642
Pony,

the 1st line is specifying "poll", not trap.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39937986
My mistake.  I meant poll

The poll keyword limits the NMS to sending requests (polling) only

Refer to step 4 on the site I mentioned.

Step 5 then sets the community string. The second line you have.
0
Turn Raw Data into a Real Career

There’s a growing demand for qualified analysts who can make sense of Big Data. With an MS in Data Analytics, you can become the data mining, management, mapping, and munging expert that today’s leading corporations desperately need.

 

Author Comment

by:trojan81
ID: 39946839
Pony10us,

I'm still unclear.

Let's revisit this again:

snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown


Line 1 allows 10.161.254.2 to poll the firewall. It also specifies the community string.

So why is line 2 needed?
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39950787
Set the RO community string:

snmp-server community froggy66



Polling set on 10.161.254.2 USING the RO string that was set previously:

snmp-server host inside 10.161.254.2 poll community froggy66


In other words, the second line above simply tells it which community string to use. You could have both a private (RW) and a public (RO) community string.
0
 

Author Comment

by:trojan81
ID: 39955038
Pony,

Am I correct to say that, If this line doesn't exist "snmp-server community froggy66"

then 10.161.254.2 can still poll this device using community string froggy66?
0
 
LVL 26

Accepted Solution

by:
pony10us earned 2000 total points
ID: 39956427
It is my understanding (and the way I was always taught) that you need to set the community string with the "snmp-server community froggy66" command. The default public (RO) community is "public".  You can have multiple community strings although I can't say that it is common.

When entering the "snmp-server host..." command you tell it what community string to use and it ignores all other snmp traffic.  

I may be incorrect, and if so some one can jump in here, but I believe that you need both lines. That is how all of our Cisco devices are configured.

EDIT:  Having said all of that this is quoted from Cisco

Note You can set this string using the snmp-server host command by itself, but Cisco recommends that you define the string using the snmp-server community command prior to using the snmp-server host command.

http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_20.html#wp1094451
0

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

On Feb. 28, Amazon’s Simple Storage Service (S3) went down after an employee issued the wrong command during a debugging exercise. Among those affected were big names like Netflix, Spotify and Expedia.
OnPage has always empowered IT teams but also amplify alerting capabilities. In the following slides you will see 5 features of OnPage that act as important tools for any IT team to resolve incidents faster
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question