Solved

snmp on cisco firewalls

Posted on 2014-03-18
7
427 Views
Last Modified: 2014-04-18
experts,

I was looking through an asa firewall for a company I contract for. I've noticed these two snmp commands.


snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown

Questions:
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via snmp as long as they know the community string.

2)The 2nd line does not specify ro or rw. By the default is it taking ro?
0
Comment
Question by:trojan81
  • 4
  • 3
7 Comments
 
LVL 26

Expert Comment

by:pony10us
ID: 39937183
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via snmp as long as they know the community string.
 
No. The first line sets the SNMP Trap. The second line actually establishes the community string.

2)The 2nd line does not specify ro or rw. By the default is it taking ro?

No. Again, the second line only establishes the community string.

Please refer to:  http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_snmp.html
0
 

Author Comment

by:trojan81
ID: 39937642
Pony,

the 1st line is specifying "poll", not trap.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39937986
My mistake.  I meant poll

The poll keyword limits the NMS to sending requests (polling) only

Refer to step 4 on the site I mentioned.

Step 5 then sets the community string. The second line you have.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:trojan81
ID: 39946839
Pony10us,

I'm still unclear.

Let's revisit this again:

snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown


Line 1 allows 10.161.254.2 to poll the firewall. It also specifies the community string.

So why is line 2 needed?
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39950787
Set the RO community string:

snmp-server community froggy66



Polling set on 10.161.254.2 USING the RO string that was set previously:

snmp-server host inside 10.161.254.2 poll community froggy66


In other words, the second line above simply tells it which community string to use. You could have both a private (RW) and a public (RO) community string.
0
 

Author Comment

by:trojan81
ID: 39955038
Pony,

Am I correct to say that, If this line doesn't exist "snmp-server community froggy66"

then 10.161.254.2 can still poll this device using community string froggy66?
0
 
LVL 26

Accepted Solution

by:
pony10us earned 500 total points
ID: 39956427
It is my understanding (and the way I was always taught) that you need to set the community string with the "snmp-server community froggy66" command. The default public (RO) community is "public".  You can have multiple community strings although I can't say that it is common.

When entering the "snmp-server host..." command you tell it what community string to use and it ignores all other snmp traffic.  

I may be incorrect, and if so some one can jump in here, but I believe that you need both lines. That is how all of our Cisco devices are configured.

EDIT:  Having said all of that this is quoted from Cisco

Note You can set this string using the snmp-server host command by itself, but Cisco recommends that you define the string using the snmp-server community command prior to using the snmp-server host command.

http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_20.html#wp1094451
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
There are many useful and sometimes not well documented or forgotten IOS or ASA/PIX commands. See IPE article here , there was also one on PacketU and on Cisco Tips & Tricks. Below are my favorites. I give also a few most often used for Cisco IPS an…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question