Solved

snmp on cisco firewalls

Posted on 2014-03-18
7
441 Views
Last Modified: 2014-04-18
experts,

I was looking through an asa firewall for a company I contract for. I've noticed these two snmp commands.


snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown

Questions:
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via snmp as long as they know the community string.

2)The 2nd line does not specify ro or rw. By the default is it taking ro?
0
Comment
Question by:trojan81
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 26

Expert Comment

by:pony10us
ID: 39937183
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via snmp as long as they know the community string.
 
No. The first line sets the SNMP Trap. The second line actually establishes the community string.

2)The 2nd line does not specify ro or rw. By the default is it taking ro?

No. Again, the second line only establishes the community string.

Please refer to:  http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_snmp.html
0
 

Author Comment

by:trojan81
ID: 39937642
Pony,

the 1st line is specifying "poll", not trap.
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39937986
My mistake.  I meant poll

The poll keyword limits the NMS to sending requests (polling) only

Refer to step 4 on the site I mentioned.

Step 5 then sets the community string. The second line you have.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:trojan81
ID: 39946839
Pony10us,

I'm still unclear.

Let's revisit this again:

snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown


Line 1 allows 10.161.254.2 to poll the firewall. It also specifies the community string.

So why is line 2 needed?
0
 
LVL 26

Expert Comment

by:pony10us
ID: 39950787
Set the RO community string:

snmp-server community froggy66



Polling set on 10.161.254.2 USING the RO string that was set previously:

snmp-server host inside 10.161.254.2 poll community froggy66


In other words, the second line above simply tells it which community string to use. You could have both a private (RW) and a public (RO) community string.
0
 

Author Comment

by:trojan81
ID: 39955038
Pony,

Am I correct to say that, If this line doesn't exist "snmp-server community froggy66"

then 10.161.254.2 can still poll this device using community string froggy66?
0
 
LVL 26

Accepted Solution

by:
pony10us earned 500 total points
ID: 39956427
It is my understanding (and the way I was always taught) that you need to set the community string with the "snmp-server community froggy66" command. The default public (RO) community is "public".  You can have multiple community strings although I can't say that it is common.

When entering the "snmp-server host..." command you tell it what community string to use and it ignores all other snmp traffic.  

I may be incorrect, and if so some one can jump in here, but I believe that you need both lines. That is how all of our Cisco devices are configured.

EDIT:  Having said all of that this is quoted from Cisco

Note You can set this string using the snmp-server host command by itself, but Cisco recommends that you define the string using the snmp-server community command prior to using the snmp-server host command.

http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_20.html#wp1094451
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question