snmp on cisco firewalls

experts,

I was looking through an ASA firewall for a company I contract for. I've noticed these two SNMP commands.

snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown

Questions:
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via SNMP as long as they know the community string.

2) The 2nd line does not specify RO or RW. By default, is it taking RO?
Asked by: trojan81

1 Solution

pony10us commented:
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via snmp as long as they know the community string.
 
No. The first line sets the SNMP trap. The second line actually establishes the community string.

2) The 2nd line does not specify RO or RW. By default, is it taking RO?

No. Again, the second line only establishes the community string.

Please refer to: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_snmp.html

trojan81 (Author) commented:
Pony,

The 1st line specifies "poll", not trap.

pony10us commented:
My mistake. I meant poll.

The poll keyword limits the NMS to sending requests (polling) only.

Refer to step 4 on the site I mentioned.

Step 5 then sets the community string. The second line you have.
trojan81 (Author) commented:
Pony10us,

I'm still unclear.

Let's revisit this again:

snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown
Line 1 allows 10.161.254.2 to poll the firewall. It also specifies the community string.

So why is line 2 needed?

pony10us commented:
Set the RO community string:

snmp-server community froggy66
Polling set on 10.161.254.2 USING the RO string that was set previously:

snmp-server host inside 10.161.254.2 poll community froggy66


In other words, the second line above simply tells it which community string to use. You could have both a private (RW) and a public (RO) community string.

trojan81 (Author) commented:
Pony,

Am I correct to say that, if this line doesn't exist: "snmp-server community froggy66"

then 10.161.254.2 can still poll this device using community string froggy66?

pony10us commented:
It is my understanding (and the way I was always taught) that you need to set the community string with the "snmp-server community froggy66" command. The default public (RO) community is "public". You can have multiple community strings, although I can't say that it is common.

When entering the "snmp-server host..." command you tell it what community string to use and it ignores all other SNMP traffic.

I may be incorrect, and if so someone can jump in here, but I believe that you need both lines. That is how all of our Cisco devices are configured.

EDIT: Having said all of that, this is quoted from Cisco:

Note: You can set this string using the snmp-server host command by itself, but Cisco recommends that you define the string using the snmp-server community command prior to using the snmp-server host command.

http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_20.html#wp1094451
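As an added audit helper, not code from this thread or from Cisco: the Python below parses the two ASA commands discussed above (`snmp-server community <string>` and `snmp-server host <interface> <ip> [trap|poll] community <string>`) from a config dump and flags host entries whose community string was never defined globally (the case Cisco recommends against), well-known default strings, and defined strings bound to no host. The sample configuration is constructed from the thread plus one extra host line, and the regexes assume the keyword order shown in the thread.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample ASA configuration modelled on the thread (not a real device);
# the 10.161.254.9 trap entry using the default "public" string is added on purpose.
SAMPLE_CONFIG = """
snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server host inside 10.161.254.9 trap community public
snmp-server enable traps snmp authentication linkup linkdown
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)")
# snmp-server host <interface> <ip> [trap|poll] [community <string>] ...
HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+)(?: (trap|poll))?(?: community (\S+))?")


def parse_snmp(config: str) -> Tuple[Set[str], List[Dict[str, str]]]:
    """Collect globally defined community strings and per-NMS host entries."""
    communities: Set[str] = set()
    hosts: List[Dict[str, str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            communities.add(m.group(1))
            continue
        m = HOST_RE.match(line)
        if m:
            iface, ip, mode, community = m.groups()
            # neither keyword given: the host may both poll and receive traps
            hosts.append({"interface": iface, "ip": ip,
                          "mode": mode or "trap+poll", "community": community or ""})
    return communities, hosts


def audit_snmp(config: str) -> List[str]:
    """Return sorted findings a config reviewer would raise about SNMP access."""
    communities, hosts = parse_snmp(config)
    findings: List[str] = []
    referenced = {h["community"] for h in hosts if h["community"]}
    for h in hosts:
        # Cisco recommends defining the string with snmp-server community first
        if h["community"] and h["community"] not in communities:
            findings.append(f"{h['ip']}: community '{h['community']}' not defined "
                            "with snmp-server community")
    for community in communities | referenced:
        if community.lower() in ("public", "private"):
            findings.append(f"community '{community}' is a well-known default string")
    for community in communities - referenced:
        findings.append(f"community '{community}' is defined but bound to no snmp-server host")
    return sorted(findings)
```

Run `audit_snmp(open("asa.cfg").read())` against a saved `show running-config` to review a real device.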