trojan81
asked on
SNMP on Cisco firewalls
Experts,
I was looking through an ASA firewall for a company I contract for. I've noticed these two SNMP commands.
snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown
Questions:
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via SNMP as long as they know the community string.
2) The 2nd line does not specify ro or rw. By default, is it taking ro?
ASKER
Pony,
the 1st line is specifying "poll", not trap.
My mistake. I meant poll.
Refer to step 4 on the site I mentioned.
Step 5 then sets the community string. The second line you have.
The poll keyword limits the NMS to sending requests (polling) only.
ASKER
Pony10us,
I'm still unclear.
Let's revisit this again:
snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown
Line 1 allows 10.161.254.2 to poll the firewall. It also specifies the community string.
So why is line 2 needed?
Set the RO community string:
snmp-server community froggy66
Polling set on 10.161.254.2 USING the RO string that was set previously:
snmp-server host inside 10.161.254.2 poll community froggy66
In other words, the second line above simply tells it which community string to use. You could have both a private (RW) and a public (RO) community string.
ASKER
Pony,
Am I correct to say that, if this line doesn't exist "snmp-server community froggy66"
then 10.161.254.2 can still poll this device using community string froggy66?
ASKER CERTIFIED SOLUTION
No. The first line sets the SNMP Trap. The second line actually establishes the community string.
No. Again, the second line only establishes the community string.
Please refer to: http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_snmp.html
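An added example, not part of the thread and not Cisco's code: a small audit script that reads the snmp-server lines from a saved configuration and reports, for each host line, its interface, address, poll/trap keyword, and whether the community string is written on the host line itself or only on the separate "snmp-server community" line. The function name, the sample input and the subset of host-line syntax it accepts (optional version and udp-port keywords) are assumptions of this example.

```python
import re

# Constructed input: the three snmp-server lines quoted in the thread.
SAMPLE = """\
snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown
"""

# Assumed subset of the host syntax: interface, address, optional poll|trap,
# optional community, optional version (with a user for v3), optional udp-port.
HOST_RE = re.compile(
    r"snmp-server host (?P<ifc>\S+) (?P<ip>\S+)"
    r"(?: (?P<mode>poll|trap))?"
    r"(?: community (?P<community>\S+))?"
    r"(?: version (?P<version>1|2c|3)(?: (?P<user>\S+))?)?"
    r"(?: udp-port (?P<port>\d+))?"
)
DEFAULT_RE = re.compile(r"snmp-server community (?P<community>\S+)")


def audit(config):
    """Return (hosts, findings) for the snmp-server lines in `config`."""
    default, hosts, findings = None, [], []
    # First pass: collect lines, because the default may follow the host lines.
    for line in (raw.strip() for raw in config.splitlines()):
        if m := DEFAULT_RE.fullmatch(line):
            default = m["community"]
        elif m := HOST_RE.fullmatch(line):
            hosts.append(m.groupdict())
    # Second pass: resolve which community string each host line relies on.
    for h in hosts:
        who = f"{h['ifc']}/{h['ip']}"
        h["mode"] = h["mode"] or "unspecified"  # neither keyword on the line
        if h["version"] == "3":
            h["source"], h["effective"] = "v3 user", None
            continue
        h["source"] = "host line" if h["community"] else "default line"
        h["effective"] = h["community"] or default
        findings.append(f"{who}: community-based SNMP, string is sent in cleartext")
        if h["effective"] is None:
            findings.append(f"{who}: no community on the host line and no default")
        elif h["community"] == default:
            findings.append(f"{who}: host line repeats the default community")
    return hosts, findings


if __name__ == "__main__":
    for item in audit(SAMPLE):
        print(item)
```

Run against the lines from the question, it reports one poll-only host on the inside interface whose community string is set on the host line and is identical to the default string.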