Solved

snmp on cisco firewalls

Posted on 2014-03-18
Last Modified: 2014-04-18
Experts,

I was looking through an ASA firewall for a company I contract for. I've noticed these two SNMP commands.


snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown

Questions:
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via SNMP as long as they know the community string.

2) The 2nd line does not specify ro or rw. By default, is it taking ro?
Question by:trojan81

Expert Comment

by:pony10us
ID: 39937183
1) Are lines 1 and 2 redundant? The 2nd line should permit anyone to be able to poll the firewall via snmp as long as they know the community string.
 
No. The first line sets the SNMP Trap. The second line actually establishes the community string.

2) The 2nd line does not specify ro or rw. By default, is it taking ro?

No. Again, the second line only establishes the community string.

Please refer to:  http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_snmp.html

Author Comment

by:trojan81
ID: 39937642
Pony,

the 1st line is specifying "poll", not trap.

Expert Comment

by:pony10us
ID: 39937986
My mistake. I meant poll.

The poll keyword limits the NMS to sending requests (polling) only.

Refer to step 4 on the site I mentioned.

Step 5 then sets the community string. The second line you have.

Author Comment

by:trojan81
ID: 39946839
Pony10us,

I'm still unclear.

Let's revisit this again:

snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown


Line 1 allows 10.161.254.2 to poll the firewall. It also specifies the community string.

So why is line 2 needed?

Expert Comment

by:pony10us
ID: 39950787
Set the RO community string:

snmp-server community froggy66



Polling set on 10.161.254.2 USING the RO string that was set previously:

snmp-server host inside 10.161.254.2 poll community froggy66


In other words, the second line above simply tells it which community string to use. You could have both a private (RW) and a public (RO) community string.

Author Comment

by:trojan81
ID: 39955038
Pony,

Am I correct to say that, if this line doesn't exist "snmp-server community froggy66"

then 10.161.254.2 can still poll this device using community string froggy66?

Accepted Solution

by:
pony10us earned 500 total points
ID: 39956427
It is my understanding (and the way I was always taught) that you need to set the community string with the "snmp-server community froggy66" command. The default public (RO) community is "public".  You can have multiple community strings although I can't say that it is common.

When entering the "snmp-server host..." command you tell it what community string to use and it ignores all other snmp traffic.  

I may be incorrect, and if so someone can jump in here, but I believe that you need both lines. That is how all of our Cisco devices are configured.

EDIT: Having said all of that, this is quoted from Cisco:

Note: You can set this string using the snmp-server host command by itself, but Cisco recommends that you define the string using the snmp-server community command prior to using the snmp-server host command.

http://www.cisco.com/c/en/us/td/docs/ios/netmgmt/command/reference/nm_book/nm_20.html#wp1094451
0
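For reviewing a configuration like the one in this thread, the sketch below resolves which community string each `snmp-server host` entry ends up with and flags what a reviewer would question. It is an added example, not code from any poster or from Cisco; `audit_snmp` is a hypothetical helper, and it assumes a host line without its own string falls back to the global `snmp-server community` value.

```python
import re

# Constructed sample: the three lines quoted in the question.
SAMPLE_CONFIG = """\
snmp-server host inside 10.161.254.2 poll community froggy66
snmp-server community froggy66
snmp-server enable traps snmp authentication linkup linkdown
"""

HOST_RE = re.compile(
    r"^snmp-server host (?P<ifc>\S+) (?P<ip>\S+)"
    r"(?: (?P<mode>poll|trap))?"
    r"(?: community (?P<community>\S+))?"
    r"(?: version (?P<version>\S+))?"
)
GLOBAL_RE = re.compile(r"^snmp-server community (?P<community>\S+)")


def audit_snmp(config: str) -> dict:
    """Return the SNMP managers, the global community and review findings."""
    hosts, global_comm, findings = [], None, []
    for line in (raw.strip() for raw in config.splitlines()):
        if m := GLOBAL_RE.match(line):
            global_comm = m["community"]
        elif m := HOST_RE.match(line):
            hosts.append(m.groupdict())
    # Resolve hosts after the whole file is read: line order does not matter.
    for h in hosts:
        who = f'{h["ifc"]}/{h["ip"]}'
        if h["version"] == "3":
            # SNMPv3 hosts authenticate with a user, not a community string.
            h["source"], h["effective"] = "v3-user", None
            continue
        # Assumption: a host line without its own string uses the global one.
        h["source"] = "host" if h["community"] else "global" if global_comm else "none"
        h["effective"] = h["community"] or global_comm
        if h["source"] == "none":
            findings.append(f"{who}: no community string resolves for this host")
        if h["community"] and h["community"] == global_comm:
            findings.append(f"{who}: host string repeats the global community")
        findings.append(f"{who}: community-based SNMP, string is sent in cleartext")
    return {"hosts": hosts, "global": global_comm, "findings": findings}
```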