Solved

Secure SNMP with ACL on Cisco Router

Posted on 2014-11-28
9
330 Views
Last Modified: 2014-11-28
I am trying to secure SNMP connections to a specific IP address on a cisco 2821 router but am having issues.  I thought the below config would would secure it but i must be missing something.  Any suggestions?

access-list 12 permit 10.x.x.x
access-list 12 deny any

snmp-server community "public" RO 12

Thanks,
0
Comment
Question by:timkrampe1
  • 4
  • 3
  • 2
9 Comments
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470506
I did not apply that to the interface.
0
 
LVL 24

Expert Comment

by:Ken Boone
ID: 40470534
One comment.  You probably used "Public" as an example.  But if you didn't use something other than public.
0
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470539
Public was just an example.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 24

Expert Comment

by:Ken Boone
ID: 40470543
Excellent.. just checking! ;)
0
 
LVL 27

Expert Comment

by:Predrag Jovic
ID: 40470571
Your config should work OK, but in some versions Cisco says that config need to be a little different.
Maybe that's your case.
Go to page 4
0
 
LVL 1

Author Comment

by:timkrampe1
ID: 40470834
Following that guide didn't work either.  If i add the above ACL to an interface could it block all traffic except port 161?
0
 
LVL 27

Accepted Solution

by:
Predrag Jovic earned 500 total points
ID: 40470856
Yes, you can add ACL to interface, but you need to allow traffic to other destinations and forbid just access to router from that network, block all traffic except port 161 will kill traffic completely.
I think some variation on next extended ACL can be used
- permit access to router from host address //host(s) that need to access router - maintenance, network monitoring etc
- deny access to router from rest of network
- permit any any //to allow fraffic to other destinations
0
 
LVL 1

Author Closing Comment

by:timkrampe1
ID: 40470981
Setting the ACL on the interface did the trick.  Thanks.

Basic config is:

access-list 100 deny   udp any any eq 161

access-list 100 permit ip any any

int xx
ip access-group 100 in
ip access-group 100 out
0
 
LVL 27

Expert Comment

by:Predrag Jovic
ID: 40471315
I don't think that you need to apply ACL in both directions, of course that depend on network design, but I guess ip access group 100 in should be enough. That will save a few CPU cycles, that router might need someday.  :)
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

825 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question