This article is all about SNMP in ASA. ASA has much less configuration options than IOS does, and this is good. Starting version 8.2 ASA supports version 3 of the SNMP protocol which adds new security model to the whole SNMP stack. But first we will start with old fashioned SNMP v2c (c is for ‘community’) . It takes about 15 secs to do it:
snmp-server location “935 Pennsylvania Avenue, NW” snmp-server contact “Don’t call us we’ll call you” snmp-server community ***** // Note this community will be used if more specific one isn’t given per host snmp-server enable traps snmp authentication linkup linkdown coldstart //specific traps snmp-server enable // you enable server snmp-server listen-port 161 // in case you want to change, who knows … snmp-server host outside 188.8.131.52 community ****** version 1 udp-port 162 // only now SNMP polling is enabled and to the given host , also version 1 and port 162 on SNMP management (184.108.40.206) to send traps no snmp-server enable traps ipsec start stop // To disable specific traps
As you already know this setup will exchange community strings in clear text and also no packet is cryptographically authenticated/verified. What a shame for “Adaptive Security Appliance” . The fix is on the way. It is called SNMP v3 and has 3 security levels to choose from: noAuthNoPriv – packets are neither authenticated nor encrypted . Basically the model used so far by SNMP v1 and v2c – everything clear text.
authNoPriv - packets are authenticated , that is user is sent in clear text but its password is not , (configurable) MD5 or SHA algorithm.
authPriv - the highest level, all SNMP packets are both authenticated using MD5 or SHA and their content is encrypted with DES/3DES/AES (128,196,256) algorithm.
Using the list above let’s configure our ASA for each level . General steps:
- Configure snmp-server group for every security level you want to use ;
- Creatre user for each security level you wan to use and assign it to the snmp-server group of your choice
- Create usual snmp-server host entry but adding version 3 and username to be used by this host. NOTE You can have only one such command per host but no matter which out of 3 security levels you specify in this command it will allow the other 2 to be used in querying as well
snmp-server group v3-noauth v3 noauth snmp-server user Jambo v3-noauth v3 snmp-server host outside 220.127.116.11 version 3 Jambo
Querying the ASA:
snmpwalk -v 3 -u Jambo -l noauthnopriv 18.104.22.168
snmp-server group V3-auth v3 auth snmp-server user AUTH V3-auth v3 auth md5 12345678
Minimum pass length is 8 , and while ASA seems not to care it is a violation and snmpwalk will complain on pass < 8 and bail out .
snmp-server host outside 22.214.171.124 version 3 AUTH
Querying the ASA:
snmpwalk -v 3 -u AUTH -a md5 -A 12345678 -l authnopriv 126.96.36.199
Here everything will be encrypted.
snmp-server group v3-priv v3 priv snmp-server user very_secure v3-priv v3 auth md5 12345678 v3-priv v3 auth md5 12345678 priv aes 128 12345678 snmp-server host outside 188.8.131.52 version 3 very_secure
N.B. To my surprise there is no such thing as debug snmp . Actually it does exist, but entering this command gives no error and produces no debug either. Noticed by the way. In logs you can see all the passwords you entered while configuring SNMP, not very secure I would rather say .
(config)# sh log | grep snmp
%ASA-5-111008: User 'enable_15' executed the 'snmp-server user AUTH V3-auth v3 auth md5 12345678' command.