ASA 8.2 now speaks SNMP v3 decently
This article is all about SNMP on the ASA. The ASA has far fewer configuration options than IOS does, and this is a good thing. Starting with version 8.2, the ASA supports version 3 of the SNMP protocol, which adds a new security model to the whole SNMP stack. But first we start with old-fashioned SNMP v2c (the c stands for ‘community’). It takes about 15 seconds to do:
snmp-server location “935 Pennsylvania Avenue, NW”
snmp-server contact “Don’t call us we’ll call you”
snmp-server community ***** // this community is used when no more specific one is given per host
snmp-server enable traps snmp authentication linkup linkdown coldstart // enable specific traps
snmp-server enable // enable the agent itself
snmp-server listen-port 161 // in case you want to change it, who knows …
snmp-server host outside 195.95.193.8 community ****** version 1 udp-port 162 // only now is SNMP polling enabled, and only from the given host; traps are sent to the SNMP management station (195.95.193.8) as version 1 to UDP port 162
no snmp-server enable traps ipsec start stop // to disable specific traps
As you already know, this setup exchanges community strings in clear text, and no packet is cryptographically authenticated or verified. What a shame for an “Adaptive Security Appliance”. The fix is on the way: it is called SNMP v3 and has 3 security levels to choose from:
- noAuthNoPriv – packets are neither authenticated nor encrypted. Basically the model used so far by SNMP v1 and v2c: everything in clear text.
- authNoPriv – packets are authenticated: the username is sent in clear text but its password is not, using a (configurable) MD5 or SHA algorithm.
- authPriv – the highest level: all SNMP packets are both authenticated using MD5 or SHA and their content is encrypted with the DES/3DES/AES (128,196,256) algorithm.
Using the list above, let’s configure our ASA for each level. General steps:
- Configure an snmp-server group for every security level you want to use;
- Create a user for each security level you want to use and assign it to the snmp-server group of your choice;
- Create the usual snmp-server host entry, but add version 3 and the username to be used by this host. NOTE: you can have only one such command per host, but no matter which of the 3 security levels you specify in this command, the other 2 can be used for querying as well.
noAuthNoPriv.
snmp-server group v3-noauth v3 noauth
snmp-server user Jambo v3-noauth v3
snmp-server host outside 199.252.47.11 version 3 Jambo
Querying the ASA:
snmpwalk -v 3 -u Jambo -l noauthnopriv 155.7.145.89
authNoPriv.
snmp-server group V3-auth v3 auth
snmp-server user AUTH V3-auth v3 auth md5 12345678
The minimum password length is 8; while the ASA seems not to care, it is a violation of the standard, and snmpwalk will complain about a password shorter than 8 characters and bail out.
snmp-server host outside 199.252.47.11 version 3 AUTH
Querying the ASA:
snmpwalk -v 3 -u AUTH -a md5 -A 12345678 -l authnopriv 155.7.145.89
authPriv.
Here everything will be encrypted.
snmp-server group v3-priv v3 priv
snmp-server user very_secure v3-priv v3 auth md5 12345678 priv aes 128 12345678
snmp-server host outside 199.252.47.11 version 3 very_secure
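The three levels above map onto a handful of config lines, so a small audit script is enough to tell apart a device that really runs authPriv from one that only looks like it. The POSIX shell script below is an added example, not Cisco tooling and not from the original post; it reads a constructed ASA `snmp-server` excerpt (the sample config, user names and passphrases are made up to mimic the command syntax shown above) and flags v1/v2c communities, v3 groups and users below authPriv, MD5/DES use, and passwords shorter than the 8-character minimum the post mentions.

```shell
#!/bin/sh
# Added audit helper (not Cisco's tooling, not from the original post): reads an
# ASA "snmp-server" configuration excerpt on stdin and prints one finding per
# line, tagged WEAK or INFO, for the settings the post describes as weak.
set -f   # no globbing while config lines are split into words

# Constructed sample config (assumption: mimics the post's command syntax).
SAMPLE_CONFIG='snmp-server community public
snmp-server host outside 195.95.193.8 community public version 1 udp-port 162
snmp-server group v3-noauth v3 noauth
snmp-server user Jambo v3-noauth v3
snmp-server group V3-auth v3 auth
snmp-server user AUTH V3-auth v3 auth md5 1234567
snmp-server group v3-priv v3 priv
snmp-server user very_secure v3-priv v3 auth sha LongerPassphrase1 priv aes 256 LongerPassphrase2
snmp-server host outside 199.252.47.11 version 3 very_secure
snmp-server enable'

# check_user_line LINE: inspect one
#   snmp-server user NAME GROUP v3 [auth ALG PASS [priv ALG [BITS] PASS]]
# line and report the security level it really provides.
check_user_line() {
  set -- $1
  user=$3
  shift 5                       # drop: snmp-server user NAME GROUP v3
  if [ "$1" != "auth" ]; then
    echo "WEAK: user $user has no authentication (noAuthNoPriv)"
    return 0
  fi
  authalg=$2; authpass=$3
  if [ "$authalg" = "md5" ]; then
    echo "INFO: user $user authenticates with MD5; prefer SHA"
  fi
  if [ ${#authpass} -lt 8 ]; then
    echo "WEAK: user $user auth password is shorter than 8 characters"
  fi
  shift 3                       # drop: auth ALG PASS
  if [ "$1" != "priv" ]; then
    echo "INFO: user $user is authNoPriv (queries are not encrypted)"
    return 0
  fi
  case "$2" in
    aes) privpass=$4 ;;         # aes takes a key size before the password
    *)   privpass=$3
         echo "WEAK: user $user uses $2 for privacy; prefer AES" ;;
  esac
  if [ ${#privpass} -lt 8 ]; then
    echo "WEAK: user $user priv password is shorter than 8 characters"
  fi
  return 0
}

# audit_snmp_config: read config on stdin, print one finding per line.
audit_snmp_config() {
  while IFS= read -r line; do
    case "$line" in
      "snmp-server community "*)
        echo "WEAK: global v2c community (sent in clear text): $line" ;;
      "snmp-server host "*" community "*)
        echo "WEAK: v1/v2c host entry (clear-text community): $line" ;;
      "snmp-server group "*" v3 noauth")
        echo "WEAK: v3 group without authentication: $line" ;;
      "snmp-server group "*" v3 auth")
        echo "INFO: v3 group authenticates but does not encrypt: $line" ;;
      "snmp-server user "*)
        check_user_line "$line" ;;
    esac
  done
  return 0
}

# count_findings LEVEL: audit SAMPLE_CONFIG and count findings of that level.
count_findings() {
  printf '%s\n' "$SAMPLE_CONFIG" | audit_snmp_config | grep -c "^$1:"
}

# Usage: pipe "show running-config | include snmp-server" into the function.
printf '%s\n' "$SAMPLE_CONFIG" | audit_snmp_config
```

Run against the constructed sample, the script reports five WEAK findings (the global community, the v1 host entry, the noauth group, the unauthenticated user Jambo, and the 7-character auth password) and three INFO findings; only the authPriv user `very_secure` with SHA and AES passes clean. On a real box, feed it the output of `show running-config | include snmp-server` instead of the sample.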
N.B. To my surprise, there is no such thing as debug snmp. Actually it does exist, but entering this command gives no error and produces no debug output either. Noticed by the way: in the logs you can see all the passwords you entered while configuring SNMP, not very secure, I would rather say.
(config)# sh log | grep snmp
%ASA-5-111008: User 'enable_15' executed the 'snmp-server user AUTH V3-auth v3 auth md5 12345678' command.
Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.