snmp-map in ASA is for passing through traffic only


I don’t know who to blame, me for not being attentive or the Cisco documentation for being vague, but when I read about snmp-map inspection, which lets you selectively block traffic by SNMP version, I decided it was the way to protect the ASA itself from such queries. Only with the help of the Netpro forum at Cisco.com did I learn that this feature is designed to inspect SNMP traffic that passes THROUGH the ASA, not traffic destined to the ASA itself. So if you want to limit which SNMP version the ASA will use to answer queries, use the usual snmp-server host … For those who do want to block SNMP of, say, version 1 and 2c passing through the ASA, here is how:

Louvre(config)# snmp-map no-v1or2-here
deny version 1
deny version 2c

Now define with an access-list what traffic to inspect; you may use specific IPs or just the general SNMP ports, UDP 161 and 162:

Louvre# sh run access-list no-v1or2-here

access-list no-v1or2-here extended permit udp any any eq snmptrap
access-list no-v1or2-here extended permit udp any any eq snmp

Bind the ACL to a class-map:

Louvre(config)# class-map snmp-block-v2or1
match access-list no-v1or2-here

Use the class-map in a policy-map, enabling snmp-map inspection:

Louvre(config)# policy-map no-snmp-v2or1
class snmp-block-v2or1
inspect snmp no-v1or2-here

And finally, apply the policy-map to an interface:

Louvre(config)# service-policy no-snmp-v2or1 interface outside
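As an added example (not from the post or from Cisco), a small Python audit that parses a running-config and resolves the service-policy -> policy-map -> class-map -> snmp-map chain, reporting per interface which SNMP versions are dropped for through traffic; it also shows that a mistyped binding or a dangling reference yields no inspection at all. The config text is a constructed sample assembled from the commands above.

```python
import re

# Constructed sample: the post's commands as they would appear in a running-config.
ASA_CONFIG = """
snmp-map no-v1or2-here
 deny version 1
 deny version 2c
access-list no-v1or2-here extended permit udp any any eq snmptrap
access-list no-v1or2-here extended permit udp any any eq snmp
class-map snmp-block-v2or1
 match access-list no-v1or2-here
policy-map no-snmp-v2or1
 class snmp-block-v2or1
  inspect snmp no-v1or2-here
service-policy no-snmp-v2or1 interface outside
"""

def parse_asa(config):
    # Walk the config once, tracking which block (snmp-map, class-map, policy-map) we are in.
    snmp_maps, class_maps, policy_maps, bindings = {}, {}, {}, {}
    cur_kind = cur_name = cur_class = None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"snmp-map (\S+)", line):
            cur_kind, cur_name = "snmp", m[1]
            snmp_maps[cur_name] = set()
        elif m := re.match(r"class-map (\S+)", line):
            cur_kind, cur_name = "class", m[1]
        elif m := re.match(r"policy-map (\S+)", line):
            cur_kind, cur_name = "policy", m[1]
        elif m := re.match(r"service-policy (\S+) interface (\S+)", line):
            bindings[m[2]] = m[1]  # a missing space here leaves the line unparsed, as on a real ASA
        elif cur_kind == "snmp" and (m := re.match(r"deny version (\S+)", line)):
            snmp_maps[cur_name].add(m[1])
        elif cur_kind == "class" and (m := re.match(r"match access-list (\S+)", line)):
            class_maps[cur_name] = m[1]
        elif cur_kind == "policy" and (m := re.match(r"class (\S+)", line)):
            cur_class = m[1]
        elif cur_kind == "policy" and (m := re.match(r"inspect snmp (\S+)", line)):
            policy_maps.setdefault(cur_name, {})[cur_class] = m[1]
    return snmp_maps, class_maps, policy_maps, bindings

def transit_snmp_denials(config):
    # Per interface: (ACL selecting the flows, SNMP versions dropped) for THROUGH traffic only.
    snmp_maps, class_maps, policy_maps, bindings = parse_asa(config)
    result = {}
    for iface, pmap in bindings.items():
        for cls, smap in policy_maps.get(pmap, {}).items():
            if cls in class_maps and smap in snmp_maps:  # skip dangling references
                result[iface] = (class_maps[cls], sorted(snmp_maps[smap]))
    return result
```

Nothing this reports applies to SNMP queries aimed at the ASA's own addresses; those are governed by snmp-server host, as the post explains.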