The Simple Network Management Protocol (SNMP) manages and monitors networking devices. Cisco ASA SNMP inspection enables packet traffic monitoring between network devices. The Cisco ASA can be configured to deny traffic based on the SNMP packet version. Early versions of SNMP are less secure. Denying SNMPv1 traffic may be required by your security policy. This is done by configuring an SNMP map with the snmp-map command and then associating it to the inspect snmp command, as shown in Example 8-15.

Example 8-15. SNMP Inspection

snmp-map mysnmpmap

 deny version 1

policy-map asa_global_fw_policy

 class inspection_default

 inspect snmp mysnmpmap

In Example 8-15, the Cisco ASA is setup for an snmp map, called mysnmpmap, which denies any SNMPv1 packets. The following are the deny version subcommand options:

  • 1 = SNMP version 1
  • 2 = SNMP version 2 (party based)
  • 2c = SNMP version 2c (community based)
  • 3 = SNMP version 3

Cisco Asa(c) All-in-one Firewall, IPS, And VPN Adaptive Security Appliance
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231
Simiral book on Amazon © 2008-2017.
If you may any questions please contact us: