https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853177#M11391 <P>Hi Seb</P><P>&nbsp;</P><P>Thank you once again for prompt response. I wasn't confident if such solution exist on Cisco ASA hence wanted to verify.&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>RT</P> Thu, 09 May 2019 13:07:15 GMT rthakker 2019-05-09T13:07:15Z https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853038#M11387 <P>Hi,</P><P>&nbsp;</P><P>I was wondering if it is possible to block / deny&nbsp; SNMP SET packets passing through Cisco ASA firewalls as well as targeted to Cisco ASA firewall but allow SNMP Get and Trap from specific host within a network?&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>RT</P> Fri, 21 Feb 2020 17:07:02 GMT https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853038#M11387 rthakker 2020-02-21T17:07:02Z https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853043#M11388 <P>Hi there,</P> <P>The only SNMP inspection that the ASA offers is to permit/deny based on SNMP version.</P> <P>&nbsp;</P> <P>If you want to block SET commands why not just configure the device with SNMP-RO. If you want the SNMP server to be RW for some hosts/ subnets then just apply an ACL to the SNMP community in question.</P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Thu, 09 May 2019 10:30:24 GMT https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853043#M11388 Seb Rupik 2019-05-09T10:30:24Z https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853061#M11389 <P>Hi Seb,</P><P>&nbsp;</P><P>Thank you for the prompt response.</P><P>&nbsp;</P><P>As I have no control on the SNMP Server so I am unable to enforce&nbsp;SNMP policy.&nbsp;</P><P>&nbsp;</P><P>As per security requirements I wanted to secure the network where I must only permit SNMP Get and Traps but deny SNMP Set through the Firewall (directed to and from equipment behind the firewall) as well as directed to the Firewall.&nbsp;I am trying to explore few options (either block on Firewall or introduce SNMP Proxy) to protect network.</P><P>&nbsp;</P><P>Regards</P><P>RT</P> Thu, 09 May 2019 10:50:37 GMT https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853061#M11389 rthakker 2019-05-09T10:50:37Z https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853113#M11390 <P>Certainly the ASA is not capable of inspecting and filtering at the level you require.</P> <P>&nbsp;</P> <P>I have never implemented a SNMP proxy and was under the impression they were used to make a SNMP agents on a private network accessible from a single 'master' SNMP host/agent. If that master host can also provide filtering then that is the option to go for.</P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Thu, 09 May 2019 11:48:49 GMT https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853113#M11390 Seb Rupik 2019-05-09T11:48:49Z https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853177#M11391 <P>Hi Seb</P><P>&nbsp;</P><P>Thank you once again for prompt response. I wasn't confident if such solution exist on Cisco ASA hence wanted to verify.&nbsp;</P><P>&nbsp;</P><P>Regards</P><P>RT</P> Thu, 09 May 2019 13:07:15 GMT https://community.cisco.com/t5/network-security/blocking-snmp-set/m-p/3853177#M11391 rthakker 2019-05-09T13:07:15Z