
Enable SNMP for all hosts on outside interface of ASA

bdf0506
Level 1

I am running an ASA in my lab, outside iface is 192.168.100.50, inside iface is 192.168.70.1.

 

I would like to enable SNMP polling on the outside interface, and would like any other device in my network to be able to poll the ASA for SNMP.

 

It appears that I need to manually whitelist each individual IP that I want to query SNMP, so if I do something like this it will work for the single IP listed:

 

snmp-server host outside 192.168.40.203 community public 

 

But what if I want to allow any host from 192.168.40.0/24 to query SNMP? Is there a way to do this? Or do I need to manually specify each host in my running configuration?

 

As a side note, 192.168.40.0/24 is a range that sits outside the ASA.

3 Replies

Ben Walters
Level 4

In order to specify a network or range of addresses you need to create an object first for that, something like this should work:

 

object network <NAME>
subnet 192.168.40.0 255.255.255.0
snmp-server host-group outside <NAME> poll community public version 2c

 

 

I figured it was something similar to what you described, but no dice on my ASA 5505. It does not support host-group.

 

ASA(config)# snmp-server ?

configure mode commands/options:
  community    Configure the community string
  contact      Text for mib object sysContact
  enable       Enable/Disable snmp-server or particular traps
  group        Define User Security Model Group
  host         Specify hosts to receive SNMP traps and send SNMP polls
  listen-port  Configure the SNMP engine's listening port
  location     Text for mib object sysLocation
  user         Define a user who can access the SNMP engine

Maybe it's because I am running an older version of IOS?

 

ASA# show version 

Cisco Adaptive Security Appliance Software Version 9.1(2) 
Device Manager Version 7.1(3)

Without doing an IOS upgrade, is there any other way to accomplish the ask?

You are correct, it is the versioning; it seems 9.1.5 adds the host-group commands. I found that in a feature enhancement document, so clearly others like yourself had wanted to use groups/networks/ranges.

 

Unfortunately at the current code it is impossible without adding individual hosts. 
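
Added example (not part of the thread and not Cisco code): a Python helper that emits the per-host `snmp-server host` lines a 9.1(2) box needs to cover a whole subnet, or the object plus `host-group` form from the reply when the version is at least 9.1.5, the cut-off stated in the thread. The function names and the object name `SNMP-POLLERS` are assumptions; the command forms are copied from the posts above.

```python
import ipaddress
import re

# First release with `snmp-server host-group`, as stated in the reply above.
HOST_GROUP_MIN = (9, 1, 5)


def parse_asa_version(text):
    """Turn '9.1(2)', '9.1(7)32' or '9.1.5' into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\((\d+)\)\d*|\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised ASA version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or m.group(4) or 0)


def snmp_poll_config(version, interface, cidr, community, obj_name="SNMP-POLLERS"):
    """Return the config lines that let every host in `cidr` poll the ASA.

    obj_name is a hypothetical object name chosen for this example.
    """
    net = ipaddress.IPv4Network(cidr)  # raises ValueError if host bits are set
    if parse_asa_version(version) >= HOST_GROUP_MIN:
        # Newer code: one network object referenced by a single host-group line.
        return [
            f"object network {obj_name}",
            f" subnet {net.network_address} {net.netmask}",
            f"snmp-server host-group {interface} {obj_name} "
            f"poll community {community} version 2c",
        ]
    # Older code: one `snmp-server host` line per usable address in the subnet.
    return [
        f"snmp-server host {interface} {host} community {community}"
        for host in net.hosts()
    ]


if __name__ == "__main__":
    # Values taken from the thread: version 9.1(2), outside interface, 192.168.40.0/24.
    print("\n".join(snmp_poll_config("9.1(2)", "outside", "192.168.40.0/24", "public")))
```

The thread does not say how many `snmp-server host` entries 9.1(2) accepts, so check the generated list against the device before pasting all of it.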

 
