05-09-2019 03:24 AM - edited 02-21-2020 09:07 AM
Hi,
I was wondering if it is possible to block/deny SNMP SET packets passing through Cisco ASA firewalls, as well as those targeted at the Cisco ASA firewall itself, but allow SNMP Get and Trap from a specific host within the network?
Thanks
RT
05-09-2019 03:30 AM
Hi there,
The only SNMP inspection that the ASA offers is to permit/deny based on SNMP version.
If you want to block SET commands, why not just configure the device with an SNMP RO community? If you want the SNMP server to be RW for some hosts/subnets, then just apply an ACL to the SNMP community in question.
cheers,
Seb.
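As an added example of the approach described in the reply above (not configuration from the original post), the fragment below shows the two controls the ASA platform and an IOS device behind it actually offer: a read-only community bound to an ACL on the managed device, a read-only community restricted to the NMS on the ASA itself, and the ASA's version-based SNMP inspection for transit traffic. The management host 10.1.1.5, the optional RW host 10.1.1.6, the interface name `inside`, the community strings and the ACL/map names are all assumptions chosen for illustration.

```cisco
! ===== Device behind the firewall (IOS / IOS-XE) =====
! Assumed NMS address; only this host may poll the agent
access-list 10 permit host 10.1.1.5
access-list 10 deny   any log
!
! Read-only community bound to ACL 10: SET is rejected for every source
! (the community is RO), and GET is only accepted from 10.1.1.5
snmp-server community MONITOR-RO RO 10
!
! Only if some host genuinely needs write access, give it a separate
! community bound to a tighter ACL (assumed host 10.1.1.6)
access-list 11 permit host 10.1.1.6
snmp-server community CONFIG-RW RW 11
!
! Traps are sent to the same NMS
snmp-server host 10.1.1.5 version 2c MONITOR-RO
snmp-server enable traps snmp linkdown linkup coldstart
!
! ===== ASA itself: read-only community, polling only from the NMS =====
snmp-server community MONITOR-RO
snmp-server host inside 10.1.1.5 community MONITOR-RO version 2c
snmp-server enable traps snmp linkdown linkup coldstart
!
! ===== ASA transit traffic: inspection can only filter by SNMP version =====
snmp-map SNMP-NO-V1
 deny version 1
!
policy-map global_policy
 class inspection_default
  inspect snmp SNMP-NO-V1
```

The transit-filtering part is deliberately thin: `snmp-map` only lets you deny by version, so a SetRequest inside an allowed version still passes through the firewall. Blocking SET has to be enforced on the agents themselves (RO community plus ACL, as above). For the ASA's own agent the question is moot, since the ASA's SNMP implementation is read-only and does not act on SET.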
05-09-2019 03:46 AM - edited 05-09-2019 03:50 AM
Hi Seb,
Thank you for the prompt response.
As I have no control over the SNMP server, I am unable to enforce an SNMP policy.
As per the security requirements, I want to secure the network such that only SNMP Get and Traps are permitted and SNMP Set is denied, both through the firewall (directed to and from equipment behind the firewall) and directed at the firewall itself. I am exploring a few options (either blocking on the firewall or introducing an SNMP proxy) to protect the network.
Regards
RT
05-09-2019 04:48 AM
Certainly the ASA is not capable of inspecting and filtering at the level you require.
I have never implemented an SNMP proxy and was under the impression they were used to make SNMP agents on a private network accessible through a single 'master' SNMP host/agent. If that master host can also provide filtering, then that is the option to go for.
cheers,
Seb.
05-09-2019 06:07 AM
Hi Seb
Thank you once again for the prompt response. I wasn't confident that such a solution existed on the Cisco ASA, hence I wanted to verify.
Regards
RT