Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1510
Views
0
Helpful
4
Replies

Blocking SNMP SET

rthakker
Level 1
Level 1

‎05-09-2019 03:24 AM - edited ‎02-21-2020 09:07 AM

Hi,

 

I was wondering if it is possible to block / deny  SNMP SET packets passing through Cisco ASA firewalls as well as targeted to Cisco ASA firewall but allow SNMP Get and Trap from specific host within a network? 

 

Thanks

RT

0 Helpful
4 Replies 4

Seb Rupik
VIP Alumni
VIP Alumni

‎05-09-2019 03:30 AM

Hi there,

The only SNMP inspection that the ASA offers is to permit/deny based on SNMP version.

 

If you want to block SET commands why not just configure the device with SNMP-RO. If you want the SNMP server to be RW for some hosts/ subnets then just apply an ACL to the SNMP community in question.

 

cheers,

Seb.

0 Helpful

rthakker
Level 1
Level 1
In response to Seb Rupik

‎05-09-2019 03:46 AM - edited ‎05-09-2019 03:50 AM

Hi Seb,

 

Thank you for the prompt response.

 

As I have no control on the SNMP Server so I am unable to enforce SNMP policy. 

 

As per security requirements I wanted to secure the network where I must only permit SNMP Get and Traps but deny SNMP Set through the Firewall (directed to and from equipment behind the firewall) as well as directed to the Firewall. I am trying to explore few options (either block on Firewall or introduce SNMP Proxy) to protect network.

 

Regards

RT

0 Helpful

Seb Rupik
VIP Alumni
VIP Alumni
In response to rthakker

‎05-09-2019 04:48 AM

Certainly the ASA is not capable of inspecting and filtering at the level you require.

 

I have never implemented a SNMP proxy and was under the impression they were used to make a SNMP agents on a private network accessible from a single 'master' SNMP host/agent. If that master host can also provide filtering then that is the option to go for.

 

cheers,

Seb.

0 Helpful

rthakker
Level 1
Level 1
In response to Seb Rupik

‎05-09-2019 06:07 AM

Hi Seb

 

Thank you once again for prompt response. I wasn't confident if such solution exist on Cisco ASA hence wanted to verify. 

 

Regards

RT

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card