05-09-2019 03:24 AM - edited 02-21-2020 09:07 AM
Hi,
I was wondering if it is possible to block / deny SNMP SET packets passing through Cisco ASA firewalls, as well as those targeted at the Cisco ASA firewall itself, but allow SNMP Get and Trap from a specific host within the network?
Thanks
RT
05-09-2019 03:30 AM
Hi there,
The only SNMP inspection that the ASA offers is to permit/deny based on SNMP version.
If you want to block SET commands, why not just configure the device with an SNMP RO community? If you want the SNMP server to be RW for some hosts/subnets, then just apply an ACL to the SNMP community in question.
cheers,
Seb.
05-09-2019 03:46 AM - edited 05-09-2019 03:50 AM
Hi Seb,
Thank you for the prompt response.
As I have no control of the SNMP server, I am unable to enforce SNMP policy.
As per security requirements, I want to secure the network: I must only permit SNMP Get and Traps but deny SNMP Set through the firewall (directed to and from equipment behind the firewall), as well as directed at the firewall itself. I am trying to explore a few options (either blocking on the firewall or introducing an SNMP proxy) to protect the network.
Regards
RT
05-09-2019 04:48 AM
Certainly the ASA is not capable of inspecting and filtering at the level you require.
I have never implemented an SNMP proxy and was under the impression they were used to make SNMP agents on a private network accessible from a single 'master' SNMP host/agent. If that master host can also provide filtering, then that is the option to go for.
cheers,
Seb.
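The PDU-level filtering that Seb says the ASA cannot do, and that a filtering SNMP proxy host could do, is sketched below as an added example (not code from this thread or from Cisco): a Python snippet that parses SNMPv1/v2c messages just far enough to read the PDU tag, then applies the policy RT describes: reads only from the monitoring host, traps and informs allowed, SetRequest dropped regardless of source, and anything that does not parse dropped. The monitoring host address 10.0.0.5, the community strings and the sample packets are constructed for the example; SNMPv3 is rejected because its PDU may be encrypted and the proxy would need the credentials to classify it.

```python
# PDU-type filter for SNMPv1/v2c: the check an SNMP proxy in front of the firewall would apply.
# Added example, not code from the thread; the NMS address, community strings and sample
# packets at the bottom are constructed for the example.
# Context-specific BER tags for SNMP PDU types (RFC 1157 for v1, RFC 3416 for v2c).
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "Response",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest",
             0xA6: "InformRequest", 0xA7: "SNMPv2-Trap", 0xA8: "Report"}
READ_PDUS = {"GetRequest", "GetNextRequest", "GetBulkRequest"}
NOTIFY_PDUS = {"Trap", "SNMPv2-Trap", "InformRequest", "Response"}

def _read_tlv(buf, pos):
    """Decode one BER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the length's byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end

def parse_snmp(packet):
    """Read version, community and PDU type from an SNMPv1/v2c message (the UDP payload)."""
    tag, body, end = _read_tlv(packet, 0)
    if tag != 0x30 or end != len(packet):
        raise ValueError("not an SNMP message")
    vtag, vbody, pos = _read_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("missing version")
    version = int.from_bytes(vbody, "big", signed=True)
    if version not in (0, 1):              # 0 = v1, 1 = v2c; v3 is laid out differently and may be encrypted
        raise ValueError(f"unsupported version {version}")
    ctag, community, pos = _read_tlv(body, pos)
    if ctag != 0x04:
        raise ValueError("missing community")
    ptag, _, pos = _read_tlv(body, pos)
    if ptag not in PDU_TYPES or pos != len(body):
        raise ValueError("unknown PDU tag or trailing data")
    return {"version": version, "community": community.decode("latin-1"),
            "pdu_name": PDU_TYPES[ptag]}

def filter_snmp(packet, src_ip, monitoring_hosts):
    """RT's policy: reads only from the monitoring host, notifications allowed,
    SetRequest always denied, anything that does not parse denied (fail closed)."""
    try:
        msg = parse_snmp(packet)
    except ValueError as exc:
        return "deny", f"unparseable: {exc}"
    name = msg["pdu_name"]
    if name == "SetRequest":
        return "deny", "SetRequest blocked by policy"
    if name in READ_PDUS:
        if src_ip in monitoring_hosts:
            return "allow", f"{name} from monitoring host"
        return "deny", f"{name} from unauthorised host {src_ip}"
    if name in NOTIFY_PDUS:               # agent -> manager direction; a real proxy would also
        return "allow", name              # match Responses against outstanding request IDs
    return "deny", f"{name} not permitted"

# Minimal BER encoders, only to build the constructed sample packets below.
def _tlv(tag, payload):
    n = len(payload)                       # sample payloads stay below 256 bytes
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + payload

def _int(v):
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))

def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for sub in parts[2:]:                  # base-128 sub-identifiers, high bit = continuation
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, out)

def build_message(version, community, pdu_tag, request_id, oid, value=b"\x05\x00"):
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + value))   # one varbind, NULL value by default
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(0x30, _int(version) + _tlv(0x04, community) + pdu)

MONITORING_HOSTS = {"10.0.0.5"}            # assumed NMS address
SYSNAME = "1.3.6.1.2.1.1.5.0"
SAMPLE_GET = build_message(1, b"public", 0xA0, 1, SYSNAME)
SAMPLE_SET = build_message(1, b"private", 0xA3, 2, SYSNAME, _tlv(0x04, b"renamed"))
SAMPLE_TRAP = build_message(1, b"public", 0xA7, 3, "1.3.6.1.6.3.1.1.4.1.0",
                            _oid("1.3.6.1.6.3.1.1.5.1"))   # snmpTrapOID.0 = coldStart

def demo():   # verdicts in order: allow, deny (wrong host), deny (SET), allow, deny (truncated)
    return [filter_snmp(SAMPLE_GET, "10.0.0.5", MONITORING_HOSTS),
            filter_snmp(SAMPLE_GET, "192.0.2.9", MONITORING_HOSTS),
            filter_snmp(SAMPLE_SET, "10.0.0.5", MONITORING_HOSTS),
            filter_snmp(SAMPLE_TRAP, "10.1.1.20", MONITORING_HOSTS),
            filter_snmp(b"\x30\x02\x02", "10.0.0.5", MONITORING_HOSTS)]
```

A read-only community on the agent, as Seb suggests, rejects a SET only after the packet has reached the device; the filter above refuses to forward it at all, which is what RT's requirement calls for. It classifies on PDU type and source address alone; a production proxy would also track request IDs so that Responses only go back to the manager that sent the matching request, and would log the SETs it drops.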
05-09-2019 06:07 AM
Hi Seb
Thank you once again for the prompt response. I wasn't confident that such a solution exists on Cisco ASA, hence I wanted to verify.
Regards
RT