1094 Views | 0 Helpful | 2 Replies

Is it possible to restrict SNMP access through firewall

jsimpson99
Level 1

My apologies if there is already an answered discussion about this that I didn't find.

In addition to just limiting the IP addresses allowed to have access and the TCP/UDP port and direction of access, is it possible to further restrict SNMP traffic through an ASA firewall? Example 1: Can IP address IP_A on network A be forcibly limited to have only read-only SNMP polling access to IP_B on network B on the other side of an ASA firewall, regardless of the community string it issues (or the configuration of device IP_B)?

     IP_A   ------- FW -------- IP_B

Example 2: Can IP address IP_A on network A be forcibly limited to have only read-only access to a specific OID via SNMP polling access to IP_B on network B on the other side of an ASA firewall, regardless of the community string it issues (or the configuration of device IP_B)?

     IP_A ------>  FW ------> IP_B

It looks like IOS 10.3 and above allow devices to have such access limiting. I was wondering if this could also be done via ASA for any end device.

Thanks

Jim

2 Replies

Marvin Rhoads
Hall of Fame

No.

An ASA can, as you noted, restrict source and destination IP and port. To do what you are asking, one would need to prevent a string within the payload from being transmitted (or only accept certain strings).

You should just put the access-list on the destination device(s) restricting what host(s) are allowed snmp rw (as you alluded to). That's a very common implementation straight out of the textbook.

Thank you. This is what I expected. I was hoping the ASA could inspect the SNMP protocol and provide further restriction to the access, so as not to have to rely on what the end device could do (or not do) in this regard.

Jim
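The split Marvin describes, with the ASA limiting only source, destination and port and the polled device enforcing read-only access to a chosen OID subtree, as an added configuration example that is not from the original thread. The addresses (10.0.1.10 for IP_A, 10.0.2.20 for IP_B), interface names, ACL and view names are constructed for illustration, and the community string is a placeholder.

```cisco
! ---- ASA: the firewall can only match addresses, protocol and port ----
! Permit SNMP polls (UDP/161) from IP_A to IP_B and nothing else from that host.
access-list INSIDE_TO_B extended permit udp host 10.0.1.10 host 10.0.2.20 eq snmp
access-list INSIDE_TO_B extended deny ip host 10.0.1.10 any log
access-group INSIDE_TO_B in interface inside
! The ASA does not see community strings or OIDs, so RO vs RW is NOT enforced here.

! ---- IP_B (IOS device), weak configuration seen in the field ----
! A single read-write community with no ACL: any host the firewall lets through
! can read and write every OID.
snmp-server community <RW-STRING-PLACEHOLDER> RW

! ---- IP_B (IOS device), hardened: host ACL + read-only view ----
! Only IP_A may use the community; every other source is denied and logged.
access-list 10 permit host 10.0.1.10
access-list 10 deny any log

! Restrict the view to the interfaces subtree (1.3.6.1.2.1.2) for Example 2.
snmp-server view IFACE-ONLY 1.3.6.1.2.1.2 included

! Bind the read-only community to the view and to ACL 10. No RW community exists,
! so a polling host cannot gain write access whatever string it guesses.
snmp-server community <RO-STRING-PLACEHOLDER> view IFACE-ONLY RO 10
```

The ASA rule delivers Example 1's transport restriction; the `view` and `RO ... 10` on IP_B are what actually answer Examples 1 and 2, which is why the thread's advice is to configure the end device.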
