10-18-2006 11:26 AM - edited 02-21-2020 01:14 AM
We recently enabled SNMP on our PIX 515 firewall to allow monitoring of the bandwidth by a network monitoring package. All was running fine for 4 weeks until last night. Our PIX was unresponsive to even a console session. This happened several times throughout the night almost like a DOS attack was occurring.
We called Cisco this morning and they said that there is a hidden password that gets activated when SNMP is enabled that hackers try to expose. I have found no reference to this anywhere. Can anyone confirm this to be true?
Is anyone else out there using SNMP to monitor their PIX box? I know about the prior SNMP vulnerability, but that affects 6.1(1) and below...we're running 6.3(5). We were not using access lists to control the SNMP traffic so could this be the cause of the attack? Ever since we have disabled SNMP on the PIX, we no longer have an issue. Any help or advice would be greatly appreciated. Thanks!
10-18-2006 12:14 PM
I've been running SNMP on our PIXes for a couple of years w/no problems. I do use restrictions though.
'snmp-server host inside 10.1.2.3 poll'
I have never heard of a hidden password. Did they tell you what the password is?
10-19-2006 04:48 AM
Are you using any access list restrictions as well? Cisco is now saying it's a hardware issue and they're sending out a replacement PIX, but I still think we're getting DOS attacks either on our Edge Router (1721) or from some other external facing server. I'm just trying to gather some evidence that the SNMP on the PIX was not the issue we are seeing now.
10-19-2006 07:11 AM
Yes I am using ACLs. You could turn on NBAR on the 1721 and see if it's SNMP. A sniffer might be even better.
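The sniffer approach suggested in the last reply, sketched as an added example that is not part of the thread or any poster's code: it tallies port-161 packets sent to the firewall per source from text output of `tcpdump -n -tt -q`, and lists sources that are not configured pollers. The firewall address 10.1.1.1, the capture lines and the function names are constructed for illustration; 10.1.2.3 is the poller from the `snmp-server host` line quoted above.

```python
import re
from collections import Counter, defaultdict

# One IPv4 line of `tcpdump -n -tt -q` text output, for example:
# 1161212400.100000 IP 10.1.2.3.40000 > 10.1.1.1.161: UDP, length 43
LINE = re.compile(
    r"^(?P<ts>\d+)(?:\.\d+)? IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def snmp_summary(lines, firewall_ip, allowed_pollers):
    """Per-source count and peak packets/second of port-161 traffic to the firewall."""
    per_second = defaultdict(Counter)  # src -> {whole-second timestamp: packets}
    for line in lines:
        m = LINE.match(line)
        if not m or m["dst"] != firewall_ip or m["dport"] != "161":
            continue  # skip replies, other ports and lines that do not parse
        per_second[m["src"]][m["ts"]] += 1
    return {
        src: {
            "packets": sum(secs.values()),
            "peak_pps": max(secs.values()),
            "allowed": src in allowed_pollers,
        }
        for src, secs in per_second.items()
    }

def unexpected_sources(summary):
    """Sources that sent SNMP to the firewall but are not configured pollers."""
    return sorted(src for src, s in summary.items() if not s["allowed"])

# Constructed capture lines (not taken from the thread).
SAMPLE = [
    "1161212400.100000 IP 10.1.2.3.40000 > 10.1.1.1.161: UDP, length 43",
    "1161212400.900000 IP 198.51.100.77.5311 > 10.1.1.1.161: UDP, length 60",
    "1161212400.910000 IP 198.51.100.77.5312 > 10.1.1.1.161: UDP, length 60",
    "1161212400.920000 IP 198.51.100.77.5313 > 10.1.1.1.161: UDP, length 60",
    "1161212401.100000 IP 10.1.1.1.161 > 10.1.2.3.40000: UDP, length 50",
    "1161212460.100000 IP 10.1.2.3.40001 > 10.1.1.1.161: UDP, length 43",
    "1161212461.000000 IP 198.51.100.77.5314 > 10.1.1.1.53: UDP, length 30",
]
FIREWALL = "10.1.1.1"   # hypothetical PIX interface address
POLLERS = {"10.1.2.3"}  # the host allowed by `snmp-server host inside 10.1.2.3 poll`

if __name__ == "__main__":
    summary = snmp_summary(SAMPLE, FIREWALL, POLLERS)
    for src, stats in sorted(summary.items()):
        print(src, stats)
    print("not a configured poller:", unexpected_sources(summary))
```

A source listed as unexpected, or a high peak rate from any source, is the kind of evidence the poster was asking for when trying to decide whether SNMP traffic was involved.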