08-25-2010 11:07 PM - edited 03-11-2019 11:30 AM
Hello everyone,
I am trying to use the snmp-map feature to block a specific SNMP version and somehow it doesn't work. Am I missing something, or have I got it wrong?
My only thought is that the command snmp-server host xxxxx overrides the snmp-map, but then what is the sense of snmp-map?
Info:
ASA 5510, image asa821-11-k8.bin
My snmp station from which I query the ASA is 2.2.2.2
snmp-map no-v3-here
deny version 3
# sh run access-list no-v3
access-list no-v3 extended permit udp any any eq snmptrap
access-list no-v3 extended permit udp any any eq snmp
class-map snmp-block-v3
match access-list no-v3
policy-map no-snmp-v3
class snmp-block-v3
inspect snmp no-v3-here
service-policy no-snmp-v3 interface outside
I tried specifying version 2c of SNMP and applying it to the global service policy; no help.
I can still query this ASA by all snmp versions that are enabled on it.
SNMP configs:
snmp-server group V3-auth v3 auth
snmp-server group v3-priv v3 priv
snmp-server group v3-noauth v3 noauth
snmp-server user AUTH V3-auth v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxx
snmp-server user Mambo v3-noauth v3
snmp-server user very_secure v3-priv v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxxxx
snmp-server host outside 1.1.1.1 community ***** version 1 udp-port 162
snmp-server host outside 2.2.2.2 version 3 very_secure udp-port 162
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
no snmp-server enable traps ipsec start stop
no snmp-server enable traps entity config-change fru-insert fru-remove
no snmp-server enable traps remote-access session-threshold-exceeded
snmp-server enable
snmp-server listen-port 161
Thanks.
08-26-2010 09:13 AM
Hi Yuri,
The snmp-map/inspection is only applied for SNMP traffic passing *through* the ASA (i.e. the client and server are on opposite sides of the ASA). To disable SNMPv3 support for traffic *to* the ASA, you can adjust the snmp-server host and snmp-server group commands to not include v3.
Hope that helps.
-Mike
08-26-2010 09:23 AM
Are you trying to deny snmp version 3 for query to the ASA or through the ASA? Please note that the snmp-map command is only for traffic through the box. If you want to disable snmp query to the box, then you need to disable the snmp-server by 'no snmp-server enable'.
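Both answers make the same point: the snmp-map inspection governs SNMP passing through the firewall, while what the ASA itself answers is decided by the snmp-server host, group, user and community lines. The audit script below is an added example, not code from the thread or from Cisco. It parses the 8.2-style snmp-server syntax shown in the question (a constructed copy of that section, with the masked hashes and community strings kept as posted) and reports which versions the box will answer, which lines keep SNMPv3 reachable, and which v3 groups are configured with noauth. The regexes and the "default" label for a host line without a version keyword are assumptions of this script, not a statement of ASA defaults.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the SNMP section of the config posted in the question,
# with hashes and community strings masked exactly as in the post.
SAMPLE_CONFIG = """\
snmp-map no-v3-here
 deny version 3
snmp-server group V3-auth v3 auth
snmp-server group v3-priv v3 priv
snmp-server group v3-noauth v3 noauth
snmp-server user AUTH V3-auth v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxx
snmp-server user Mambo v3-noauth v3
snmp-server user very_secure v3-priv v3 encrypted auth md5 xxxxxxxxxxxxxxxxxxxxx
snmp-server host outside 1.1.1.1 community ***** version 1 udp-port 162
snmp-server host outside 2.2.2.2 version 3 very_secure udp-port 162
snmp-server community *****
snmp-server enable
snmp-server listen-port 161
"""

# Patterns for the command forms seen in the post (assumed, not exhaustive).
HOST_RE = re.compile(r"^snmp-server host \S+ (\S+)(.*)$")
GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (auth|priv|noauth)\b")
USER_RE = re.compile(r"^snmp-server user \S+ \S+ v3\b")
MAP_DENY_RE = re.compile(r"^deny version (1|2c|3)$")


def audit_snmp_to_box(config: str) -> Dict[str, object]:
    """Summarise which SNMP versions the ASA itself will answer and which
    lines keep SNMPv3 alive toward the box.  The snmp-map 'deny version'
    lines are collected separately because, as the answers explain, they
    only govern SNMP passing *through* the firewall."""
    enabled = False
    poll_versions: Set[str] = set()
    v3_lines: List[str] = []
    v3_hosts: List[str] = []
    noauth_groups: List[str] = []
    map_denies: List[str] = []

    for raw in config.splitlines():
        line = raw.strip()
        if line == "snmp-server enable":
            enabled = True
        elif (m := HOST_RE.match(line)):
            ver = re.search(r"\bversion (1|2c|3)\b", m.group(2))
            # "default" is this script's label for a host line with no
            # version keyword; it does not assert what the ASA defaults to.
            label = ("v" + ver.group(1)) if ver else "default"
            poll_versions.add(label)
            if label == "v3":
                v3_hosts.append(m.group(1))
                v3_lines.append(line)
        elif (m := GROUP_RE.match(line)):
            v3_lines.append(line)
            if m.group(2) == "noauth":
                noauth_groups.append(m.group(1))
        elif USER_RE.match(line):
            v3_lines.append(line)
        elif line.startswith("snmp-server community "):
            poll_versions.add("community")  # community-based polling
        elif (m := MAP_DENY_RE.match(line)):
            map_denies.append("v" + m.group(1))

    return {
        "enabled": enabled,
        "poll_versions": sorted(poll_versions),
        # v3 polling of the box needs the agent on and a version-3 host entry
        "v3_polling_possible": enabled and bool(v3_hosts),
        "v3_hosts": v3_hosts,
        "v3_noauth_groups": noauth_groups,
        "v3_lines": v3_lines,
        "inspection_denies_through_traffic_only": map_denies,
    }


if __name__ == "__main__":
    report = audit_snmp_to_box(SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the posted config it reports that v3 polling of the box is still possible (host 2.2.2.2 with user very_secure), lists the seven group, user and host lines that would have to go for SNMPv3 to disappear, flags the v3-noauth group, and shows that the only deny in the snmp-map is the through-traffic rule for v3. Feed it a config with those v3 lines removed and v3_polling_possible turns false.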
08-26-2010 12:28 PM
Thanks a lot, as I suspected I got it wrong. I was trying to block SNMP v3 queries TO the ASA itself.