SNMP Trap for ASA

helsayed78
Level 1

Hi,

I am trying to generate an SNMP trap for any configuration changes done on a Cisco ASA; however, I am not able to achieve that... Can anyone help me out?

Regards,

Hesham                  

1 Accepted Solution

ptrynisz
Level 1

Hi Hesham,

It depends on what level of information you want to get.

- If you only want to know that the configuration was changed, but without details about what exact change was made, you can easily use logging to a syslog server.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml#maintask1

- If you want to know what particular change was made, then you can use TACACS+ accounting on the ASA in cooperation with an AAA server, e.g. ACS.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1554939

regards,

Pawel


4 Replies

Hello Pawel,

I actually followed the first document you sent me and I am still not receiving any SNMP traps from the ASA to my NMS server. Can you please send me the exact commands to verify it on my end?

Regards,

Hesham

Hi Hesham,

The method I provided to you uses Syslog messages rather than SNMP traps. Most NMSs have a built-in syslog server. Configuration sample below:

logging enable
logging buffered informational     ! in fact this one was only used to see what exactly is being logged - you can omit it
logging trap informational
logging host inside 1.1.1.100

Sample of logs while a configuration change is made:

ciscoasa# show logging
(...)
%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
%ASA-5-111008: User 'enable_15' executed the 'interface Ethernet 0/1' command.
%ASA-5-111008: User 'enable_15' executed the 'description DDD' command.
%ASA-5-111005: console end configuration: OK
%ASA-6-302015: Built outbound UDP connection 0 for inside:1.1.1.100/514 (1.1.1.100/514) to NP Identity Ifc:1.1.1.1/514 (1.1.1.1/514)
(...)

Captures proving the syslog messages have been sent out to the syslog server:

ciscoasa# show capture CAPIN
(...)
  19: 00:08:34.199345 1.1.1.1.514 > 1.1.1.100.514:  udp 71
  20: 00:08:34.199345 1.1.1.1.514 > 1.1.1.100.514:  udp 80
  21: 00:08:34.679316 1.1.1.1.514 > 1.1.1.100.514:  udp 50

I hope that helps. If not, just let me know.

regards,

Pawel
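As an added example (not part of Pawel's post), here is a small Python parser that reads ASA syslog lines like the ones shown above and extracts which user executed which command in configuration mode, counting the 111005 "end configuration" markers, plus a check that the configured `logging trap` level is high enough to forward the level-5 111008 messages. The sample lines are constructed from the `show logging` output in the post; the function names and level table are my own.

```python
import re
from collections import defaultdict
# ASA syslog header: %ASA-<severity>-<message id>: <text>
ASA_MSG = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)")
# Body of 111008: User 'enable_15' executed the 'configure terminal' command.
CMD_EXEC = re.compile(r"User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command\.")

CONFIG_CMD_MSG = "111008"  # a command was executed in configuration mode
CONFIG_END_MSG = "111005"  # "console end configuration: OK"
# ASA logging level names, indexed by numeric severity (0 = emergencies).
LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
          "notifications", "informational", "debugging"]

def trap_level_covers(level_name, severity):
    """True if 'logging trap <level_name>' forwards a message of this severity."""
    return LEVELS.index(level_name) >= severity

def parse_asa_line(line):
    """Return (severity, msgid, text) for an ASA syslog line, or None."""
    m = ASA_MSG.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def config_change_events(lines):
    """Return ({user: [commands]}, number of completed configuration sessions)."""
    commands = defaultdict(list)
    sessions_closed = 0
    for line in lines:
        parsed = parse_asa_line(line)
        if parsed is None:
            continue
        _sev, msgid, text = parsed
        if msgid == CONFIG_CMD_MSG:
            m = CMD_EXEC.match(text)
            if m:
                commands[m.group("user")].append(m.group("cmd"))
        elif msgid == CONFIG_END_MSG:
            sessions_closed += 1
    return dict(commands), sessions_closed

# Constructed sample input, modelled on the 'show logging' output in the post.
SAMPLE_LOG = """\
%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
%ASA-5-111008: User 'enable_15' executed the 'interface Ethernet 0/1' command.
%ASA-5-111008: User 'enable_15' executed the 'description DDD' command.
%ASA-5-111005: console end configuration: OK
%ASA-6-302015: Built outbound UDP connection 0 for inside:1.1.1.100/514 (1.1.1.100/514) to NP Identity Ifc:1.1.1.1/514 (1.1.1.1/514)
""".splitlines()
```

Feeding the NMS's received syslog into `config_change_events` gives the "who changed what" view the thread asks about; `trap_level_covers("informational", 5)` confirms why `logging trap informational` is sufficient for the 111008 messages.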

Thank you Pawel,

Is it possible to use SNMP traps instead since logs are already sent to a syslog server?

I am also not able to receive the syslog message that defines a change has occurred!

Regards,

Hesham
