11-28-2012 12:25 PM - edited 03-11-2019 05:29 PM
Hi,
I am trying to generate an SNMP trap for any configuration changes done on a Cisco ASA, however I am not able to achieve that. Can anyone help me out?
Regards,
Hesham
11-28-2012 01:08 PM
Hi Hesham,
It depends what kind of information level you want to get.
- If you only want to know that the configuration was changed, but without details about what exact change was done, you can easily use logging to a syslog server.
- If you want to know what particular change was done, then you can use TACACS+ accounting on the ASA in cooperation with an AAA server, e.g. ACS.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1554939
regards,
Pawel
12-11-2012 03:45 AM
Hello Pawel,
Actually, I followed the first document you sent me and I am still not receiving any SNMP traps from the ASA to my NMS server. Can you please send me the exact commands to verify it on my end?
Regards,
Hesham
12-11-2012 10:40 AM
Hi Hesham,
The way I provided to you is using syslog messages rather than SNMP traps. Most NMSs have a built-in syslog server. Configuration sample below:
logging enable
logging buffered informational ! in fact this one was only used to see what exactly is being logged - you can omit it
logging trap informational
logging host inside 1.1.1.100
Sample of logs while configuration change is done:
ciscoasa# show logging
(...)
%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
%ASA-5-111008: User 'enable_15' executed the 'interface Ethernet 0/1' command.
%ASA-5-111008: User 'enable_15' executed the 'description DDD' command.
%ASA-5-111005: console end configuration: OK
%ASA-6-302015: Built outbound UDP connection 0 for inside:1.1.1.100/514 (1.1.1.100/514) to NP Identity Ifc:1.1.1.1/514 (1.1.1.1/514)
(...)
captures proving syslog has been sent out to syslog server:
ciscoasa# show capture CAPIN
(...)
19: 00:08:34.199345 1.1.1.1.514 > 1.1.1.100.514: udp 71
20: 00:08:34.199345 1.1.1.1.514 > 1.1.1.100.514: udp 80
21: 00:08:34.679316 1.1.1.1.514 > 1.1.1.100.514: udp 50
I hope that helps. If not, just let me know.
regards,
Pawel
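As an added illustration of how an NMS or SIEM side can consume the syslog messages Pawel shows above (this is example code written for this thread, not Cisco's or Pawel's), the Python below parses the `%ASA-5-111008` ("User ... executed the ... command") and `%ASA-5-111005` ("end configuration") messages, extracts the user and command from each, and groups a run of commands into one configuration-change session that can be alerted on. The sample log lines are constructed from the ones quoted in the post; the message formats are assumed to be exactly as shown there, and any timestamp/hostname prefix a real syslog relay adds in front of `%ASA-` is tolerated by searching for the header rather than anchoring on it.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines, copied from the output shown in the thread.
SAMPLE_LOGS = [
    "%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.",
    "%ASA-5-111008: User 'enable_15' executed the 'interface Ethernet 0/1' command.",
    "%ASA-5-111008: User 'enable_15' executed the 'description DDD' command.",
    "%ASA-5-111005: console end configuration: OK",
    "%ASA-6-302015: Built outbound UDP connection 0 for inside:1.1.1.100/514 "
    "(1.1.1.100/514) to NP Identity Ifc:1.1.1.1/514 (1.1.1.1/514)",
]

# Header: %ASA-<severity>-<6-digit message id>: <text>. No '^' anchor, so a
# leading timestamp/hostname added by a syslog relay does not break parsing.
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")
# Body of 111008 as shown in the post (assumed format).
CMD_RE = re.compile(r"User '(?P<user>[^']*)' executed the '(?P<cmd>.*)' command\.$")

MSG_COMMAND_EXECUTED = "111008"
MSG_END_CONFIGURATION = "111005"


@dataclass
class AsaMessage:
    severity: int
    msg_id: str
    text: str
    user: Optional[str] = None
    command: Optional[str] = None


def parse_asa_line(line: str) -> Optional[AsaMessage]:
    """Parse one syslog line; return None if it carries no %ASA header."""
    m = HEADER_RE.search(line.strip())
    if not m:
        return None
    msg = AsaMessage(int(m.group("sev")), m.group("msgid"), m.group("text"))
    if msg.msg_id == MSG_COMMAND_EXECUTED:
        c = CMD_RE.search(msg.text)
        if c:
            msg.user = c.group("user")
            msg.command = c.group("cmd")
    return msg


def config_change_sessions(lines: List[str]) -> List[dict]:
    """Group consecutive 111008 command messages into a session that is
    closed by the next 111005 'end configuration' message. A session still
    open at end of input is reported with status 'incomplete'."""
    sessions: List[dict] = []
    current: Optional[dict] = None
    for line in lines:
        msg = parse_asa_line(line)
        if msg is None:
            continue
        if msg.msg_id == MSG_COMMAND_EXECUTED and msg.command is not None:
            if current is None:
                current = {"user": msg.user, "commands": []}
            current["commands"].append(msg.command)
        elif msg.msg_id == MSG_END_CONFIGURATION and current is not None:
            current["status"] = msg.text
            sessions.append(current)
            current = None
    if current is not None:
        current["status"] = "incomplete"
        sessions.append(current)
    return sessions


if __name__ == "__main__":
    for s in config_change_sessions(SAMPLE_LOGS):
        print(f"config change by {s['user']}: {s['commands']} ({s['status']})")
```

Running it on the sample lines yields a single session for user `enable_15` with the three commands and the status `console end configuration: OK`; the `302015` connection-built message is parsed but ignored, which is the filtering an NMS would apply before raising a "configuration changed" alert.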
02-02-2013 11:17 AM
Thank you Pawel,
Is it possible to use SNMP traps instead since logs are already sent to a syslog server?
I am also not able to receive the syslog message that defines a change has occurred!
Regards,
Hesham