SNMP Trap for ASA

Hi,

I am trying to generate an SNMP trap for any configuration change done on a Cisco ASA, however I am not able to achieve that. Can anyone help me out?

Regards,

Hesham

Accepted Solutions

Re: SNMP Trap for ASA

Hi Hesham,

It depends on what level of information you want to get.

- If you only want to know that the configuration was changed, without details about what exact change was done, you can easily use logging to a syslog server.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00805a2e04.shtml#maintask1

- If you want to know what particular change was done, then you can use TACACS+ accounting on the ASA in cooperation with an AAA server, e.g. ACS.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1554939

regards,

Pawel

SNMP Trap for ASA

Hello Pawel,

I actually followed the first document you sent me and I am still not receiving any SNMP traps from the ASA on my NMS server. Can you please send me the exact commands to verify it on my end?

Regards,

Hesham

Highlighted
Beginner

Re: SNMP Trap for ASA

Hi Hesham,

The way I provided to you uses syslog messages rather than SNMP traps. Most NMSs have a built-in syslog server. Configuration sample below:

logging enable
logging buffered informational     ! in fact this one was only used to see what exactly is being logged - you can omit it
logging trap informational
logging host inside 1.1.1.100

Sample of logs while a configuration change is done:

ciscoasa# show logging
(...)
%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
%ASA-5-111008: User 'enable_15' executed the 'interface Ethernet 0/1' command.
%ASA-5-111008: User 'enable_15' executed the 'description DDD' command.
%ASA-5-111005: console end configuration: OK
%ASA-6-302015: Built outbound UDP connection 0 for inside:1.1.1.100/514 (1.1.1.100/514) to NP Identity Ifc:1.1.1.1/514 (1.1.1.1/514)
(...)

Capture proving syslog has been sent out to the syslog server:

ciscoasa# show capture CAPIN
(...)
  19: 00:08:34.199345 1.1.1.1.514 > 1.1.1.100.514:  udp 71
  20: 00:08:34.199345 1.1.1.1.514 > 1.1.1.100.514:  udp 80
  21: 00:08:34.679316 1.1.1.1.514 > 1.1.1.100.514:  udp 50

I hope that helps. If not, just let me know.

regards,

Pawel
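As an added example (not part of Pawel's post or of Cisco's documentation), the following Python snippet is the receiver-side counterpart of the configuration above: it parses %ASA-5-111008 and %ASA-5-111005 messages of the form shown in the log sample into configuration-change events, skips commands that only enter or leave config mode, counts completed config sessions, and separates changes logged under the shared enable_15 identity from those logged under a named user, which is the attribution gap the TACACS+ accounting option in the accepted answer addresses. The timestamp/hostname prefix, the constructed sample lines, the extra netops and 10.0.0.5 entries, and the set of mode-only commands are assumptions, not device output from the thread.

```python
"""Receiver-side detection of Cisco ASA configuration changes from syslog.

Added example: parses the %ASA-5-111008 / %ASA-5-111005 messages shown
in the thread. Assumptions (not from the thread): the receiver prepends a
timestamp and hostname, the sample lines are constructed, and the set of
mode-only commands below is illustrative.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Message header: %ASA-<severity>-<6-digit id>: <body>. search() tolerates any prefix.
HEADER_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<body>.*)$")
# 111008 body, as shown in the thread: User 'x' executed the 'y' command.
CMD_RE = re.compile(r"^User '(?P<user>[^']+)' executed the '(?P<cmd>.*)' command\.?$")
# 111005 body, as shown in the thread: <source> end configuration: OK
END_RE = re.compile(r"^(?P<source>\S+) end configuration: (?P<status>\S+)$")

MSG_CMD_EXECUTED = "111008"
MSG_END_CONFIG = "111005"

# Assumption: these are logged like any other command but do not change the config.
MODE_ONLY = {"configure terminal", "end", "exit"}


@dataclass(frozen=True)
class ChangeEvent:
    user: str
    command: str


def parse_asa(line: str) -> Optional[Tuple[int, str, str]]:
    """Return (severity, message id, body) for an ASA syslog line, else None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("body")


def config_changes(lines: Iterable[str]) -> List[ChangeEvent]:
    """Configuration-changing commands in order, one event per 111008 message."""
    events: List[ChangeEvent] = []
    for line in lines:
        parsed = parse_asa(line)
        if parsed is None or parsed[1] != MSG_CMD_EXECUTED:
            continue
        m = CMD_RE.match(parsed[2])
        if not m:
            continue                      # 111008 body in a form we do not recognise
        cmd = m.group("cmd").strip()
        if cmd in MODE_ONLY:
            continue                      # entering/leaving config mode is not a change
        events.append(ChangeEvent(m.group("user"), cmd))
    return events


def completed_config_sessions(lines: Iterable[str]) -> int:
    """Number of 111005 'end configuration: OK' messages, i.e. config sessions that finished."""
    count = 0
    for line in lines:
        parsed = parse_asa(line)
        if parsed is None or parsed[1] != MSG_END_CONFIG:
            continue
        m = END_RE.match(parsed[2])
        if m and m.group("status") == "OK":
            count += 1
    return count


def shared_identity_changes(events: Iterable[ChangeEvent]) -> List[ChangeEvent]:
    """Changes logged under the enable_<level> identity rather than a named AAA user.

    Syslog alone cannot tie these to a person; per-user AAA accounting
    (the TACACS+ option in the accepted answer) is what closes that gap."""
    return [e for e in events if re.fullmatch(r"enable_\d+", e.user)]


# Constructed sample (not real device output): the thread's lines with a receiver-style prefix.
SAMPLE = """\
Aug 13 2015 00:08:31 ciscoasa : %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
Aug 13 2015 00:08:32 ciscoasa : %ASA-5-111008: User 'enable_15' executed the 'interface Ethernet 0/1' command.
Aug 13 2015 00:08:33 ciscoasa : %ASA-5-111008: User 'enable_15' executed the 'description DDD' command.
Aug 13 2015 00:08:34 ciscoasa : %ASA-5-111005: console end configuration: OK
Aug 13 2015 00:08:34 ciscoasa : %ASA-6-302015: Built outbound UDP connection 0 for inside:1.1.1.100/514 (1.1.1.100/514) to NP Identity Ifc:1.1.1.1/514 (1.1.1.1/514)
Aug 13 2015 00:09:01 ciscoasa : %ASA-5-111008: User 'netops' executed the 'access-list OUT permit ip any any' command.
Aug 13 2015 00:09:02 ciscoasa : %ASA-5-111005: 10.0.0.5 end configuration: OK
not a syslog line at all
""".splitlines()

if __name__ == "__main__":
    changes = config_changes(SAMPLE)
    for e in changes:
        print(f"{e.user:<10} {e.command}")
    print("completed config sessions:", completed_config_sessions(SAMPLE))
    print("changes under shared enable identity:", len(shared_identity_changes(changes)))
```

Run on the constructed sample it reports three changes (two by enable_15, one by netops), two completed config sessions, and two changes that cannot be attributed to a named user; feeding it the real output of a syslog receiver only requires replacing SAMPLE with the received lines.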


SNMP Trap for ASA

Thank you Pawel,

Is it possible to use SNMP traps instead since logs are already sent to a syslog server?

I am also not able to receive the syslog message that defines a change has occurred!

Regards,

Hesham