In the ASA configuration displays SNMP communities are obfuscated, like this:

ASA# show conf | i community
snmp-server host outside NMS-SERVER community *****
snmp-server community *****

As near back as 9.2 you could still display those communities using this command:

ASA# more system:running-config | i community
snmp-server host outside NMS-SERVER community public
snmp-server community public

I do not know when it changed, but in version 9.4 the more system:running-config command now also obfuscates the SNMP communites.  In version 9.4 is there any way to recover these community strings?

Release notes do not show any change in behavior on 9.4.

However, I feel it depends on the "snmp-server community" command.

Please check :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html#pgfId-1559085

And confirm if you have used :

snmp-server community 0 cisco

or

snmp-server community 8 cisco

Since, as per command reference, it is clearly written :

"After you have used an encrypted community string, only the encrypted form is visible to all systems (for example, CLI, ASDM, CSM, and so on). The clear text password is not visible."

Regards,

Pulkit Saxena

This doesn't work in multi-context mode:

plccdtfw/sec/act# more disk0:/plcfw2.cfg | i community
snmp-server host outside 10.18.58.232 community ***** version 2c
snmp-server host outside 10.16.47.244 community ***** version 2c
snmp-server host outside 10.16.16.91 community ***** version 2c

For ASA 9.4 version, do:

FW-ASA-01/act# more disk0:/ASA.cfg | i community
snmp-server host MGMT-NOC 192.168.10.100 community P@$$w0rd version 2c udp-port 161
snmp-server community P@$$w0rd

You must ensure that you're in system context.

PS: After type "more disk0:" put the "/" and type "?" to show all context configuration files

Best Regards,

Luis Claudio Bruno Piacesi

Works .! Thanks

excellent answer @jedavis 

this command should 

more system:running-config | i community

more system:running-config | i community

Does not work in multi-context. Try it on an actual firewall, don't just depend on the admin guide.

changeto management

changeto system 

then try the command 

more system:running-config | i community

Maestro,

The community strings are defined within each context, not in the system context. Because each context is its own totally separate virtual firewall they are monitored directly via snmp not through the system context, it doesn't work that way.

Within the context itself the command doesn't work.

#changeto context fw-1

CORFW/pri/act/fw-1# more system:running-config | i community
                                   ^
                                   ERROR: % Invalid input detected at '^' marker

That worked, thank you!

Thanks Maestro.  I was unaware of that command.  This solution works in single context as well as multi-context