02-23-2016 07:15 AM - edited 03-12-2019 12:23 AM
Is there any way to retrieve the configured SNMP communities from an ASA now that this information has been obfuscated in system:running-config?
-Jeff
02-23-2016 07:28 AM
Hi,
So do we want to know what communities have been configured on the
Have we removed
Regards,
Aditya
03-02-2016 12:31 PM
In the ASA configuration displays, SNMP communities are obfuscated, like this:
ASA# show conf | i community
snmp-server host outside NMS-SERVER community *****
snmp-server community *****
As near back as 9.2 you could still display those communities using this command:
ASA# more system:running-config | i community
snmp-server host outside NMS-SERVER community public
snmp-server community public
I do not know when it changed, but in version 9.4 the more system:running-config command now also obfuscates the SNMP communities. In version 9.4, is there any way to recover these community strings?

03-03-2016 04:37 AM
Release notes do not show any change in behavior on 9.4.
However, I feel it depends on the "snmp-server community" command.
Please check:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html#pgfId-1559085
And confirm if you have used:
snmp-server community 0 cisco
or
snmp-server community 8 cisco
Since, as per the command reference, it is clearly written:
"After you have used an encrypted community string, only the encrypted form is visible to all systems (for example, CLI, ASDM, CSM, and so on). The clear text password is not visible."
Regards,
Pulkit Saxena
09-26-2018 09:49 AM
This doesn't work in multi-context mode:
plccdtfw/sec/act# more disk0:/plcfw2.cfg | i community
snmp-server host outside 10.18.58.232 community ***** version 2c
snmp-server host outside 10.16.47.244 community ***** version 2c
snmp-server host outside 10.16.16.91 community ***** version 2c
03-09-2019 12:39 AM
For ASA 9.4 version, do:
FW-ASA-01/act# more disk0:/ASA.cfg | i community
snmp-server host MGMT-NOC 192.168.10.100 community P@$$w0rd version 2c udp-port 161
snmp-server community P@$$w0rd
You must ensure that you're in system context.
PS: After typing "more disk0:", put the "/" and type "?" to show all context configuration files.
Best Regards,
Luis Claudio Bruno Piacesi
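
An added example, not part of any post in this thread: a small audit of saved `| i community` output that classifies each `snmp-server` line as masked, encrypted (type 8) or cleartext, flags well-known default strings, and never echoes the value. The function names, the `WEAK` deny-list and the sample text are assumptions made for illustration.

```python
# Constructed sample modelled on the outputs quoted in this thread; the
# type-8 value is a placeholder, not a real encrypted string.
SAMPLE = """\
FW-ASA-01/act# more disk0:/ASA.cfg | i community
snmp-server host outside 10.18.58.232 community ***** version 2c
snmp-server host MGMT-NOC 192.168.10.100 community P@$$w0rd version 2c udp-port 161
snmp-server community public
snmp-server community 8 PLACEHOLDER-ENCRYPTED
snmp-server community 0 cisco
"""

# Assumption: a local deny-list of well-known default strings.
WEAK = {"public", "private", "cisco"}


def classify(line):
    """Return a finding dict for one snmp-server line, or None."""
    tok = line.split()
    if tok[:1] != ["snmp-server"] or "community" not in tok[1:-1]:
        return None  # prompts, other commands, or no value after the keyword
    rest = tok[tok.index("community") + 1:]
    kind = None
    # An optional 0 (clear) or 8 (encrypted) marker precedes the string.
    if rest[0] in ("0", "8") and len(rest) > 1 and rest[1] != "version":
        kind, rest = rest[0], rest[1:]
    value, rest = rest[0], rest[1:]
    if set(value) == {"*"}:
        state = "masked"
    elif kind == "8":
        state = "encrypted"
    else:
        state = "cleartext"
    version = rest[rest.index("version") + 1] if "version" in rest[:-1] else None
    return {
        "host": tok[3] if tok[1] == "host" else None,
        "state": state,
        "weak": state == "cleartext" and value.lower() in WEAK,
        # SNMP v1 and v2c carry the community unencrypted in every packet.
        "on_wire_clear": version in ("1", "2c"),
    }


def audit(text):
    """Classify every snmp-server community line; values are never echoed."""
    return [f for f in map(classify, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Any `cleartext` finding from a file on `disk0:` means the community is readable by anyone with access to that file or its backups.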
10-06-2021 02:40 AM
Works! Thanks
04-03-2019 08:12 AM
more system:running-config | i community
Does not work in multi-context. Try it on an actual firewall, don't just depend on the admin guide.
04-03-2019 08:55 AM
changeto management
changeto system
Then try the command:
more system:running-config | i community
04-03-2019 09:32 AM
Maestro,
The community strings are defined within each context, not in the system context. Because each context is its own totally separate virtual firewall, they are monitored directly via SNMP, not through the system context; it doesn't work that way.
Within the context itself the command doesn't work.
#changeto context fw-1
CORFW/pri/act/fw-1# more system:running-config | i community
^
ERROR: % Invalid input detected at '^' marker
04-03-2019 10:37 AM
In your case you need the following commands:
#changeto context fw-1
CORFW/pri/act/fw-1# show snmp-server group
Let me know; this should show your community strings/key.
04-03-2019 12:58 PM
That worked, thank you!
07-01-2019 11:05 AM
Thanks Maestro. I was unaware of that command. This solution works in single context as well as multi-context.
