jedavis

Viewing SNMP communities on ASA

Is there any way to retrieve the configured SNMP communities from an ASA now that this information has been obfuscated in system:running-config?

-Jeff

Aditya Ganjoo
Cisco Employee

Hi,

So do we want to know what communities have been configured on the ASA ?

Have we removed them ?

Regards,

Aditya

In the ASA configuration display, SNMP communities are obfuscated, like this:

ASA# show conf | i community
snmp-server host outside NMS-SERVER community *****
snmp-server community *****

As recently as 9.2 you could still display those communities using this command:

ASA# more system:running-config | i community
snmp-server host outside NMS-SERVER community public
snmp-server community public

I do not know when it changed, but in version 9.4 the more system:running-config command now also obfuscates the SNMP communities. In version 9.4 is there any way to recover these community strings?

Release notes do not show any change in behavior on 9.4.

However, I feel it depends on the "snmp-server community" command.

Please check:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s15.html#pgfId-1559085

And confirm if you have used:

snmp-server community 0 cisco

or

snmp-server community 8 cisco

Since, as per the command reference, it is clearly written:

"After you have used an encrypted community string, only the encrypted form is visible to all systems (for example, CLI, ASDM, CSM, and so on). The clear text password is not visible."

Regards,

Pulkit Saxena

This doesn't work in multi-context mode:

 

plccdtfw/sec/act# more disk0:/plcfw2.cfg | i community
snmp-server host outside 10.18.58.232 community ***** version 2c
snmp-server host outside 10.16.47.244 community ***** version 2c
snmp-server host outside 10.16.16.91 community ***** version 2c

For ASA 9.4 version, do:

FW-ASA-01/act# more disk0:/ASA.cfg | i community
snmp-server host MGMT-NOC 192.168.10.100 community P@$$w0rd version 2c udp-port 161
snmp-server community P@$$w0rd

You must ensure that you're in system context.

PS: After typing "more disk0:", put the "/" and type "?" to show all context configuration files.

Best Regards,

Luis Claudio Bruno Piacesi

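Since saved config files on disk0: can hold the community strings in cleartext while show run masks them, here is a small audit script, added as an example and not from this thread or from Cisco, that classifies each snmp-server community line in exported ASA config text as masked, cleartext or encrypted (the "0"/"8" forms quoted from the command reference above) and flags well-known defaults. The sample config and the value after "8" are constructed placeholders.

```python
import re
from dataclasses import dataclass
# Constructed sample (not real device output) covering the forms seen in this
# thread: masked (*****), cleartext, and the "0"/"8" encryption-level syntax.
# The value after "8" is a placeholder, not a real ASA-encrypted string.
SAMPLE_CONFIG = """\
snmp-server host outside NMS-SERVER community ***** version 2c
snmp-server community *****
snmp-server host MGMT-NOC 192.168.10.100 community P@$$w0rd version 2c udp-port 161
snmp-server community P@$$w0rd
snmp-server community 0 public
snmp-server community 8 PLACEHOLDER_ENCRYPTED_BLOB
"""
DEFAULT_COMMUNITIES = {"public", "private"}  # well-known defaults worth flagging

@dataclass
class Finding:
    line_no: int
    kind: str    # "community" (global string) or "host" (per-NMS string)
    state: str   # "masked", "cleartext", "encrypted" or "unknown"
    value: str   # the token as it appears in the config
    weak: bool   # cleartext and equal to a well-known default

def _classify(tokens):
    """State and value for the tokens that follow the keyword 'community'."""
    if not tokens:
        return ("unknown", "")
    if tokens[0] in ("0", "8") and len(tokens) > 1:
        return ("cleartext" if tokens[0] == "0" else "encrypted", tokens[1])
    if set(tokens[0]) == {"*"}:           # ***** as shown by `show run`
        return ("masked", tokens[0])
    return ("cleartext", tokens[0])

def audit_snmp_communities(config_text):
    """Report how each snmp-server community line in ASA config text is stored."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), start=1):
        m = re.match(r"^snmp-server\s+(host\s+\S+\s+\S+\s+)?community\s+(.*)$", raw.strip())
        if not m:
            continue
        kind = "host" if m.group(1) else "community"
        state, value = _classify(m.group(2).split())
        weak = state == "cleartext" and value.lower() in DEFAULT_COMMUNITIES
        findings.append(Finding(n, kind, state, value, weak))
    return findings

if __name__ == "__main__":
    for f in audit_snmp_communities(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind:9s} {f.state:9s} {f.value}" + (" (default)" if f.weak else ""))
```

Run it against a backup pulled from disk0: to see at a glance which contexts still store their community strings in cleartext.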

excellent answer @jedavis 

 

this command should 

more system:running-config | i community

more system:running-config | i community

Does not work in multi-context. Try it on an actual firewall, don't just depend on the admin guide.

changeto management

changeto system 

then try the command 

more system:running-config | i community

 

Maestro,

 

The community strings are defined within each context, not in the system context. Because each context is its own totally separate virtual firewall, they are monitored directly via SNMP, not through the system context; it doesn't work that way.

Within the context itself the command doesn't work.

 

#changeto context fw-1

CORFW/pri/act/fw-1# more system:running-config | i community
                                   ^
                                   ERROR: % Invalid input detected at '^' marker

In your case you need the following commands:

#changeto context fw-1

CORFW/pri/act/fw-1# show snmp-server group

 

Let me know; this should show your community strings/key.

That worked, thank you!

It worked for me, thank you Maestro

Thanks Maestro. I was unaware of that command. This solution works in single context as well as multi-context.

 

That works!
