How to disable SNMP or udp port 161 on my Internet gateway router

Hi Everyone,


We have an Internet gateway router (#CiscoASR) on which we have an SNMP configuration for monitoring purposes, and we have secured it with an ACL as well. But now our infosec team is saying that they are able to see the router as vulnerable to SNMP threats when they do a vulnerability scan from the Internet, even though we have secured it using ACLs. Please suggest how to fix this.


Thanks,

Babjani.

2 Accepted Solutions
4 Replies

johnd2310 (Level 8)

Hi,

What type of access-list are you using? An interface access-list or an SNMP access-list?


Thanks

John

**Please rate posts you find helpful**

Hi John,


We are using only a standard ACL for SNMP as of now. If we use an interface ACL, given that this is the entry point to our organization and it is a 1 Gig link, will there be a toll on the CPU? Please let me know.


Thanks,

Babjani.

Hi,

You need to use both snmp access-list and interface access-list. The snmp access-list specifies which devices can access snmp using the specified string. Therefore, the router will process snmp and reject or accept based on access-list and string. You, therefore, will need an access-list on the outside interface to block all snmp packets from the Internet.

There should be no impact on the router from having an access-list on the outside interface as long as you do not have excessive logging enabled on the access-list.


Thanks

John

**Please rate posts you find helpful**

Hi John/Everyone,


Thanks John for your time over this discussion.

We have applied an extended ACL on the Internet link interface denying snmp, snmptrap and ntp traffic and permitting the rest of the traffic. Hence the issue is resolved.


Thanks,

Babjani.
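The two-layer setup John describes (an SNMP access-list on the community string plus an interface access-list on the Internet-facing link), written out as a constructed Cisco IOS example. This is an added illustration, not the poster's actual configuration: the ACL names, the community string placeholder, the monitoring subnet 203.0.113.0/24 and the interface GigabitEthernet0/0/0 are all assumptions.

```text
! Constructed example (not the poster's configuration). ACL names, the
! community string, 203.0.113.0/24 (monitoring network) and
! GigabitEthernet0/0/0 (Internet uplink) are assumptions.
!
! 1. SNMP access-list: which sources may use the community string at all.
!    Packets from anywhere else still reach the SNMP process; the router
!    just rejects them, which is why an external scan still sees the port.
ip access-list standard SNMP-MGMT
 permit 203.0.113.0 0.0.0.255
 deny   any
!
snmp-server community REPLACE-WITH-STRONG-STRING RO SNMP-MGMT
!
! 2. Interface access-list: drop SNMP (udp/161) and SNMP traps (udp/162)
!    arriving from the Internet before the router processes them.
!    No "log" keyword on these entries, per John's advice about logging
!    cost on a busy 1 Gig uplink.
ip access-list extended OUTSIDE-IN
 remark Block SNMP and SNMP traps from the Internet
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 permit ip any any
!
interface GigabitEthernet0/0/0
 description Internet uplink
 ip access-group OUTSIDE-IN in
!
! Verify that the deny entries are actually matching:
!   show ip access-lists OUTSIDE-IN
```

Babjani's final ACL also denies ntp; if the router itself syncs time from NTP servers on the Internet, a blanket inbound deny of udp/123 will drop the replies to the router's own queries, so permit those specific servers before the deny.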
