SNMP ACL match the rules but port scan result OPEN

M.Fly
Level 1

Hello guys,

I have set up an SNMP ACL so that SNMP polling is allowed only from a specific subnet.

The router is an ASR1002-X with IOS-XE 16.12.04

Here the config:

ip access-list standard 30
10 permit 1.2.3.4 0.0.0.15
20 deny any

snmp-server community public RO 30

I am wondering why, when I run a port scan on 1.2.3.4, I get:

PORT STATE SERVICE VERSION
161/udp open snmp Cisco SNMP service
|_snmp-hh3c-logins: TIMEOUT
|_snmp-win32-shares: TIMEOUT

When I scan, the ACL counters match and the number grows, but the port result is OPEN.

Where is the error?

Many thanks to all of you.

Regards.

6 Replies

balaji.bandi
Hall of Fame

Not sure where you applied this. As per my understanding you want to allow only 1.2.3.4 0.0.0.15 and deny the rest; if you scan from 1.2.3.4 0.0.0.15, then sure it shows open, since it is allowed, right? You need to scan from a non-1.2.3.4 network.

You can also use the example below:

access-list 30 permit 1.2.3.4 0.0.0.15
access-list 30 deny any
snmp-server group MySNMP v2 access 30

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I scan from another IP address range; I would expect that UDP port 161 for SNMP is closed from other IP prefixes.

But if I scan with nmap, the port result is open.

I tried with:

snmp-server group SNMP v1 access 30
snmp-server group SNMP v2c access 30
snmp-server community public RO 30
!

This config does not resolve the issue.

The sh run of the ACL:

ip access-list standard 30
10 permit 1.2.3.4 0.0.0.15
20 deny any

the nmap output:

Host is up (0.010s latency).
PORT STATE SERVICE VERSION
161/udp open snmp Cisco SNMP service
|_snmp-hh3c-logins: TIMEOUT
|_snmp-win32-shares: TIMEOUT

What is the source IP using nmap here, and what destination IP are you scanning?

Can you give us the syntax please?

BB


I have masqueraded the public IP as 1.2.3.4; I scan my public IP address from another public IP address in Frankfurt.

I scan with: nmap -A -Pn -sU -p 161 x.x.x.x

The result is port open with ACL applied.

In this case you need an ACL to block it from the outside interface.

BB


I confirm that in this specific case the SNMP ACL is not enough; the one on the outside interface is also needed. I don't understand why.
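The combination the accepted answer points to, written out as an added example that is not configuration from the thread: the SNMP community ACL the original poster already has, plus an extended ACL applied inbound on the Internet-facing interface, so that UDP/161 from anything other than the management /28 is dropped before the SNMP agent ever sees it. The interface name GigabitEthernet0/0/0, the ACL name OUTSIDE-IN and the management subnet 1.2.3.0/28 are assumptions (the thread's addresses are masqueraded); IOS stores a wildcard entry with its host bits cleared, so the thread's 1.2.3.4 0.0.0.15 appears here as 1.2.3.0 0.0.0.15.

```cisco
! Added example, not from the thread. Interface name, ACL name and the
! management subnet 1.2.3.0/28 are assumptions.
!
! 1) Community ACL: decides which sources may use the community string.
!    It is evaluated only after the datagram has reached the SNMP agent.
ip access-list standard 30
 10 permit 1.2.3.0 0.0.0.15
 20 deny   any
!
snmp-server community public RO 30
!
! 2) Interface ACL: drops the datagram at the outside interface, so the
!    agent never receives (and never answers) anything from other sources.
!    "log" on the deny entries makes the scanner visible in the log buffer.
ip access-list extended OUTSIDE-IN
 10 permit udp 1.2.3.0 0.0.0.15 any eq snmp
 20 deny   udp any any eq snmp log
 30 deny   udp any any eq snmptrap log
 ! Placeholder for the rest of the outside policy; in production the
 ! outside interface should end in an explicit deny, not a blanket permit.
 1000 permit ip any any
!
interface GigabitEthernet0/0/0
 description Outside
 ip access-group OUTSIDE-IN in
!
! Verification after re-running the scan from a non-management host:
!   show ip interface GigabitEthernet0/0/0 | include access list
!     -> "Inbound access list is OUTSIDE-IN"
!   show ip access-lists OUTSIDE-IN
!     -> the match counter on entry 20 climbs, entry 10 stays at zero
```

Why the community ACL alone left the port looking open: the router keeps listening on UDP/161 regardless of ACL 30, because that ACL is consulted only when a received request is matched against the community string. nmap reports a UDP port as "open" (rather than "open|filtered") only when something answers its probe, and -A sends several SNMP service probes, including an SNMPv3 engine-discovery request that carries no community at all; a reply to any of them is enough for the "open, Cisco SNMP service" verdict even though the v2c requests are dropped by ACL 30. That this is exactly what answered here is my reading of the scan output, not something the thread establishes; the interface ACL settles the question either way by dropping the datagram before the agent sees it. The community string "public" is kept above only to match the thread: on an Internet-facing router replace it with a non-default string, or better an SNMPv3 user with authPriv, before relying on either ACL.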
