03-18-2022 11:14 AM - last edited on 03-28-2022 06:40 PM by Translator
Hello guys,
I have set up an SNMP ACL so that SNMP polling is allowed only from a specific subnet.
The router is an ASR1002-X with IOS-XE 16.12.04
Here is the config:
ip access-list standard 30
10 permit 1.2.3.4 0.0.0.15
20 deny any
snmp-server community public RO 30
I am wondering, when I run a port scan on 1.2.3.4:
PORT STATE SERVICE VERSION
161/udp open snmp Cisco SNMP service
|_snmp-hh3c-logins: TIMEOUT
|_snmp-win32-shares: TIMEOUT
When I scan, the ACL counter matches and the count grows, but the port shows as OPEN.
Where is the error?
Many thanks to all of you.
Regards.
03-18-2022 01:07 PM - last edited on 03-28-2022 06:41 PM by Translator
Not sure where you applied this. As I understand it, you want to allow only 1.2.3.4 0.0.0.15 and deny the rest. If you scan from 1.2.3.4 0.0.0.15, then sure, it shows open, since it is allowed, right? You need to scan from a non-1.2.3.4 network.
You can also use the example below:
access-list 30 permit 1.2.3.4 0.0.0.15
access-list 30 deny any
snmp-server group MySNMP v2 access 30
03-18-2022 01:28 PM - last edited on 03-28-2022 06:42 PM by Translator
I scan from another IP address range; I would expect that UDP port 161 (SNMP) is closed from other IP prefixes.
But if I scan with nmap, the port shows as open.
I tried with:
snmp-server group SNMP v1 access 30
snmp-server group SNMP v2c access 30
snmp-server community public RO 30
!
This config does not resolve the issue.
The sh run of the ACL:
ip access-list standard 30
10 permit 1.2.3.4 0.0.0.15
20 deny any
The nmap output:
Host is up (0.010s latency).
PORT STATE SERVICE VERSION
161/udp open snmp Cisco SNMP service
|_snmp-hh3c-logins: TIMEOUT
|_snmp-win32-shares: TIMEOUT
03-18-2022 07:20 PM
What is the source IP you are running nmap from here, and what destination IP are you scanning?
Can you give us the syntax, please?
03-20-2022 03:44 PM
I have masked the public IP as 1.2.3.4; I scan my public IP address from another public IP address in Frankfurt.
I scan with nmap -A -Pn -sU -p 161 x.x.x.x
The result is port open with the ACL applied.
03-21-2022 01:07 AM (accepted solution)
In this case you need an ACL on the outside interface to block it.
03-28-2022 12:42 AM
I confirm that in this specific case the SNMP ACL is not enough and the one on the outside interface is also needed; I don't understand why.
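For the accepted answer above, here is an added example (not the original poster's configuration, and not taken from the thread) that puts the community ACL from the thread beside an inbound ACL on the outside interface. The reason the community ACL alone does not change the nmap verdict: nmap labels a UDP port "open" only when a UDP reply comes back, so the router did answer something. A community ACL decides which v1/v2c requests the agent honours; it does not stop the agent from listening on UDP/161, and the version-detection probes that -A sends include SNMPv3 requests, which no community ACL governs. An ACL on the outside interface drops the datagrams before the agent ever sees them, so nothing is answered. Assumed names and addresses: outside interface GigabitEthernet0/0/0 with address 198.51.100.1, management subnet 1.2.3.0/28 (which is exactly what 1.2.3.4 0.0.0.15 matches, i.e. 1.2.3.0 through 1.2.3.15), ACL names SNMP-MGMT and OUTSIDE-IN, and community string MGMT-RO in place of public.

```cisco
! Added example, not the thread's own config. Assumed: outside interface
! Gi0/0/0 at 198.51.100.1, management subnet 1.2.3.0/28, ACL names
! SNMP-MGMT / OUTSIDE-IN, community MGMT-RO.
!
! 1) Community ACL: gates which sources the SNMP agent will answer for
!    v1/v2c requests. The agent still listens on UDP/161 regardless.
ip access-list standard SNMP-MGMT
 10 permit 1.2.3.0 0.0.0.15
 20 deny   any log
!
! Do not leave the default community string in place.
no snmp-server community public
snmp-server community MGMT-RO RO SNMP-MGMT
!
! 2) Interface ACL: drops SNMP from every other source before it reaches
!    the agent, so a scanner outside 1.2.3.0/28 gets no UDP reply at all.
!    Only the SNMP entries are shown; the remark marks where the rest of
!    the site's inbound policy belongs. There is an implicit deny at the
!    end, so applying only these lines would cut off all other traffic.
ip access-list extended OUTSIDE-IN
 10 permit udp 1.2.3.0 0.0.0.15 host 198.51.100.1 eq snmp
 20 deny   udp any host 198.51.100.1 eq snmp log
 remark --- site-specific permits for all other required traffic go here ---
!
interface GigabitEthernet0/0/0
 ip address 198.51.100.1 255.255.255.0
 ip access-group OUTSIDE-IN in
!
! Verification after the change (read-only show commands):
!   show ip access-lists OUTSIDE-IN   (deny line 20 should count the scan)
!   show ip access-lists SNMP-MGMT    (should stop incrementing)
!   show snmp community
```

To check the result, rescan from a host outside 1.2.3.0/28 with `nmap -sU -p 161 --reason x.x.x.x`. With the probe dropped at the interface, nmap should report `open|filtered` with reason `no-response`, or `filtered` if the router answers with an ICMP administratively-prohibited message (which it does when `ip unreachables` is enabled on the interface); it should no longer report `open`. Keep the community ACL as well: it still protects against sources that reach the router through interfaces other than the outside one, and its hit counter is a useful sign that something has slipped past the interface ACL.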