12-05-2023 08:50 AM - edited 12-05-2023 09:11 AM
I have a Cisco border router (CAT9K_IOSXE) that connects to the Internet and to the inside network. Per Shodan.io, I have hits on SNMP which are SVI IPs on the border router. So basically, anyone from the Internet can SNMP scan using an SVI IP. I would like to block that. There is a firewall on the inside that takes care of SNMP, but my main goal is to prevent the border router from responding to SNMP scans from the Internet.
The easier solution would be an ACL on the outside interface, but we have a lot of servers that are doing SNMP to the outside system, which goes through the border router. An ACL will complicate things as I will have to audit and maintain the ACL for any new or removed server.
The second option is to block SNMP to the SVI IPs in an ACL and permit all else on the outside interface. The issue is we have a lot of SVIs and it also adds overhead on the outside interface.
The third option, which I am not sure will work, is to apply an ACL on the SVIs (L3 VLANs, inbound) and block all SNMP. This should block the SVIs from responding to SNMP requests.
The last option is what Cisco TAC suggested but did not provide a great deal of details. The config is:
(config)#snmp-server drop unknown-user
(config)#snmp-server drop report access ACL# (this ACL has the IPs of the legitimate SNMP monitoring hosts and denies all at the end)
I checked online and I am not sure if this will work. The first line seems to be blocking SNMP traffic with an unknown SNMPv3 user name. The issue here is, per my research, the border router would need all the user names/SNMP strings that all hosts on my inside network are using to talk to the outside system. I will then need to add all of these into the border router's config. If I miss one, that legitimate traffic will be affected.
Is anyone more familiar with these configs and knows whether they will work for this case? Any other suggestions or feedback?
12-05-2023 09:11 AM
SNMP uses a specific port.
Use an ACL on the outside interface to allow or deny that port. You don't need to specify server IPs.
Why would this not work?
MHM
12-05-2023 09:15 AM - edited 12-05-2023 09:15 AM
Yes, SNMP port 161.
I cannot deny 161 as we have some legitimate traffic going outside using SNMP port 161. I need to make sure I do not affect that traffic.
12-05-2023 10:12 AM
Can I see the ACL you use for the outside interface?
MHM
12-05-2023 11:28 AM - edited 12-05-2023 11:30 AM
It would look something like this:
ip access-list extended SNMP_BLOCK_ACL
remark Block incoming SNMP traffic from ISP
deny udp any any eq 161
permit ip any any
interface GigabitEthernet1/1
ip access-group SNMP_BLOCK_ACL in
As you can see this would block all SNMP traffic including legitimate traffic.
12-05-2023 11:40 AM
Can you share the SNMP config?
MHM
12-05-2023 12:37 PM - edited 12-05-2023 12:38 PM
Sure. Here is SNMP:
snmp-server group default v3 priv
snmp-server group CoSNMPv3User v3 priv
snmp-server group CoSNMPv3View v3 priv
snmp-server group CoSNMPv3Group v3 priv read CoSNMPv3View write CoSNMPv3View access 101
snmp-server host 10.10.10.50 version 3 priv CoSNMPv3User
snmp-server host 10.10.10.50 version 3 priv CoSNMPv3View
snmp-server trap-source Loopback0
10.10.10.50 is the monitoring server. ACL 101 has a permit statement for our internal SNMP polling server and a deny-all at the end.
12-05-2023 02:04 PM
Hi friend
You have multiple groups (there is no user attached to these groups!!).
And you have a group view which you use an ACL for.
For the other groups except the view, why don't you use an ACL (a standard ACL allowing the host server IP)?
MHM
12-06-2023 07:18 AM
These are the standard SNMP commands that the org is using. Maybe I can look into fine-tuning SNMP, but currently I am focusing on blocking the SNMP traffic from the Internet that is able to scan the SVI IPs.
12-07-2023 12:24 AM
We use a standard ACL in SNMP; this ACL specifies only the servers SNMP can talk to.
No need for an extended ACL.
MHM
12-12-2023 08:37 AM
ACL 101 is a standard ACL. It has permit statements for the legitimate IPs and a deny any at the end. It is applied to SNMP only.
12-07-2023 12:16 AM
You are blocking on any any. Why don't you just block on the destination IP of the SVI? All the rest will go through...
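As an added illustration of the suggestion above (this is my own example, not a poster's config), the script below generates the per-SVI variant of the outside-interface ACL and runs a first-match simulation against it, so the "transit SNMP still permitted, SNMP to SVIs denied" behaviour can be checked before the ACL is applied. The SVI addresses, the interface name and the ACL name are constructed placeholders.

```python
import ipaddress

# Constructed sample values, not from the thread: three of the border
# router's Internet-reachable SVI addresses and the outside interface.
SVI_ADDRESSES = ["203.0.113.1", "203.0.113.17", "203.0.113.33"]
OUTSIDE_INTERFACE = "GigabitEthernet1/1"
SNMP_PORT = 161


def build_acl(name, svi_addresses, port=SNMP_PORT):
    """Emit an IOS extended ACL that denies UDP/161 only when the destination
    is one of the router's own SVI addresses, then permits everything else,
    so transit SNMP to inside hosts is untouched."""
    lines = [f"ip access-list extended {name}",
             " remark deny Internet SNMP aimed at router SVIs, permit the rest"]
    for addr in svi_addresses:
        ipaddress.ip_address(addr)  # fail fast on a typo instead of emitting bad config
        lines.append(f" deny udp any host {addr} eq {port}")
    lines.append(" permit ip any any")
    return lines


def apply_inbound(name, interface):
    """Lines that bind the ACL inbound on the outside interface."""
    return [f"interface {interface}", f" ip access-group {name} in"]


def evaluate(acl_lines, proto, dst, dport):
    """First-match simulation of the generated ACL for one inbound packet.
    Returns True if permitted, False if denied (including the implicit
    deny at the end of every IOS ACL)."""
    for line in acl_lines:
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # header and remark lines are not entries
        action, acl_proto = parts[0], parts[1]
        if acl_proto == "ip":  # "permit ip any any" matches every packet
            return action == "permit"
        # generated entries have the shape: deny udp any host <ip> eq <port>
        if (acl_proto == proto and parts[3] == "host" and parts[4] == dst
                and parts[5] == "eq" and int(parts[6]) == dport):
            return action == "permit"
    return False


if __name__ == "__main__":
    acl = build_acl("SNMP_SVI_BLOCK", SVI_ADDRESSES)
    print("\n".join(acl + apply_inbound("SNMP_SVI_BLOCK", OUTSIDE_INTERFACE)))
    # An Internet poll of an SVI is dropped; transit SNMP to an inside host is not.
    print(evaluate(acl, "udp", "203.0.113.1", 161), evaluate(acl, "udp", "10.10.10.50", 161))
```

Regenerating the ACL from the SVI list is what keeps the 40+ entries maintainable; the simulation only models the entries this script emits, not arbitrary IOS ACL syntax.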
12-12-2023 08:40 AM
On the outside interface? If so, that is an option; however, I was hoping to avoid that overhead. Currently there is no ACL on the outside interface, and adding just this ACL with 40+ SVI IPs will add unnecessary overhead.
What are your thoughts on below commands:
(config)#snmp-server drop unknown-user
(config)#snmp-server drop report access ACL#
Per TAC, this should fix this, but again I am not sure what effect it will have on the legitimate traffic. Unfortunately, neither does TAC.
12-06-2023 08:13 AM
My preferred method for managing routers outside the security perimeter is to use the base VRF only for management and put ACLs on the vty ports. All the untrusted traffic goes in a different VRF; it doesn't have access to the management ports. I would put the management network in a DMZ(ish) network, meaning outside a firewall, and add Null0 routes for the RFC1918 addresses in the untrusted VRF.
12-12-2023 08:41 AM
Unfortunately, redesign is not an option for this situation.