I don’t know who to blame, me for not being attentive or Cisco documentation for being vague, but when I read that snmp-map inspection allows you to block selectively by SNMP version, I decided it was the way to protect the ASA itself from such queries. Only with the help of the Netpro forum at Cisco.com did I learn that this feature is designed to inspect SNMP traffic that passes THROUGH the ASA, not traffic destined to the ASA itself.
So if you want to limit which SNMP version the ASA itself will answer queries with, use the usual snmp-server host … command.
For those who do want to block SNMP of, say, version 1 and 2c passing through the ASA, here is how. First define an snmp-map (its name is what the inspect snmp command refers to later) that denies those versions:
snmp-map no-v1or2-here
 deny version 1
 deny version 2c
Now define with an access-list which traffic to inspect; you may use specific IPs or just the general SNMP ports, UDP 161 (snmp) and 162 (snmptrap):
access-list no-v1or2-here extended permit udp any any eq snmptrap
access-list no-v1or2-here extended permit udp any any eq snmp
Bind the ACL to a class-map:
class-map snmp-block-v2or1
 match access-list no-v1or2-here
Use the class-map in a policy-map (any name of your choosing) and enable snmp-map inspection for it:
policy-map <policy-map-name>
 class snmp-block-v2or1
  inspect snmp no-v1or2-here
And finally apply the policy-map to an interface with the service-policy command.
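As an added example (not from the original post), here is a small Python audit script that reads an ASA running-config excerpt and keeps the two controls discussed above apart: the versions the ASA itself answers with (snmp-server host lines) and the versions an snmp-map drops for transit traffic, including whether that map is actually wired into a policy-map that is applied with service-policy. The config excerpt, the policy-map name global_policy and the addresses in it are constructed for illustration.

```python
import re
# Constructed running-config excerpt for illustration (not from a real device).
SAMPLE_CONFIG = """\
snmp-server host inside 10.0.0.5 community ****** version 2c
snmp-server host inside 10.0.0.6 version 3 netmon
access-list no-v1or2-here extended permit udp any any eq snmptrap
access-list no-v1or2-here extended permit udp any any eq snmp
snmp-map no-v1or2-here
 deny version 1
 deny version 2c
class-map snmp-block-v2or1
 match access-list no-v1or2-here
policy-map global_policy
 class snmp-block-v2or1
  inspect snmp no-v1or2-here
service-policy global_policy global
"""

def blocks(config):
    """Group indented sub-commands under their top-level command line."""
    out, current = {}, None
    for line in config.splitlines():
        if line.startswith(" "):
            out[current].append(line.strip())
        else:
            current = line.strip()
            out[current] = []
    return out

def snmp_host_versions(config):
    """Versions the ASA itself answers with, one entry per snmp-server host."""
    hosts = {}
    for m in re.finditer(r"^snmp-server host \S+ (\S+)(.*)$", config, re.M):
        v = re.search(r"\bversion (\S+)", m.group(2))
        hosts[m.group(1)] = v.group(1) if v else "unspecified"
    return hosts

def denied_versions(config, map_name):
    """Versions an snmp-map drops; affects only traffic passing THROUGH the ASA."""
    children = blocks(config).get(f"snmp-map {map_name}", [])
    return {c.split()[-1] for c in children if c.startswith("deny version ")}

def transit_inspection(config):
    """snmp-maps used by 'inspect snmp', mapped to whether the policy-map is applied."""
    b = blocks(config)
    applied = {k.split()[1] for k in b if k.startswith("service-policy ")}
    return {c.split()[2]: top.split()[1] in applied
            for top, children in b.items() if top.startswith("policy-map ")
            for c in children if c.startswith("inspect snmp ")}
```

A map that shows up as not applied means the deny lines protect nothing yet; and none of this changes what the device itself answers, which only the snmp-server host entries control.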