Thursday 2 May 2013

SNMP and ASA:
SNMP stands for Simple Network Management Protocol. Up to ASA software 8.1, the SNMP versions supported were v1 and v2c. The newest ASA software, 8.2 and later, also supports SNMP v3, which is the most secure SNMP protocol version.
The ASA works as an SNMP server (or agent), so you need a Network Management System (NMS) to act as the SNMP manager and provide network monitoring and management functionality. The NMS is basically a management server such as the CiscoWorks product or Firewall Analyzer. With the NMS you can either poll the ASA appliance to collect information, or the ASA appliance can send SNMP traps (event notifications) to the NMS server. SNMP traps are sent on UDP port 162 and SNMP polling uses UDP port 161. So, the ASA will listen on UDP 161 and the NMS will listen on UDP 162 and 161.
Configuring SNMP
Step 1: Enable the SNMP server on the ASA.
ASA(config)# snmp-server enable
Step 2: Identify the NMS host that can connect to the ASA for SNMP management.
ASA(config)# snmp-server host [interface_name] [ip_address] community [community string]
Where “interface_name” is the ASA interface through which the NMS can be reached, and “ip_address” is the NMS address. The “community string” is like a preshared password which must be configured on both the ASA and the NMS in order for the two elements to communicate.
Step 3: Specify the ASA community string.
ASA(config)# snmp-server community [community string]
Step 4: Enable the ASA to send SNMP traps to the NMS.
ASA(config)# snmp-server enable traps [all | snmp [trap] [trap] ]
The default configuration has all snmp traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). It is recommended to leave all traps enabled as the default setting.
Configuration Example:
ASA(config)# snmp-server enable
ASA(config)# snmp-server host inside 10.1.1.100 community secret_Key
ASA(config)# snmp-server community secret_Key
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart

Note: before configuring the SNMP host, make sure that you can reach the NMS via the specified interface.
ASA# ping "interface_name" "IP of NMS"
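
A check for the four steps above, written as an added example (not part of the original post and not Cisco tooling). It reads pasted snmp-server lines and reports missing steps, default community strings, and hosts that rely on a community string instead of SNMP v3. The function name audit_snmp, the "public"/"private" list and the 8-character minimum are assumptions made for this example.

```python
import re

# Well-known default community strings (general SNMP knowledge, assumed here).
WEAK_COMMUNITIES = {"public", "private"}
HOST_RE = re.compile(r"^snmp-server host (\S+) (\S+) community (\S+)")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)")

# The configuration example from the post, pasted with its CLI prompt.
PAGE_EXAMPLE = """\
ASA(config)# snmp-server enable
ASA(config)# snmp-server host inside 10.1.1.100 community secret_Key
ASA(config)# snmp-server community secret_Key
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart
"""


def audit_snmp(config_text, min_len=8):
    """Return a list of findings for the snmp-server lines in an ASA config."""
    # Drop a leading prompt such as "ASA(config)# " if the lines came from a session.
    lines = [re.sub(r"^\S+#\s*", "", l.strip()) for l in config_text.splitlines()]
    findings, hosts, host_comms, global_comms = [], [], [], []
    enabled = traps = False
    for line in lines:
        if line == "snmp-server enable":
            enabled = True
        elif line.startswith("snmp-server enable traps"):
            traps = True
        elif m := HOST_RE.match(line):
            hosts.append((m.group(1), m.group(2)))
            host_comms.append(m.group(3))
        elif m := COMMUNITY_RE.match(line):
            global_comms.append(m.group(1))
    # One entry per missing step, in the order the post gives them.
    steps = [(enabled, "step 1 missing: snmp-server enable"),
             (hosts, "step 2 missing: no snmp-server host (NMS) defined"),
             (global_comms, "step 3 missing: snmp-server community"),
             (traps, "step 4 missing: snmp-server enable traps")]
    findings += [msg for present, msg in steps if not present]
    for c in sorted(set(host_comms + global_comms)):
        if c.lower() in WEAK_COMMUNITIES:
            findings.append(f"default community string in use: {c}")
        elif len(c) < min_len:
            findings.append(f"community string shorter than {min_len} characters")
    for iface, ip in hosts:
        findings.append(f"note: host {ip} on {iface} uses a community string (v1/v2c), not SNMP v3")
    return findings


print("\n".join(audit_snmp(PAGE_EXAMPLE)))
```
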














