Information About SNMP
SNMP is an application-layer protocol that facilitates the exchange of management information between network devices and is part of the TCP/IP protocol suite. This section describes SNMP and includes the following topics:
The ASA and ASASM provide support for network monitoring using SNMP Versions 1, 2c, and 3, and supports the use of all three versions simultaneously. The SNMP agent running on the ASA interface lets you monitor the ASA and ASASM through network management systems (NMSs), such as HP OpenView. The ASA and ASASM support SNMP read-only access through issuance of a GET request. SNMP write access is not allowed, so you cannot make changes with SNMP. In addition, the SNMP SET request is not supported.
You can configure the ASA and ASASM to send traps, which are unsolicited messages from the managed device to the management station for certain events (event notifications) to an NMS, or you can use the NMS to browse the MIBs on the ASA. MIBs are a collection of definitions, and the ASA and ASASM maintain a database of values for each definition. Browsing a MIB means issuing a series of GET-NEXT or GET-BULK requests of the MIB tree from the NMS to determine values.
The ASA and ASASM have an SNMP agent that notifies designated management stations if events occur that are predefined to require a notification, for example, when a link in the network goes up or down. The notification it sends includes an SNMP OID, which identifies itself to the management stations. The ASA or ASASM SNMP agent also replies when a management station asks for information.
Information About SNMP Terminology
Table 42-1 lists the terms that are commonly used when working with SNMP:
Table 42-1 SNMP Terminology
|
|
Agent |
The SNMP server running on the ASA. The SNMP agent has the following features:
- Responds to requests for information and actions from the network management station.
- Controls access to its Management Information Base, the collection of objects that the SNMP manager can view or change.
- Does not allow set operations.
|
Browsing |
Monitoring the health of a device from the network management station by polling required information from the SNMP agent on the device. This activity may include issuing a series of GET-NEXT or GET-BULK requests of the MIB tree from the network management station to determine values. |
Management Information Bases (MIBs) |
Standardized data structures for collecting information about packets, connections, buffers, failovers, and so on. MIBs are defined by the product, protocols, and hardware standards used by most network devices. SNMP network management stations can browse MIBs and request specific data or events be sent as they occur. |
Network management stations (NMSs) |
The PCs or workstations set up to monitor SNMP events and manage devices, such as the ASA and ASASM. |
Object identifier (OID) |
The system that identifies a device to its NMS and indicates to users the source of information monitored and displayed. |
Trap |
Predefined events that generate a message from the SNMP agent to the NMS. Events include alarm conditions such as linkup, linkdown, coldstart, warmstart, authentication, or syslog messages. |
SNMP Version 3
This section describes SNMP Version 3 and includes the following topics:
SNMP Version 3 Overview
SNMP Version 3 provides security enhancements that are not available in SNMP Version 1 or SNMP Version 2c. SNMP Versions 1 and 2c transmit data between the SNMP server and SNMP agent in clear text. SNMP Version 3 adds authentication and privacy options to secure protocol operations. In addition, this version controls access to the SNMP agent and MIB objects through the User-based Security Model (USM) and View-based Access Control Model (VACM). The ASA and ASASM also support the creation of SNMP groups and users, as well as hosts, which is required to enable transport authentication and encryption for secure SNMP communications.
Security Models
For configuration purposes, the authentication and privacy options are grouped together into security models. Security models apply to users and groups, which are divided into the following three types:
- NoAuthPriv—No Authentication and No Privacy, which means that no security is applied to messages.
- AuthNoPriv—Authentication but No Privacy, which means that messages are authenticated.
- AuthPriv—Authentication and Privacy, which means that messages are authenticated and encrypted.
SNMP Groups
An SNMP group is an access control policy to which users can be added. Each SNMP group is configured with a security model, and is associated with an SNMP view. A user within an SNMP group must match the security model of the SNMP group. These parameters specify what type of authentication and privacy a user within an SNMP group uses. Each SNMP group name and security model pair must be unique.
SNMP Users
SNMP users have a specified username, a group to which the user belongs, authentication password, encryption password, and authentication and encryption algorithms to use. The authentication algorithm options are MD5 and SHA. The encryption algorithm options are DES, 3DES, and AES (which is available in 128, 192, and 256 versions). When you create a user, you must associate it with an SNMP group. The user then inherits the security model of the group.
SNMP Hosts
An SNMP host is an IP address to which SNMP notifications and traps are sent. To configure SNMP Version 3 hosts, along with the target IP address, you must configure a username, because traps are only sent to a configured user. SNMP target IP addresses and target parameter names must be unique on the ASA and ASA Services Module. Each SNMP host can have only one username associated with it. To receive SNMP traps, configure the SNMP NMS, and make sure that you configure the user credentials on the NMS to match the credentials for the ASA and ASASM.
Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software
The SNMP Version 3 implementation in the ASA and ASASM differs from the SNMP Version 3 implementation in the Cisco IOS software in the following ways:
- The local-engine and remote-engine IDs are not configurable. The local engine ID is generated when the ASA or ASASM starts or when a context is created.
- No support exists for view-based access control, which results in unrestricted MIB browsing.
- Support is restricted to the following MIBs: USM, VACM, FRAMEWORK, and TARGET.
- You must create users and groups with the correct security model.
- You must remove users, groups, and hosts in the correct sequence.
- Use of the snmp-server host command creates an ASA or ASASM rule to allow incoming SNMP traffic.
Configuring SNMP
This section describes how to configure SNMP and includes the following topics:
Enabling SNMP
The SNMP agent that runs on the ASA performs two functions:
- Replies to SNMP requests from NMSs.
- Sends traps (event notifications) to NMSs.
To enable the SNMP agent and identify an NMS that can connect to the SNMP server, see the following pane:
|
|
Configuration > Device Management > Management Access > SNMP |
Ensures that the SNMP server on the ASA or ASASM is enabled. By default, the SNMP server is enabled. |
Configuring an SNMP Management Station
To receive requests from the ASA. you must configure an SNMP management station in ASDM.
To configure an SNMP management station, perform the following steps:
Step 1 Choose Configuration > Device Management > Management Access > SNMP .
Step 2 In the SNMP Management Stations pane, click Add .
The Add SNMP Host Access Entry dialog box appears.
Step 3 From the Interface Name drop-down list, choose the interface on which the SNMP host resides.
Step 4 In the IP Address field, enter the SNMP host IP address.
Step 5 In the UDP Port field, enter the SNMP host UDP port, or keep the default, port 162.
Step 6 In the Community String field, add the SNMP host community string. If no community string is specified for a management station, the value set in the Community String (default) field on the SNMP Management Stations pane is used.
Step 7 From the SNMP Version drop-down list, choose the SNMP version used by the SNMP host.
Step 8 If you have selected SNMP Version 3 in the previous step, from the Username drop-down list, choose the name of a configured user.
Step 9 To specify the method for communicating with this NMS, check either the Poll or Trap check box.
Step 10 Click OK .
The Add SNMP Host Access Entry dialog box closes.
Step 11 Click Apply .
The NMS is configured and changes are saved to the running configuration. For more information about SNMP Version 3 NMS tools, see the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa82/snmp/snmpv3_tools.html
Configuring SNMP Traps
To designate which traps that the SNMP agent generates and how they are collected and sent to NMSs, perform the following steps:
Step 1 Choose Configuration > Device Management > Management Access > SNMP .
Step 2 Click Configure Traps .
The SNMP Trap Configuration dialog box appears.
Step 3 The traps are divided into the following categories: standard, IKEv2, entity MIB, IPsec, remote access, resource, NAT, syslog, CPU utilization, CPU utilization and monitoring interval, and SNMP interface threshold. Check the applicable check boxes for the SNMP events to notify through SNMP traps. The default configuration has all SNMP standard traps enabled. If you do not specify a trap type, the default is the syslog trap. The default SNMP traps continue to be enabled with the syslog trap. All other traps are disabled by default. To disable a trap, uncheck the applicable check box. To configure the syslog trap severity level, choose Configuration > Device Management > Logging > Logging Filters .
Step 4 Click OK .
The SNMP Trap Configuration dialog box closes.
Step 5 Click Apply .
The SNMP traps are configured and the changes are saved to the running configuration.
What to Do Next
Choose one of the following:
Using SNMP Version 1 or 2c
To configure parameters for SNMP Version 1 or 2c, perform the following steps:
Step 1 Choose Configuration > Device Management > Management Access > SNMP.
Step 2 (Optional) Enter a default community string in the Community String (default) field.
Enter the password used by the SNMP NMSs when sending requests to the ASA. The SNMP community string is a shared secret among the SNMP NMSs and the network nodes being managed. The ASA uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 alphanumeric characters. Spaces are not permitted. The default is public. SNMP Version 2c allows separate community strings to be set for each NMS. If no community string is configured for any NMS, the value set here is used by default.
Step 3 In the Contact field, enter the name of the ASA system administrator. The text is case-sensitive and can be up to 127 alphabetic characters. Spaces are accepted, but multiple spaces are shortened to a single space.
Step 4 In the ASA Location field, enter the location of the ASA being managed by SNMP. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
Step 5 In the Listening Port field, enter the number of the ASA port that listens for SNMP requests from NMSs; or keep the default, port number 161.
Step 6 Click Apply .
SNMP parameters for Versions 1 and 2c are configured and the changes are saved to the running configuration.
Using SNMP Version 3
To configure parameters for SNMP Version 3, perform the following steps:
Step 1 Choose Configuration > Device Management > Management Access > SNMP.
Step 2 In the SNMPv3 Users pane, to add a configured user or a new user to a group, on the SNMPv3 User/Group tab, click Add > SNMP User . To change user parameters, click Edit > SNMP User . To remove a configured user from a group, select the user, then click Delete > SNMP User . When you remove the last user in a group, ASDM deletes the group.
Note After a user has been created, you cannot change the group to which the user belongs.
The Add SNMP User Entry dialog box appears.
Step 3 From the Group Name drop-down list, choose the group to which the SNMP user belongs. The available groups are as follows:
- Auth&Encryption, in which users have authentication and encryption configured
- Authentication_Only, in which users have only authentication configured
- No_Authentication, in which users have neither authentication nor encryption configured
Step 4 In the Username field, enter the name of a configured user or a new user. The username must be unique for the SNMP server group selected.
Step 5 Indicate the type of password you want to use by clicking one of the two radio buttons: Encrypted or Clear Text .
Step 6 Indicate the type of authentication you want to use by clicking one of the two radio buttons: MD5 or SHA .
Step 7 In the Authentication Password field, type the password to use for authentication.
Step 8 Indicate the type of encryption you want to use by clicking one of these three radio buttons: DES , 3DES , or AES .
Step 9 If you chose AES encryption, then from the AES Size drop-down list, choose the level of AES encryption to use: 128 , 192 , or 256 .
Step 10 In the Encryption Password field, type the password to use for encryption. The maximum number of alphanumeric characters allowed for this password is 64.
Step 11 Click OK to create a group (if this is the first user in that group), display this group in the Group Name drop-down list, and create a user for that group.
The Add SNMP User Entry dialog box closes.
Step 12 Click Apply .
SNMP parameters for Version 3 are configured, and the changes are saved to the running configuration.
Configuring a Group of Users
To configure an SNMP user list with a group of specified users in it, perform the following steps:
Step 1 Choose Configuration > Device Management > Management Access > SNMP.
Step 2 In the SNMPv3 Users pane, to add a configured user group or a new user group, on the SNMPv3 User/Group tab, click Add > SNMP User Group . To change group parameters, click Edit > SNMP Group . To remove a configured user group, select it, then click Delete > SNMP Group . When you remove the last user in a group, ASDM deletes the group.
The Add SNMP User Group dialog box appears.
Step 3 Enter the user group name.
Step 4 To select an existing user or user group, click the Existing User/User Group radio button.
Step 5 To create a new user, click the Create new user radio button.
Step 6 From the Group Name drop-down list, choose the group to which the SNMP user belongs. The available groups are as follows:
- Auth&Encryption, in which users have authentication and encryption configured
- Authentication_Only, in which users have only authentication configured
- No_Authentication, in which users have neither authentication nor encryption configured
Step 7 In the Username field, enter the name of a configured user or a new user. The username must be unique for the SNMP server group selected.
Step 8 Indicate the type of password you want to use by clicking one of the two radio buttons: Encrypted or Clear Text .
Step 9 Indicate the type of authentication you want to use by clicking one of the two radio buttons: MD5 or SHA .
Step 10 In the Authentication Password field, type the password to use for authentication.
Step 11 Retype the password to use for authentication.
Step 12 Indicate the type of encryption you want to use by clicking one of these three radio buttons: DES , 3DES , or AES .
Step 13 In the Encryption Password field, type the password to use for encryption. The maximum number of alphanumeric characters allowed for this password is 64.
Step 14 Retype the password to use for encryption.
Step 15 Click Add to add the new user to the specified user group in the Members in Group pane. Click Remove to remove the new user from the Members in Group pane.
Step 16 Click OK to create a new user for the specified user group.
The Add SNMP User Group dialog box closes.
Step 17 Click Apply .
SNMP parameters for Version 3 are configured, and the changes are saved to the running configuration.