This chapter describes how to configure Simple Network Management Protocol (SNMP) to monitor the ASA.
SNMP is an application-layer protocol that facilitates the exchange of management information between network devices and is part of the TCP/IP protocol suite.
The ASA, ASAv, and ASASM provide support for network monitoring using SNMP Versions 1, 2c, and 3, and support the use of all three versions simultaneously. The SNMP agent running on the ASA interface lets you monitor the ASA and ASASM through network management systems (NMSs), such as HP OpenView. The ASA, ASAv, and ASASM support SNMP read-only access through issuance of a GET request. SNMP write access is not allowed, so you cannot make changes with SNMP. In addition, the SNMP SET request is not supported.
You can configure the ASA, ASAv, and ASASM to send traps, which are unsolicited messages from the managed device to the management station for certain events (event notifications) to an NMS, or you can use the NMS to browse the MIBs on the ASA. MIBs are a collection of definitions, and the ASA, ASAv, and ASASM maintain a database of values for each definition. Browsing a MIB means issuing a series of GET-NEXT or GET-BULK requests of the MIB tree from the NMS to determine values.
The ASA, ASAv, and ASASM have an SNMP agent that notifies designated management stations if events occur that are predefined to require a notification, for example, when a link in the network goes up or down. The notification it sends includes an SNMP OID, which identifies itself to the management stations. The ASA, ASAv, or ASASM SNMP agent also replies when a management station asks for information.
Table 46-1 lists the terms that are commonly used when working with SNMP:
SNMP Version 3 provides security enhancements that are not available in SNMP Version 1 or SNMP Version 2c. SNMP Versions 1 and 2c transmit data between the SNMP server and SNMP agent in clear text. SNMP Version 3 adds authentication and privacy options to secure protocol operations. In addition, this version controls access to the SNMP agent and MIB objects through the User-based Security Model (USM) and View-based Access Control Model (VACM). The ASA and ASASM also support the creation of SNMP groups and users, as well as hosts, which is required to enable transport authentication and encryption for secure SNMP communications.
For configuration purposes, the authentication and privacy options are grouped together into security models. Security models apply to users and groups, which are divided into the following three types:
An SNMP group is an access control policy to which users can be added. Each SNMP group is configured with a security model, and is associated with an SNMP view. A user within an SNMP group must match the security model of the SNMP group. These parameters specify what type of authentication and privacy a user within an SNMP group uses. Each SNMP group name and security model pair must be unique.
SNMP users have a specified username, a group to which the user belongs, authentication password, encryption password, and authentication and encryption algorithms to use. The authentication algorithm options are MD5 and SHA. The encryption algorithm options are DES, 3DES, and AES (which is available in 128, 192, and 256 versions). When you create a user, you must associate it with an SNMP group. The user then inherits the security model of the group.
An SNMP host is an IP address to which SNMP notifications and traps are sent. To configure SNMP Version 3 hosts, along with the target IP address, you must configure a username, because traps are only sent to a configured user. SNMP target IP addresses and target parameter names must be unique on the ASA and ASA Services Module. Each SNMP host can have only one username associated with it. To receive SNMP traps, configure the SNMP NMS, and make sure that you configure the user credentials on the NMS to match the credentials for the ASA and ASASM.
The SNMP Version 3 implementation in the ASA and ASASM differs from the SNMP Version 3 implementation in the Cisco IOS software in the following ways:
SNMP has the following prerequisite:
You must have Cisco Works for Windows or another SNMP MIB-II compliant browser to receive SNMP traps or browse a MIB.
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Supported in routed and transparent firewall mode.
– Remove the users from that group.
– Change the group security level.
– Add users that belong to the new group.
This section describes how to configure SNMP.
The SNMP agent that runs on the ASA performs two functions:
To enable the SNMP agent and identify an NMS that can connect to the SNMP server, see the following pane:
Configuration > Device Management > Management Access > SNMP
Ensures that the SNMP server on the ASA, ASAv, or ASASM is enabled. By default, the SNMP server is enabled.
To receive requests from the ASA, you must configure an SNMP management station in ASDM.
To configure an SNMP management station, perform the following steps:
Step 1 Choose Configuration > Device Management > Management Access > SNMP.
Step 2 In the SNMP Management Stations pane, click Add.
The Add SNMP Host Access Entry dialog box appears.
Step 3 From the Interface Name drop-down list, choose the interface on which the SNMP host resides.
Step 4 In the IP Address field, enter the SNMP host IP address.
Step 5 In the UDP Port field, enter the SNMP host UDP port, or keep the default, port 162.
Step 6 In the Community String field, add the SNMP host community string. If no community string is specified for a management station, the value set in the Community String (default) field on the SNMP Management Stations pane is used.
Step 7 From the SNMP Version drop-down list, choose the SNMP version used by the SNMP host.
Step 8 If you have selected SNMP Version 3 in the previous step, from the Username drop-down list, choose the name of a configured user.
Step 9 To specify the method for communicating with this NMS, check either the Poll or Trap check box.
The Add SNMP Host Access Entry dialog box closes.
The NMS is configured and changes are saved to the running configuration. For more information about SNMP Version 3 NMS tools, see the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa82/snmp/snmpv3_tools.html
To designate which traps that the SNMP agent generates and how they are collected and sent to NMSs, perform the following steps:
Step 1 Choose Configuration > Device Management > Management Access > SNMP.
The SNMP Trap Configuration dialog box appears.
Step 3 The traps are divided into the following categories: standard, IKEv2, entity MIB, IPsec, remote access, resource, NAT, syslog, CPU utilization, CPU utilization and monitoring interval, and SNMP interface threshold. Check the applicable check boxes for the SNMP events to notify through SNMP traps. The default configuration has all SNMP standard traps enabled. If you do not specify a trap type, the default is the syslog trap. The default SNMP traps continue to be enabled with the syslog trap. All other traps are disabled by default. To disable a trap, uncheck the applicable check box. To configure the syslog trap severity level, choose Configuration > Device Management > Logging > Logging Filters.
Step 4 Click OK to close the SNMP Trap Configuration dialog box.
The SNMP traps are configured and the changes are saved to the running configuration.
To configure parameters for SNMP Version 1 or 2c, perform the following steps:
Step 1 Choose Configuration > Device Management > Management Access > SNMP.
Step 2 Enter a default community string in the Community String (default) field if you are using SNMP Version 1 or 2c. Enter the password used by the SNMP NMSs when they send requests to the ASA. The SNMP community string is a shared secret among the SNMP NMSs and the network nodes being managed. The ASA uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 alphanumeric characters long. Spaces are not permitted. The default is public. SNMP Version 2c allows separate community strings to be set for each NMS. If no community string is configured for any NMS, the value set here is used by default.
Step 3 In the Contact field, enter the name of the ASA system administrator. The text is case-sensitive and can be up to 127 alphabetic characters. Spaces are accepted, but multiple spaces are shortened to a single space.
Step 4 In the ASA Location field, enter the location of the ASA being managed by SNMP. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
Step 5 In the Listening Port field, enter the number of the ASA port that listens for SNMP requests from NMSs; or keep the default, port number 161.
Step 6 In the SNMP Host Access List pane, click Add to display the Add SNMP Host Access Entry dialog box.
Step 7 Choose the interface name from which traps are sent from the drop-down list.
Step 8 Enter the IP address of the NMS or SNMP manager that can connect to the ASA.
Step 9 Enter the UDP port number. The default is 162.
Step 10 Choose the SNMP version that you are using from the drop-down list. If you choose Version 1 or Version 2c, you must enter the community string. If you choose Version 3, you must choose the username from the drop-down list.
Step 11 In the Server Poll/Trap Specification area, check the Poll check box to limit the NMS to sending requests (polling) only. Check the Trap check box to limit the NMS to receiving traps only. You may check both check boxes to perform both functions of the SNMP host.
Step 12 Click OK to close the Add SNMP Host Access Entry dialog box.
The new host appears in the SNMP Host Access List pane.
SNMP parameters for Versions 1, 2c, or 3 are configured and the changes are saved to the running configuration.
See Monitoring SNMP.
To configure parameters for SNMP Version 3, perform the following steps:
Step 1 Choose Configuration > Device Management > Management Access > SNMP.
Step 2 In the SNMPv3 Users pane, to add a configured user or a new user to a group, on the SNMPv3 User/Group tab, click Add > SNMP User. To change user parameters, click Edit > SNMP User. To remove a configured user from a group, select the user, then click Delete > SNMP User. When you remove the last user in a group, ASDM deletes the group.
Note After a user has been created, you cannot change the group to which the user belongs.
The Add SNMP User Entry dialog box appears.
Step 3 From the Group Name drop-down list, choose the group to which the SNMP user belongs. The available groups are as follows:
Note You cannot change the group names.
Step 4 To use the User-based Security Model (USM) groups, click the USM Model tab.
Step 5 To add a USM group, click Add. To modify an existing USM group, select it, then click Edit. To remove an existing USM group, select it, then click Delete.
The Add or Edit SNMP USM Entry dialog box appears.
Step 6 In the Group Name field, enter the group name.
Step 7 Choose the security level from the drop-down list. This setting allows you to assign a configured USM group as a security level to SNMPv3 users.
Step 8 In the Username field, enter the name of a configured user or a new user. The username must be unique for the SNMP server group selected.
Step 9 Indicate the type of password you want to use by clicking one of the two radio buttons: Encrypted or Clear Text.
Step 10 Indicate the type of authentication you want to use by clicking one of the two radio buttons: MD5 or SHA.
Step 11 In the Authentication Password field, type the password to use for authentication.
Step 12 Indicate the type of encryption you want to use by clicking one of these three radio buttons: DES, 3DES, or AES.
Step 13 If you chose AES encryption, then from the AES Size drop-down list, choose the level of AES encryption to use: 128, 192, or 256.
Step 14 In the Encryption Password field, type the password to use for encryption. The maximum number of alphanumeric characters allowed for this password is 64.
Step 15 Click OK to create a group (if this is the first user in that group), display this group in the Group Name drop-down list, and create a user for that group.
The Add SNMP User Entry dialog box closes.
SNMP parameters for Version 3 are configured, and the changes are saved to the running configuration.
See Monitoring SNMP.
To configure an SNMP user list with a group of specified users in it, perform the following steps:
Step 1 Choose Configuration > Device Management > Management Access > SNMP.
Step 2 In the SNMPv3 Users pane, to add a configured user group or a new user group, on the SNMPv3 User/Group tab, click Add > SNMP User Group. To change group parameters, click Edit > SNMP Group. To remove a configured user group, select it, then click Delete > SNMP Group. When you remove the last user in a group, ASDM deletes the group.
The Add SNMP User Group dialog box appears.
Step 3 Enter the user group name.
Step 4 To select an existing user or user group, click the Existing User/User Group radio button.
Step 5 To create a new user, click the Create new user radio button.
Step 6 From the Group Name drop-down list, choose the group to which the SNMP user belongs. The available groups are as follows:
Step 7 In the Username field, enter the name of a configured user or a new user. The username must be unique for the SNMP server group selected.
Step 8 Indicate the type of password you want to use by clicking one of the two radio buttons: Encrypted or Clear Text.
Step 9 Indicate the type of authentication you want to use by clicking one of the two radio buttons: MD5 or SHA.
Step 10 In the Authentication Password field, type the password to use for authentication.
Step 11 Retype the password to use for authentication.
Step 12 Indicate the type of encryption you want to use by clicking one of these three radio buttons: DES, 3DES, or AES.
Step 13 In the Encryption Password field, type the password to use for encryption. The maximum number of alphanumeric characters allowed for this password is 64.
Step 14 Retype the password to use for encryption.
Step 15 Click Add to add the new user to the specified user group in the Members in Group pane. Click Remove to delete an existing user from the Members in Group pane.
Step 16 Click OK to create a new user for the specified user group.
The Add SNMP User Group dialog box closes.
SNMP parameters for Version 3 are configured, and the changes are saved to the running configuration.
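The Version 1/2c and Version 3 procedures above are carried out in ASDM panes, and the weak choices they allow (a default community string, a group without the priv security level, MD5 or DES) are easy to miss once they are saved. The following added example, which is not from this guide or from Cisco, audits the result after the running configuration has been exported as text. It assumes that ASDM saves these panes as the ASA CLI forms of the snmp-server commands listed in its docstring; the sample configuration, its addresses, names and passwords are constructed. It flags Version 1/2c clear-text access, the documented default community string public, community strings outside the documented limit of 32 alphanumeric characters with no spaces, groups whose security level does not encrypt, users with MD5 authentication or DES/3DES encryption, and hosts or users that reference an undefined Version 3 user or group.

```python
"""Audit the SNMP settings in an exported ASA running configuration.

Added example, not from the ASDM guide or from Cisco. It assumes the panes
described in this chapter are saved as the ASA CLI forms of the same settings:
  snmp-server community <string>
  snmp-server host <if> <ip> [trap|poll] [community <string>]
                   [version {1|2c|3 <user>}] [udp-port <n>]
  snmp-server group <name> v3 {noauth|auth|priv}
  snmp-server user <name> <group> v3 [encrypted] auth {md5|sha} <pw>
                   [priv {des|3des|aes {128|192|256}} <pw>]
"""
import re
from typing import Dict, List, Tuple

# Documented community-string limits: up to 32 alphanumerics, no spaces, case-sensitive.
COMMUNITY_RE = re.compile(r"^[A-Za-z0-9]{1,32}$")
DEFAULT_COMMUNITY = "public"  # the documented default value

Finding = Tuple[str, str]  # (finding code, human-readable detail)


def valid_community(s: str) -> bool:
    """True if s satisfies the community-string constraints the guide states."""
    return COMMUNITY_RE.match(s) is not None


def _check_community(s: str, where: str, findings: List[Finding]) -> None:
    if not valid_community(s):
        findings.append(("COMMUNITY-FORMAT", f"{where}: community is not 1-32 alphanumerics"))
    if s == DEFAULT_COMMUNITY:
        findings.append(("COMMUNITY-DEFAULT", f"{where}: default community string in use"))


def audit_snmp_config(config: str) -> List[Finding]:
    """Return (code, detail) findings for weak or inconsistent SNMP settings."""
    findings: List[Finding] = []
    groups: Dict[str, str] = {}           # group name -> security level
    users: Dict[str, str] = {}            # user name -> group name
    v3_hosts: List[Tuple[str, str]] = []  # (host ip, referenced v3 user)
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "snmp-server":
            continue
        kind = tok[1]
        if kind == "community":
            _check_community(tok[2], "default community", findings)
        elif kind == "group" and len(tok) >= 5:
            groups[tok[2]] = tok[4]
            if tok[4] != "priv":
                findings.append(("GROUP-LEVEL", f"group {tok[2]}: level {tok[4]} does not encrypt"))
        elif kind == "user" and len(tok) >= 4:
            name, group = tok[2], tok[3]
            users[name] = group
            if "auth" in tok and tok.index("auth") + 1 < len(tok) and tok[tok.index("auth") + 1] == "md5":
                findings.append(("USER-MD5", f"user {name}: MD5 authentication"))
            if "priv" in tok and tok.index("priv") + 1 < len(tok):
                alg = tok[tok.index("priv") + 1]
                if alg in ("des", "3des"):
                    findings.append(("USER-WEAK-PRIV", f"user {name}: {alg} encryption"))
            else:
                findings.append(("USER-NO-PRIV", f"user {name}: no encryption password"))
        elif kind == "host" and len(tok) >= 4:
            ip = tok[3]
            # Assumption: a host line without a version keyword is community-based (v1/2c).
            version = tok[tok.index("version") + 1] if "version" in tok else "1/2c"
            if version == "3":
                idx = tok.index("version") + 2
                v3_hosts.append((ip, tok[idx] if idx < len(tok) else ""))
            else:
                findings.append(("HOST-CLEARTEXT", f"host {ip}: SNMP version {version} sends clear text"))
            if "community" in tok and tok.index("community") + 1 < len(tok):
                _check_community(tok[tok.index("community") + 1], f"host {ip}", findings)
    # Cross-references: every user needs a defined group, every v3 host a defined user.
    for name, group in users.items():
        if group not in groups:
            findings.append(("USER-UNKNOWN-GROUP", f"user {name}: group {group} is not defined"))
    for ip, user in v3_hosts:
        if user not in users:
            findings.append(("HOST-UNKNOWN-USER", f"host {ip}: v3 user {user!r} is not defined"))
    return findings


# Constructed sample running configuration (addresses, names and passwords are invented).
SAMPLE_CONFIG = """\
snmp-server community public
snmp-server host inside 10.1.1.5 poll community public version 2c
snmp-server host inside 10.1.1.6 trap version 3 nms-monitor udp-port 162
snmp-server group monitor-ro v3 priv
snmp-server group legacy-ro v3 noauth
snmp-server user nms-monitor monitor-ro v3 auth sha AuthExample1 priv aes 256 PrivExample1
snmp-server user old-poller legacy-ro v3 auth md5 WeakAuthPw priv des WeakPrivPw
snmp-server location Lab rack 4
"""

if __name__ == "__main__":
    for code, detail in audit_snmp_config(SAMPLE_CONFIG):
        print(f"{code:20} {detail}")
```

Run against the constructed sample, the audit reports the default community string twice (once as the default, once on the Version 2c host), the clear-text host, the noauth group and the MD5/DES user, while the Version 3 user with SHA and AES 256 produces no finding. A configuration that contains only a priv group, a SHA/AES user and a Version 3 host returns an empty list.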
NMSs are the PCs or workstations that you set up to monitor SNMP events and manage devices, such as the ASA. You can monitor the health of a device from an NMS by polling required information from the SNMP agent that has been set up on the device. Predefined events from the SNMP agent to the NMS generate syslog messages.
SNMP generates detailed syslog messages that are numbered 212nnn. Syslog messages indicate the status of SNMP requests, SNMP traps, SNMP channels, and SNMP responses from the ASA or ASASM to a specified host on a specified interface.
For detailed information about syslog messages, see the syslog messages guide.
Note SNMP polling fails if SNMP syslog messages exceed a high rate (approximately 4000 per second).
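The 212nnn numbering and the rate limit in the note above are what an operator has to work with when polling starts to fail, so the following added example (not from this guide or from Cisco) parses ASA syslog lines, keeps only the SNMP messages, and reports the per-second rate against the stated threshold of approximately 4000 messages per second. It assumes the ASA syslog header format with timestamps enabled, "Mon DD YYYY HH:MM:SS: %ASA-<severity>-<message id>: <text>"; the sample lines are constructed and their message texts are placeholders, not quotations from the syslog messages guide.

```python
"""Parse ASA syslog lines for SNMP (212nnn) messages and watch their rate.

Added example, not from the ASDM guide or from Cisco. It assumes the ASA
syslog header format with timestamps enabled:
  Mon DD YYYY HH:MM:SS: %ASA-<severity>-<message id>: <text>
The sample lines below are constructed and their texts are placeholders.
"""
import re
from collections import Counter
from typing import Iterable, List, Optional

SNMP_MSGID_PREFIX = "212"      # SNMP syslog messages are numbered 212nnn
SNMP_POLL_FAILURE_RATE = 4000  # approximate per-second rate at which polling fails

HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)


def parse_syslog(line: str) -> Optional[dict]:
    """Split one syslog line into timestamp, severity, message id and text."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def snmp_messages(lines: Iterable[str]) -> Iterable[dict]:
    """Yield only the parsed records whose message id is in the 212nnn range."""
    for line in lines:
        rec = parse_syslog(line)
        if rec is not None and rec["msgid"].startswith(SNMP_MSGID_PREFIX):
            yield rec


def snmp_rate_per_second(lines: Iterable[str]) -> Counter:
    """Count SNMP messages per timestamp second (the header has 1 s resolution)."""
    return Counter(rec["ts"] for rec in snmp_messages(lines))


def seconds_over_threshold(lines: Iterable[str],
                           threshold: int = SNMP_POLL_FAILURE_RATE) -> List[str]:
    """Return the seconds in which the SNMP message rate exceeded the threshold."""
    lines = list(lines)
    return sorted(ts for ts, n in snmp_rate_per_second(lines).items() if n > threshold)


def snmp_message_ids(lines: Iterable[str]) -> Counter:
    """Count SNMP messages by id, to see which 212nnn message dominates a burst."""
    return Counter(rec["msgid"] for rec in snmp_messages(lines))


def make_burst(second: str, count: int) -> List[str]:
    """Constructed burst: `count` SNMP messages all stamped with the same second."""
    return [f"{second}: %ASA-3-212005: constructed: oversized SNMP request discarded"
            for _ in range(count)]


# Constructed sample lines; the message texts are placeholders.
SAMPLE_LINES = [
    "Jan 12 2024 10:15:01: %ASA-3-212001: constructed: SNMP channel not opened on interface inside",
    "Jan 12 2024 10:15:01: %ASA-6-302013: constructed: non-SNMP message, must be ignored",
    "Jan 12 2024 10:15:02: %ASA-3-212005: constructed: oversized SNMP request discarded",
    "Jan 12 2024 10:15:02: %ASA-3-212005: constructed: oversized SNMP request discarded",
    "not a syslog line at all",
]

if __name__ == "__main__":
    burst = SAMPLE_LINES + make_burst("Jan 12 2024 10:15:03", 4500)
    print("SNMP messages per second:", dict(snmp_rate_per_second(burst)))
    print("message ids:", dict(snmp_message_ids(burst)))
    print("seconds over threshold:", seconds_over_threshold(burst))
```

The non-SNMP line and the unparseable line are dropped, the two sample seconds stay well under the threshold, and only the constructed burst second is reported; lowering the threshold argument is a convenient way to exercise the check on a small capture.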
To monitor SNMP, perform the following steps:
To configure the syslog server, see Chapter 45, “Logging.”
For additional information related to implementing SNMP, see the following sections:
For a list of supported MIBs and traps for the ASA, ASAv, and ASASM by release, see the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Not all OIDs in MIBs are supported. To obtain a list of the supported SNMP MIBs and OIDs for a specific ASA or ASASM, choose Tools > Command Line Interface, enter the show snmp-server oidlist command, then click Send.
Note Although the oidlist keyword does not appear in the options list for the show snmp-server command help, it is available. However, this command is for Cisco TAC use only. Contact the Cisco TAC before using this command.
The following is sample output from the show snmp-server oidlist command:
For information about SNMP support, see the following URL:
http://www.cisco.com/en/US/tech/tk648/tk362/tk605/tsd_technology_support_sub-protocol_home.html
For information about using third-party tools to walk SNMP Version 3 MIBs, see the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa83/snmp/snmpv3_tools.html
Table 46-2 lists each feature change and the platform release in which it was implemented. ASDM is backward-compatible with multiple platform releases, so the specific ASDM release in which support was added is not listed.