- About This Guide
- Index
- Glossary
-
- Configuring IPSec and ISAKMP
- Configuring L2TP over IPSec
- Setting General VPN Parameters
- Configuring Tunnel Groups, Group Policies, and Users
- Configuring IP Addresses for VPN
- Configuring Remote Access VPNs
- Configuring Network Admission Control
- Configuring Easy VPN on the ASA 5505
- Configuring the PPPoE Client
- Configuring LAN-to-LAN VPNs
- Configuring Clientless SSL VPN
- Configuring AnyConnect VPN Client Connections
- Configuring AnyConnect Host Scan
- Information About SNMP
Configuring SNMP
This chapter describes how to configure SNMP to monitor the ASA and includes the following sections:
Information About SNMP
SNMP is an application-layer protocol that facilitates the exchange of management information between network devices and is part of the TCP/IP protocol suite. This section describes SNMP and includes the following topics:
- Information About SNMP Terminology
- Information About MIBs and Traps
- SNMP Object Identifiers
- SNMP Physical Vendor Type Values
- Supported Tables in MIBs
- Supported Traps (Notifications)
- SNMP Version 3
The ASA provides support for network monitoring using SNMP Versions 1, 2c, and 3, and supports the use of all three versions simultaneously. The SNMP agent running on the ASA interface lets you monitor the ASA and through network management systems (NMSs), such as HP OpenView. The ASA supports SNMP read-only access through issuance of a GET request. SNMP write access is not allowed, so you cannot make changes with SNMP. In addition, the SNMP SET request is not supported.
You can configure the ASA to send traps, which are unsolicited messages from the managed device to the management station for certain events (event notifications) to an NMS, or you can use the NMS to browse the MIBs on the ASA. MIBs are a collection of definitions, and the ASA maintains a database of values for each definition. Browsing a MIB means issuing a series of GET-NEXT or GET-BULK requests of the MIB tree from the NMS to determine values.
The ASA has an SNMP agent that notifies designated management stations if events occur that are predefined to require a notification, for example, when a link in the network goes up or down. The notification it sends includes an SNMP OID, which identifies itself to the management stations. The ASASNMP agent also replies when a management station asks for information.
Information About SNMP Terminology
Table 79-1 lists the terms that are commonly used when working with SNMP:
Information About MIBs and Traps
MIBs are either standard or enterprise-specific. Standard MIBs are created by the IETF and documented in various RFCs. A trap reports significant events occurring on a network device, most often errors or failures. SNMP traps are defined in either standard or enterprise-specific MIBs. Standard traps are created by the IETF and documented in various RFCs. SNMP traps are compiled into the ASA software.
If needed, you can also download RFCs, standard MIBs, and standard traps from the following locations:
ftp://ftp-sj.cisco.com/pub/mibs
Download a complete list of Cisco MIBs, traps, and OIDs from the following location:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
In addition, download Cisco OIDs by FTP from the following location:
ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz
Note In software versions 7.2(1), 8.0(2), and later, the interface information accessed through SNMP refreshes about every 5 seconds. As a result, we recommend that you wait for at least 5 seconds between consecutive polls.
SNMP Object Identifiers
Each Cisco system-level product has an SNMP object identifier (OID) for use as a MIB-II sysObjectID. The CISCO-PRODUCTS-MIB includes the OIDs that can be reported in the sysObjectID object in the SNMPv2-MIB. You can use this value to identify the model type. Table 79-2 lists the sysObjectID OIDs for ASA models.
SNMP Physical Vendor Type Values
Each Cisco chassis or standalone system has a unique type number for SNMP use. The entPhysicalVendorType OIDs are defined in the CISCO-ENTITY-VENDORTYPE-OID-MIB. This value is returned in the entPhysicalVendorType object from the ASA SNMP agent. You can use this value to identify the type of component (module, power supply, fan, sensors, CPU, and so on). Table 79-3 lists the physical vendor type values for the ASA models.
Supported Tables in MIBs
Table 79-4 lists the supported tables and objects for the specified MIBs.
Supported Traps (Notifications)
Table 79-5 lists the supported traps (notifications) and their associated MIBs.
SNMP Version 3
This section describes SNMP Version 3 and includes the following topics:
SNMP Version 3 Overview
SNMP Version 3 provides security enhancements that are not available in SNMP Version 1 or SNMP Version 2c. SNMP Versions 1 and 2c transmit data between the SNMP server and SNMP agent in clear text. SNMP Version 3 adds authentication and privacy options to secure protocol operations. In addition, this version controls access to the SNMP agent and MIB objects through the User-based Security Model (USM) and View-based Access Control Model (VACM). The ASA also support the creation of SNMP groups and users, as well as hosts, which is required to enable transport authentication and encryption for secure SNMP communications.
Security Models
For configuration purposes, the authentication and privacy options are grouped together into security models. Security models apply to users and groups, which are divided into the following three types:
SNMP Groups
An SNMP group is an access control policy to which users can be added. Each SNMP group is configured with a security model, and is associated with an SNMP view. A user within an SNMP group must match the security model of the SNMP group. These parameters specify what type of authentication and privacy a user within an SNMP group uses. Each SNMP group name and security model pair must be unique.
SNMP Users
SNMP users have a specified username, a group to which the user belongs, authentication password, encryption password, and authentication and encryption algorithms to use. The authentication algorithm options are MD5 and SHA. The encryption algorithm options are DES, 3DES, and AES (which is available in 128, 192, and 256 versions). When you create a user, you must associate it with an SNMP group. The user then inherits the security model of the group.
SNMP Hosts
An SNMP host is an IP address to which SNMP notifications and traps are sent. To configure SNMP Version 3 hosts, along with the target IP address, you must configure a username, because traps are only sent to a configured user. SNMP target IP addresses and target parameter names must be unique on the ASA. Each SNMP host can have only one username associated with it. To receive SNMP traps, after you have added the snmp-server host command, make sure that you configure the user credentials on the NMS to match the credentials for the ASA.
Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software
The SNMP Version 3 implementation in the ASA and ASASM differs from the SNMP Version 3 implementation in the Cisco IOS software in the following ways:
- The local-engine and remote-engine IDs are not configurable. The local engine ID is generated when the ASA starts or when a context is created.
- No support exists for view-based access control, which results in unrestricted MIB browsing.
- Support is restricted to the following MIBs: USM, VACM, FRAMEWORK, and TARGET.
- You must create users and groups with the correct security model.
- You must remove users, groups, and hosts in the correct sequence.
- Use of the snmp-server host command creates an ASA rule to allow incoming SNMP traffic.
Licensing Requirements for SNMP
The following table shows the licensing requirements for this feature:
|
---|
Prerequisites for SNMP
SNMP has the following prerequisite:
You must have Cisco Works for Windows or another SNMP MIB-II compliant browser to receive SNMP traps or browse a MIB.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Supported in single and multiple context mode.
Supported in routed and transparent firewall mode.
- Supported in SNMP Version 3.
- The SNMP client in each ASA shares engine data with its peer. Engine data includes the engineID, engineBoots, and engineTime objects of the SNMP-FRAMEWORK-MIB. Engine data is written as a binary file to flash:/snmp/ contextname.
- Does not support view-based access control, but the VACM MIB is available for browsing to determine default view settings.
- The ENTITY-MIB is not available in the non-admin context. Use the IF-MIB instead to perform queries in the non-admin context.
- Does not support SNMP Version 3 for the AIP SSM or AIP SSC.
- Does not support SNMP debugging.
- Does not support retireval of ARP information.
- Does not support SNMP SET commands.
- When using NET-SNMP Version 5.4.2.1, only supports the encryption algorithm version of AES128. Does not support the encryption algorithm versions of AES256 or AES192.
- Changes to the existing configuration are rejected if the result places the SNMP feature in an inconsistent state.
- For SNMP Version 3, configuration must occur in the following order: group, user, host.
- Before a group is deleted, you must ensure that all users associated with that group are deleted.
- Before a user is deleted, you must ensure that no hosts are configured that are associated with that username.
- If users have been configured to belong to a particular group with a certain security model, and if the security level of that group is changed, you must do the following in this sequence:
– Remove the users from that group.
– Change the group security level.
– Add users that belong to the new group.
- The creation of custom views to restrict user access to a subset of MIB objects is not supported.
- All requests and traps are available in the default Read/Notify View only.
- The connection-limit-reached trap is generated in the admin context. To generate this trap. you must have at least one snmp-server host configured in the user context in which the connection limit has been reached.
- The value returned for ifNumber will be larger than the number of interfaces that you can query through SNMP, because ifNumber includes hidden internal interfaces that are not viewable.
- You cannot query for the chassis temperature for the ASA 5585 SSP-40 (NPE).
Configuring SNMP
This section describes how to configure SNMP and includes the following topics:
- Enabling SNMP
- Configuring SNMP Traps
- Configuring a CPU Usage Threshold
- Configuring a Physical Interface Threshold
- Using SNMP Version 1 or 2c
- Using SNMP Version 3
Enabling SNMP
The SNMP agent that runs on the ASA performs two functions:
To enable the SNMP agent and identify an NMS that can connect to the SNMP server, enter the following command:
|
|
---|---|
|
Ensures that the SNMP server on the ASA is enabled. By default, the SNMP server is enabled. |
What to Do Next
See the “Configuring SNMP Traps” section.
Configuring SNMP Traps
To designate which traps that the SNMP agent generates and how they are collected and sent to NMSs, enter the following command:
What to Do Next
Configuring a CPU Usage Threshold
To configure the CPU usage threshold, enter the following command:
What to Do Next
See the “Configuring a Physical Interface Threshold” section.
Configuring a Physical Interface Threshold
To configure the physical interface threshold, enter the following command:
What to Do Next
- See the “Using SNMP Version 1 or 2c” section.
- See the “Using SNMP Version 3” section.
Using SNMP Version 1 or 2c
To configure parameters for SNMP Version 1 or 2c, perform the following steps:
Detailed Steps
|
|
|
---|---|---|
hostname(config)# snmp-server host mgmt 10.7.14.90 version 2 hostname(config)# snmp-server host corp 172.18.154.159 community public |
Specifies the recipient of an SNMP notification, indicates the interface from which traps are sent, and identifies the name and IP address of the NMS or SNMP manager that can connect to the ASA. The trap keyword limits the NMS to receiving traps only. The poll keyword limits the NMS to sending requests (polling) only. By default, SNMP traps are enabled. By default, the UDP port is 162. The community string is a shared secret key between the ASA and the NMS. The key is a case-sensitive value up to 32 alphanumeric characters. Spaces are not permitted. The default community-string is public. The ASA uses this key to determine whether the incoming SNMP request is valid. For example, you could designate a site with a community string and then configure the ASA and the management station with the same string. The ASA uses the specified string and does not respond to requests with an invalid community string. For more information about SNMP hosts, see the “SNMP Hosts” section. Note To receive traps, after you have added the snmp-server host command, make sure that you configure the user on the NMS with the same credentials as the credentials configured on the ASA. |
|
|
Sets the community string, which is for use only with SNMP Version 1 or 2c. |
|
|
What to Do Next
See the “Monitoring SNMP” section.
Using SNMP Version 3
To configure parameters for SNMP Version 3, perform the following steps:
Detailed Steps
|
|
|
---|---|---|
|
Specifies a new SNMP group, which is for use only with SNMP Version 3. When a community string is configured, two additional groups with the name that matches the community string are autogenerated: one for the Version 1 security model and one for the Version 2 security model. For more information about security models, see the “Security Models” section. The auth keyword enables packet authentication. The noauth keyword indicates no packet authentication or encryption is being used. The priv keyword enables packet encryption and authentication. No default values exist for the auth or priv keywords. |
|
hostname(config)# snmp-server user testuser1 testgroup1 v3 auth md5 testpassword aes 128 mypassword hostname(config)# snmp-server user testuser1 public v3 encrypted auth md5 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF |
Configures a new user for an SNMP group, which is for use only with SNMP Version 3. The username argument is the name of the user on the host that belongs to the SNMP agent. The group-name argument is the name of the group to which the user belongs. The v3 keyword specifies that the SNMP Version 3 security model should be used and enables the use of the encrypted, priv, and the auth keywords. The encrypted keyword specifies the password in encrypted format. Encrypted passwords must be in hexadecimal format. The auth keyword specifies which authentication level (md5 or sha) should be used. The priv keyword specifies the encryption level. No default values for the auth or priv keywords, or default passwords exist. For the encryption algorithm, you can specify either the des, 3des, or aes keyword. You can also specify which version of the AES encryption algorithm to use: 128, 192, or 256. The auth-password argument specifies the authentication user password. The priv-password argument specifies the encryption user password. Note If you forget a password, you cannot recover it and you must reconfigure the user. You can specify a plain-text password or a localized digest. The localized digest must match the authentication algorithm selected for the user, which can be either MD5 or SHA. When the user configuration is displayed on the console or is written to a file (for example, the startup-configuration file), the localized authentication and privacy digests are always displayed instead of a plain-text password (see the second example). The minimum length for a password is 1 alphanumeric character; however, we recommend that you use at least 8 alphanumeric characters for security. |
|
hostname(config)# snmp-server host mgmt 10.7.14.90 version 3 testuser1 hostname(config)# snmp-server host mgmt 10.7.26.5 version 3 testuser2 |
Specifies the recipient of an SNMP notification. Indicates the interface from which traps are sent. Identifies the name and IP address of the NMS or SNMP manager that can connect to the ASA. The trap keyword limits the NMS to receiving traps only. The poll keyword limits the NMS to sending requests (polling) only. By default, SNMP traps are enabled. By default, the UDP port is 162. The community string is a shared secret key between the ASA and the NMS. The key is a case-sensitive value up to 32 alphanumeric characters. Spaces are not permitted. The default community-string is public. The ASA uses this key to determine whether the incoming SNMP request is valid. For example, you could designate a site with a community string and then configure the ASAand the NMS with the same string. The ASAuses the specified string and does not respond to requests with an invalid community string. For more information about SNMP hosts, see the “SNMP Hosts” section. Note When SNMP Version 3 hosts are configured on the ASA, a user must be associated with that host. To receive traps, after you have added the snmp-server host command, make sure that you configure the user on the NMS with the same credentials as the credentials configured on the ASA. |
|
|
What to Do Next
See the “Monitoring SNMP” section.
Troubleshooting Tips
To ensure that the SNMP process that receives incoming packets from the NMS is running, enter the following command:
To capture syslog messages from SNMP and have them appear on the ASA or ASASM console, enter the following commands:
To make sure that the SNMP process is sending and receiving packets, enter the following commands:
The output is based on the SNMP group of the SNMPv2-MIB.
To make sure that SNMP packets are going through the ASA or ASASM and to the SNMP process, enter the following commands:
If the NMS cannot request objects successfully or is not handing incoming traps from the ASA or ASASM correctly, use a packet capture to isolate the problem, by entering the following commands:
If the ASA or ASASM is not performing as expected, obtain information about network topology and traffic by doing the following:
If a fatal error occurs, to help in reproducing the error, send a traceback file and the output of the show tech-support command to Cisco TAC.
If SNMP traffic is not being allowed through the ASA or ASASM interfaces, you might also need to permit ICMP traffic from the remote SNMP server using the icmp permit command.
For the ASA 5580, differences may appear in the physical interface statistics output and the logical interface statistics output between the show interface command and the show traffic command.
Interface Types and Examples
The interface types that produce SNMP traffic statistics include the following:
- Logical—Statistics collected by the software driver, which are a subset of physical statistics.
- Physical—Statistics collected by the hardware driver. Each physical named interface has a set of logical and physical statistics associated with it. Each physical interface may have more than one VLAN interface associated with it. VLAN interfaces only have logical statistics.
Note For a physical interface that has multiple VLAN interfaces associated with it, be aware that SNMP counters for ifInOctets and ifOutoctets OIDs match the aggregate traffic counters for that physical interface.
The examples in Table 79-6 show the differences in SNMP traffic statistics. Example 1 shows the difference in physical and logical output statistics for the show interface command and the show traffic command. Example 2 shows output statistics for a VLAN-only interface for the show interface command and the show traffic command. The example shows that the statistics are close to the output that appears for the show traffic command.
Monitoring SNMP
NMSs are the PCs or workstations that you set up to monitor SNMP events and manage devices, such as the ASA.You can monitor the health of a device from an NMS by polling required information from the SNMP agent that has been set up on the device. Predefined events from the SNMP agent to the NMS generate syslog messages. This section includes the following topics:
SNMP Syslog Messaging
SNMP generates detailed syslog messages that are numbered 212 nnn. Syslog messages indicate the status of SNMP requests, SNMP traps, SNMP channels, and SNMP responses from the ASA to a specified host on a specified interface.
For detailed information about syslog messages, see syslog message guide.
Note SNMP polling fails if SNMP syslog messages exceed a high rate (approximately 4000 per second).
SNMP Monitoring
To monitor SNMP, enter one of the following commands:
Examples
The following example shows how to display SNMP server statistics:
The following example shows how to display the SNMP server running configuration:
Configuration Examples for SNMP
This section includes the following topics:
Configuration Example for SNMP Versions 1 and 2c
The following example shows how the ASA can receive SNMP requests from host 192.0.2.5 on the inside interface but does not send any SNMP syslog requests to any host:
Configuration Example for SNMP Version 3
The following example shows how the ASA can receive SNMP requests using the SNMP Version 3 security model, which requires that the configuration follow this specific order: group, followed by user, followed by host:
Where to Go Next
To configure the syslog server, see Chapter77, “Configuring Logging”
Additional References
For additional information related to implementing SNMP, see the following sections:
RFCs for SNMP Version 3
MIBs
For a list of supported MIBs and traps for the ASAby release, see the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
Not all OIDs in MIBs are supported. To obtain a list of the supported SNMP MIBs and OIDs for a specific ASA, enter the following command:
Note Although the oidlist keyword does not appear in the options list for the show snmp-server command help, it is available. However, this command is for Cisco TAC use only. Contact the Cisco TAC before using this command.
The following is sample output from the show snmp-server oidlist command:
Application Services and Third-Party Tools
For information about SNMP support, see the following URL:
http://www.cisco.com/en/US/tech/tk648/tk362/tk605/tsd_technology_support_sub-protocol_home.html
For information about using third-party tools to walk SNMP Version 3 MIBs, see the following URL:
http://www.cisco.com/en/US/docs/security/asa/asa83/snmp/snmpv3_tools.html
Feature History for SNMP
Table 79-7 lists each feature change and the platform release in which it was implemented.