SNMP
The Simple Network Management Protocol (SNMP) manages and monitors networking devices. Cisco ASA SNMP inspection enables packet traffic monitoring between network devices. The Cisco ASA can be configured to deny traffic based on the SNMP packet version. Early versions of SNMP are less secure. Denying SNMPv1 traffic may be required by your security policy. This is done by configuring an SNMP map with the snmp-map command and then associating it to the inspect snmp command, as shown in Example 8-15.
Example 8-15. SNMP Inspection
snmp-map mysnmpmap deny version 1 policy-map asa_global_fw_policy class inspection_default inspect snmp mysnmpmap
In Example 8-15, the Cisco ASA is setup for an snmp map, called mysnmpmap, which denies any SNMPv1 packets. The following are the deny version subcommand options:
- 1 = SNMP version 1
- 2 = SNMP version 2 (party based)
- 2c = SNMP version 2c (community based)
- 3 = SNMP version 3