HOW TO: Configure SNMP v2c on Cisco ASA

Follow by Email

This article is a detailed guide to configuring SNMP v2c on a Cisco ASA firewall. SNMP stands for Simple Network Management Protocol. Up to ASA software version 8.1, only the SNMP version v1 and v2c was supported. The ASA software version 8.2 and higher also supports SNMPv3, which is the most secure snmp protocol version.

The ASA works as an SNMP agent, so you need also a Network Management System (NMS) which will act as the SNMP manager in order to provide network monitoring and management functionality. With the NMS you can either poll the ASA appliance to collect information or the ASA appliance can send snmp traps (event notifications) to the NMS server. SNMP Traps are sent on UDP port 162 and SNMP polls and SNMP responses are sent on UDP port 161. So, the ASA will listen on UDP port 161 and the NMS will listen on UDP port 161 and 162.

NOTE: You can only poll the ASA via SNMP using read-only community or configure the ASA to send SNMP traps, but you cannot configure the ASA via SNMP, so it does not support an RW (read-write) community.

Enable SNMP

Ensures that the SNMP server on the ASA is enabled. By default, the SNMP server is enabled.

snmp-server enable
Define SNMP manager (host)

To define a host which is allowed to poll the ASA and receive traps from the ASA, use the following command.

snmp-server host <nameif> <IP> [trap|poll] [community <KEY>] [version <1|2c|3>]

Where “nameif” is the ASA interface through which the NMS (SNMP manager) can be reached, and “ip address” is the NMS(SNMP manager) IP address. If you specify one of the keywords trap or poll, the device is limited to that function only but if you don’t specify any keyword (trap or poll), this command snmp-server host <nameif> <IP> [community <KEY>] [version <1|2c|3>] permits the configured host to poll the device and receive SNMP traps from it. This is very important to understand.

Configure SNMP Community

The community value is used for authentication of SNMP messages and is a pre-shared secret on both the ASA and the NMS(SNMP manager), for SNMP version 1 and 2c. There are two ways you can define a community value.

1. Globally using the command

snmp-server community <KEY>

2. or by defining explicitly if it differs from the globally configured community using the command

snmp-server host <nameif> <IP> [trap|poll] [community <KEY>] [version <1|2c|3>]
Configure SNMP trap settings

To enable sending of SNMP traps, issue the command

snmp-server enable-traps [all|<list_of_traps>]

If you don’t specify any arguments to this command, the default set of SNMP traps is enabled and all SNMP Traps will be sent on UDP port 162 to the NMS. By default, when you enable all traps authentication, linkup, linkdown, coldstart, and warmstart SNMP traps are enabled.

Deny unnecessary SNMP versions

SNMP application inspection lets you restrict SNMP traffic to a specific version of SNMP. Earlier versions of SNMP are less secure; therefore, denying certain SNMP versions may be required by your security policy. The ASA can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by creating an SNMP map. You then apply the SNMP map when you enable SNMP inspection using the MPF (Modular Policy Framework) as shown in the configuration example after Optional features.

Optional features
Configure a CPU Usage Threshold

Configure the threshold value for a high CPU threshold and the threshold monitoring period using the following command. Valid threshold values for a high CPU threshold range from 10 to 94 percent. Valid values for the monitoring period range from 1 to 60 minutes.

snmp cpu threshold rising threshold_value monitoring_period

The default for the high threshold level is over 70 percent, and the default for the critical threshold level is over 95 percent. The default monitoring period is set to 1 minute. You cannot configure the critical CPU threshold level, which is maintained at a constant 95 percent.

Configure a Physical Interface Threshold

Configure the threshold value for an SNMP physical interface using the following command. The threshold value is defined as a percentage of interface bandwidth utilization. Valid threshold values range from 30 to 99 percent. The default value is 70 percent.

snmp interface threshold threshold_value
Send Syslog message using SNMP trap.

When you enable logging history in the global configuration mode, ASA can log syslog messages via SNMP traps. You can also define the logging class and send specific syslog messages via SNMP trap.

Configuration Example

Configure SNMP on ASA2 as follows:

Send all SNMP traps to host which is part of inside segment of the ASA and running version 2c. Use a gloabl community of N3tF!xPr0.

ASA(config)# snmp-server community N3tF!xPr0
ASA(config)# snmp-server host inside trap version 2c
ASA(config)# snmp-server enable traps all
Deny SNMP version 1 and 2 requests using an SNMP map.

ASA(config)# snmp-map SNMP_VERSION_1_2
ASA(config-snmp-map)# deny version 1
ASA(config-snmp-map)# deny version 2
ASA(config-snmp-map)# !
ASA(config-snmp-map)# !
ASA(config-snmp-map)# policy-map global_policy
ASA(config-pmap)# class inspection_default
ASA(config-pmap-c)# inspect snmp SNMP_VERSION_1_2
Send SNMP trap if the 5Min CPU goes above 75% and interface utilization goes beyond 85% usage.

ASA(config)# snmp cpu threshold rising 75 5
ASA(config)# snmp interface threshold 85
Send all SSL VPN syslog messages of critical or higher level as SNMP traps to the NMS.

ASA(config)# logging class webvpn history critical
ASA(config)# logging class webfo history critical
ASA(config)# logging class svc history critical

I hope you enjoyed this article. Please feel free to leave any comment or feedback.

Follow by Email

Ashutosh Patel

Ashutosh Patel is the Author and editor of He currently works as a Network Security Architect. Follow him on following social media to know more about him.

Leave a Reply

Your email address will not be published. Required fields are marked *

Show Buttons
Hide Buttons

Enjoy this article? Please spread the word :)