
How to Configure SNMP on Cisco ASA 5500 Firewall

Written By Harris Andrea

SNMP stands for Simple Network Management Protocol. Up to ASA software 8.1, the supported SNMP versions were v1 and v2c. ASA software 8.2 also supports SNMP v3, which is the most secure version of the protocol.


The ASA works as an SNMP server (or agent), so you also need a Network Management System (NMS) to act as the SNMP manager and provide network monitoring and management functionality.

The NMS is basically a management server such as the CiscoWorks product. With the NMS you can either poll the ASA appliance to collect information, or the ASA appliance can send SNMP traps (event notifications) to the NMS server.

SNMP traps are sent on UDP port 162 and SNMP polling uses UDP port 161. So, the ASA will listen on UDP 161 and the NMS will listen on UDP 162 and 161.

Configuring SNMP on ASA

Step 1: Enable the SNMP server on the ASA

ASA(config)# snmp-server enable

Step 2: Identify the NMS host that can connect to the ASA for SNMP management

ASA(config)# snmp-server host [interface_name] [ip_address] community [community_string]

Where “interface_name” is the ASA interface through which the NMS can be reached, and “ip_address” is the NMS address. The “community_string” is like a preshared password which must be configured on both the ASA and the NMS in order for the two to communicate.

Step 3: Specify the ASA community string

ASA(config)# snmp-server community [community_string]

Step 4: Enable the ASA to send SNMP traps to the NMS

ASA(config)# snmp-server enable traps [all | snmp [trap] [trap] ]

The default configuration has all SNMP traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). It is recommended to keep this default setting and leave all traps enabled.

Configuration Example:

ASA(config)# snmp-server enable
ASA(config)# snmp-server host inside 10.1.1.100 community somesecretword
ASA(config)# snmp-server community somesecretword
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart


Configuration Example of SNMP v3

Currently the most secure SNMP version is v3. To configure this version you first need to create an SNMP group, then an SNMP user, and lastly a host (NMS) which will communicate with the firewall for management purposes.

Let’s configure SNMP v3 with the example below:

ASA(config)# snmp-server enable
! Create a v3 group with authentication
ASA(config)# snmp-server group snmpgroup v3 auth
! Create user “administrator” belonging to group “snmpgroup”
ASA(config)# snmp-server user administrator snmpgroup v3 auth sha strongpass
! Specify the NMS host
ASA(config)# snmp-server host inside 10.1.1.1 version 3 administrator
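The following Python check is an added example, not part of the original article: it reads snmp-server lines in the form used in the two configurations above and flags the settings that leave SNMP traffic unprotected (v1/v2c community strings, v3 groups and users without the priv level, MD5 or DES/3DES algorithms). The privgroup/monitor lines, the 192.0.2.10 host, the finding codes and the choice to treat "outside" as an untrusted interface are assumptions made for illustration.

```python
# Constructed sample: the article's v2c and v3 examples plus three hypothetical
# lines (privgroup, monitor, and a community-based host on the outside interface).
SAMPLE_CONFIG = """\
snmp-server enable
snmp-server host inside 10.1.1.100 community somesecretword
snmp-server community somesecretword
snmp-server group snmpgroup v3 auth
snmp-server user administrator snmpgroup v3 auth sha strongpass
snmp-server host inside 10.1.1.1 version 3 administrator
snmp-server group privgroup v3 priv
snmp-server user monitor privgroup v3 auth md5 authpass priv aes 128 privpass
snmp-server host outside 192.0.2.10 community somesecretword
"""

def _after(tokens, keyword):
    """Return the token that follows keyword, or None if keyword is absent."""
    if keyword in tokens[:-1]:
        return tokens[tokens.index(keyword) + 1]
    return None

def audit_snmp(config, untrusted=("outside",)):
    """Return (line_number, code) findings for ASA snmp-server lines."""
    findings = []
    for n, line in enumerate(config.splitlines(), 1):
        t = line.split()
        if len(t) < 3 or t[0] != "snmp-server":
            continue
        if t[1] == "community":
            # v1/v2c: the community string crosses the network unencrypted
            findings.append((n, "CLEARTEXT_COMMUNITY"))
        elif t[1] == "host" and _after(t, "version") != "3":
            findings.append((n, "V1_V2C_HOST"))
            if t[2] in untrusted:  # the interface name follows "host"
                findings.append((n, "COMMUNITY_VIA_UNTRUSTED_IFACE"))
        elif t[1] == "group" and _after(t, "v3") in ("auth", "noauth"):
            # authenticated at most, never encrypted
            findings.append((n, "V3_GROUP_NO_PRIVACY"))
        elif t[1] == "user" and "v3" in t:
            opts = t[t.index("v3") + 1:]  # also works with the "encrypted" keyword
            if _after(opts, "auth") == "md5":
                findings.append((n, "V3_AUTH_MD5"))
            priv = _after(opts, "priv")
            if priv is None:
                findings.append((n, "V3_USER_NO_PRIVACY"))
            elif priv in ("des", "3des"):
                findings.append((n, "V3_PRIV_LEGACY_CIPHER"))
    return findings

if __name__ == "__main__":
    for n, code in audit_snmp(SAMPLE_CONFIG):
        print(f"line {n}: {code}")
```

Run against the article's v3 example, the check reports that the "auth" group level and the user without a priv clause authenticate SNMP messages but do not encrypt them.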

About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Pete says

    October 18, 2018 at 7:09 pm

    Hi,
    I’m being asked to configure snmp for multiple NMS ip’s
    do I just repeat the snmp-server host command for each IP as below?

    snmp-server host inside 10.1.1.100 community somesecretword
    snmp-server host inside 10.1.1.101 community somesecretword

  2. Harris Andrea says

    October 19, 2018 at 4:22 am

    Hi Pete, yes you can include multiple SNMP server host IPs as you mention.

    Thanks for the feedback also about the error message of the server. I will check it.

    Harris

  3. Pete says

    July 12, 2019 at 11:44 pm

    Hi Harris,

    Our NMS is hosted on another network by our parent organization.
    For the configuration line snmp-server host inside 10.1.1.100 community somesecretword should I use the outside interface?

    If I need to allow the NMS to access my servers behind the firewall I assume I need to create an access list permitting the NMS on udp 162 and 161?

  4. Harris Andrea says

    July 13, 2019 at 3:10 pm

    Pete, the command “snmp-server host inside 10.1.1.100 …..” assumes that the NMS server is reachable via the inside interface of the ASA. If the NMS is reachable via the outside interface then you must change the keyword “inside” to “outside”. It all depends on which ASA interface you can reach the NMS from (routing wise).

    Regarding the other question, yes you will need to allow UDP 161, 162 and any possible required NAT translation.

  5. Tripti Hughes says

    December 12, 2019 at 2:27 am

    Hi,

    I wanted to configure snmp group authentication in plain-text? How can I do that?

    snmp-server user admin NPM-GROUP v3 engineID encrypted auth md5 priv aes 128

    I want to enter plain-text password after “aes 128”, how can I do it? I need to have md5 and aes 128, so that I can configure it on solarwind

  6. Harris Andrea says

    December 12, 2019 at 5:43 am

    Hello, here is a link from Cisco with an example:

    https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/snmp/configuration/15-sy/snmp-15-sy-book/nm-snmp-encrupt-snmp-support.html

    The command would be:

    snmp-server user admin NPM-GROUP v3 auth md5 secureone priv aes 128 privatetwo access 2

    “access 2” references an ACL

  7. Manoj says

    March 23, 2021 at 7:18 pm

    Can you tell me how to configure SNMP on cisco ASAs and switches? What I am looking for is the command to configure an SNMP server and community string on both types of devices. I also want to source SNMP from vlan500 interface. Can you come up with commands to do this?

    SNMP server is 10.120.3.16

    Community string is nothing93311

  8. Harris Andrea says

    March 24, 2021 at 6:55 am

    Hello, have you read the article above? This is what it explains.

    Here is an example config:

    ASA(config)# snmp-server enable
    ASA(config)# snmp-server host vlan500 10.120.3.16 community nothing93311
    ASA(config)# snmp-server community nothing93311
    ASA(config)# snmp-server enable traps all

    (I assume that the name of the ASA interface from which it connects to the SNMP server is “vlan500”)
