Cisco Systems ASA 5540 Network Router User Manual


  Open as PDF
of 2086
 
78-3
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 78 Configuring SNMP
Information About SNMP
(USM) and View-based Access Control Model (VACM). The ASAalso support the creation of SNMP
groups and users, as well as hosts, which is required to enable transport authentication and encryption
for secure SNMP communications.
Security Models
For configuration purposes, the authentication and privacy options are grouped together into security
models. Security models apply to users and groups, which are divided into the following three types:
NoAuthPriv—No Authentication and No Privacy, which means that no security is applied to
messages.
AuthNoPriv—Authentication but No Privacy, which means that messages are authenticated.
AuthPriv—Authentication and Privacy, which means that messages are authenticated and encrypted.
SNMP Groups
An SNMP group is an access control policy to which users can be added. Each SNMP group is
configured with a security model, and is associated with an SNMP view. A user within an SNMP group
must match the security model of the SNMP group. These parameters specify what type of authentication
and privacy a user within an SNMP group uses. Each SNMP group name and security model pair must
be unique.
SNMP Users
SNMP users have a specified username, a group to which the user belongs, authentication password,
encryption password, and authentication and encryption algorithms to use. The authentication algorithm
options are MD5 and SHA. The encryption algorithm options are DES, 3DES, and AES (which is
available in 128, 192, and 256 versions). When you create a user, you must associate it with an SNMP
group. The user then inherits the security model of the group.
SNMP Hosts
An SNMP host is an IP address to which SNMP notifications and traps are sent. To configure SNMP
Version 3 hosts, along with the target IP address, you must configure a username, because traps are only
sent to a configured user. SNMP target IP addresses and target parameter names must be unique on the
ASA. Each SNMP host can have only one username associated with it. To receive SNMP traps, configure
the SNMP NMS, and make sure that you configure the user credentials on the NMS to match the
credentials for the ASA.
Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software
The SNMP Version 3 implementation in the ASA and ASASM differs from the SNMP Version 3
implementation in the Cisco IOS software in the following ways:
The local-engine and remote-engine IDs are not configurable. The local engine ID is generated when
the ASA starts or when a context is created.
No support exists for view-based access control, which results in unrestricted MIB browsing.
Support is restricted to the following MIBs: USM, VACM, FRAMEWORK, and TARGET.
You must create users and groups with the correct security model.