SNMP v3 – Access List with SNMP v3 Cisco

access-controlciscocisco-asasnmp

I was wondering if someone could help me with something. I am trying to set up SNMP v3 but with access control. Now, I have made the user and group. That's all fine, but I can't seem to get the access control part working.

When I attempt to add it at the end the switch throws a paddy saying it's not possible.

Here is what I am putting in:
snmp-server user User1 Group1 v3 auth md5 BeepBoop access 10

The access list I am trying to make is 10. I have made the list with the IP addresses within the list.

edit:

snmp-server user User1 Group1 v3 auth md5 BeepBoop access 10
                                                   ^
ERROR: % Invalid input detected at '^' marker.

Cisco Adaptive Security Appliance Software Version 9.8(1) Firepower Extensible Operating System Version 2.2(1.47) Device Manager Version 7.8(1)

Best Answer

The problem is that you don't have the access option on the ASA snmp-server user command like you do on IOS.

snmp-server user username group-name { v3 [ encrypted ]] [ auth { md5 | sha ]} auth-password [ priv [ des | 3des | aes ] [ 128 | 192 | 256 ] priv-password

As Ricky Beam points out, you use the snmp-server host command to restict the host access:

snmp-server host interface { hostname | ip_address } [ trap | poll ] [ community community-string ] [ version { 1 | 2c | 3 username }] [ udp-port port ]

See the Cisco ASA Series CLI Configuration Guide, 9.0:

Your ASA configuration:

route outside 0.0.0.0 0.0.0.0 172.16.1.1 1

This will provide a default route via the outside interface, but how will the ASA know how to reach subnets residing behind the Layer 3 Distribution Switch?

You'll need to add routes to the internal subnets via the inside interface using the Layer 3 Distribution Switch as the next-hop IP address.

ASA static routing example:

route inside 172.19.12.0 255.255.255.240 172.16.2.2
route inside 172.19.3.0 255.255.255.0 172.16.2.2
route inside 172.20.100.0 255.255.255.224 172.16.2.2

Your Cisco Router's configuration:

ip route 0.0.0.0 0.0.0.0 200.200.200.200

Additionally, how will your border router know how to reach subnets other than it's connected routes, and the catch all default route via the outside interface's next-hop address 200.200.200.200?

Router static routing example:

ip route 172.19.12.0 255.255.255.240 172.16.1.10
ip route 172.19.3.0 255.255.255.0 172.16.1.10
ip route 172.19.100.0 255.255.255.224 172.16.1.10
ip route 172.16.2.0 255.255.255.224 172.16.1.10

Generate List of Subnets on Switch Using SNMP

Interfaces/IP Addressing:

If you're looking to poll a device's IP address, subnet mask and corresponding interface you can use the following OIDs from the IP-MIB and IF-MIB MIBs:

.1.3.6.1.2.1.4.20.1.1 - The IP address can be found at this OID

~]$ snmptranslate .1.3.6.1.2.1.4.20.1.1
IP-MIB::ipAdEntAddr

~]$ snmpwalk -v2c -c cisco 10.30.46.1 .1.3.6.1.2.1.4.20.1.1
IP-MIB::ipAdEntAddr.10.30.46.1 = IpAddress: 10.30.46.1
IP-MIB::ipAdEntAddr.25.255.25.254 = IpAddress: 25.255.25.254
IP-MIB::ipAdEntAddr.55.44.33.22 = IpAddress: 55.44.33.22
IP-MIB::ipAdEntAddr.172.31.10.10 = IpAddress: 172.31.10.10

.1.3.6.1.2.1.4.20.1.3 - The subnet mask cane be found at this OID

~]$ snmptranslate .1.3.6.1.2.1.4.20.1.3
IP-MIB::ipAdEntNetMask

~]$ snmpwalk -v2c -c cisco 10.30.46.1 .1.3.6.1.2.1.4.20.1.3
IP-MIB::ipAdEntNetMask.10.30.46.1 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.25.255.25.254 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.55.44.33.22 = IpAddress: 255.255.255.0
IP-MIB::ipAdEntNetMask.172.31.10.10 = IpAddress: 255.255.255.0

.1.3.6.1.2.1.4.20.1.2 - The interface index (ifTable Indexes) are unique integers for each interface.

~]$ snmptranslate .1.3.6.1.2.1.4.20.1.2
IP-MIB::ipAdEntIfIndex

~]$ snmpwalk -v2c -c cisco 10.30.46.1 .1.3.6.1.2.1.4.20.1.2
IP-MIB::ipAdEntIfIndex.10.30.46.1 = INTEGER: 1
IP-MIB::ipAdEntIfIndex.25.255.25.254 = INTEGER: 5
IP-MIB::ipAdEntIfIndex.55.44.33.22 = INTEGER: 6
IP-MIB::ipAdEntIfIndex.172.31.10.10 = INTEGER: 7

.1.3.6.1.2.1.2.2.1.2 - The interface friendly name can be found at this OID and the ifTable index is appended (eg. ...2.1.2.[INDEX]) for each interface.

~]$ snmptranslate .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr

~]$ snmpwalk -v2c -c cisco 10.30.46.1 .1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.1 = STRING: FastEthernet0/0
IF-MIB::ifDescr.2 = STRING: FastEthernet0/1
IF-MIB::ifDescr.4 = STRING: Null0
IF-MIB::ifDescr.5 = STRING: Loopback0
IF-MIB::ifDescr.6 = STRING: Tunnel10
IF-MIB::ifDescr.7 = STRING: Dialer1
IF-MIB::ifDescr.8 = STRING: Virtual-Access1

You can walk these OIDs manually, script something out in the language of your choice, or use much smarter programs/scripts similar to what's mentioned in Tim Peck's answer.

Here's a quick (and dirty) shell example:

#!/bin/bash
# duct taped by one.time
# Basic interface information collector

##
# Set usage var and getoptions
usage="Usage: interface-info.sh -H <IP Address> -C <snmp community string>

OPTIONS:
  -H Hostname          set IP address or hostname
  -h Help              prints usage options

SNMPv2 OPTIONS:
  -C Community         set SNMPv2 community string
"

while getopts H:C:h option;
do
        case $option in
                H) ipaddress=$OPTARG;;
                C) community=$OPTARG;;
                h) echo "$usage"
                exit $invalid_result;;
        esac
done

##
# Prevent blank argvars
if [[ -z $ipaddress || -z $community ]]; then
  echo "$usage"
  exit 0
fi

## 
# Set field separator to new line
IFS=$'\n'

##
# Store our IP-MIB info in arrays
ipAdEntAddr=( $(snmpbulkwalk -v2c -c $community  $ipaddress .1.3.6.1.2.1.4.20.1.1 | awk -F ": " '{print $2}') )
ipAdEntNetMask=( $(snmpbulkwalk -v2c -c $community $ipaddress .1.3.6.1.2.1.4.20.1.3 | awk -F ": " '{print $2}') )
ipAdEntIfIndex=( $(snmpbulkwalk -v2c -c $community $ipaddress .1.3.6.1.2.1.4.20.1.2 | awk -F ": " '{print $2}') )

for ((i=0; i<${#ipAdEntAddr[@]}; i++)); do
  ifDescr[$i]=$(snmpwalk -v2c -c $community $ipaddress .1.3.6.1.2.1.2.2.1.2.${ipAdEntIfIndex[$i]} | awk -F ": " '{print $2}')
  echo "${ifDescr[$i]}: ${ipAdEntAddr[$i]} ${ipAdEntNetMask[$i]}"
done

Example:

~]$ ./interface-info.sh -H 10.30.46.1 -C cisco
FastEthernet0/0: 10.30.46.1 255.255.255.0
Loopback0: 25.255.25.254 255.255.255.0
Tunnel10: 55.44.33.22 255.255.255.0
Dialer1: 172.31.10.10 255.255.255.0

VLANs:

If you're looking for the VLAN IDs and VLAN names you can use the following OID:

.1.3.6.1.4.1.9.9.46.1.3.1.1.4.1 The vtpVlanName can be found (on Cisco devices) at this OID and the VLAN-ID can be found appended, e.g.: ...1.4.1.[VLAN-ID] (similar to the ifIndex and ifDescr example above).

~]$ snmptranslate  .1.3.6.1.4.1.9.9.46.1.3.1.1.4.1
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1

~]$ snmpwalk -v2c -c cisco 192.168.0.8 SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1 = STRING: "default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.10 = STRING: "VLAN0010"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.21 = STRING: "VLAN0021"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.100 = STRING: "VLAN0100"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.344 = STRING: "VLAN0344"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.456 = STRING: "iSCSI-TRAFFIC"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1002 = STRING: "fddi-default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1003 = STRING: "token-ring-default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1004 = STRING: "fddinet-default"
SNMPv2-SMI::enterprises.9.9.46.1.3.1.1.4.1.1005 = STRING: "trnet-default"

Manual example of scraping the VLAN IDs:

    ~]$ snmpbulkwalk -v2c -c cisco 192.168.0.8 1.3.6.1.4.1.9.9.46.1.3.1.1.4 | sed -e 's/.*4.1.\(.*\) =.*/\1/'
    1
    10
    21
    100
    344
    456
    1002
    1003
    1004
    1005