Cisco ASA 5510 SNMP config-change

ciscocisco-asasnmp

I´m trying to set snmp trap when cisco asa 5510 is changed.

I´m using this line:

snmp-server host DMZ ZZ.YY.XX.5 community *****

snmp-server enable traps entity config-change fru-insert fru-remove

But it doesn´t send any trap when I modify or save my config.
Is it the right way?

In the cisco doc is not very clear what config-change means.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/monitor_snmp.html
The snmp-server enable traps entity config-change fru-insert fru-remove command is used to enable this notification.

What type of config-change refers ? hardware o system config file?

Best Answer

For mine I use:

snmp-server enable traps entity config-change

This captures any running or startup config changes. The fru-insert and fru-remove should capture hardware changes (not problems with existing but actual inserts or removals of modules).

I know you specified the community in the snmp-server host line but do you also have a line for snmp-server community ***** ?

I use snmp v3 so mine will look different than yours, but still, you should be right.

Are you sure it isn't sending traps though?

You can troubleshoot with various commands (or even using an snmpwalk tool like the one from Paessler):

To ensure that the SNMP process that receives incoming packets from the NMS is running, enter the following command:

hostname(config)# show process | grep snmp

To capture syslog messages from SNMP and have them appear on the ASA or ASASM console, enter the following commands:

hostname(config)# logging list snmp message 212001-212015

hostname(config)# logging console snmp

To make sure that the SNMP process is sending and receiving packets, enter the following commands:

hostname(config)# clear snmp-server statistics

hostname(config)# show snmp-server statistics

The output is based on the SNMP group of the SNMPv2-MIB.

To make sure that SNMP packets are going through the ASA or ASASM and to the SNMP process, enter the following commands:

hostname(config)# clear asp drop

hostname(config)# show asp drop

Related Solutions

Cisco ASA config management

Here's an answer from the non-sophisticated front: I upload configs to a TFTP server (running on my laptop, if the Customer doesn't have a dedicated TFTP server) every time I make a persistent change (I've trained myself to do so right after doing a "copy run start") and then check it in to a Subversion repository (either the Customer's, if they have one, or mine, if they don't). It's a winning strategy for me because I have a fairly small amount of gear to deal with (probably under 100 switches in all my Customers combined, well under 50 routers / firewalls).

With a larger amount of gear, I'd probably look at something like RANCID.

(No doubt there are a variety of proprietary and open source offerings out there to do Cisco device config management... since I don't do a lot of it myself I'll be interested to see what other people have to say about this.)

Cisco ASA 5510 Time of Day Based Policing

The PIXOS feature you are looking for is called Time Based Access List. It is a two step approach

Create the time-range object
Attach the time-range object to a specific rule

The ASA will then only apply the targeted rule during that time-range. You should be able to get what you want with something like this

hostname(config)#time-range OffHours
hostname(config-time-range)#periodic weekdays 17:00 to 07:00
hostname(config)#access-list Residence line 1 extended permit ip any any time-range OffHours
hostname(config)#access-group Residence in interface inside

Full write-up at Cisco Command Reference

Best Answer

Related Solutions

Cisco ASA config management

Cisco ASA 5510 Time of Day Based Policing

Related Topic