Table Of Contents
Configuring Management Access
Configuring ASDM Access
Configuring CLI Parameters
Adding a Banner
Configuring SSH Access
Configuring SSH Access
Using an SSH Client
Configuring Telnet Access
Allowing a VPN Management Connection
Customizing a CLI Prompt
Configuring the Security Appliance as a TFTP Client
Configuring ICMP Access
Configuring SNMP
Information About SNMP
Information About SNMP Terminology
Information About the Management Information Base and Traps
SNMP Overview
Configuring an SNMP Agent and Management Station
Configuring the SNMP Agent
Adding an SNMP Management Station
Configuring SNMP Traps
Configuring Management Access Rules
Configuring AAA for System Administrators
Configuring Authentication for CLI, ASDM, and enable command Access
Configuring Command Authorization
Command Authorization Overview
About Preserving User Credentials
Configuring Local Command Authorization
Configuring TACACS+ Command Authorization
Configuring Management Access Accounting
Recovering from a Lockout
Configuring Management Access
This chapter contains the following topics:
• Configuring ASDM Access
• Configuring CLI Parameters
• Configuring the Security Appliance as a TFTP Client
• Configuring ICMP Access
• Configuring SNMP
• Configuring Management Access Rules
• Configuring AAA for System Administrators
Configuring ASDM Access
To use ASDM, you need to enable the HTTPS server, and allow HTTPS connections to the FWSM.
The FWSM allows a maximum of 5 concurrent ASDM instances per context, if available, with a maximum of 80 ASDM instances between all contexts. You can control the number of ASDM sessions allowed per context using resource classes. (See the "Configuring Resource Classes" section on page 9-16.) To configure ASDM access to the FWSM, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > ASDM/HTTPS pane, click Add.
The Add HTTP Configuration dialog box appears.
Step 2
From the Interface Name drop-down list, choose the interface to use for ASDM access.
Step 3
In the IP Address field, add the IP address of the network or host that is allowed access.
Step 4
From the Mask drop-down list, choose the mask associated with the network or host that is allowed access.
Step 5
Click OK.
Step 6
Verify that the Enable HTTP Server check box is checked (this is the default setting).
Step 7
Click Apply.
The changes are saved to the running configuration.
Configuring CLI Parameters
This section includes the following topics:
• Adding a Banner
• Configuring SSH Access
• Configuring Telnet Access
• Customizing a CLI Prompt
Adding a Banner
You can configure a message to display when a user connects to the security appliance, before a user logs in, or before a user enters privileged EXEC mode.
See the following guidelines:
• From a security perspective, it is important that your banner discourage unauthorized access. Do not use the words welcome or please, as they appear to invite intruders in. The following banner sets the correct tone for unauthorized access:
You have logged in to a secure device. If you are not authorized to access this device, log out immediately or risk possible criminal consequences.
• See RFC 2196 for guidelines about banner messages.
• Only ASCII characters are allowed, including new line (Enter), which counts as two characters.
• Do not use tabs in the banner, because they are not preserved in the CLI version.
• There is no length limit for banners other than those for RAM and flash memory.
• You can dynamically add the hostname or domain name of the FWSM by including the strings $(hostname) and $(domain).
• If you configure a banner in the system configuration, you can use that banner text within a context by using the $(system) string in the context configuration.
• After a banner is added, FWSM Telnet or SSH sessions may close if:
– There is not enough system memory available to process the banner message(s).
– A TCP write error occurs when attempting to display banner message(s).
To add a message of the day, login, or session banner, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > Command Line (CLI) > Banner pane, add your banner text to the field for the type of banner you are creating for the CLI:
• Session (exec) banner—This banner appears when a user accesses privileged EXEC mode at the CLI.
• Login Banner—This banner appears when a user logs in to the CLI.
• Message-of-the-day (motd) Banner—This banner appears when a user first connects to the CLI.
Step 2
Click Apply.
The banner is added and the changes are saved to the running configuration.
Configuring SSH Access
The FWSM allows SSH connections to the FWSM for management purposes. The FWSM allows a maximum of 5 concurrent SSH connections per context, if available, with a maximum of 100 connections divided between all contexts. You can control the number of SSH sessions allowed per context using resource classes. (See the "Configuring Resource Classes" section on page 9-16.) In the admin context only, you can have up to 15 Telnet and 15 SSH sessions concurrently.
Note
For CLI users: note that if you have two or more concurrent Telnet or SSH sessions and one of the sessions is at the More prompt, the other sessions may hang until the More prompt is dismissed. To disable the More prompt and avoid this situation, enter the pager lines 0 command.
SSH is an application running on top of a reliable transport layer, such as TCP/IP, that provides strong authentication and encryption capabilities. The FWSM supports the SSH remote shell functionality provided in SSH Versions 1 and 2 and supports DES and 3DES ciphers.
Note
XML management over SSL and SSH are not supported.
This section includes the following topics:
• Configuring SSH Access
• Using an SSH Client
Configuring SSH Access
To configure SSH access to the FWSM, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > Command Line (CLI) > Secure Shell (SSH) pane, click Add.
The Add Secure Shell Configuration dialog box appears.
Step 2
From the Interface Name drop-down list, choose the interface to use for SSH access.
Step 3
In the IP Address field, add the IP address of the network or host that is allowed access.
Step 4
From the Mask drop-down list, choose the mask associated with the network or host that is allowed access.
Step 5
Click OK.
Step 6
From the Allowed SSH Versions drop-down list, choose 1, 2 or 1&2. 1&2 is the default.
Step 7
To change the timeout value, in the Timeout field type a value in minutes. The default timeout value is 60 minutes.
Step 8
Click Apply.
The changes are saved to the running configuration.
Using an SSH Client
To gain access to the FWSM CLI using SSH, at the SSH client enter the username "pix" and enter the login password (see the "Device Name/Password" section on page 7-7). By default, the password is "cisco."
When starting an SSH session, a dot (.) displays on the FWSM terminal before the SSH user authentication prompt appears, as follows:
The display of the dot does not affect the functionality of SSH. The dot appears on the terminal when generating a server key or decrypting a message using private keys during SSH key exchange before user authentication occurs. These tasks can take up to two minutes or longer. The dot is a progress indicator that verifies that the FWSM is busy and has not hung.
Configuring Telnet Access
The FWSM allows Telnet connections to the FWSM for management purposes. You cannot use Telnet to the lowest security interface unless you use Telnet inside an IPSec tunnel.
The FWSM allows a maximum of 5 concurrent Telnet connections per context, if available, with a maximum of 100 connections divided between all contexts. You can control the number of Telnet sessions allowed per context using resource classes. (See the "Configuring a Class" section on page 4-23.) In admin context only, you can have up to 15 Telnet and 15 SSH sessions concurrently.
Note
If you have two or more concurrent Telnet or SSH sessions and one of the sessions is at the More prompt, the other sessions may hang until the More prompt is dismissed. To disable the More prompt and avoid this situation, enter the pager lines 0 command.
Concurrent access to the FWSM is not recommended. In some cases, two Telnet sessions issuing the same commands might cause one of the sessions to hang until a key is pressed on the other session.
To configure Telnet access to the FWSM, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > Command Line (CLI) > Telnet pane, click Add.
The Add Telnet Configuration dialog box appears.
Step 2
From the Interface Name drop-down list, choose the interface to use for Telnet access.
Step 3
In the IP Address field, add the IP address of the network or host that is allowed access.
Step 4
From the Mask drop-down list, choose the mask associated with the network or host that is allowed access.
Step 5
Click OK.
Step 6
To change the timeout value, in the Timeout field type a value in minutes. The default timeout value is 5 minutes.
Step 7
Click Apply.
The changes are saved to the running configuration.
Allowing a VPN Management Connection
The FWSM supports IPSec for management access. An IPSec VPN ensures that IP packets can safely travel over insecure networks such as the Internet. All communication between two VPN peers occurs over a secure tunnel, which means the packets are encrypted and authenticated by the peers.
The FWSM can connect to another VPN concentrator, such as a Cisco PIX firewall or a Cisco IOS router, using a site-to-site tunnel. You specify the peer networks that can communicate over the tunnel. In the case of the FWSM, the only address available on the FWSM end of the tunnel is the interface itself.
In routed mode, the FWSM can also accept connections from VPN clients, either hosts running the Cisco VPN client, or VPN concentrators such as the Cisco PIX firewall or Cisco IOS router running the Easy VPN client. Unlike a site-to-site tunnel, you do not know in advance the IP address of the client. Instead, you rely on client authentication. Transparent firewall mode does not support remote clients. Transparent mode does support site-to-site tunnels.
The FWSM can support 5 concurrent IPSec connections, with a maximum of 10 concurrent connections divided between all contexts. You can control the number of IPSec sessions allowed per context using resource classes. (See the "Configuring Resource Classes" section on page 9-16.)
You cannot configure VPN using ASDM. To configure VPN at the CLI, see the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI.
Customizing a CLI Prompt
The CLI Prompt pane lets you customize the prompt used during CLI sessions. By default, the prompt shows the hostname of the FWSM. In multiple context mode, the prompt also displays the context name. You can display the following items in the CLI prompt.
context | (Multiple mode only) Displays the name of the current context.
domain | Displays the domain name.
hostname | Displays the hostname.
priority | Displays the failover priority as pri (primary) or sec (secondary).
state | Displays the traffic-passing state of the unit. The following values are displayed for the state:
• act—Failover is enabled, and the unit is actively passing traffic.
• stby—Failover is enabled, and the unit is not passing traffic and is in a standby, failed, or other non-active state.
• actNoFailover—Failover is not enabled, and the unit is actively passing traffic.
• stbyNoFailover—Failover is not enabled, and the unit is not passing traffic. This might happen when there is an interface failure above the threshold on the standby unit.
To customize the prompt used during CLI sessions so that it shows something other than the hostname or context name, complete the following steps:
Step 1
In single mode, go to the Configuration > Device Management > Management Access > CLI Prompt pane. In multiple mode in the System, go to the Configuration > Device Management > Device Administration > CLI Prompt pane.
Step 2
Do any of the following to customize the prompt:
•
To add an attribute to the prompt, click the attribute in the Available Prompts list and then click Add. You can add multiple attributes to the prompt. The attribute is moved from the Available Prompts list to the Selected Prompts list.
•
To remove an attribute from the prompt, click the attribute in the Selected Prompts list and then click Delete. The attribute is moved from the Selected Prompts list to the Available Prompts list.
•
To change the order in which the attributes appear in the command prompt, click the attribute in the Selected Prompts list and click Move Up or Move Down to change the order.
The prompt is changed and displays in the CLI Prompt Preview field.
Step 3
Click Apply.
The new prompt is saved to the running configuration.
Configuring the Security Appliance as a TFTP Client
TFTP is a simple client/server file transfer protocol described in RFC783 and RFC1350 Rev. 2. You can configure the FWSM as a TFTP client so that it can transfer a copy of its running configuration file to a TFTP server using File > Save Running Configuration to TFTP Client or Tools > Command Line Interface. In this way, you can back up and propagate configuration files to multiple FWSMs.
The FWSM supports only one TFTP client. The full path to the TFTP client is specified in Configuration > Device Management > Management Access > File Access > TFTP Client. Once configured here, you can use a colon (:) to specify the IP address in the CLI configure net and copy commands. However, any other authentication or configuration of intermediate devices necessary for communication from the FWSM to the TFTP client is done apart from this function.
To configure the FWSM as a TFTP client for saving configuration files to a TFTP server, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > File Access > TFTP Client pane, check Enable.
Step 2
From the Interface Name drop-down list, choose the interface to use as a TFTP client.
Step 3
In the IP Address field, add the IP address of the TFTP server where configuration files will be saved.
Step 4
In the Path field, add the path to the TFTP server where configuration files will be saved.
For example: /tftpboot/asa/config3
Step 5
Click Apply.
The changes are saved to the running configuration. This TFTP server will be used to save the FWSM configuration files. For more information, see Save Running Configuration to TFTP Server, page 2-4.
Configuring ICMP Access
By default, ICMP (including ping) is not allowed to an FWSM interface (or through the FWSM). ICMP is an important tool for testing your network connectivity; however, it can also be used to attack the FWSM or your network. We recommend allowing ICMP during your initial testing, but then disallowing it during normal operation.
Note
See the "Rule Limits" section on page A-6 for information about the maximum number of ICMP rules allowed for the entire system. For allowing ICMP traffic through the FWSM, see the "Access Rules" section on page 22-1.
We recommend that permission is always granted for the ICMP unreachable message type (type 3). Denying ICMP unreachable messages disables ICMP Path MTU discovery, which can halt IPSec and PPTP traffic. See RFC 1195 and RFC 1435 for details about Path MTU Discovery.
If you configure ICMP rules, then the FWSM uses a first match to the ICMP traffic followed by an implicit deny all. That is, if the first matched entry is a permit entry, the ICMP packet continues to be processed. If the first matched entry is a deny entry or an entry is not matched, the FWSM discards the ICMP packet and generates a syslog message.
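A model of the first-match evaluation described above, written for this page as an added example (not Cisco code): rules are checked in order, a matching permit lets the packet continue, and a matching deny or no match at all discards it with a syslog-style message. It assumes that a rule whose ICMP type is None applies to every type; the interface names, addresses and rule set are constructed.

```python
"""First-match ICMP rule evaluation with implicit deny, as described for the FWSM.

Added example, not code from the Cisco guide. Rules are checked in order on the
destination FWSM interface; the first rule whose interface, ICMP type and source
address/mask match decides. No match, or a matching deny entry, discards the
packet and produces a syslog-style message. Treating a rule's ICMP type of None
as "any type" is an assumption of this example. Type literals follow Table 17-1.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP type literals from Table 17-1.
ICMP_TYPES = {
    0: "echo-reply", 3: "unreachable", 4: "source-quench", 5: "redirect",
    6: "alternate-address", 8: "echo", 9: "router-advertisement",
    10: "router-solicitation", 11: "time-exceeded", 12: "parameter-problem",
    13: "timestamp-request", 14: "timestamp-reply", 15: "information-request",
    16: "information-reply", 17: "mask-request", 18: "mask-reply",
    31: "conversion-error", 32: "mobile-redirect",
}


@dataclass(frozen=True)
class IcmpRule:
    action: str                      # "permit" or "deny"
    interface: str                   # destination FWSM interface the rule applies to
    icmp_type: Optional[int]         # None = any ICMP type (assumption of this example)
    network: ipaddress.IPv4Network   # source host/network; 0.0.0.0/0 = Any Address


def make_rule(action: str, interface: str, icmp_type: Optional[int],
              address: str = "0.0.0.0", mask: str = "0.0.0.0") -> IcmpRule:
    """Build a rule from the ASDM fields: action, interface, ICMP type, IP address and mask."""
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    if icmp_type is not None and icmp_type not in ICMP_TYPES:
        raise ValueError(f"unknown ICMP type {icmp_type}")
    # strict=False lets a host address be paired with a wider mask (e.g. Any Address).
    net = ipaddress.IPv4Network((address, mask), strict=False)
    return IcmpRule(action, interface, icmp_type, net)


def insert_rule(rules: List[IcmpRule], before: int, rule: IcmpRule) -> List[IcmpRule]:
    """Return a new rule list with `rule` placed before index `before` (ASDM's Insert)."""
    return rules[:before] + [rule] + rules[before:]


def _deny_message(interface: str, icmp_type: int, src_ip: str, reason: str) -> str:
    literal = ICMP_TYPES.get(icmp_type, str(icmp_type))
    return (f"ICMP {literal} (type {icmp_type}) from {src_ip} "
            f"to interface {interface} denied: {reason}")


def evaluate(rules: List[IcmpRule], interface: str, icmp_type: int,
             src_ip: str) -> Tuple[str, Optional[int], Optional[str]]:
    """Return (verdict, index of the matching rule or None, syslog message or None)."""
    src = ipaddress.IPv4Address(src_ip)
    for i, r in enumerate(rules):
        if r.interface != interface:
            continue
        if r.icmp_type is not None and r.icmp_type != icmp_type:
            continue
        if src not in r.network:
            continue
        if r.action == "permit":
            return "permit", i, None   # first match wins; the packet continues to be processed
        return "deny", i, _deny_message(interface, icmp_type, src_ip, f"matched deny rule {i}")
    # No entry matched: the implicit deny discards the packet and logs it.
    return "deny", None, _deny_message(interface, icmp_type, src_ip, "implicit deny")


# Constructed rule set: always permit unreachable (type 3) so Path MTU discovery
# keeps working, allow echo from one inside management subnet, deny other inside echo.
SAMPLE_RULES = [
    make_rule("permit", "outside", 3),
    make_rule("permit", "inside", 3),
    make_rule("permit", "inside", 8, "10.1.1.0", "255.255.255.0"),
    make_rule("deny", "inside", 8),
]

if __name__ == "__main__":
    for iface, t, src in [("outside", 3, "198.51.100.7"), ("inside", 8, "10.1.1.5"),
                          ("inside", 8, "10.2.2.5"), ("outside", 8, "198.51.100.7")]:
        print(evaluate(SAMPLE_RULES, iface, t, src))
```

Because only the first match counts, the position chosen with Insert decides the outcome: moving a deny entry above a narrower permit silences the permit.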
To configure ICMP access rules, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > ICMP pane, click Add.
If you want to insert a rule in the ICMP table, click the rule that the new rule will precede, and click Insert.
The Create ICMP Rule dialog box appears in the right-hand pane.
Step 2
From the ICMP Type drop-down list, choose the type of ICMP message for this rule.
Table 17-1 lists the types of ICMP messages.
Table 17-1 ICMP Type Literals
ICMP Type | Literal
0 | echo-reply
3 | unreachable
4 | source-quench
5 | redirect
6 | alternate-address
8 | echo
9 | router-advertisement
10 | router-solicitation
11 | time-exceeded
12 | parameter-problem
13 | timestamp-request
14 | timestamp-reply
15 | information-request
16 | information-reply
17 | mask-request
18 | mask-reply
31 | conversion-error
32 | mobile-redirect
Step 3
From the Interface selection list, choose the destination FWSM interface to which the rule applies.
Step 4
In the IP Address field, add a specific IP address for the host or network or click Any Address.
Step 5
From the Mask drop-down list, choose the network mask.
Step 6
Click OK.
The dialog box closes.
Step 7
Click Apply.
The ICMP rule is added to the end of the ICMP table and the change is saved to the running configuration.
Configuring SNMP
This section describes how to configure SNMP, and includes the following topics:
• Information About SNMP
• Configuring an SNMP Agent and Management Station, page 17-16
• Configuring SNMP Traps, page 17-19
Information About SNMP
The Simple Network Management Protocol (SNMP) enables the monitoring of network devices from a central location. The FWSM supports network monitoring using SNMP Versions 1 and 2c, as well as traps and SNMP read access, but does not support SNMP write access.
You can configure the FWSM to send traps (event notifications) to a network management station (NMS), or you can use the NMS to browse the MIBs on the security appliance. Use CiscoWorks for Windows or any other SNMP V1, MIB-II-compliant browser to receive SNMP traps and browse a MIB.
The FWSM has an SNMP agent that notifies designated management stations if events occur that are pre-defined to require a notification, for example, when a link in the network goes up or down. The notification it sends includes an SNMP OID, identifying itself to the management stations.
The FWSM SNMP agent also replies when a management station asks for information.
This section includes the following topics:
• Information About SNMP Terminology
• Information About the Management Information Base and Traps
Information About SNMP Terminology
The following terms are commonly used when working with SNMP.
Term | Description
Management stations | The PCs or workstations set up to monitor SNMP events and manage devices such as the FWSM.
SNMP Agent | The SNMP server running on the FWSM. The agent responds to requests for information and actions from the management station. The agent also controls access to its management information base (MIB), the collection of objects that can be viewed or changed by the SNMP manager.
OID | The system object identifier (OID) that identifies a device to its management station and indicates to users the source of information monitored and displayed.
MIB | Management Information Bases, or standardized data structures, for collecting information about packets, connections, buffers, failovers, etc. MIBs are defined by product and the protocols and hardware standards used by most network devices. SNMP management stations can browse MIBs and request specific data or events be sent as they occur. Some MIB data can be modified for administrative purposes.
Trap | Predefined events that generate a message from the SNMP agent to the management station. Events include alarm conditions such as link up, link down, or syslog event.
Browsing | Monitoring the health of a device from the management station by pulling required information from the device SNMP agent. This activity may include doing an snmpget or snmpwalk of the MIB tree from the management station.
Information About the Management Information Base and Traps
MIBs are either standard or enterprise-specific. Standard MIBs are created by the IETF and documented in various RFCs. A trap reports significant events occurring on a network device, most often errors or failures. SNMP traps are defined in either standard or enterprise-specific MIBs. Standard traps are created by the IETF and documented in various RFCs. Standard traps are compiled into the FWSM software.
If needed, you can also download RFCs, standard MIBs, and standard traps from the IETF website:
http://www.ietf.org/
Download Cisco MIBs from the following location:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
Download Cisco OIDs from the following location:
ftp://ftp.cisco.com/pub/mibs/oid/oid.tar.gz.
The following table describes the SNMP MIB support that the FWSM provides:
SNMP Overview
The FWSM provides support for network monitoring using SNMP V1 and V2c. The FWSM supports traps and SNMP read access, but does not support SNMP write access.
You can configure the FWSM to send traps (event notifications) to a network management station (NMS), or you can use the NMS to browse the MIBs on the FWSM. MIBs are a collection of definitions, and the FWSM maintains a database of values for each definition. Browsing a MIB entails issuing an SNMP get request from the NMS. Use CiscoWorks for Windows or any other SNMP V1 or V2c, MIB-II-compliant browser to receive SNMP traps and browse a MIB.
Table 17-2 lists supported MIBs and traps for the FWSM and, in multiple mode, for each context. You can download Cisco MIBs from the following website.
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
After you download the MIBs, compile them for your NMS.
Note
Limit the frequency of using SNMP to obtain data, because it might degrade performance. In addition, to collect resource usage data efficiently, schedule polling on a per-context basis.
Table 17-2 SNMP MIB and Trap Support

CISCO-CRYPTO-ACCELERATOR-MIB
The FWSM supports browsing of the MIB.

CISCO-ENTITY-MIB, CISCO-ENTITY-ALARM-MIB, CISCO-ENTITY-FRU-CONTROL-MIB, CISCO-ENTITY-REDUNDANCY-MIB
The FWSM supports browsing of the following groups and tables:
• entLogicalTable
• entPhysicalTable
The FWSM sends the following traps:
• alarm-asserted
• alarm-cleared
• config-change
• fru-insert
• fru-remove
• redun-switchover

CISCO-IP-PROTOCOL-FILTER-MIB
The FWSM supports browsing of the following tables:
• cippfIpProfileTable
• cippfIpFilterExtTable
• cippfIpFilterStatsTable
• cippfIpFilterTable
The following example shows how to retrieve the entries displayed by the show access-list command through SNMP operations on the cippfIpFilterTable and cippfIpFilterStatsTable objects.
ip address 50.0.0.2 255.0.0.0
ip address 60.0.0.2 255.0.0.0
snmp-server host outside 60.0.0.1 community public version 2c udp-port 161
hostname# show access-list
access-list aaa line 1 extended permit tcp any any eq www (hitcnt=0) 0xe0998155
snmpwalk 60.0.0.2 -c public -v 2c 1.3.6.1.4.1.9.9.278 returns as
SNMPv2-SMI::enterprises.9.9.278.1.1.1.1.2.3.97.97.97 = INTEGER: 2 <-- 2 means extended access-list
SNMPv2-SMI::enterprises.9.9.278.1.1.2.1.2.1.1 = STRING: "aaa"
SNMPv2-SMI::enterprises.9.9.278.1.1.2.1.2.2.1 = STRING: "aaa"
SNMPv2-SMI::enterprises.9.9.278.1.1.2.1.3.1.1 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.278.1.1.2.1.3.2.1 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.3.3.97.97.97.1 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.4.3.97.97.97.1 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.5.3.97.97.97.1 = Hex-STRING: 00 00 00 00 <-- denotes src network
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.6.3.97.97.97.1 = Hex-STRING: 00 00 00 00 <-- denotes src network mask
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.7.3.97.97.97.1 = Hex-STRING: 00 00 00 00 <-- denotes dest network
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.8.3.97.97.97.1 = Hex-STRING: 00 00 00 00 <-- denotes dest network mask
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.9.3.97.97.97.1 = INTEGER: 6 <-- 6 stands for tcp protocol number
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.10.3.97.97.97.1 = Gauge32: 0 <-- 0 means any port
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.11.3.97.97.97.1 = Gauge32: 0 <-- 0 means any port
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.12.3.97.97.97.1 = Gauge32: 80 <-- www translates to 80
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.13.3.97.97.97.1 = Gauge32: 0 <-- 0 means any port
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.16.3.97.97.97.1 = INTEGER: 2 <-- 2 means log for ACL is disabled
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.17.3.97.97.97.1 = INTEGER: 1 <-- 1 means ACL log enabled
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.22.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.23.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.24.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.25.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.26.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.27.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.4.1.2.3.97.97.97.1 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.278.1.1.4.1.3.3.97.97.97.1 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.278.1.2.1.1.1.3.97.97.97.1 = Counter64: 0 <-- 0 is the current ACL hit counter for ACL 'aaa'
where "3.97.97.97" denotes the access-list name in ASCII characters. The access-list name "aaa" translates to 97.97.97, where "97" is the ASCII equivalent of the character "a." The "3" denotes the number of characters in the ASCII list name.
The following example shows an unexpanded access-list with a network object-group, which can be retrieved through SNMP operations. The hit counter for individual access-lists is aggregated and displayed in the SNMP OID "cippfIpFilterHits."
ip address 50.0.0.2 255.0.0.0
ip address 60.0.0.2 255.0.0.0
object-group network src-network
network-object 50.1.1.1 255.255.255.255
network-object 50.1.1.2 255.255.255.255
network-object 50.1.1.3 255.255.255.255
object-group network dest-network
network-object 60.1.1.1 255.255.255.255
network-object 60.1.1.2 255.255.255.255
network-object 60.1.1.3 255.255.255.255
access-list aaa extended permit tcp object-group src-network object-group dest-network
snmp-server host outside 60.0.0.1 community public version 2c udp-port 161
hostname(config)# show access-list
access-list mode auto-commit
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
access-list aaa; 9 elements
access-list aaa line 1 extended permit tcp object-group src-network object-group dest-network 0x705bc913 <---- only exposed
access-list aaa line 1 extended permit tcp host 50.1.1.1 host 60.1.1.1 (hitcnt=0) 0xcb224dc0 <---- not exposed
access-list aaa line 1 extended permit tcp host 50.1.1.1 host 60.1.1.2 (hitcnt=0) 0x324aa638 <---- not exposed
access-list aaa line 1 extended permit tcp host 50.1.1.1 host 60.1.1.3 (hitcnt=0) 0xca52e993 <---- not exposed
access-list aaa line 1 extended permit tcp host 50.1.1.2 host 60.1.1.1 (hitcnt=0) 0xa45db454 <---- not exposed
access-list aaa line 1 extended permit tcp host 50.1.1.2 host 60.1.1.2 (hitcnt=0) 0xd69df47f <---- not exposed
access-list aaa line 1 extended permit tcp host 50.1.1.2 host 60.1.1.3 (hitcnt=0) 0xb06956a6 <---- not exposed
access-list aaa line 1 extended permit tcp host 50.1.1.3 host 60.1.1.1 (hitcnt=0) 0xcd7aeba4 <---- not exposed
access-list aaa line 1 extended permit tcp host 50.1.1.3 host 60.1.1.2 (hitcnt=0) 0x3210272d <---- not exposed
access-list aaa line 1 extended permit tcp host 50.1.1.3 host 60.1.1.3 (hitcnt=0) 0xa2b03187 <---- not exposed
snmpwalk 60.0.0.2 -c public -v 2c 1.3.6.1.4.1.9.9.278
SNMPv2-SMI::enterprises.9.9.278.1.1.1.1.2.3.97.97.97 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.3.3.97.97.97.1 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.4.3.97.97.97.1 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.5.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.6.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.7.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.8.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.9.3.97.97.97.1 = INTEGER: 6
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.10.3.97.97.97.1 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.11.3.97.97.97.1 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.12.3.97.97.97.1 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.13.3.97.97.97.1 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.16.3.97.97.97.1 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.17.3.97.97.97.1 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.22.3.97.97.97.1 = STRING: "src-network" <-- source network object-group name
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.23.3.97.97.97.1 = STRING: "dest-network" <-- destination network object-group name
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.24.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.25.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.26.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.27.3.97.97.97.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.4.1.2.3.97.97.97.1 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.278.1.1.4.1.3.3.97.97.97.1 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.278.1.2.1.1.1.3.97.97.97.1 = Counter64: 0 <-- aggregated ACL hit counter
The following example shows how the access-list entries displayed by the show ipv6 access-list command can be retrieved and displayed through SNMP operations.
ip address 50.0.0.2 255.0.0.0
ipv6 address 2000:400:3:1::100/64
ip address 60.0.0.2 255.0.0.0
ipv6 address 2001:400:3:1::100/64
ipv6 access-list allow_ipv6 permit tcp any any eq www
access-group allow_ipv6 in interface inside
access-group allow_ipv6 in interface outside
snmp-server host outside 60.0.0.1 community public version 2c udp-port 161
FWSM# show ipv6 access-list
ipv6 access-list allow_ipv6; 1 elements
ipv6 access-list allow_ipv6 line 1 permit tcp any any eq www (hitcnt=0) 0xfabbda56
snmpwalk 60.0.0.2 -c public -v 2c 1.3.6.1.4.1.9.9.278 returns as
SNMPv2-SMI::enterprises.9.9.278.1.1.1.1.2.10.97.108.108.111.119.95.105.112.118.54 = INTEGER: 3
SNMPv2-SMI::enterprises.9.9.278.1.1.2.1.2.1.3 = STRING: "allow_ipv6"
SNMPv2-SMI::enterprises.9.9.278.1.1.2.1.2.2.3 = STRING: "allow_ipv6"
SNMPv2-SMI::enterprises.9.9.278.1.1.2.1.3.1.3 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.278.1.1.2.1.3.2.3 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.3.10.97.108.108.111.119.95.105.112.118.54.1 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.4.10.97.108.108.111.119.95.105.112.118.54.1 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.5.10.97.108.108.111.119.95.105.112.118.54.1 = Hex-STRING: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.6.10.97.108.108.111.119.95.105.112.118.54.1 = Hex-STRING: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.7.10.97.108.108.111.119.95.105.112.118.54.1 = Hex-STRING: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.8.10.97.108.108.111.119.95.105.112.118.54.1 = Hex-STRING: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.9.10.97.108.108.111.119.95.105.112.118.54.1 = INTEGER: 6
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.10.10.97.108.108.111.119.95.105.112.118.54.1 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.11.10.97.108.108.111.119.95.105.112.118.54.1 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.12.10.97.108.108.111.119.95.105.112.118.54.1 = Gauge32: 80
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.13.10.97.108.108.111.119.95.105.112.118.54.1 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.16.10.97.108.108.111.119.95.105.112.118.54.1 = INTEGER: 2
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.17.10.97.108.108.111.119.95.105.112.118.54.1 = INTEGER: 1
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.22.10.97.108.108.111.119.95.105.112.118.54.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.23.10.97.108.108.111.119.95.105.112.118.54.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.24.10.97.108.108.111.119.95.105.112.118.54.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.25.10.97.108.108.111.119.95.105.112.118.54.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.26.10.97.108.108.111.119.95.105.112.118.54.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.3.1.27.10.97.108.108.111.119.95.105.112.118.54.1 = ""
SNMPv2-SMI::enterprises.9.9.278.1.1.4.1.2.10.97.108.108.111.119.95.105.112.118.54.1 = INTEGER: 0
SNMPv2-SMI::enterprises.9.9.278.1.1.4.1.3.10.97.108.108.111.119.95.105.112.118.54.1 = Gauge32: 0
SNMPv2-SMI::enterprises.9.9.278.1.2.1.1.1.10.97.108.108.111.119.95.105.112.118.54.1 = Counter64: 0
Note
You cannot perform an SNMP query for either type of access-list.
You cannot perform an SNMP query for access-list entries expanded because of the use of an object-group. You can only perform an SNMP query for unexpanded access-lists using an object-group. You can only perform an SNMP query for an aggregated access-list hit counter for an access-list using an object-group. You cannot perform an SNMP query for the hit counter for access-list entries expanded because of an object-group in an access-list.
You cannot perform an SNMP query for access-list names configured with more than 112 characters.
CISCO-FIREWALL-MIB
The FWSM supports browsing of the MIB.
The FWSM supports browsing of the following group:
• cfwSystem
The information in cfwSystem.cfwStatus, which relates to failover status, pertains to the entire device and not just a single context.
The FWSM supports browsing of the following table:
• cfwConnectionStatTable
CISCO-IPSEC-FLOW-MONITOR-MIB
The FWSM supports browsing of the MIB.
The FWSM sends the following traps:
• start
• stop
CISCO-L4L7-RESOURCE-LIMIT-MIB
The FWSM supports browsing of the MIB.
The FWSM sends the following traps:
• limit-reached
• rate-limit-reached
The FWSM supports browsing of the following tables:
• ciscoL4L7ResourceLimitTable
• ciscoL4L7ResourceRateLimitTable
CISCO-MEMORY-POOL-MIB
The FWSM supports browsing of the following table:
• ciscoMemoryPoolTable—The memory usage described in this table applies only to the Cisco ASA general-purpose processor, and not to the network processors.
CISCO-NAT-EXT-MIB
The FWSM supports browsing of the MIB.
CISCO-PROCESS-MIB
The FWSM supports browsing of the MIB.
The FWSM supports browsing of the following table:
• cpmCPUTotalTable
The FWSM sends the following trap:
• rising threshold
CISCO-REMOTE-ACCESS-MONITOR-MIB
The FWSM supports browsing of the MIB.
The FWSM sends the following trap:
• session-threshold-exceeded
CISCO-SYSLOG-MIB
The FWSM sends the following trap:
• clogMessageGenerated
You cannot browse this MIB.
CISCO-UNIFIED-FIREWALL-MIB
The FWSM supports browsing of the MIB.
The FWSM supports browsing of the following group:
• cufwUrlFilterGlobals—This group provides global URL filtering statistics.
IF-MIB
The FWSM supports browsing of the following tables:
• ifTable
• ifXTable
IP-FORWARD-MIB
The FWSM supports browsing of the following table: inetCidrRouteTable.
The following example shows how entries displayed from the show route command can be retrieved through SNMP operations.
ip address 50.0.0.2 255.0.0.0
ip address 60.0.0.2 255.0.0.0
snmp-server host outside 60.0.0.1 community public version 2c udp-port 161
50.0.0.0 255.0.0.0 is directly connected, inside
60.0.0.0 255.0.0.0 is directly connected, outside
An SNMP request from the inetCidrRouteTable returns:
snmpwalk 60.0.0.2 -c public -v 2c 1.3.6.1.2.1.4.24.7 returns
IP-MIB::ip.24.7.1.7.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 1    <---- ifindex
IP-MIB::ip.24.7.1.7.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 2    <---- ifindex
IP-MIB::ip.24.7.1.8.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 3    <---- refer local
IP-MIB::ip.24.7.1.8.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 3    <---- refer local
IP-MIB::ip.24.7.1.9.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 2    <---- 2 means local or connected route
IP-MIB::ip.24.7.1.9.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 2    <---- 2 means local or connected route
IP-MIB::ip.24.7.1.10.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = Gauge32: 0
IP-MIB::ip.24.7.1.10.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = Gauge32: 0
IP-MIB::ip.24.7.1.11.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = Gauge32: 0
IP-MIB::ip.24.7.1.11.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = Gauge32: 0
IP-MIB::ip.24.7.1.12.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 0   <---- primary metric 0 for connected route
IP-MIB::ip.24.7.1.12.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 0   <---- primary metric 0 for connected route
IP-MIB::ip.24.7.1.13.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: -1
IP-MIB::ip.24.7.1.13.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: -1
IP-MIB::ip.24.7.1.14.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: -1
IP-MIB::ip.24.7.1.14.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: -1
IP-MIB::ip.24.7.1.15.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: -1
IP-MIB::ip.24.7.1.15.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: -1
IP-MIB::ip.24.7.1.16.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: -1
IP-MIB::ip.24.7.1.16.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: -1
IP-MIB::ip.24.7.1.17.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 1   <---- 1 means route is active
IP-MIB::ip.24.7.1.17.1.4.60.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 1   <---- 1 means route is active
For an SNMP request to retrieve the SNMP OID "inetCidrRouteIfIndex" from the inetCidrRouteTable, enter the following:
snmpget 60.0.0.2 -c public -v 2c ip.24.7.1.7.1.4.50.0.0.0.8.0.1.4.0.0.0.0 returns as
IP-MIB::ip.24.7.1.7.1.4.50.0.0.0.8.0.1.4.0.0.0.0 = INTEGER: 1
Note You cannot perform an SNMP query for IPv6 route entries.
A delay of up to three minutes may occur between the time a route entry appears in the show route command output and the time that entry can be retrieved by an SNMP query.
IP-MIB
The FWSM supports browsing of the following table: ipNetToPhysicalTable.
The following examples show how entries displayed through the show arp command can be retrieved through SNMP operations.
ip address 50.0.0.2 255.0.0.0
ip address 60.0.0.2 255.0.0.0
snmp-server host outside 60.0.0.1 community public version 2c udp-port 161
inside 50.0.0.1 0004.23b3.9dea
outside 60.0.0.1 000e.0c4e.f6cc
For an SNMP request from the ipNetToPhysicalTable, enter the following:
snmpwalk 60.0.0.2 -c public -v 2c IP-MIB::ip.35 returns
IP-MIB::ip.35.1.4.1.1.4.50.0.0.1 = Hex-STRING: 00 04 23 B3 9D EA
IP-MIB::ip.35.1.4.2.1.4.60.0.0.1 = Hex-STRING: 00 0E 0C 4E F6 CC
For an SNMP request for a specific IP address from the ipNetToPhysicalTable, enter the following:
snmpwalk 60.0.0.2 -c public -v 2c IP-MIB::ip.35.1.4.1.1.4.50.0.0.1 returns
IP-MIB::ip.35.1.4.1.1.4.50.0.0.1 = Hex-STRING: 00 04 23 B3 9D EA
The ipNetToPhysicalTable object is indexed by ipNetToPhysicalIfIndex, ipNetToPhysicalNetAddressType, and ipNetToPhysicalNetAddress, in which ipNetToPhysicalIfIndex will be the VLAN interface number. The ipNetToPhysicalNetAddress object is the IP address for which the MAC entry is to be retrieved. Only the ipNetToPhysicalPhysAddress object is populated from ipNetToPhysicalTable to retrieve the MAC address for the indexed IP address.
Note A delay of up to three minutes may occur between the time an ARP entry appears in the show arp command output and the time that entry can be retrieved by an SNMP query.
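The index suffixes in the walks above (the length-prefixed access-list name in the CISCO-IP-PROTOCOL-FILTER-MIB rows, and the InetAddressType/InetAddress pairs in the inetCidrRouteTable and ipNetToPhysicalTable rows) can be decoded offline so that polled rows map back to an access list, a route, or an ARP entry. The following Python decoder is an added example, not part of the Cisco documentation; it takes the index suffix that follows the column OID and assumes the index layouts those MIBs define.

```python
# Added example (not from the Cisco FWSM documentation): decode the index
# suffixes that snmpwalk appends to each column OID in the tables above.
# Layouts assumed from the MIB definitions: a length-prefixed string for the
# access-list name, and InetAddressType + length-prefixed InetAddress otherwise.

def _parse(index):
    """Split a dotted index suffix into a mutable list of integers."""
    return [int(p) for p in index.strip(".").split(".")]

def _take_string(parts):
    """Consume <len>.<byte>... and return the decoded ASCII string."""
    n = parts.pop(0)
    raw, parts[:n] = bytes(parts[:n]), []
    return raw.decode("ascii")

def _take_inet_address(parts):
    """Consume InetAddressType.<len>.<octets>... and return printable form."""
    addr_type, n = parts.pop(0), parts.pop(0)
    octets, parts[:n] = parts[:n], []
    if addr_type == 1 and n == 4:          # ipv4
        return ".".join(map(str, octets))
    if addr_type == 2 and n == 16:         # ipv6
        return ":".join(f"{octets[i] << 8 | octets[i + 1]:x}" for i in range(0, 16, 2))
    raise ValueError(f"unsupported InetAddressType {addr_type} with length {n}")

def decode_acl_index(index):
    """CISCO-IP-PROTOCOL-FILTER-MIB rows: access-list name, plus entry number if present."""
    parts = _parse(index)
    name = _take_string(parts)
    return name, (parts[0] if parts else None)

def decode_cidr_route_index(index):
    """inetCidrRouteTable: DestType.Dest.PfxLen.Policy(OID).NextHopType.NextHop."""
    parts = _parse(index)
    dest = _take_inet_address(parts)
    pfxlen = parts.pop(0)
    policy_len = parts.pop(0)              # number of sub-ids in the policy OID
    policy, parts[:policy_len] = parts[:policy_len], []
    return {"dest": f"{dest}/{pfxlen}", "policy": policy,
            "next_hop": _take_inet_address(parts)}

def decode_net_to_physical_index(index):
    """ipNetToPhysicalTable: IfIndex.NetAddressType.NetAddress."""
    parts = _parse(index)
    if_index = parts.pop(0)
    return {"if_index": if_index, "address": _take_inet_address(parts)}

if __name__ == "__main__":
    # Index suffixes taken from the snmpwalk output shown on this page.
    print(decode_acl_index("10.97.108.108.111.119.95.105.112.118.54.1"))
    print(decode_cidr_route_index("1.4.50.0.0.0.8.0.1.4.0.0.0.0"))
    print(decode_net_to_physical_index("1.1.4.50.0.0.1"))
```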
MIB-II
The FWSM supports browsing of the following group and table:
• system
NAT-MIB
The FWSM supports browsing of the MIB.
The FWSM sends the following trap:
• packet-discard
The FWSM supports browsing of the following tables:
• natAddrBindTable
• natAddrPortBindTable
RFC1213-MIB
The FWSM supports browsing of the following table:
• ip.ipAddrTable
SNMP core traps
The FWSM sends the following SNMP core traps:
• authentication—An SNMP request fails because the NMS did not authenticate with the correct community string.
• linkup—An interface has transitioned to the "up" state.
• linkdown—An interface is down, for example, if you removed the nameif command.
• coldstart—The FWSM is running after a reload.
SNMPv2-MIB
The FWSM supports browsing of the following:
• snmp
TCP-MIB
The FWSM supports browsing of the following table:
• tcpConnectionTable
UDP-MIB
The FWSM supports browsing of the following table:
• udpEndpointTable
Configuring an SNMP Agent and Management Station
This section includes the following topics:
• Configuring the SNMP Agent
• Adding an SNMP Management Station
Configuring the SNMP Agent
To configure an SNMP agent, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > SNMP pane, in the Community String (default) field, add a default community string.
Enter the password used by the SNMP management stations when sending requests to the FWSM. The SNMP community string is a shared secret among the SNMP management stations and the network nodes being managed. The FWSM uses the password to determine if the incoming SNMP request is valid. The password is a case-sensitive value up to 32 characters in length. Spaces are not permitted. The default is "public." SNMPv2c allows separate community strings to be set for each management station. If no community string is configured for any management station, the value set here will be used by default.
Step 2
In the Contact field, add the name of the FWSM system administrator. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
Step 3
In the Location field, add the location of the FWSM being managed by SNMP. The text is case-sensitive and can be up to 127 characters. Spaces are accepted, but multiple spaces are shortened to a single space.
Step 4
In the Listening Port field, add the number of the FWSM port that listens for SNMP requests from management stations, or keep the default, port number 161.
Step 5
Click Apply.
The SNMP agent is configured and the changes are saved to the running configuration.
Adding an SNMP Management Station
To add an SNMP management station, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > SNMP pane, click Add.
The Add SNMP Host Access Entry dialog box appears.
Step 2
From the Interface Name drop-down menu, choose the interface where the SNMP host resides.
Step 3
In the IP Address field, add the SNMP host IP address.
Step 4
In the UDP Port field, add the SNMP host UDP port, or keep the default, port 162.
Step 5
In the Community String field, add the SNMP host community string. If no community string is specified for a management station, the value set in the Community String (default) field on the SNMP pane will be used.
Step 6
From the SNMP Version drop-down menu, choose the SNMP version used by the SNMP host.
Step 7
Check the Poll or Trap check boxes to specify the method for communicating with this management station.
Step 8
Click OK.
The dialog box closes.
Step 9
Click Apply.
The management station is configured and changes are saved to the running configuration.
Configuring SNMP Traps
To designate which traps the SNMP agent generates and how they are collected and sent to network management stations, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > SNMP pane, click Configure Traps.
The SNMP Trap Configuration dialog box appears.
Step 2
Click the SNMP events to notify through SNMP traps.
Step 3
Click OK.
The dialog box closes.
Step 4
Click Apply.
The SNMP traps are configured and the changes are saved to the running configuration.
Configuring Management Access Rules
Access Rules specifically permit or deny traffic to or from a particular peer (or peers) while Management Access Rules provide access control for to-the-box traffic. For example, in addition to detecting IKE Denial of Service attacks, you can block them using management access rules.
To add a Management Access Rule, perform the following steps:
Step 1
From the Configuration > Device Management > Management Access > Management Access Rules pane, from the Add menu, click Add Management Access Rule.
The Add Management Access Rules dialog box appears.
Step 2
From the Interface drop-down list, choose an interface for applying the rule.
Step 3