Rsh inspection, Snmp inspection, Snmp inspection overview – Cisco ASA 5505 User Manual


46-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 46 Configuring Inspection for Management Application Protocols

RSH Inspection

RSH inspection is enabled by default. The RSH protocol uses a TCP connection from the RSH client to
the RSH server on TCP port 514. The client and server negotiate the TCP port number where the client
listens for the STDERR output stream. RSH inspection supports NAT of the negotiated port number if
necessary.

SNMP Inspection

This section describes the SNMP inspection engine. This section includes the following topics:

SNMP Inspection Overview, page 46-11

Configuring an SNMP Inspection Policy Map for Additional Inspection Control, page 46-11

SNMP Inspection Overview

SNMP application inspection lets you restrict SNMP traffic to a specific version of SNMP. Earlier
versions of SNMP are less secure; therefore, denying certain SNMP versions may be required by your
security policy. The ASA can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by
creating an SNMP map.

You then apply the SNMP map when you enable SNMP inspection according to the “Configuring
Application Layer Protocol Inspection” section on page 42-6.

Configuring an SNMP Inspection Policy Map for Additional Inspection Control

To create an SNMP inspection policy map, perform the following steps:

Step 1

To create an SNMP map, enter the following command:

hostname(config)# snmp-map map_name

hostname(config-snmp-map)#

where map_name is the name of the SNMP map. The CLI enters SNMP map configuration mode.

Step 2

To specify the versions of SNMP to deny, enter the following command for each version:

hostname(config-snmp-map)# deny version version

hostname(config-snmp-map)#

where version is 1, 2, 2c, or 3.

The following example denies SNMP Versions 1 and 2:

hostname(config)# snmp-map sample_map

hostname(config-snmp-map)# deny version 1

hostname(config-snmp-map)# deny version 2
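The following Python model is an added example and is not part of the Cisco guide: it decodes the BER
version field that begins every SNMP message and applies the same permit/drop decision that an
snmp-map with "deny version" entries makes. The version numbers are the standard on-the-wire values
(0 for SNMPv1, 1 for SNMPv2c, 2 for party-based SNMPv2, 3 for SNMPv3); the mapping to the ASA's
"1", "2c", "2", "3" labels and all sample messages are constructed for this example.

```python
# Added example (not from the Cisco guide): models what an snmp-map "deny version" policy
# decides by decoding the BER version INTEGER at the start of an SNMP message.

# Standard wire values -> ASA deny-version labels (mapping assumed for this example).
VERSION_NAMES = {0: "1", 1: "2c", 2: "2", 3: "3"}

def _read_tlv(buf: bytes, pos: int):
    """Decode one BER tag/length/value at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def snmp_version(msg: bytes) -> str:
    """Return the SNMP version label ('1', '2c', '2' or '3') carried by a message."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message (outer SEQUENCE missing)")
    tag, ver, _ = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("version INTEGER missing")
    v = int.from_bytes(ver, "big", signed=True)
    if v not in VERSION_NAMES:
        raise ValueError(f"unknown SNMP version {v}")
    return VERSION_NAMES[v]

def snmp_map_decision(msg: bytes, denied: set) -> str:
    """Mimic an snmp-map: 'drop' if the version is in the denied set, else 'permit'."""
    try:
        return "drop" if snmp_version(msg) in denied else "permit"
    except (ValueError, IndexError):
        return "drop"  # malformed or truncated header: no version can be verified

def build_v1_or_v2c(version: int, community: bytes) -> bytes:
    """Constructed sample: minimal SNMPv1/v2c GetRequest with an empty VarBindList."""
    pdu = bytes([0xA0, 0x0B,
                 0x02, 0x01, 0x01,      # request-id 1
                 0x02, 0x01, 0x00,      # error-status 0
                 0x02, 0x01, 0x00,      # error-index 0
                 0x30, 0x00])           # empty VarBindList
    body = bytes([0x02, 0x01, version, 0x04, len(community)]) + community + pdu
    return bytes([0x30, len(body)]) + body

def build_v3_header() -> bytes:
    """Constructed sample: start of an SNMPv3 message (version 3, stub msgGlobalData)."""
    body = bytes([0x02, 0x01, 0x03, 0x30, 0x00])
    return bytes([0x30, len(body)]) + body
```

With `denied = {"1", "2"}`, matching the sample_map above, a v1 GetRequest is dropped while v2c and v3 messages are permitted.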