Security models, Snmp groups, Snmp users – Cisco ASA 5505 User Manual

Page 1796: Snmp hosts

Advertising
background image

79-16

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 79 Configuring SNMP

Information About SNMP

(USM) and View-based Access Control Model (VACM). The ASA also support the creation of SNMP
groups and users, as well as hosts, which is required to enable transport authentication and encryption
for secure SNMP communications.

Security Models

For configuration purposes, the authentication and privacy options are grouped together into security
models. Security models apply to users and groups, which are divided into the following three types:

NoAuthPriv—No Authentication and No Privacy, which means that no security is applied to
messages.

AuthNoPriv—Authentication but No Privacy, which means that messages are authenticated.

AuthPriv—Authentication and Privacy, which means that messages are authenticated and encrypted.

SNMP Groups

An SNMP group is an access control policy to which users can be added. Each SNMP group is
configured with a security model, and is associated with an SNMP view. A user within an SNMP group
must match the security model of the SNMP group. These parameters specify what type of authentication
and privacy a user within an SNMP group uses. Each SNMP group name and security model pair must
be unique.

SNMP Users

SNMP users have a specified username, a group to which the user belongs, authentication password,
encryption password, and authentication and encryption algorithms to use. The authentication algorithm
options are MD5 and SHA. The encryption algorithm options are DES, 3DES, and AES (which is
available in 128, 192, and 256 versions). When you create a user, you must associate it with an SNMP
group. The user then inherits the security model of the group.

SNMP Hosts

An SNMP host is an IP address to which SNMP notifications and traps are sent. To configure SNMP
Version 3 hosts, along with the target IP address, you must configure a username, because traps are only
sent to a configured user. SNMP target IP addresses and target parameter names must be unique on the
ASA. Each SNMP host can have only one username associated with it. To receive SNMP traps, after you
have added the snmp-server host command, make sure that you configure the user credentials on the
NMS to match the credentials for the ASA.

Implementation Differences Between the ASA, ASA Services Module, and the Cisco IOS Software

The SNMP Version 3 implementation in the ASA and ASASM differs from the SNMP Version 3
implementation in the Cisco IOS software in the following ways:

The local-engine and remote-engine IDs are not configurable. The local engine ID is generated when
the ASA starts or when a context is created.

No support exists for view-based access control, which results in unrestricted MIB browsing.

Support is restricted to the following MIBs: USM, VACM, FRAMEWORK, and TARGET.

You must create users and groups with the correct security model.

Advertising