SNMP stands for Simple Network Management Protocol. This article explains how to configure SNMP on the Cisco ASA 5500 firewall. Up to ASA software 8.1, the supported SNMP versions were v1 and v2c. The newest ASA software, 8.2, also supports SNMP v3, which is the most secure SNMP protocol version.
The ASA works as an SNMP server (or agent), so you also need a Network Management System (NMS), which acts as the SNMP manager and provides the network monitoring and management functionality. The NMS is basically a management server such as the CiscoWorks product. With the NMS you can either poll the ASA appliance to collect information, or the ASA appliance can send SNMP traps (event notifications) to the NMS server. SNMP traps are sent on UDP port 162 and SNMP polling uses UDP port 161. So, the ASA will listen on UDP 161 and the NMS will listen on UDP 162 and 161.
Configuring SNMP
Step 1: Enable the SNMP server on the ASA
ASA(config)# snmp-server enable
Step 2: Identify the NMS host that can connect to the ASA for SNMP management
ASA(config)# snmp-server host [interface_name] [ip_address] community [community string]
Where “interface_name” is the ASA interface through which the NMS can be reached, and “ip_address” is the NMS address. The “community string” is like a preshared password, which must be configured on both the ASA and the NMS for the two to communicate.
Step 3: Specify the ASA community string
ASA(config)# snmp-server community [community string]
Step 4: Enable the ASA to send SNMP traps to the NMS
ASA(config)# snmp-server enable traps [all | snmp [trap] [trap] ]
The default configuration has all SNMP traps enabled (snmp-server enable traps snmp authentication linkup linkdown coldstart). It is recommended to leave all traps enabled, as in the default setting.
Configuration Example:
ASA(config)# snmp-server enable
ASA(config)# snmp-server host inside 10.1.1.100 community somesecretword
ASA(config)# snmp-server community somesecretword
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart
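The following pre-deployment check is an added example, not part of the original article or any Cisco tool: it reads the commands from the four steps above, as typed, and reports missing steps, malformed host lines, disabled traps and well-known community strings. The function name check_snmp_commands, the WELL_KNOWN list and the check for the "no" form of the traps command are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the command lines from the configuration example above.
SAMPLE = """\
ASA(config)# snmp-server enable
ASA(config)# snmp-server host inside 10.1.1.100 community somesecretword
ASA(config)# snmp-server community somesecretword
ASA(config)# snmp-server enable traps snmp authentication linkup linkdown coldstart
"""

WELL_KNOWN = {"public", "private"}  # widely used default community strings
PROMPT = re.compile(r"^\S*\(config\)#\s*")  # strips a pasted CLI prompt
HOST = re.compile(r"^snmp-server host (\S+) (\S+) community (\S+)$")
COMMUNITY = re.compile(r"^snmp-server community (\S+)$")


def check_snmp_commands(text):
    """Return findings for the four steps; an empty list means none."""
    cmds = [PROMPT.sub("", ln.strip()) for ln in text.splitlines() if ln.strip()]
    findings, communities, hosts = [], set(), 0
    for cmd in cmds:
        if cmd.startswith("snmp-server host "):
            m = HOST.match(cmd)
            if not m:  # e.g. a missing space between interface and address
                findings.append(f"malformed host line: {cmd}")
                continue
            try:
                ipaddress.ip_address(m.group(2))
            except ValueError:
                findings.append(f"invalid NMS address: {m.group(2)}")
                continue
            hosts += 1
            communities.add(m.group(3))
        elif (m := COMMUNITY.match(cmd)):
            communities.add(m.group(1))
        elif cmd.startswith("no snmp-server enable traps"):
            findings.append(f"traps disabled: {cmd}")
    if "snmp-server enable" not in cmds:
        findings.append("step 1 missing: snmp-server enable")
    if hosts == 0:
        findings.append("step 2 missing: no valid snmp-server host")
    if not any(COMMUNITY.match(c) for c in cmds):
        findings.append("step 3 missing: snmp-server community")
    for c in sorted(communities):
        if c.lower() in WELL_KNOWN:
            findings.append(f"well-known community string: {c}")
    return findings
```

Calling check_snmp_commands(SAMPLE) returns an empty list for the configuration example above.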