Configure SNMP support on a PIX Security Appliance

The PIX Security Appliance provides support for network monitoring using SNMP V1 and V2c. The PIX supports traps and SNMP read access, but does not support SNMP write access.

SNMP Example
In Figure , the NMS uses a Get operation to request management information contained in an agent on host 172.18.0.15. Within the Get request, the NMS includes a complete Object Identifier (OID) so that the agent knows exactly what is being sought. The response from the agent contains a variable binding containing the same OID and the data associated with it. The NMS then uses a Set request to tell the agent to change a piece of information. In an unrelated communication, host 172.16.0.2 sends a trap to the NMS because some urgent condition has occurred.

Enable SNMP
The SNMP agent that runs on the PIX Security Appliance performs two functions:

  • Replies to SNMP requests from NMSs.
  • Sends traps to NMSs.

To enable the SNMP agent and identify an NMS that can connect to the PIX Security Appliance, follow these steps:

Step 1
Identify the IP address of the NMS that can connect to the PIX Security Appliance with the snmp-server host interface_name ip_address [trap | poll] [community text] [version 1 | 2c] [udp-port port] global configuration command. Specify trap or poll to limit the NMS to receiving traps only or browsing only. By default, the NMS can use both functions.

SNMP traps are sent on UDP port 162 by default. The port number can be changed by using the udp-port keyword.

Step 2
Specify the community string with the snmp-server community key global configuration command. The SNMP community string is a shared secret between the PIX Security Appliance and the NMS. The key is a case-sensitive value up to 32 characters in length. Spaces are not permitted.

Step 3
(Optional) Set the SNMP server location or contact information with the snmp-server {contact | location} text global configuration command.

Step 4
Enable the PIX Security Appliance to send traps to the NMS with the snmp-server enable [traps [all | feature [trap1] [trap2]] [...]] global configuration command. By default, SNMP core traps are enabled. If a trap type is not entered in the command, syslog is the default. To enable or disable all traps, enter the all option. For snmp, each trap type can be identified separately.

Step 5
Enable system messages to be sent as traps to the NMS with the logging history level global configuration command. Syslog traps must also be enabled using the preceding snmp-server enable traps command.

Step 6
Enable logging, so system messages are generated and can then be sent to an NMS, with the logging on global configuration command.
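The steps above depend on each other: syslog traps reach the NMS only when Steps 4, 5 and 6 are all configured, and the community string from Step 2 is the only secret protecting read access. The following checker is an added example, not part of the original course material or Cisco tooling; it reads saved configuration text and reports gaps against these steps. The sample configuration, the audit_snmp function name and the list of well-known community strings are assumptions made for illustration.

```python
# Constructed sample configuration; addresses and strings are placeholders.
SAMPLE_CONFIG = """\
snmp-server host inside 10.0.1.10 community public version 2c
snmp-server community public
snmp-server location Building-1
snmp-server enable traps syslog
logging history warnings
"""
WELL_KNOWN = {"public", "private"}  # assumption: widely used default strings


def audit_snmp(config):
    """Check PIX config text against Steps 1-6; return a list of findings."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # Step 1: an NMS with neither trap nor poll can use both functions.
    hosts = [ln.split() for ln in lines if ln.startswith("snmp-server host ")]
    hosts = [tok for tok in hosts if len(tok) >= 4]
    if not hosts:
        findings.append("step1: no NMS defined with snmp-server host")
    for tok in hosts:
        if tok[4:5] not in (["trap"], ["poll"]):
            findings.append(f"step1: NMS {tok[3]} not limited to trap or poll")

    # Step 2: shared secret, at most 32 characters, no spaces.
    comms = {ln.split(None, 2)[2] for ln in lines
             if ln.startswith("snmp-server community ")}
    for tok in hosts:
        if "community" in tok[:-1]:
            comms.add(tok[tok.index("community") + 1])
    if not comms:
        findings.append("step2: no community string configured")
    for c in sorted(comms):  # findings never echo the secret itself
        if len(c) > 32 or " " in c:
            findings.append("step2: community string over 32 chars or has spaces")
        elif c.lower() in WELL_KNOWN:
            findings.append("step2: community string is a well-known default")

    # Steps 4-6: syslog traps need the trap type, a history level and logging on.
    traps = [ln.split()[3:] for ln in lines if ln.startswith("snmp-server enable")]
    syslog_traps = any(not t or t[0] in ("syslog", "all") for t in traps)
    history = any(ln.startswith("logging history ") for ln in lines)
    if history and not syslog_traps:
        findings.append("step4: logging history set but syslog traps not enabled")
    if syslog_traps and not history:
        findings.append("step5: syslog traps enabled but no logging history level")
    if (syslog_traps or history) and "logging on" not in lines:
        findings.append("step6: logging on is missing, no messages are generated")
    return findings
```

Running audit_snmp(SAMPLE_CONFIG) reports three findings: the NMS is not limited to trap or poll, the community string is a well-known default, and logging on is missing.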

Lab Activity

Lab Exercise: Configure SNMP Monitoring of the PIX Security Appliance Using ASDM

In this lab exercise, students will enable the SNMP community string. Students will also establish the contact and location of the SNMP Agent. Students will then learn to limit SNMP to the inside server. Finally, students will test the configuration.

Interactive Media Activity

Demonstration Activity: Configuring SNMP on the PIX Security Appliance

In this activity, students will learn how to configure SNMP on the PIX Security Appliance.

Cisco Security Appliance CLI Configuration Guide, Version 7.0 – Monitoring and Troubleshooting