Firewall Wizards mailing list archives

Re: SNMP RW ASA 7.2.1
From: Pablo Pérez <pablo.perez.arg () gmail com>
Date: Thu, 20 Jul 2006 17:11:09 -0300

Thanks a lot for your cooperation, it was very helpful.
Regards.-
 
Pablo
 

  _____  

From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Victor
Williams
Sent: Wednesday, 19 July 2006 07:23 p.m.
To: Firewall Wizards Security Mailing List
Cc: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] SNMP RW ASA 7.2.1


Well, notice I said the VMS replacement.

VMS 2.3 will not let you do anything but collect syslogs from a 7.2.x ASA or
PIX device.  You can't manage the configuration or anything like that.  You
have to go back to 6.3.5 PIX OS or earlier for true management capabilities.
You can still collect syslog messages from the PIX and do reports on them
tho...HTML or PDF format I believe are your only options.

VMS with the Firewall Manager add-on (free if you bought the VMS suite)
allowed you to collect the system configuration via PDM or SNMP (assuming
you were using 6.3.5 OS or before) and then re-apply it with the RW ability
of SNMP or through PDM.  Personally, it never worked like I wanted it to,
and the syntax/display of the VPN configuration for a PIX always looked
completely stupid (unintuitive) to me in the VMS interface, so I always
reverted to managing all those devices at the command line...i.e. it was a
worthless tool for my tastes.  Basically what I wanted was a pretty report
on denied messages of any kind (for the managers that like that sort of
thing) and any other message of higher severity than warning...which was the
stuff I was actually interested in.  Throw in the fact that you had to have
ONE specific version of the Java runtime for everything to work right
(always the version that interferes with everything else you're doing on
your PC), and I was completely disenchanted.

The replacement for VMS 2.3 (called Cisco Security Monitoring, Analysis and
Response System (CS-MARS)) will let you manage all the current
security-related products as well as monitor them from a semi-central
location.  This would include ASA and VPN 3000 series devices, the IDS/IPS
add-on to the ASA devices, as well as the security agents that get loaded on
Windows/Unix/Linux hosts.  I haven't actually used it, but seen it in action
at a customer NOC.  However, the ONE specific Java requirement for it all to
work right is still there...so I won't be using it anytime soon.

Regarding the monitoring that I wanted to do, I wanted to see certain denied
messages or error messages, as well as get reports on those.  I also wanted
to get alerted on when something like the active firewall in an
active/failover pair failed and the failover one picked up.  Basically, the
only way I got it to work like I wanted and to get an alert in near
real-time (page me or send an email to my mobile device), I used a
combination of SNMPc and AdventNet's Firewall Analyzer.  SNMPc for the
uptime/downtime/alert monitoring, AdventNet's Firewall Analyzer for the
pretty reports to managers that don't mean a thing 99.999% of the time
except to tell you that Blaster and Code Red are still alive and well.

Since pre-7.x PIXen didn't send SNMP traps for anything but like 8 different
things except via Syslog, you need to have a syslog collector/parser that
does it while it's receiving the syslog.  SNMPc does that, and you can
program the action it takes depending on what the syslog message is.  So if
you received a SNMP trap via syslog protocol that stated you had a failover
action in a pair of firewalls, that's what would get sent to you via
whatever action you specified.  In this case, an SMTP email sent to my cell
phone.

Given the choice again, I wouldn't spend the time/money on the Cisco
management solution unless I needed to monitor/manage LOTS of Cisco-only
infrastructure.  The current situation doesn't call for it, so a
roll-your-own OSS setup or a cheap software solution (sub $4k) works the
same in our situation.  I just don't have the time to roll my own
anything...so I always look for something low-$$ that does a specific task
and isn't dependent on ONE version of (insert software name here) to work
correctly.


Brian Loe wrote: 

What exactly does VMS do that's special so far as communication goes?
Even on older boxen it's able to see tunnel traffic - where is it
pulling it from? It's not available via SNMP...

I'd like to avoid VMS and use all open-source tools. Not even for
management, really, just monitoring and such.

On 7/19/06, Victor Williams <vbwilliams () neb rr com> wrote:

I'm pretty sure they removed RW access because the management interfaces
for the ASA units are now SSH and/or SSL/TLS.

Basically, if you want anything other than logging/alerting remotely
(outside of SSH command line access), you have to use ASDM or Cisco's
new replacement of VMS which lets you manage 7.x ASA and/or PIX units as
well as VPN concentrators.
-- 
Victor Williams
Network Architect
SSCP, RHCE


_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
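The syslog-driven alerting Victor describes above (a collector that parses each PIX/ASA syslog message as it arrives, fires an action for failover events and for anything more severe than a warning, and counts deny messages for the management reports) can be sketched in a short script. The following is an added example, not code from this thread or from SNMPc, AdventNet or Cisco. The log lines are constructed, the `notify` callback stands in for whatever paging or SMTP action you would wire up, and the failover message ids in `PAGE_ON_MSGIDS` are assumed values that must be checked against the syslog message guide for your platform version before you rely on them. Only the `%PIX-<severity>-<message id>:` tag format and the 0..7 severity scale (4 = warnings) are taken as given.

```python
import re
from collections import Counter
from typing import Callable, Optional

# Cisco PIX/ASA syslog messages carry a "%PIX-<severity>-<message_id>:" tag
# (ASA software uses "%ASA-..."). Severity runs 0 (emergencies) .. 7 (debugging).
MSG_RE = re.compile(
    r"%(?P<platform>PIX|ASA)-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

WARNING_LEVEL = 4  # "warnings"; anything numerically lower is more severe

# Message ids that should page someone regardless of severity.
# ASSUMED ids for failover state changes: verify against the syslog
# message guide for your software version before relying on them.
PAGE_ON_MSGIDS = {"104001", "104002"}

# Deny messages are counted for the periodic report rather than paged.
DENY_PREFIXES = ("Deny ", "Denied ")

# Constructed sample syslog lines in PIX style (not captured from a real device).
SAMPLE_LOG = """\
Jul 19 19:23:01 fw1 %PIX-1-104001: (Secondary) Switching to ACTIVE - mate lost
Jul 19 19:23:05 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4444 dst inside:192.0.2.10/135 by access-group "outside_in"
Jul 19 19:23:07 fw1 %PIX-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.4/51000 (198.51.100.4/51000) to inside:192.0.2.20/443
Jul 19 19:23:09 fw1 %PIX-3-313001: Denied ICMP type=8, code=0 from 203.0.113.9 on interface outside
this line is not a firewall message at all
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one syslog line; return None for lines without a PIX/ASA tag."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["sev"] = int(msg["sev"])
    return msg


def wants_page(msg: dict) -> bool:
    """Alert rule: more severe than 'warnings', or a listed failover message id."""
    return msg["sev"] < WARNING_LEVEL or msg["msgid"] in PAGE_ON_MSGIDS


def is_deny(msg: dict) -> bool:
    """Report rule: the message text describes a denied packet or connection."""
    return msg["text"].startswith(DENY_PREFIXES)


def process_syslog(text: str, notify: Optional[Callable[[dict], None]] = None):
    """Run the alert and report rules over a block of syslog text.

    Returns (alerts, deny_counts): the messages that triggered the page
    action, and a Counter of deny messages keyed by message id.
    The notify callback is where a real collector would send mail or a page.
    """
    alerts = []
    deny_counts = Counter()
    for raw in text.splitlines():
        msg = parse_line(raw)
        if msg is None:
            continue  # not a firewall message; a real collector would still store it
        if is_deny(msg):
            deny_counts[msg["msgid"]] += 1
        if wants_page(msg):
            alerts.append(msg)
            if notify is not None:
                notify(msg)
    return alerts, deny_counts


if __name__ == "__main__":
    def print_page(msg: dict) -> None:
        print(f"PAGE: sev={msg['sev']} id={msg['msgid']} {msg['text']}")

    alerts, denies = process_syslog(SAMPLE_LOG, notify=print_page)
    print("deny report:", dict(denies))
```

Run as-is, the failover message (severity 1) and the ICMP deny (severity 3) both trigger the page action, while the access-group deny (severity 4) only shows up in the report and the connection-built message (severity 6) is ignored; the non-firewall line is skipped by the parser.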
