Cisco Systems ASA 5585-X User Manual
Cisco ASA Series Firewall CLI Configuration Guide
 
Chapter 13      Configuring Inspection for Management Application Protocols
service-policy global_policy global
RSH Inspection
RSH inspection is enabled by default. The RSH protocol uses a TCP connection from the RSH client to 
the RSH server on TCP port 514. Over that control connection the client and server negotiate a second 
TCP port on which the client listens for the STDERR output stream, so the server opens a separate 
connection back to the client. RSH inspection tracks that negotiation and supports NAT of the 
negotiated port number if necessary. Note that RSH itself carries commands and output in cleartext 
and relies on host-based trust, so permitting it through the firewall should be a deliberate choice.
SNMP Inspection
This section describes the SNMP inspection engine.
SNMP Inspection Overview
SNMP application inspection lets you restrict SNMP traffic to specific versions of SNMP. SNMP 
versions 1, 2 and 2c authenticate with a community string sent in cleartext and provide no 
confidentiality or integrity protection, whereas SNMPv3 adds user authentication and encryption; 
denying the earlier versions may therefore be required by your security policy. The ASA can deny 
SNMP versions 1, 2, 2c, or 3. You control the versions denied by creating an SNMP map. 
You then apply the SNMP map when you enable SNMP inspection according to the 
Configuring an SNMP Inspection Policy Map for Additional Inspection Control
To create an SNMP inspection policy map, perform the following steps:
Step 1
To create an SNMP map, enter the following command:
ciscoasa(config)# snmp-map map_name
ciscoasa(config-snmp-map)#
where map_name is the name of the SNMP map. The CLI enters SNMP map configuration mode.
Step 2
To specify the versions of SNMP to deny, enter the following command for each version:
ciscoasa(config-snmp-map)# deny version version
ciscoasa(config-snmp-map)#
where version is 1, 2, 2c, or 3.
The following example denies SNMP Versions 1 and 2:
ciscoasa(config)# snmp-map sample_map
ciscoasa(config-snmp-map)# deny version 1
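The following is an added, end-to-end example that is not part of the guide's own text. It builds an SNMP map that denies every version except SNMPv3 and then attaches the map to SNMP inspection in the default global policy. It assumes the default policy map name global_policy and the default class inspection_default (whose match default-inspection-traffic clause already selects SNMP on UDP 161 and 162); the map name deny_legacy_snmp is arbitrary.

```text
! Added example (not from the guide). Deny the cleartext SNMP versions
! (1, 2 and 2c) so that only SNMPv3 is inspected and forwarded.
ciscoasa(config)# snmp-map deny_legacy_snmp
ciscoasa(config-snmp-map)# deny version 1
ciscoasa(config-snmp-map)# deny version 2
ciscoasa(config-snmp-map)# deny version 2c
ciscoasa(config-snmp-map)# exit

! Apply the map by enabling SNMP inspection with it in the default
! inspection class of the default global policy (assumed names).
ciscoasa(config)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect snmp deny_legacy_snmp
ciscoasa(config-pmap-c)# exit
ciscoasa(config-pmap)# exit

! The global service policy is normally already present; re-entering it is harmless.
ciscoasa(config)# service-policy global_policy global

! Verify the map contents and that the inspection is active with counters.
ciscoasa(config)# show running-config snmp-map
ciscoasa(config)# show service-policy inspect snmp
```

When testing, send an SNMPv2c GET from a host on the inside interface to a device on the outside: the packet should be dropped and the drop counter in show service-policy inspect snmp should increment, while an SNMPv3 GET to the same device succeeds. Denying version 3 as well would block all SNMP, so leave it out of the map unless the intent is to forbid SNMP entirely.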