Rsh Inspection; Snmp Inspection - Cisco ASA Series Configuration Manual

Firewall cli, asa services module, and the adaptive security virtual appliance
Chapter 15: Inspection of Database, Directory, and Management Protocols (Cisco ASA Series Firewall CLI Configuration Guide, page 15-16)

Example:
hostname(config-class)# no inspect radius-accounting
hostname(config-class)# inspect radius-accounting radius-class-map

Note: If you are editing an in-use policy to use a different inspection policy map, you must remove the RADIUS accounting inspection with the no inspect radius-accounting command, and then re-add it with the new inspection policy map name.

Step 5
If you are editing an existing service policy (such as the default global policy called global_policy), you are done. Otherwise, activate the policy map on one or more interfaces.

service-policy policymap_name {global | interface interface_name}

Example:
hostname(config)# service-policy global_policy global

The global keyword applies the policy map to all interfaces, and interface applies the policy to one interface. Only one global policy is allowed. You can override the global policy on an interface by applying a service policy to that interface. You can only apply one policy map to each interface.

RSH Inspection

RSH inspection is enabled by default. The RSH protocol uses a TCP connection from the RSH client to the RSH server on TCP port 514. The client and server negotiate the TCP port number where the client listens for the STDERR output stream. RSH inspection supports NAT of the negotiated port number if necessary.

For information on enabling RSH inspection, see Configure Application Layer Protocol Inspection, page 12-9.

SNMP Inspection

SNMP application inspection lets you restrict SNMP traffic to a specific version of SNMP. Earlier versions of SNMP are less secure; therefore, denying certain SNMP versions may be required by your security policy. The ASA can deny SNMP versions 1, 2, 2c, or 3. You control the versions permitted by creating an SNMP map.

SNMP inspection is not enabled in the default inspection policy, so you must enable it if you need this inspection. You can simply edit the default global inspection policy to add SNMP inspection. You can alternatively create a new service policy as desired, for example, an interface-specific policy.

Procedure

Step 1
Create an SNMP map.

Use the snmp-map map_name command to create the map and enter SNMP map configuration mode, then the deny version version command to identify the versions to disallow. The version can be 1, 2, 2c, or 3.
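As an added configuration example (not taken from the guide), the SNMP map from Step 1 carried through to an active policy: the map denies SNMPv1 and SNMPv2c (the community-string versions) and is attached to SNMP inspection in the default global policy. The map name sample_snmp_map is a placeholder; the inspect snmp command and the inspection_default class are the standard ASA inspection procedure and are not among the steps shown on this page.

```cisco
! Constructed example; sample_snmp_map is a placeholder name.
! Step 1: create the SNMP map and list the versions to refuse.
hostname(config)# snmp-map sample_snmp_map
hostname(config-snmp-map)# deny version 1
hostname(config-snmp-map)# deny version 2c
hostname(config-snmp-map)# exit
! Attach the map to SNMP inspection in the default global policy
! (inspect snmp is the standard ASA command; assumed, not shown on this page).
hostname(config)# policy-map global_policy
hostname(config-pmap)# class inspection_default
hostname(config-pmap-c)# inspect snmp sample_snmp_map
hostname(config-pmap-c)# exit
hostname(config-pmap)# exit
! global_policy is already applied with "service-policy global_policy global",
! so no further activation is needed here. A new policy map would instead be
! activated with: service-policy policymap_name {global | interface if_name}
! Confirm the map is in the running configuration:
hostname(config)# show running-config snmp-map
```

Only SNMPv3 traffic (and version 2, which this map does not deny) now passes inspection on the interfaces covered by global_policy; denied versions are dropped by the inspection engine.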
