Re: [fw-wiz] SNMP RW ASA 7.2.1

Well, notice I said the VMS replacement.

VMS 2.3 will not let you do anything but collect syslogs from a 7.2.x ASA or PIX device. You can't manage the configuration or anything like that. You have to go back to 6.3.5 PIX OS or earlier for true management capabilities. You can still collect syslog messages from the PIX and do reports on them tho...HTML or PDF format I believe are your only options.

VMS with the Firewall Manager add-on (free if you bought the VMS suite) allowed you to collect the system configuration via PDM or SNMP (assuming you were using 6.3.5 OS or before) and then re-apply it with the RW ability of SNMP or through PDM. Personally, it never worked like I wanted it to, and the syntax/display of the VPN configuration for a PIX always looked completely stupid (unintuitive) to me in the VMS interface, so I always reverted to managing all those devices at the command line...i.e. it was a worthless tool for my tastes. Basically what I wanted was a pretty report on denied messages of any kind (for the managers that like that sort of thing) and any other message of higher severity than warning...which was the stuff I was actually interested in. Throw in the fact that you had to have ONE specific version of the Java runtime for everything to work right (always the version that interferes with everything else you're doing on your PC), and I was completely disenchanted.

The replacement for VMS 2.3 (called Cisco Security Monitoring, Analysis and Response System (CS-MARS)) will let you manage all the current security-related products as well as monitor them from a semi-central location. This would include ASA and VPN 3000 series devices, the IDS/IPS add-on to the ASA devices, as well as the security agents that get loaded on Windows/Unix/Linux hosts. I haven't actually used it, but seen it in action at a customer NOC. However, the ONE specific Java requirement for it all to work right is still I won't be using it anytime soon.

Regarding the monitoring that I wanted to do, I wanted to see certain denied messages or error messages, as well as get reports on those. I also wanted to get alerted on when something like the active firewall in an active/failover pair failed and the failover one picked up. Basically, the only way I got it to work like I wanted and to get an alert in near real-time (page me or send an email to my mobile device), I used a combination of SNMPc and AdventNet's Firewall Analyzer. SNMPc for the uptime/downtime/alert monitoring, AdventNet's Firewall Analyzer for the pretty reports to managers that don't mean a thing 99.999% of the time except to tell you that Blaster and Code Red is still alive and well.

Since pre-7.x PIXen didn't send SNMP traps for anything but like 8 different things except via Syslog, you need to have a syslog collector/parser that does it while it's receiving the syslog. SNMPc does that, and you can program the action it takes depending on what the syslog message is. So if you received a SNMP trap via syslog protocol that stated you had a failover action in a pair of firewalls, that's what would get sent to you via whatever action you specified. In this case, an SMTP email sent to my cell phone.

Given the choice again, I wouldn't spend the time/money on the Cisco management solution unless I needed to monitor/manage LOTS of Cisco-only infrastructure. The current situation doesn't call for it, so a roll-your-own OSS setup or a cheap software solution (sub $4k) works the same in our situation. I just don't have the time to roll my own I always look for something low-$$ that does a specific task and isn't dependant on ONE version of (insert software name here) to work correctly.

Brian Loe wrote:

What exactly does VMS do that's special so far as communication goes?
Even on older boxen its able to see tunnel traffic - where is it
pulling it from? Its not avialable via SNMP...

I'd like to avoid VMS and use all open-source tools. Not even for
management, really, just monitoring and such.

On 7/19/06, Victor Williams <vbwilliams@xxxxxxxxxx> wrote:

I'm pretty sure they removed RW access because the management interfaces
for the ASA units is now SSH and/or SSL/TLS.

Basically, if you want anything other than logging/alerting remotely
(outside of SSH command line access), you have to use ASDM or Cisco's
new replacement of VMS which lets you manage 7.x ASA and/or PIX units as
well as VPN concentrators.

firewall-wizards mailing list

Victor Williams
Network Architect

firewall-wizards mailing list