About SNMP v3 MD5 authentication and CISCO ASA
Leaving job close to major deadlines
How can Caller ID be faked?
Interview was just a one hour panel. Got an offer the next day; do I accept or is this a red flag?
How can I maintain game balance while allowing my player to craft genuinely useful items?
Redirecting output only on a successful command call
2 Managed Packages in 1 Dev Org
Manager wants to hire me; HR does not. How to proceed?
Is it common to delay the start date of a postdoc?
Why do you need to heat the pan before heating the olive oil?
Testing thermite for chemical properties
At what temperature should the earth be cooked to prevent human infection?
How can the US president give an order to a civilian?
How to sort human readable size
How to know whether to write accidentals as sharps or flats?
How to write a nice frame challenge?
What is the color associated with lukewarm?
How to ask if I can mow my neighbor's lawn
What is the context for Napoleon's quote "[the Austrians] did not know the value of five minutes"?
Using roof rails to set up hammock
Does knowing the surface area of all faces uniquely determine a tetrahedron?
Is swap gate equivalent to just exchanging the wire of the two qubits?
Right indicator flash-frequency has increased and rear-right bulb is out
TiKZ won't graph 1/sqrt(x)
Why can't I craft scaffolding in Minecraft 1.14?
About SNMP v3 MD5 authentication and CISCO ASA
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I have 2 CISCO ASA 5505 for two almost equal networks in my office, one for our operational platform and the other for the test platform. Each network has a server dedicated to Nagios.
When I arrived, I inherited all these devices and their configuration. It seems my predecessor configured Nagios services to check the Firewall using SNMP requests, and they are configured for SNMP v3. These checks are working in the test platform, but failing fue to authentication in the operational platform.
So I started checking the command used at Negios. In both platforms, the Nagios SNMP commands are the same:
check_snmp! -H 192.168.1.1 -o sysUpTime.0 -P 3 -L authPriv -U MyUser -a md5 -A 'mKo45s8p' -X 'ryp9Utl7'
I checked in Nagios documentation that check_snmp traces to UNIX snmpget. Therefore, -U introduces the user (MyUser in this case), -a defines the encryption for the authentication password -A, and -X seems to be a DES encryption password (I don't understand what -X is for, but this is not the problem).
Then I went to the Cisco ASA configuration, and I checked that these passwords are stored as hex hashes, and each device has a different pair of hashes. For example, for the test device we have:
snmp-server user MyUser MyTeam v3 encrypted auth md5 c0:77:58:25:10:4e:58:bf:e4:e6:4d:b7:d6:28:9e:a6 priv des a7:00:24:2b:28:e6:4d:11:56:be:30:69:77:47:c7:1a
At this point, I assumed that test firewall hashes corresponded to the MD5 of the authentication password and to the DES of the encryption password, just as they are defined in the Nagios command. And therefore, since the hashes are different in the operational platform and the command used is the same, they just don't match.
While this statement is probably true, this is my real problem: if I check the MD5 with any online tool, the MD5 of mKo45s8p is 00c3669318eeee45b5b4d2ffde58c323. This does not match the hash configured at the firewall. Regarding the DES encryption password, I don't even know how to check it, since online tools ask for different inputs.
So, since there is no way back from MD5, I cannot get the correct password to be used in the Nagios command for operational platform. I can't define a new password since my conversion to hash seems to be incorrect. The only solution I can think of, is using the same hash from the test firewall at the operational firewall, but I definitely prefer understanding what is going on and solve it with new passwords.
Any help?
cisco-asa snmp encryption md5
asked May 31 at 7:14
Roman RdgzRoman Rdgz
63
add a comment |
I have 2 CISCO ASA 5505 for two almost equal networks in my office, one for our operational platform and the other for the test platform. Each network has a server dedicated to Nagios.
When I arrived, I inherited all these devices and their configuration. It seems my predecessor configured Nagios services to check the Firewall using SNMP requests, and they are configured for SNMP v3. These checks are working in the test platform, but failing fue to authentication in the operational platform.
So I started checking the command used at Negios. In both platforms, the Nagios SNMP commands are the same:
check_snmp! -H 192.168.1.1 -o sysUpTime.0 -P 3 -L authPriv -U MyUser -a md5 -A 'mKo45s8p' -X 'ryp9Utl7'
I checked in Nagios documentation that check_snmp traces to UNIX snmpget. Therefore, -U introduces the user (MyUser in this case), -a defines the encryption for the authentication password -A, and -X seems to be a DES encryption password (I don't understand what -X is for, but this is not the problem).
Then I went to the Cisco ASA configuration, and I checked that these passwords are stored as hex hashes, and each device has a different pair of hashes. For example, for the test device we have:
snmp-server user MyUser MyTeam v3 encrypted auth md5 c0:77:58:25:10:4e:58:bf:e4:e6:4d:b7:d6:28:9e:a6 priv des a7:00:24:2b:28:e6:4d:11:56:be:30:69:77:47:c7:1a
At this point, I assumed that test firewall hashes corresponded to the MD5 of the authentication password and to the DES of the encryption password, just as they are defined in the Nagios command. And therefore, since the hashes are different in the operational platform and the command used is the same, they just don't match.
While this statement is probably true, this is my real problem: if I check the MD5 with any online tool, the MD5 of mKo45s8p is 00c3669318eeee45b5b4d2ffde58c323. This does not match the hash configured at the firewall. Regarding the DES encryption password, I don't even know how to check it, since online tools ask for different inputs.
So, since there is no way back from MD5, I cannot get the correct password to be used in the Nagios command for operational platform. I can't define a new password since my conversion to hash seems to be incorrect. The only solution I can think of, is using the same hash from the test firewall at the operational firewall, but I definitely prefer understanding what is going on and solve it with new passwords.
Any help?
cisco-asa snmp encryption md5
asked May 31 at 7:14
Roman RdgzRoman Rdgz
63
add a comment |
I have 2 CISCO ASA 5505 for two almost equal networks in my office, one for our operational platform and the other for the test platform. Each network has a server dedicated to Nagios.
When I arrived, I inherited all these devices and their configuration. It seems my predecessor configured Nagios services to check the Firewall using SNMP requests, and they are configured for SNMP v3. These checks are working in the test platform, but failing fue to authentication in the operational platform.
So I started checking the command used at Negios. In both platforms, the Nagios SNMP commands are the same:
check_snmp! -H 192.168.1.1 -o sysUpTime.0 -P 3 -L authPriv -U MyUser -a md5 -A 'mKo45s8p' -X 'ryp9Utl7'
I checked in Nagios documentation that check_snmp traces to UNIX snmpget. Therefore, -U introduces the user (MyUser in this case), -a defines the encryption for the authentication password -A, and -X seems to be a DES encryption password (I don't understand what -X is for, but this is not the problem).
Then I went to the Cisco ASA configuration, and I checked that these passwords are stored as hex hashes, and each device has a different pair of hashes. For example, for the test device we have:
snmp-server user MyUser MyTeam v3 encrypted auth md5 c0:77:58:25:10:4e:58:bf:e4:e6:4d:b7:d6:28:9e:a6 priv des a7:00:24:2b:28:e6:4d:11:56:be:30:69:77:47:c7:1a
At this point, I assumed that test firewall hashes corresponded to the MD5 of the authentication password and to the DES of the encryption password, just as they are defined in the Nagios command. And therefore, since the hashes are different in the operational platform and the command used is the same, they just don't match.
While this statement is probably true, this is my real problem: if I check the MD5 with any online tool, the MD5 of mKo45s8p is 00c3669318eeee45b5b4d2ffde58c323. This does not match the hash configured at the firewall. Regarding the DES encryption password, I don't even know how to check it, since online tools ask for different inputs.
So, since there is no way back from MD5, I cannot get the correct password to be used in the Nagios command for operational platform. I can't define a new password since my conversion to hash seems to be incorrect. The only solution I can think of, is using the same hash from the test firewall at the operational firewall, but I definitely prefer understanding what is going on and solve it with new passwords.
Any help?
cisco-asa snmp encryption md5
asked May 31 at 7:14
Roman RdgzRoman Rdgz
63
I have 2 CISCO ASA 5505 for two almost equal networks in my office, one for our operational platform and the other for the test platform. Each network has a server dedicated to Nagios.
When I arrived, I inherited all these devices and their configuration. It seems my predecessor configured Nagios services to check the Firewall using SNMP requests, and they are configured for SNMP v3. These checks are working in the test platform, but failing fue to authentication in the operational platform.
So I started checking the command used at Negios. In both platforms, the Nagios SNMP commands are the same:
check_snmp! -H 192.168.1.1 -o sysUpTime.0 -P 3 -L authPriv -U MyUser -a md5 -A 'mKo45s8p' -X 'ryp9Utl7'
I checked in Nagios documentation that check_snmp traces to UNIX snmpget. Therefore, -U introduces the user (MyUser in this case), -a defines the encryption for the authentication password -A, and -X seems to be a DES encryption password (I don't understand what -X is for, but this is not the problem).
Then I went to the Cisco ASA configuration, and I checked that these passwords are stored as hex hashes, and each device has a different pair of hashes. For example, for the test device we have:
snmp-server user MyUser MyTeam v3 encrypted auth md5 c0:77:58:25:10:4e:58:bf:e4:e6:4d:b7:d6:28:9e:a6 priv des a7:00:24:2b:28:e6:4d:11:56:be:30:69:77:47:c7:1a
At this point, I assumed that test firewall hashes corresponded to the MD5 of the authentication password and to the DES of the encryption password, just as they are defined in the Nagios command. And therefore, since the hashes are different in the operational platform and the command used is the same, they just don't match.
While this statement is probably true, this is my real problem: if I check the MD5 with any online tool, the MD5 of mKo45s8p is 00c3669318eeee45b5b4d2ffde58c323. This does not match the hash configured at the firewall. Regarding the DES encryption password, I don't even know how to check it, since online tools ask for different inputs.
So, since there is no way back from MD5, I cannot get the correct password to be used in the Nagios command for operational platform. I can't define a new password since my conversion to hash seems to be incorrect. The only solution I can think of, is using the same hash from the test firewall at the operational firewall, but I definitely prefer understanding what is going on and solve it with new passwords.
Any help?
cisco-asa snmp encryption md5
cisco-asa snmp encryption md5
asked May 31 at 7:14
Roman RdgzRoman Rdgz
63
asked May 31 at 7:14
Roman RdgzRoman Rdgz
63
asked May 31 at 7:14
Roman RdgzRoman Rdgz
63
asked May 31 at 7:14
Roman RdgzRoman Rdgz
63
asked May 31 at 7:14
Roman RdgzRoman Rdgz
63
63
add a comment |
add a comment |
0
active
oldest
votes
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f969600%2fabout-snmp-v3-md5-authentication-and-cisco-asa%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
0
active
oldest
votes
0
active
oldest
votes
active
oldest
votes
active
oldest
votes
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f969600%2fabout-snmp-v3-md5-authentication-and-cisco-asa%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
