Skye Hagen
2012-03-24 18:41:21 UTC
I am running RANCID 2.3.6, and noticed that the snmp community string was
not being removed on certain lines from our Firewall Services Module (FWSM)
configs. The specific line was 'snmp-server host outside 10.10.196.238 poll
community <comm_str>'. I checked, and it doesn't look like this bug was
fixed in 2.3.8.
There is no Cisco Command Lookup Tool for the FWSM directly, however it is
based on older versions of the PIX/ASA commands. For ASA version 7.x and
lower, the format of the command is 'snmp-server host interface_name
ip_address [trap | poll] [community text] [version {1 | 2c}] [udp-port port]'.
For ASA version 8.x and higher, the format changed a little. It is
'snmp-server host {interface {hostname | ip_address}} [trap | poll]
[community 0 | 8 community-string] [version {1 | 2c | 3 username}]
[udp-port port]'.
To cover both of these formats, I changed this section of rancid from...
    if (/^(snmp-server community) (\S+)/) {
        if ($filter_commstr) {
            ProcessHistory("SNMPSERVERCOMM","keysort","$_",
                           "!$1 <removed>$'") && next;
        } else {
            ProcessHistory("SNMPSERVERCOMM","keysort","$_","$_") &&
                next;
        }
    }
To...
    if (/^(snmp-server .*community) ([08] )?(\S+)/) {
        if ($filter_commstr) {
            ProcessHistory("SNMPSERVERCOMM","keysort","$_",
                           "!$1 $2<removed>$'") && next;
        } else {
            ProcessHistory("SNMPSERVERCOMM","keysort","$_","$_") &&
                next;
        }
    }
I don't have an ASA 8.x device, so I couldn't test this with a real config.
It worked when I dummied up an ASA config, and it works with my FWSM
configs.
Skye.
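
A small regression check for the two patterns in the post above, as an added example that is not part of the original message or of RANCID: it runs both patterns over constructed config lines in the quoted command forms and flags any output that still contains the constructed community string. The helper names filter_old and filter_new, the sample lines, and returning a string in place of calling ProcessHistory are assumptions made for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $SECRET = 'ExampleComm1';    # constructed community string

# Constructed config lines in the command forms quoted in the post.
my @lines = (
    "snmp-server community $SECRET",
    "snmp-server host outside 10.10.196.238 poll community $SECRET",
    "snmp-server host inside 192.0.2.10 trap community $SECRET version 2c",
    "snmp-server host inside 192.0.2.10 poll community 8 $SECRET version 2c",
    "snmp-server host inside 192.0.2.10 community 0 $SECRET udp-port 162",
);

# Original pattern from the post. Assumption: a line that does not match
# is returned unchanged, standing in for it reaching the stored config.
sub filter_old {
    my ($line) = @_;
    return "!$1 <removed>$'" if $line =~ /^(snmp-server community) (\S+)/;
    return $line;
}

# Modified pattern from the post. $2 is undefined when no "0 " or "8 "
# prefix is present, so it is defaulted to '' to avoid a warning.
sub filter_new {
    my ($line) = @_;
    if ($line =~ /^(snmp-server .*community) ([08] )?(\S+)/) {
        my $type = defined $2 ? $2 : '';
        return "!$1 $type<removed>$'";
    }
    return $line;
}

# Report each result and exit non-zero if the modified pattern leaks.
my $leaks = 0;
for my $line (@lines) {
    for my $f ([old => \&filter_old], [new => \&filter_new]) {
        my ($name, $code) = @$f;
        my $out  = $code->($line);
        my $leak = index($out, $SECRET) >= 0;
        $leaks++ if $leak && $name eq 'new';
        printf "%-3s %-4s %s\n", $name, ($leak ? 'LEAK' : 'ok'), $out;
    }
}
exit($leaks ? 1 : 0);
```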