Tag: Cisco

Came across a decent host template for Cisco ASA devices that works well with Cacti.
Grab the CISCO-FIREWALL-MIB if you don’t already have them.  Get either Version 1 or Version 2 directly from Cisco and also get CISCO-SMI Version 1 or Version 2:

• Browse Cisco MIBs:  http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2&mibName=CISCO-FIREWALL-MIB
• Cisco CISCO-FIREWALL-MIB Version 1
• Cisco CISCO-FIREWALL-MIB Version 2
• Cisco CISCO-SMI Version 1
• Cisco CISCO-SMI Version 2

Determine where your MIBs are stored on your linux system:

linuxhost:~# snmptranslate -Dinit_mib .1.3|grep MIBDIRS
init_mib: Seen MIBDIRS: Looking in [...snip...] for mib dirs ...

You can use wget to download the MIB file version you want and specify where to save it according to one of the paths in the MIBDIRS output…  I like putting them in /usr/share/snmp/mibs.  Make sure the directory exists, if it doesn’t, just issue the following command:

linuxhost:~# mkdir -p /usr/share/snmp/mibs

Now, download the each of the MIBs (CISCO-FIREWALL-MIB and CISCO-SMI).   Use the above links to get a direct link.  I’m getting Version 2 of each of the MIBs.

linuxhost:~# wget -d -O /usr/share/snmp/mibs/CISCO-FIREWALL-MIB "ftp://ftp.cisco.com/pub/mibs/v2/CISCO-FIREWALL-MIB.my"
linuxhost:~# wget -d -O /usr/share/snmp/mibs/CISCO-SMI "ftp://ftp.cisco.com/pub/mibs/v2/CISCO-SMI.my"

After it’s downloaded, run a test on the server and see if you can poll an ASA in your network.  I’ll test the ConnectionStat entry:

linuxhost:~# snmpwalk -m +CISCO-FIREWALL-MIB  -c public -v 2c 192.168.9.253 -OS ConnectionStat
CISCO-FIREWALL-MIB::cfwConnectionStatDescription.protoIp.currentInUse = STRING: number of connections currently in use by the entire firewall
CISCO-FIREWALL-MIB::cfwConnectionStatDescription.protoIp.high = STRING: highest number of connections in use at any one time since system startup
CISCO-FIREWALL-MIB::cfwConnectionStatCount.protoIp.currentInUse = Counter32: 0
CISCO-FIREWALL-MIB::cfwConnectionStatCount.protoIp.high = Counter32: 0
CISCO-FIREWALL-MIB::cfwConnectionStatValue.protoIp.currentInUse = Gauge32: 113
CISCO-FIREWALL-MIB::cfwConnectionStatValue.protoIp.high = Gauge32: 508

It works without errors!
Notice you must specify the CISCO-FIREWALL-MIB using the -m +CISCO-FIREWALL-MIB argument.
To make this load automatically, modify your snmp.conf file.  This is typically located in /etc/snmp/snmp.conf on Sys-V systems;  To figure out where snmp reads it’s configuration file from, issue the following:

linuxhost:~# net-snmp-config --snmpconfpath
/etc/snmp:/usr/share/snmp:/usr/lib/snmp:/root/.snmp:/var/lib/snmp

This shows it checks each of those paths, in order, until it finds the snmp.conf;  So, modify your snmp.conf file and add the following line: mibs +CISCO-FIREWALL-MIB

There may be an existing line mibs : — you can remove the colon and replace it with +CISCO-FIREWALL-MIB.
Next, run the snmpget command without the -m +CISCO-FIREWALL-MIB”and you should have success and no errors.
To get this setup in Cacti, log in to your cacti server as admin. In the console tab, navigate to the “Import Templates” menu item and click on it.

Download the Host Template zip file (from original site http://forums.cacti.net/download/file.php?id=7607 ).
Extract the files to your desktop or wherever.
In the Import Templates window, click “Browse…” and choose the cacti_host_template ZIP file to import.

You are now done.
You can create a new device and choose the Cisco ASA – Security Device from the host templates now.