Driver Support Document

Cisco firewalls, ASA Series, Context within Multiple Mode (OBSOLETE, PLEASE REDISCOVER)

SYSOID Mapping

SYSOID               MODEL           OS VERSION
1.3.6.1.4.1.9.1.669  ciscoASA5520    8.0, 8.1, 8.2
1.3.6.1.4.1.9.1.670  ciscoASA5520    7.x, 8.0, 8.1, 8.2
1.3.6.1.4.1.9.1.672  ciscoASA5540    7.x, 8.0, 8.1, 8.2
1.3.6.1.4.1.9.1.673  ciscoASA5540sc  7.x, 8.0, 8.1, 8.2
1.3.6.1.4.1.9.1.745  ciscoASA5505    7.x, 8.0, 8.1, 8.2
1.3.6.1.4.1.9.1.914  ciscoASA5580    7.x, 8.0, 8.1, 8.2

Driver Features Support Grid

Access methods tracked in the grid: CLI, SNMP, TFTP, CLI+TFTP, SNMP+TFTP, FTP, CLI+FTP, SNMP+FTP, CLI+SFTP, SCP, CLI+SCP, SNMP+SCP, HTTP/HTTPS. An X in the SUPPORTED column signifies feature support; the ACCESS METHODS column lists the methods marked for that feature.

FEATURE                                       SUPPORTED  ACCESS METHODS  NOTES
Driver Discovery
  General Access                              X          CLI, CLI+TFTP   release notes; CLI protocols: telnet, ssh1, ssh2, console
Configuration
  Retrieve Running Configuration              X          CLI, CLI+TFTP   release notes
  Retrieve Startup Configuration              X          CLI, CLI+TFTP
  Retrieve Binary Configuration
  Device information parsing                  X
  Enhanced Layer2 Basic IP information parsing X
  Configuration Deployment to Running                                    release notes
  Configuration Deployment to Startup
  Binary Configuration Deployment
Diagnostics
  Routing Table                               X          CLI
  OSPF Neighbors                              X          CLI
  Interfaces                                  X          CLI
  Modules and Inventory
  Flash Storage Space
  File System
  Uptime                                      X          SNMP
  ICMP Test                                   X          CLI
  Topology Parsing                            X          CLI
  Duplex Parsing                              X          CLI
  Enhanced VLAN Parsing
Features
  Software Center
  Software Image Synchronization
  Password Management                         X          CLI             release notes; can modify: limited username, limited password, full password
  Syslog Configuration and Change Detection   X          CLI             release notes; syslog patterns
  Custom Scripts and Diagnostics              X          CLI             bulk deploy available
  ACL Parsing                                 X
  ACL Provisioning
  VLAN Provisioning
  Configlet Parsing                           X
  QoS Parsing                                 X
  VRF Parsing
  Context Management

Password Management

Release Notes

SNMP Updater not available in client contexts

Because of community string masking that is specific to the Cisco ASA, support for updating SNMP community strings has been removed from this driver.

General Access

Release Notes

Context Connections

Connections to Cisco ASA child devices can go through the parent device. However, if the Telnet and SSH connection methods on the Cisco ASA child device do not match the parent device's connection methods, some communications could fail because the child device's connection method settings do not override the parent device's connection method settings.

Disabling context management

The context management feature adds independent device entries for contexts on the device automatically by using the inventory diagnostic. This feature can be disabled by adding the access variable "disable_context" and setting it to true. Disabling the feature will remove any previously created context devices permanently and will result in the inability to directly manage contexts with NA. Changes will take effect the next time the inventory diagnostic task is run.

Password Management

Release Notes (inherited)

SNMP Updater cannot modify SNMP hosts

The SNMP community string updater can update, modify, or remove SNMP community strings. It cannot add, modify, or remove SNMP host entries that might be needed for desired SNMP functionality.

Changing limited password

The Limited Access Password field in the Deploy Passwords task only changes the telnet console access password, using the passwd command on the device.

Syslog Configuration and Change Detection

Release Notes

Syslog interface must be defined

Cisco Firewalls require the specification of the interface to be used for relaying of syslog messages. The custom access variable "SyslogInterface" should be set to the correct interface to ensure correct operation of Syslog tasks.

Retrieve Running Configuration

Release Notes

Device masking of running and startup configurations

The "show running-config" and "show startup-config" commands mask important information in their output. CLI snapshots are nevertheless made available so that client contexts without an outside path for TFTP can still be snapshotted.

Where supported, the "more system:running-config" command or TFTP snapshots allow the unmasked information to be captured. As a consequence, the ASA drivers behave as follows with regard to snapshots:

Single-mode devices:
  - The CLI snapshot option is available only for capturing the running configuration.
  - Capturing the startup configuration via CLI is disabled because it risks capturing masked information.
  - TFTP via CLI is enabled for capturing both the running and the startup configuration.

Admin context in multiple mode:
  - CLI snapshots are disabled because the "more system:running-config" command is unsupported in the admin context.
  - TFTP via CLI is enabled for capturing both the running and the startup configuration.

System context in multiple mode:
  - CLI snapshots are enabled for capturing both the running and the startup configuration.
  - TFTP via CLI is enabled for capturing both the running and the startup configuration.

Client context in multiple mode:
  - CLI snapshots use the "show running-config" and "show startup-config" commands and can therefore contain masked information.
  - TFTP via CLI is enabled for capturing both the running and the startup configuration, provided an outside path for TFTP is available.
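The following Python script is an added example, not code from the driver document or from the NA product. It encodes the per-context snapshot rules listed above as a small policy function, and adds the check a practitioner wants before trusting or re-deploying a captured ASA configuration: scanning it for masked values. The masking marker (a standalone run of asterisks), the sample snapshot, and all function names are assumptions constructed for the example.

```python
import re

# Masked values in "show running-config"/"show startup-config" output appear as a
# run of asterisks. Assumption: three or more asterisks standing alone as a token
# is the masking marker; adjust MASK_PATTERN if a platform masks differently.
MASK_PATTERN = re.compile(r"(?:^|\s)\*{3,}(?:\s|$)")


def snapshot_methods(mode, context=None, tftp_path_available=True):
    """Return {"running": set, "startup": set} of allowed snapshot methods.

    mode is "single" or "multiple"; context is None in single mode, otherwise
    "admin", "system" or "client". Encodes the rules from the notes above.
    """
    if mode == "single":
        # CLI only for the running config: CLI startup capture risks masked output.
        return {"running": {"CLI", "TFTP"}, "startup": {"TFTP"}}
    if mode != "multiple":
        raise ValueError(f"unknown mode {mode!r}")
    if context == "admin":
        # "more system:running-config" is unsupported here, so CLI is disabled.
        return {"running": {"TFTP"}, "startup": {"TFTP"}}
    if context == "system":
        return {"running": {"CLI", "TFTP"}, "startup": {"CLI", "TFTP"}}
    if context == "client":
        # CLI uses the masking "show" commands; TFTP only if an outside path exists.
        methods = {"CLI"} | ({"TFTP"} if tftp_path_available else set())
        return {"running": set(methods), "startup": set(methods)}
    raise ValueError(f"unknown context {context!r}")


def masked_lines(config_text):
    """Return [(line_number, line), ...] for every line carrying a masked value."""
    return [(n, line) for n, line in enumerate(config_text.splitlines(), start=1)
            if MASK_PATTERN.search(line)]


def safe_to_deploy(config_text):
    """True only if the snapshot contains no masked values.

    Pushing a snapshot that still holds placeholders would overwrite real keys
    and community strings on the device, which is why the driver disables
    deployment from client contexts.
    """
    return not masked_lines(config_text)


# Constructed sample snapshot (not captured from a real device).
SAMPLE_SNAPSHOT = "\n".join([
    ": Saved",                                                        # 1
    "hostname asa-lab",                                               # 2
    "enable password AbCd1234EfGh5678 encrypted",                    # 3 hash, not a mask
    "snmp-server host inside 192.0.2.10 community ***** version 2c",  # 4 masked
    "tunnel-group 198.51.100.7 ipsec-attributes",                     # 5
    " pre-shared-key *****",                                          # 6 masked
    "interface GigabitEthernet0/0",                                   # 7
    " nameif outside",                                                # 8
])

if __name__ == "__main__":
    print("client context, no TFTP path:",
          snapshot_methods("multiple", "client", tftp_path_available=False))
    for n, line in masked_lines(SAMPLE_SNAPSHOT):
        print(f"masked value on line {n}: {line.strip()}")
    print("safe to deploy:", safe_to_deploy(SAMPLE_SNAPSHOT))
```

Note that the hashed enable password on line 3 is not flagged: a stored hash is the device's own representation and survives a round trip, whereas the asterisk placeholders on lines 4 and 6 would replace the real community string and pre-shared key if the snapshot were deployed.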

'Memory Troubleshooting for Cisco PIX configuration' diagnostic in client contexts

The 'Memory Troubleshooting for Cisco PIX configuration' diagnostic requires the "show proc" command. This command can be issued on the device itself, but it is unavailable on the device's security contexts. When the diagnostic is run within a context, the task fails.

Configuration Deployment to Running

Release Notes

Configuration deployment in client contexts

Configuration Deployment is disabled for Client-Context as it can result in overwriting valid information with masked content.

Double-check deployed configurations

The PIX occasionally has difficulty merging new configuration commands with the existing configuration. Because of this, we recommend that you double-check PIX configurations after you deploy them from the system.

First, take a snapshot of the configuration. Then check whether your changes were actually deployed to the running configuration as expected. Sometimes the system reports the deployment as failed, but still applies changes to the running configuration.
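The double-check described above can be automated. The Python script below is an added example, not code from the driver document or from the NA product: it compares a post-deployment snapshot against the intended commands and reports which ones actually reached the running configuration, including sub-commands that must sit under a specific parent line. The parsing rules (one level of indentation, ':' and '!' lines ignored), the sample data and the function names are assumptions constructed for the example.

```python
def _pairs(config_text):
    """Parse configuration text into (parent, command) pairs.

    ASA output indents sub-commands under their parent line with whitespace, so
    an indented line is attributed to the most recent unindented line. Blank
    lines and lines starting with ':' or '!' (saved-config header, comments)
    are ignored. Assumption: one nesting level suffices for the commands checked.
    """
    pairs, parent = [], None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith((":", "!")):
            continue
        cmd = " ".join(raw.split())  # collapse whitespace for comparison
        if raw[0].isspace():
            pairs.append((parent, cmd))
        else:
            parent = cmd
            pairs.append((None, cmd))
    return pairs


def verify_deployment(snapshot_text, intended_text):
    """Return {"applied": [...], "missing": [...]} of (parent, command) pairs."""
    present = set(_pairs(snapshot_text))
    result = {"applied": [], "missing": []}
    for pair in _pairs(intended_text):
        result["applied" if pair in present else "missing"].append(pair)
    return result


def deployment_complete(snapshot_text, intended_text):
    """True when every intended command is present in the snapshot."""
    return not verify_deployment(snapshot_text, intended_text)["missing"]


# Constructed sample data (not captured from a real device). The device kept the
# pre-existing security-level on GigabitEthernet0/1 instead of merging the new one.
INTENDED_CHANGES = """\
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
logging host inside 192.0.2.20
"""

POST_DEPLOY_SNAPSHOT = """\
: Saved
hostname asa-lab
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif dmz
 security-level 100
logging host inside 192.0.2.20
"""

if __name__ == "__main__":
    report = verify_deployment(POST_DEPLOY_SNAPSHOT, INTENDED_CHANGES)
    for parent, cmd in report["missing"]:
        where = f"under '{parent}'" if parent else "at top level"
        print(f"NOT applied {where}: {cmd}")
    print("deployment complete:",
          deployment_complete(POST_DEPLOY_SNAPSHOT, INTENDED_CHANGES))
```

Because the comparison is keyed on the parent line, the "security-level 0" already present under GigabitEthernet0/0 does not count as the intended "security-level 50" for GigabitEthernet0/1; the report names exactly the command the merge dropped, which is the case the note warns about when the system reports a failure that was in fact partly applied.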

Retrieve Running Configuration

Release Notes (inherited)

May need to change the TFTP interface access setting

To retrieve (or deploy) a PIX device configuration using TFTP, you may need to specify the TFTP interface to use on the device. If the device self-selects the wrong interface for the TFTP settings, you can override the TFTP interface access setting in the device's password rules in the system. Note that you must either set up a device-specific password rule or define a password rule that applies specifically to PIX devices that are exhibiting this problem.

To change a device password rule:

  1. Edit the device and select "Use device-specific password information", or create or edit a device password rule applying to the appropriate device(s).
  2. Click "Show Device Access Settings".
  3. Choose "PIX TFTP interface" from one of the drop-down menus for "Name".
  4. Enter the desired interface (e.g. "outside") as the "Value" of this setting.
  5. Ensure all other authentication information is correct, and then save the device or password rule.

Syslog Configuration and Change Detection

Release Notes (inherited)

No support for real-time change detection via AAA

The PIX does not support accounting sessions. Therefore, the system cannot provide real-time change detection through AAA.

Syslog Triggering