I have 2 CISCO ASA 5505 for two almost equal networks in my office, one for our operational platform and the other for the test platform. Each network has a server dedicated to Nagios.
When I arrived, I inherited all these devices and their configuration. It seems my predecessor configured Nagios services to check the Firewall using SNMP requests, and they are configured for SNMP v3. These checks are working in the test platform, but failing fue to authentication in the operational platform.
So I started checking the command used at Negios. In both platforms, the Nagios SNMP commands are the same:
check_snmp! -H 192.168.1.1 -o sysUpTime.0 -P 3 -L authPriv -U MyUser -a md5 -A 'mKo45s8p' -X 'ryp9Utl7'
I checked in Nagios documentation that check_snmp traces to UNIX
snmpget. Therefore, -U introduces the user (MyUser in this case), -a defines the encryption for the authentication password -A, and -X seems to be a DES encryption password (I don’t understand what -X is for, but this is not the problem).
Then I went to the Cisco ASA configuration, and I checked that these passwords are stored as hex hashes, and each device has a different pair of hashes. For example, for the test device we have:
snmp-server user MyUser MyTeam v3 encrypted auth md5 c0:77:58:25:10:4e:58:bf:e4:e6:4d:b7:d6:28:9e:a6 priv des a7:00:24:2b:28:e6:4d:11:56:be:30:69:77:47:c7:1a
At this point, I assumed that test firewall hashes corresponded to the MD5 of the authentication password and to the DES of the encryption password, just as they are defined in the Nagios command. And therefore, since the hashes are different in the operational platform and the command used is the same, they just don’t match.
While this statement is probably true, this is my real problem: if I check the MD5 with any online tool, the MD5 of mKo45s8p is 00c3669318eeee45b5b4d2ffde58c323. This does not match the hash configured at the firewall. Regarding the DES encryption password, I don’t even know how to check it, since online tools ask for different inputs.
So, since there is no way back from MD5, I cannot get the correct password to be used in the Nagios command for operational platform. I can’t define a new password since my conversion to hash seems to be incorrect. The only solution I can think of, is using the same hash from the test firewall at the operational firewall, but I definitely prefer understanding what is going on and solve it with new passwords.