by hroi 3595 days ago
NSA supposedly listens to our traffic, so learning the community string and management station's IP address is straightforward.
2 comments

They capture at the fiber going out or in (or undersea); if you follow the other commenters here, SNMP traffic would never go over those.
I mean never say never. You definitely CAN tell an ASA to allow SNMP on an external interface. But it's probably not where you end up by default.
That's true if you're speaking SNMP over the Internet. But how many ASAs actually do that?
ASAs are often used at the perimeter of small satellite networks using a local ISP's internet access, and then connecting back to HQ with IPSEC tunnels. I would guess that it is not uncommon, though bad practice, to centrally monitor SNMP on the external interface instead of over the IPSEC tunnel (which can be a little tricky to do).
Yeah, it's true I guess, and if you're using a random community string and this is NSA, I think we can all safely assume NSA knows every community string spoken anywhere on the public Internet.
I can count over a dozen easily, off the top of my head, without even looking into our customer database. I'm certain I'm not alone.
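The two setups the thread contrasts, side by side: SNMPv2c polled across the public Internet on the outside interface (the bad practice described above) and the same monitoring moved to SNMPv3 over the IPsec tunnel back to HQ. This is an added Cisco ASA configuration example, not from the thread; interface names, addresses, the group and user names and the password placeholders are constructed, and it assumes an ASA release that supports SNMPv3 and a site-to-site tunnel that already carries the HQ management subnet.

```cisco
! --- Weak: central monitoring via the outside interface (constructed example) ---
! Community string and poller address cross the ISP link in cleartext, so anyone
! capturing on that path learns both (version 2c has no authentication/encryption).
snmp-server host outside 203.0.113.10 poll community MyC0mmunity version 2c
snmp-server community MyC0mmunity

! --- Hardened: SNMPv3 authPriv, reachable only through the inside interface ---
! The HQ poller (10.1.1.10, constructed) comes in over the IPsec tunnel; no SNMP
! listener remains on the outside interface and the v2c community is removed.
snmp-server group MON-GRP v3 priv
snmp-server user mon-user MON-GRP v3 auth sha AUTH-PASS-PLACEHOLDER priv aes 256 PRIV-PASS-PLACEHOLDER
snmp-server host inside 10.1.1.10 poll version 3 mon-user
no snmp-server host outside 203.0.113.10
no snmp-server community MyC0mmunity

! Lets the tunnel-side poller reach the ASA's own inside interface address,
! which is the "tricky" part of monitoring over the tunnel mentioned above.
management-access inside

! Verify that only the inside host and v3 user remain.
show running-config snmp-server
```

The `show running-config snmp-server` output should list no `outside` host and no plain `snmp-server community` line once the change is applied.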