Tool to manage ASA/PIX/IOS ACLs

Unanswered Question
Jan 30th, 2008

Does anyone know of a tool that manages ASA/PIX/IOS ACLs? I am looking for a tool that can maintain shared policies and allow for local policies as well. Using the shared policies, I would like to be able to make one change to the policy and have it reflected to all the devices that share that policy.

I have evaluated Cisco Security Manager. I like the way the Access-rule portion functions, but I don't need it to manage any other part of my firewall configs. I have seen a bug where CSM wasn't able to detect port speed of the ASA5505. This bug would have left a large portion of our network down and unreachable for some time. Being able to use CSM to manage only the ACLs of my devices would reduce the chances of a bug bringing down my network and leaving the devices unreachable.

I also evaluated Solsoft Policy Server. This is a very slick approach to managing access on a network, but is a bit pricey. I may revisit this in the future if I am still in need of a solution.

I appreciate any suggestions.

Thank you,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
scottwclarke Wed, 01/30/2008 - 07:25

solar winds provides a really good if expensive management agent don't know if it does what you want it to exactly but it is worth a look.

MARK BAKER Wed, 01/30/2008 - 07:30

Thanks Scott,

You are probably referring to Cirrus network management. I forgot to mention that I had evaluated this product as well. It does have a nice policy reporting feature, but I found that I could not insert ACEs in the middle of an ACL with this tool like I could with Cisco Security Manager. The entries would go to the bottom of the ACL no matter where you configured it within the device config. This is the main reason I decided against using Cirrus. I don't think it was very expensive though.

Thanks again for your reply


MARK BAKER Wed, 01/30/2008 - 07:46


This may be what I am looking for! From what little I have read about it so far, I can see that you do understand what I am looking for. I am going to read more about it. Thank you for the link.



MARK BAKER Tue, 02/12/2008 - 05:16


Solsoft did present their policy server solution to us. Like I said earlier, it does appear to be a good product, but is a little pricey.

The Cyberoperations product does support various routers and firewalls to include PIX. I have a demo server being shipped to me. I will post my results to this forum.



MARK BAKER Thu, 02/28/2008 - 13:02

I was able to demo the Cyberoperations "ACL Compliance Director" product. It is infact the type of product I was looking for. It is very user friendly and offers some nice features for centrally managing ACLs. They are also open to suggestions to their product. I had suggested per device overrides for the network groups that you can configure that are kind of like object-groups on PIX/ASA firewalls even though they are not actually sent to the device during the ACL deployment. They are looking to implement this as well as a color code for ACLs that will show up in the Target summary list so I would be able to see at a glance that my policies were assigned to my devices as I had intended. There were a couple of other smaller suggestions too. They are more than willing to work with you on your needs. I would recommend this product to anyone that is looking for this type of product.

NOTE: One issue that I haven't heard back on is that with PIX firewalls the ACL is first removed and then replaced by the new updated ACL. During testing I found that it took ~10 seconds before the ACL was reapplied. During this time, the access was wide open from the inside interface. I had suggested using a incrementing ACL solution where the ACL would first be configured and then applied to the interface replacing the old ACL which could then be removed. I haven't heard back on this suggestion yet. This only affects the PIX and ASA currently, but they are looking to use ssh/tftp or ssh/ftp or ssh/sftp to deploy the ACL to the ASA the way they do on routers currently. This is suppose to remove the ~10 second delay issue that I see on the PIX.


This Discussion