CSM and site to site VPN's to unmanaged devices

trasheuro
Level 1

Hi,

Is anyone managing Site to Site IPSec VPNs between a managed firewall and a 3rd party (unmanaged) firewall with Cisco Security Manager? From the documentation (and testing) it appears that VPNs between managed and unmanaged devices are supported (see "Adding Unmanaged Devices to Your VPN Topology" from http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/3.2.1/user/guide/vpchap.html). Unfortunately CSM generates the error "Security Manager does not support policy discovery for unmanaged devices" when running Policy -> Discover VPN Policies, so all Site to Site VPNs must be defined manually. This is a major process for me as I need to import a large number of devices and VPNs into CSM. Is anyone aware of an easier way to accomplish this?

FYI - The manual process I've been using is as follows:

1) Discover managed device.

2) Discover unmanaged device (using Add New Device wizard, and unselect "Manage in Cisco Security Manager")

3) Add an interface to the unmanaged device with correct peer IP address. This seems to be required otherwise when you submit changes an error occurs.

4) Create Site to Site VPN.

5) Submit and deploy.

Note that when deploying, CSM still wants to deploy to the unmanaged device (which seems strange to me as the device is not managed by CSM).

If anyone has come across these issues I'd like to know if you have any workarounds.

Thanks,

Matt Moore

3 Replies

sadbulali
Level 4

The steps you have provided for adding unmanaged devices are the only way of doing the same. For successful VPN discovery, the following prerequisites must be met:

1) All devices participating in the VPN must be added to the Security Manager inventory.

2) You must provide Security Manager with some basic information about the VPN. The VPN discovery wizard prompts you for the following information:

- VPN topology (hub and spoke, point to point, full mesh)

- VPN technology (Regular IPsec, IPsec/GRE, GRE dynamic IP, DMVPN, Easy VPN)

- Devices in the VPN and their roles (hub/spoke)

- Source of the VPN configuration. The VPN can be discovered directly from the live network or from Security Manager's Configuration Archive.

3) Each device in the VPN must have a crypto map associated with a physical interface.

4) Each PIX 6.3 or ASA 5505 client device in an Easy VPN topology must have a vpnclient configuration.

spasternacki
Level 1

Matt,

Have you managed to get this automatic import process working? Or maybe you have found a better workaround?

Has anyone else come across this issue?

Regards,

Sebastian

I worked through my issues with TAC, and eventually CSM developers. They confirmed they are planning to address this in an upcoming release, but they advised it would not be available for some time - possibly the next major release.
