06-22-2002 12:03 AM - edited 03-08-2019 11:05 PM
Hi,
Currently, I have my existing PIX Firewall and IOS routers in my network. I already have firewall rules and access-lists on the PIX and routers respectively.
My company has bought CSPM 3.0 to manage these devices. While trying to add the rules in the Policy Manager for my PIX firewall rules, I discovered that the same rules also appear as access-lists on my routers... Can I add these rules to just my PIX firewall only?
My worry is that if I continue to add my IOS routers' access-lists (different from the PIX firewall rules), all these commands will appear on both my PIX and routers.... This is not what I want.
Please help.
06-23-2002 09:59 AM
You create all your "policies" in CSPM. Meaning, you want network A to be able to talk to network B on port 80... Then CSPM will calculate all the paths between A and B and then apply the corresponding access-lists to the devices along the path.
Therefore, only the devices that need the access-list entries will have them applied.
Hope that helps,
David.
06-23-2002 07:50 PM
Correct me if I am wrong... Then in this case all my managed devices between network A and network B will have the access-list applied. This will definitely slow down my network...
Is there a new release whereby we can choose the managed devices to distribute the rules to?
06-23-2002 10:08 PM
You don't need to mark your devices as managed!
If you insert your routers as routers and not as IOS routers, CSPM won't build access-lists for them.
The other possibility is to use the epilog window.
You can apply the commands
no ip inspect
and then for each interface
no ip access-group in
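The epilog approach above only works if the epilog covers every interface that currently has an inbound access-group, and an administrator will want to know which router ACLs stop being enforced so they can confirm the PIX policy covers the same traffic. The following is an added example, not code from the thread or from CSPM: it parses a constructed IOS running-config excerpt (standard interface-block layout assumed) and generates the epilog lines the reply describes, reporting the inbound ACLs it would remove.

```python
import re
from typing import Dict, List

# Constructed sample running-config excerpt (not taken from the original thread).
SAMPLE_RUNNING_CONFIG = """\
ip inspect name FWRULE tcp
ip inspect name FWRULE udp
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.0
 ip access-group 101 in
 ip inspect FWRULE in
!
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 ip access-group 102 in
 ip access-group 103 out
!
interface Loopback0
 ip address 10.255.255.1 255.255.255.255
!
access-list 101 permit tcp any host 10.1.1.10 eq 80
access-list 102 permit tcp any host 10.1.1.10 eq 80
access-list 103 permit ip any any
"""


def inbound_access_groups(config: str) -> Dict[str, str]:
    """Map each interface to the ACL applied with 'ip access-group <acl> in'.

    Outbound access-groups are left alone, matching the reply's 'no ip access-group in'.
    """
    result: Dict[str, str] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and line.startswith(" "):
            m = re.match(r"\s+ip access-group (\S+) in\s*$", line)
            if m:
                result[current] = m.group(1)
        else:
            current = None  # any non-indented line ends the interface block
    return result


def build_epilog(config: str) -> List[str]:
    """Epilog: clear CBAC inspection globally, then the inbound ACL on each affected interface."""
    lines = ["no ip inspect"]
    for iface in inbound_access_groups(config):
        lines += [f"interface {iface}", " no ip access-group in"]
    return lines


if __name__ == "__main__":
    for iface, acl in inbound_access_groups(SAMPLE_RUNNING_CONFIG).items():
        print(f"{iface}: inbound access-list {acl} will no longer be enforced by the router")
    print("\n".join(build_epilog(SAMPLE_RUNNING_CONFIG)))
```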