
ASK THE EXPERT – CISCO SECURITY MANAGER

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Amrit Patel how to use the new Cisco Security Manager for policy administration and configuration of firewall and VPN policies. Amrit has over 25 years' experience with systems and network services management, starting in the early days of DECnet with Digital Equipment Company. He has been with Cisco Systems Inc. for 11 years, in both field and product development roles. Currently, Amrit and his team are responsible for the security management product portfolio which supports Cisco's multi-billion dollar security business, specifically VPN technologies, firewalls, intrusion detection systems, network security and security information management.

Remember to use the rating system to let Amrit know if you have received an adequate response.

Amrit might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 2, 2006. Visit this forum often to view responses to your questions and the questions of other community members.

38 REPLIES
New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Sorry, a mouse error :)

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Hi Amrit, could you please give a brief about this Security Manager? Is it an appliance for managing security devices, or software like CiscoWorks, or like Security Device Manager where we had to install it in a router and then use it? Could you please give brief details about this product? Can this product manage VPN concentrators, ASA, PIX and routers, and even IDS and IPS? Waiting for your reply.

regards

sebastan

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Hi Sebastan

Cisco Security Manager is a Windows-based application. It comes on a DVD and once installed allows you to manage all Cisco security devices excluding the VPN Concentrator 3000 series. You can manage ISRs, PIX, ASA, and all the security service modules for the Catalyst (FWSM, VPNSM, IDSM). And yes, it also allows you to manage IDS and IPS in network sensors and in IOS.

Please check the link at www.cisco.com/go/csmanager for more details and to get an evaluation copy. Note that the evaluation copy does not need a license and will run for 90 days in full feature mode.

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Hi Amrit, thanks a lot. So for this to work, do we have to install any bin files or images on the devices, like we install the ASDM image on an ASA or PIX? But there are already many management solutions for these boxes, like ASDM for PIX and ASA and Security Device Manager for routers. What extra does this Security Manager give?

regards

sebastan

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Hi

You do not need any extra bin files; all you need is the device up and running and the logon credentials for SSH and SSL access to the device.

Cisco Security Manager provides the ability to define policies for firewall, VPN, IPS and all the device features like routing, QoS etc. You can deploy these policies to one or more devices in the network to scale.

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Hi,

I would like to make a VPN connection between two PIX 501 devices. How can I use the PDM 'Cisco Easy VPN Remote' to do this?

On the PDM panel: Startup Wizard>Easy VPN Remote Configuration - can I enter the same login and password as to the ordinary VPN Client software?

Thanks,

Chris

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

The "Cisco Easy VPN Remote" panel is correct.

That should work. Note that, for the ordinary VPN client, the authentication is initially done via group name and password, which is "stored" with the VPN client when it is installed.

The username/password prompt you get is after the group authentication, so this is going to depend on what you are configuring on the head-end device.

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

I am trying to figure out how to do port-forwarding on the IOS firewall on a 2851 router.

For example, if traffic comes to the external IP address of the router on port 25, the router needs to know that all traffic on that port should be forwarded to 192.168.1.10.

Cisco Employee

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Hi,

If I understood your question correctly, you need to translate the SMTP traffic to your internal SMTP server. In that case you need to use the "static nat" functionality in IOS; reference example below:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

However, if your SMTP server is listening on a different port, e.g. 8080 or something else, then you need to use the ip port-map functionality in IOS Firewall:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_chapter09186a00800ca7c8.html

Thanks and Regards

Arshad
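An added example (not from the thread or the linked Cisco documents) showing both cases Arshad describes on a 2851: a static PAT entry for TCP/25 to 192.168.1.10, and the commented-out variant for a server listening on 8080 with a host-specific `ip port-map` so the IOS Firewall inspects that port as SMTP. Interface roles and the outside address 203.0.113.1 are assumptions chosen for the example.

```cisco
! Assumed interface roles: Gi0/0 outside (constructed address), Gi0/1 inside LAN
interface GigabitEthernet0/0
 description OUTSIDE (example address from documentation range)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 description INSIDE LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect FW in
!
! Case 1: the mail server listens on 25. Static PAT forwards only TCP/25
! arriving on the outside interface address to 192.168.1.10:25.
ip nat inside source static tcp 192.168.1.10 25 interface GigabitEthernet0/0 25
!
! Case 2 (alternative to case 1, same outside port): the server listens on 8080.
! The translation maps outside 25 to inside 8080, and the host-specific port map
! tells CBAC to treat 8080 as SMTP for this server only, not network-wide.
! ip nat inside source static tcp 192.168.1.10 8080 interface GigabitEthernet0/0 25
! access-list 10 permit host 192.168.1.10
! ip port-map smtp port 8080 list 10
!
! Inbound ACL: expose only the forwarded port; log everything else that is
! dropped so unexpected probes are visible.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.1 eq 25
 deny ip any any log
!
! CBAC inspection on the inside interface opens return paths for sessions
! initiated from the LAN; the SMTP engine uses the port map above.
ip inspect name FW tcp
ip inspect name FW smtp
```

Verify the translation with `show ip nat translations` and, after a test session, the dynamic openings with `show ip inspect sessions`.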

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Hi, we have a client who has mixed SW versions, e.g. PIX v7.0 and IPS 4255 with SW ver 4.1. Based on what I have read, CSM 3.0 supports PIX, ASA, IPS etc., but what about the IPS with ver 4.1 (IDS)? Will it be able to support it as well without upgrading to v5.0? Kind of a financial overhead in terms of SW license per sensor.

Need a precise solution before suggesting for any upgrade of VMS 2.3 to CSM 3.0.

What about VMS 2.3 is there any end-of-sale announcement ?

Pls clarify...TIA

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Cisco Security Manager 3.0 supports PIX/ASA 7.0 and IPS 4.x. The older management product, VMS, also supports IDS 4.x but does not support PIX 7.0. Note that the signature updates for 4.x will be ending fairly soon, so it is in the best interest of the customer to upgrade to 5.0 as soon as possible. I would recommend that you upgrade to Cisco Security Manager 3.0.

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Normally a newer version of an NMS is always downward compatible. If CSM 3.0 does not support PIX v6.x, does it have a capability to push the v7.0 code while preserving the config? And if signature updates for 4.x will be ending soon, does this mean before the end of this year?

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Cisco Security Manager does support PIX 6.3 and up; I stated 7.0 in my previous reply based on your original need to support 7.0.

If you upgrade the PIX running 6.3 to the 7.0 image, the config on the device will also get upgraded to be compatible with 7.0, then you can import the device into the manager for ongoing management.

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Hi,

Is it possible to deploy QoS policies like bandwidth restrictions, and so on, from ACS 3.3 to a PC or a switch port in a Catalyst via dot1x or another protocol?

Best Regards,

Juan

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

This question is not specifically related to Cisco Security Manager. From what I understand of the area, some of our new switches support this: the QoS can be configured as a VSA (Vendor Specific Attribute, RADIUS attribute 26) and it is associated with a user.

Bronze

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

First of all, I am very impressed with CS-Manager. It really simplifies network security management on the ASA. I have also been impressed with the VPN management of the program, with one exception listed below.

I have found that when I setup a VPN using CS-Manager, I more times than not have to reboot the remote PIX before an IPSec tunnel works. Even though this is annoying, since I don't have this issue when building a tunnel manually, I think the ability to reboot a device from CS-Manager would make it more tolerable.

Have you heard of this issue of needing to reboot a remote PIX after creating a tunnel using CS-Manager to get the tunnel to work?

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Thanks for your positive comments on Cisco Security Manager and Sorry that you ran into this.

If it is a brand new VPN configuration on the device it generally works; if the VPN configuration is being changed then a "clear crypto is sa" command is required to clear out the old SAs before starting to build new ones.

You can use the FlexConfig feature to do this.

You can create a FlexConfig template with the command in it, say called ClearCrypto using the Object Manager. Then you can assign that template to all the devices you are changing. This template command will be executed each time you do a deployment, so once you have done your VPN updates you may want to remove the ClearCrypto template from the devices.

In a future release we will consider providing an option to issue that command as part of a VPN update only.

Bronze

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Thanks for the reply. I will try this solution even though I had tried to manually clear the isa sa on the PIX without any luck until I just rebooted it. I'm still test driving and know that the CS-Manager has too much potential to give up on it easily.

Thanks again,

Mark

Bronze

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Follow-up on the work-around for setting up a VPN.

Situation:

I have two PIX 6.3(5) firewalls with a current VPN to a dynamic VPN head-end. When I created a point-to-point between the two spoke VPN firewalls I had to reboot to get an ISA SA to form.

The work-around was to add "clear isa sa" in a FlexConfig. This did not work either. I found that the command needs to be "clear ipsec sa" in the FlexConfig to make the tunnel come up without a reboot.

Thanks again for the idea.

Mark

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

How is the migration of VMS 2.3 to CS Manager?

Is it recommended? What are the benefits of migrating to the new CS Manager?

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

The topic of migrating from VMS 2.3 to CS Manager is covered in depth in the document: Migrating from CiscoWorks VPN/Security Management Solution to Cisco Security Manager which can be found here: http://www.cisco.com/en/US/products/ps6498/products_upgrade_guides_book09186a008063ea05.html. The overview section of the document covers many of the considerations when making this migration decision. The benefits of migrating are extensive and include items such as: 1) integrated application for security configuration management compared to multiple applications in VMS, 2) radically improved usability, 3) support for the latest Cisco devices, OS versions, and features.

The CS Manager Datasheet includes a comprehensive list of features and benefits: http://www.cisco.com/en/US/products/ps6498/products_data_sheet0900aecd803ffd5c.html

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Hi Amrit

When will CSM be able to support management of the CSA (MC for CSA 4.x, 5.x)?

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

CSAMC has been separated out as a product by itself. We had many customers ask us to do this as the buying and operations centers for the Cisco Security Agent are very different. Going forward we will continue to take input as to any required change in direction.

Blue

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Can CSM co-exist on the same Windows box as CiscoWorks LMS 2.2 or 2.3? Does CSM require admin privilege to operate on a day-to-day basis, including during troubleshooting? Does Cisco have or plan a CSM appliance bundle, similar to Cisco Secure ACS or WLSE? Is CSM supported by Cisco on MS Virtual Server solution, or in a shared server hardware environment with third-party products?

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Cisco Security Manager is not supported to run with LMS. It does not require NT Administrator privileges to operate the application.

Today there are no plans to provide an appliance version of the manager and it is not supported to run under VMWare or Virtual server.

We recommend a dedicated server for Cisco Security Manager.

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Our client has PIX 535 appliances and FWSM modules and he is managing them through VMS 2.3.

He now wants to upgrade the PIX to v7.0.

The VMS V2.3 does not support v7.0.

Must he upgrade to CSM 3.0 or VMS will support it in the future?

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Hi

Your customer will need to upgrade to Cisco Security Manager 3.0; there are no plans to support newer releases of platforms on VMS.

Bronze

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Does CS-Manager now, or in a future release, have the ability to issue show and clear commands to a managed device not in conjunction with a deploy? Such as show conn, xlate, clear isa sa and ipsec sa?

New Member

Re: ASK THE EXPERT – CISCO SECURITY MANAGER

Mark,

I can see how these features would be useful in troubleshooting etc. I will have them placed on our road map. Thx
