Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to discuss with Cisco expert Amrit Patel how to use the new Cisco Security Manager for policy administration and configuration of firewall and VPN policies. Amrit has over 25 years' experience with systems and network services management, starting in the early days of DECnet with Digital Equipment Company. He has been with Cisco Systems Inc. for 11 years, in both field and product development roles. Currently, Amrit and his team are responsible for the security management product portfolio which supports Cisco's multi-billion dollar security business, specifically VPN technologies, firewalls, intrusion detection systems, network security and security information management.
Remember to use the rating system to let Amrit know if you have received an adequate response.
Amrit might not be able to answer each question due to the volume expected during this event. Our moderators will post many of the unanswered questions in other discussion forums shortly after the event. This event lasts through June 2, 2006. Visit this forum often to view responses to your questions and the questions of other community members.
Hi Amrit, could you please give a brief overview of this Security Manager? Is it an appliance for managing security devices, or software like CiscoWorks, or like Security Device Manager where we had to install it in a router and then use it? Could you please give brief details about this product? Can this product manage VPN concentrators, ASA, PIX and routers, and even IDS and IPS? Waiting for your reply.
Cisco Security Manager is a Windows-based application; it comes on a DVD and once installed allows you to manage all Cisco security devices excluding the VPN Concentrator 3000 series. You can manage ISRs, PIX, ASA, and all the security service modules for the Catalyst (FWSM, VPNSM, IDSM). And yes, it also allows you to manage IDS and IPS in network sensors or IOS.
Please check the link at www.cisco.com/go/csmanager for more details and to get an evaluation copy; note that the evaluation copy does not need a license and will run for 90 days in full-feature mode.
Hi Amrit, thanks a lot. So for this to work, do we have to install any bin files or images in the devices, like we install the ASDM image in ASA or PIX? But there are already many management solutions for these boxes, like ASDM for PIX and ASA and Security Device Manager for routers; what extra does this Security Manager give?
You do not need any extra bin files; all you need is the device up and running and the logon credentials for SSH and SSL access to the device.
Cisco Security Manager provides the ability to define policies for firewall, VPN, IPS and all the device features like routing, QoS etc. -- you can deploy these policies to one or more devices in the network to scale.
I would like to make a VPN connection between two PIX 501 devices. How can I use the PDM 'Cisco Easy VPN Remote' to do this?
On the PDM panel: Startup Wizard>Easy VPN Remote Configuration - can I enter the same login and password as to the ordinary VPN Client software?
The "Cisco Easy VPN Remote" panel is correct.
That should work. Note that, for the ordinary VPN Client, the authentication is initially done via group name and password, which is "stored" with the VPN Client when it is installed.
The username/password prompt you get is after the group authentication, so this is going to depend on what you are configuring on the head-end device.
I am trying to figure out how to do port-forwarding on the IOS firewall on a 2851 router.
For example, if traffic comes to the external IP address of the router on port 25, the router needs to know that all traffic on that port should be forwarded to 192.168.1.10.
If I understood your question correctly, you need to translate the SMTP traffic to your internal SMTP server; in that case you need to use "static NAT" functionality in IOS - reference example below.
However, if your SMTP server is listening on a different port, e.g. 8080 or something else, then you need to use the ip port-map functionality in IOS Firewall.
Thanks and Regards
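Added example for the static NAT answer above; this is not part of Amrit's reply or the original thread. It assumes a 2851 with GigabitEthernet0/0 as the outside interface using the placeholder public address 203.0.113.2 (TEST-NET-3, a documentation address) and GigabitEthernet0/1 as the inside LAN; the mail relay 192.168.1.10 and port 25 come from the question. The ACL and inspection rule names are chosen here for illustration. It also covers the second point in the reply, a relay listening on a non-standard port, as a commented alternative.

```cisco
! Added example, not from the original thread. Assumptions: GigabitEthernet0/0
! is outside with placeholder public address 203.0.113.2, GigabitEthernet0/1
! is inside; the relay at 192.168.1.10:25 is from the question.
!
interface GigabitEthernet0/0
 description Outside
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW-OUT-IN in
!
interface GigabitEthernet0/1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect FW-IN-OUT in
!
! Outbound PAT for the LAN so internal hosts can reach the Internet
access-list 10 permit 192.168.1.0 0.0.0.255
ip nat inside source list 10 interface GigabitEthernet0/0 overload
!
! Port forward: TCP/25 arriving on the outside interface address is
! translated to the internal relay. A static entry is matched before the
! overload rule above.
ip nat inside source static tcp 192.168.1.10 25 interface GigabitEthernet0/0 25
!
! Relay listening on a non-standard port (e.g. 8080): translate the port as
! well, and tell the firewall's port-to-application map that 8080 is SMTP so
! the inspected session is treated as SMTP (the second point in the reply):
!   ip nat inside source static tcp 192.168.1.10 8080 interface GigabitEthernet0/0 25
!   ip port-map smtp port 8080
!
! The inbound ACL on the outside interface is evaluated BEFORE
! outside-to-inside NAT, so it must match the public (global) address, not
! 192.168.1.10. Only the forwarded service is allowed in; everything else is
! denied and logged so unexpected probes show up in syslog.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.2 eq 25
 deny   ip any any log
!
! Stateful inspection (CBAC): open return paths only for sessions the LAN
! initiates, and inspect the inbound SMTP session to the relay.
ip inspect name FW-IN-OUT tcp
ip inspect name FW-IN-OUT udp
ip inspect name FW-IN-OUT icmp
ip inspect name FW-OUT-IN smtp
!
! Checks after deployment:
!   show ip nat translations | include 192.168.1.10
!   show ip inspect sessions
!   show access-lists OUTSIDE-IN
```

The ordering note matters in practice: a common mistake is to write the inbound ACL against the private address, which never matches because the packet is still addressed to the public IP when the input ACL is checked. The `deny ip any any log` line is redundant with the implicit deny but gives you hit counters and log entries for anything other than mail reaching the router from outside.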
Hi, we have a client who has mixed SW versions, e.g. PIX v7.0 and IPS 4255 w/ SW ver 4.1. Based on what I have read, CSM 3.0 supports PIX, ASA, IPS etc., but what about the IPS w/ ver 4.1 (IDS)? Will it be able to support that as well w/o upgrading to v5.0? Kind of a financial overhead in terms of SW license per sensor.
Need a precise solution before suggesting any upgrade of VMS 2.3 to CSM 3.0.
What about VMS 2.3; is there any end-of-sale announcement?
Cisco Security Manager 3.0 supports PIX/ASA 7.0 and IPS 4.x. The older management product, VMS, also supports IDS 4.x but does not support PIX 7.0. Note that the signature updates for 4.x will be ending fairly soon, so it is in the best interest of the customer to upgrade to 5.0 as soon as possible. I would recommend that you upgrade to Cisco Security Manager 3.0.
Normally a newer ver of an NMS is always downward compatible. If CSM 3.0 does not support PIX v6.x, does it have the capability to push the v7.0 code while preserving the config? And if signature updates for 4.x will be ending soon, does this mean before the end of this year?
Cisco Security Manager does support PIX 6.3 and up; I stated 7.0 in my previous reply based on your original need to support 7.0.
If you upgrade the PIX running 6.3 to the 7.0 image, the config on the device will also get upgraded to be compatible with 7.0; then you can import the device into the manager for ongoing management.
Is it possible to deploy QoS policies, like bandwidth restrictions and so on, from ACS 3.3 to a PC or a switch port in a Catalyst via dot1x or another protocol?
This question is not specifically related to Cisco Security Manager. From what I understand of the area, some of our new switches support this: the QoS can be configured as a VSA (Vendor Specific Attribute, RADIUS attribute 26) that is associated with a user.
First of all, I am very impressed with CS-Manager. It really simplifies network security management on the ASA. I have also been impressed with the VPN management of the program, with one exception listed below.
I have found that when I set up a VPN using CS-Manager, I more times than not have to reboot the remote PIX before an IPSec tunnel works. Even though this is annoying, since I don't have this issue when building a tunnel manually, I think the ability to reboot a device from CS-Manager would make it more tolerable.
Have you heard of this issue of needing to reboot a remote PIX after creating a tunnel using CS-Manager to get the tunnel to work?
Thanks for your positive comments on Cisco Security Manager, and sorry that you ran into this.
If it is a brand new VPN configuration on the device it generally works; if the VPN configuration is being changed, then a "clear crypto is sa" command is required to clear out the old SAs and then start building new ones.
You can use the FlexConfig feature to do this.
You can create a FlexConfig template with the command in it, say called ClearCrypto using the Object Manager. Then you can assign that template to all the devices you are changing. This template command will be executed each time you do a deployment, so once you have done your VPN updates you may want to remove the ClearCrypto template from the devices.
In a future release we will consider providing an option to issue that command as part of a VPN update only.
Thanks for the reply. I will try this solution, even though I had tried to manually clear the isa sa on the PIX without any luck until I just rebooted it. I'm still test-driving, and I know that CS-Manager has too much potential to give up on it easily.
Follow-up on the work-around for setting up VPN.
I have two PIX 6.3(5) firewalls with a current VPN to a dynamic VPN head-end. When I created a point-to-point between the two spoke VPN firewalls, I had to reboot to get an ISA SA to form.
The work-around was to add "clear isa sa" in a FlexConfig. This did not work either. I found that the command needs to be "clear ipsec sa" in the FlexConfig to make the tunnel come up without a reboot.
Thanks again for the idea.
How is the migration of VMS 2.3 to CS Manager?
Is it recommended? What are the benefits of migrating to the new CS Manager?
The topic of migrating from VMS 2.3 to CS Manager is covered in depth in the document: Migrating from CiscoWorks VPN/Security Management Solution to Cisco Security Manager which can be found here: http://www.cisco.com/en/US/products/ps6498/products_upgrade_guides_book09186a008063ea05.html. The overview section of the document covers many of the considerations when making this migration decision. The benefits of migrating are extensive and include items such as: 1) integrated application for security configuration management compared to multiple applications in VMS, 2) radically improved usability, 3) support for the latest Cisco devices, OS versions, and features.
The CS Manager Datasheet includes a comprehensive list of features and benefits: http://www.cisco.com/en/US/products/ps6498/products_data_sheet0900aecd803ffd5c.html
CSAMC has been separated out as a product by itself. We had many customers ask us to do this as the buying and operations centers for the Cisco Security Agent are very different. Going forward we will continue to take input as to any required change in direction.
Can CSM co-exist on the same Windows box as CiscoWorks LMS 2.2 or 2.3? Does CSM require admin privileges to operate on a day-to-day basis, including during troubleshooting? Does Cisco have or plan a CSM appliance bundle, similar to Cisco Secure ACS or WLSE? Is CSM supported by Cisco on the MS Virtual Server solution, or in a shared server hardware environment with third-party products?
Cisco Security Manager is not supported to run with LMS. It does not require NT Administrator privs to operate the application.
Today there are no plans to provide an appliance version of the manager, and it is not supported to run under VMware or Virtual Server.
We recommend a dedicated server for Cisco Security Manager.
Our client has PIX 535 appliances and FWSM modules, and he is managing them through VMS 2.3.
He now wants to upgrade the PIX to v7.0.
VMS v2.3 does not support v7.0.
Must he upgrade to CSM 3.0, or will VMS support it in the future?
Your customer will need to upgrade to Cisco Security Manager 3.0; there are no plans to support newer releases of platforms on VMS.
Does CS-Manager now, or in a future release, have the ability to issue show and clear commands to a managed device not in conjunction with a deploy? Such as show conn, show xlate, clear isa sa and clear ipsec sa?