I need to tidy up my ASA5520, which includes removing unused access-lists, NAT etc. What is the best way to document my ruleset?
Need advice on VPN: we have a lot of 3rd party companies dialing in; they currently use a mixture of Secure Desktop and the VPN client. They need access to servers which they RDP on to. What would you recommend they use?
How would you hand out passwords to 3rd party companies?
With regards to documenting rulebases, I think it's more an individual thing and depends on how your current documentation is laid out. Having worked with multiple customers, some just keep the raw ACLs in configuration backups. Others run spreadsheets which they add to whenever a change comes in; however, the latter soon starts to get huge. :)
Secure Desktop or the VPN client should give you granular control over what they can/can't do; it will also give you the option of checking for valid anti-virus etc. The main thing here is to make sure they only have access to what they need and to the specific services.
In my opinion, issuing RSA tokens to external companies is always the best option when it comes to password security.
I presume you are using object groups within your configuration. If this is the case, the spreadsheets I have seen (I have never personally constructed one) have a sheet with all the object groups and the relevant IP addresses, and then separate sheets for each interface. Hence the easiest way I can think of when starting from scratch would be to get the rule base comma-delimited so you can import it into the spreadsheet.
As for zero-hit rules, it's all down to housekeeping, and it is always common to find lots of rules with no hits that were added as knee-jerk reactions to faults or requests. I don't think there is any other way to monitor the ACLs with zero hits on the actual device; you would need to look at a reporting/management platform, I guess, that could collate the data for you.
If you found any of this helpful please rate the posts.
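As an added example that is not from the original thread: a small parser that takes `show access-list` output from an ASA, skips the indented object-group expansion lines, flags the zero-hit entries, and emits the rule base comma-delimited for the spreadsheet approach described above. The sample output is constructed to roughly follow ASA formatting; check it against your own device's output.

```python
import csv
import io
import re

# Constructed sample, roughly following ASA "show access-list" output.
# Indented lines are the expansion of an object-group ACE into hosts.
SAMPLE = """\
access-list outside_in; 4 elements; name hash: 0x1234abcd
access-list outside_in line 1 extended permit tcp any host 10.1.1.10 eq https (hitcnt=1234) 0x4a8f3b2e
access-list outside_in line 2 extended permit tcp object-group RDP_SRV any eq 3389 (hitcnt=0) 0x7c1d2e3f
  access-list outside_in line 2 extended permit tcp host 10.1.1.20 any eq 3389 (hitcnt=0) 0x11223344
access-list outside_in line 3 extended deny ip any any log (hitcnt=77) 0x55667788
"""

ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?P<type>extended|standard|webtype) "
    r"(?P<action>permit|deny) (?P<rule>.+?) \(hitcnt=(?P<hits>\d+)\)(?: 0x[0-9a-f]+)?$"
)


def parse_aces(text):
    """Return one dict per top-level ACE; object-group expansion lines are skipped."""
    aces = []
    for raw in text.splitlines():
        if raw.startswith(" "):  # indented = expanded child of an object-group ACE
            continue
        m = ACE_RE.match(raw.strip())
        if m:
            ace = m.groupdict()
            ace["line"] = int(ace["line"])
            ace["hits"] = int(ace["hits"])
            aces.append(ace)
    return aces


def zero_hit(aces):
    """Candidates for housekeeping: entries that have never matched traffic."""
    return [a for a in aces if a["hits"] == 0]


def to_csv(aces):
    """Comma-delimited rule base, one row per ACE, ready to import into a spreadsheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["acl", "line", "action", "rule", "hits"],
                            extrasaction="ignore")
    writer.writeheader()
    writer.writerows(aces)
    return buf.getvalue()
```

Hit counters reset on reload or `clear access-list counters`, so compare snapshots over a realistic window before treating a zero-hit entry as unused.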