I'm trying to use CSPM 3.0 for managing a PIX 515 with three interfaces and 4 VPNs terminated on it. I have already configured the PIX with the CLI and it works fine, but I just acquired CSPM 3.0 and want to use it for management. The problem is that after I successfully created my exact network topology and configured all policy rules, the command generation feature does not reflect the actual policy rules, even though I saved and updated the database. When I preview the commands generated (before publishing them on the PIX), I notice that these commands do not cover all the policy rules that I configured. For example, I have a rule permitting all IP traffic from inside to outside, but the command generation shows an access list which denies ALL outbound traffic. This is just one example; there are many more.
I have not used CSPM version 3, but I have done a lot of work with 2.3.
I found that I had to spend a lot of time making sure that the network topology was correct in order for the correct rules to be generated. There were a few strange issues that I had with rules not being generated, and most of the time I just had to play around with the topology until I had it right.
With your config, do you get any errors/warnings when you do a save and update? I found this fairly helpful.
While CSPM is a good product for managing multiple firewalls, I find it adds too much management overhead to be valuable in a single-firewall environment. Just my opinion.