Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

CSPM 3.0 issues


Currently, I have my existing PIX Firewall and IOS routers in my network. I already have firewall rules and access-list on the PIX and routers respectively.

My company has bought CSPM 3.0 to manage these devices. While trying to add the rules in the Policy Manager for using my PIX firewall rules, I discover that the same rules also appear as access-list in my routers... Can I add these rules to just my PIX firewall only??

My worry is that if I continue to add my IOS routers access-list(different from the PIX firewall rules). All these commands will appear for both my PIX and routers.... This is not what I want.

Pls help.

Cisco Employee

Re: CSPM 3.0 issues

You create all your "policies" in CSPM. Meaning you want network A to be able to talk to Network B on port 80... Then CSPM will calculate all the paths between A and B and then apply the corresponding Access-lists to the devices along the path.

Therefore, only the devices that need the access-list entries will have them applied.

Hope that helps,


New Member

Re: CSPM 3.0 issues

Correct me if I am wrong... Then in this case all my managed devices with network A and network B will have the access-list applied.This will definitely slow down my network...

is there a new release whereby we can choose the managed devices to distribute the rules to?

New Member

Re: CSPM 3.0 issues

you don't need to mark your devices as managed!

if you insert your routers as routers and not as ios routers cspm won't build access-lists for it.

the other possibility is to use the epilog window.

you can apply the commands

no ip inspect

and then for each interface

no ip access-group in

CreatePlease to create content