Does anyone know of a tool that manages ASA/PIX/IOS ACLs? I am looking for a tool that can maintain shared policies and allow for local policies as well. Using the shared policies, I would like to be able to make one change to the policy and have it reflected to all the devices that share that policy.
I have evaluated Cisco Security Manager. I like the way the Access-rule portion functions, but I don't need it to manage any other part of my firewall configs. I have seen a bug where CSM wasn't able to detect port speed of the ASA5505. This bug would have left a large portion of our network down and unreachable for some time. Being able to use CSM to manage only the ACLs of my devices would reduce the chances of a bug bringing down my network and leaving the devices unreachable.
I also evaluated Solsoft Policy Server. This is a very slick approach to managing access on a network, but is a bit pricey. I may revisit this in the future if I am still in need of a solution.
You are probably referring to Cirrus network management. I forgot to mention that I had evaluated this product as well. It does have a nice policy reporting feature, but I found that I could not insert ACEs in the middle of an ACL with this tool like I could with Cisco Security Manager. The entries would go to the bottom of the ACL no matter where you configured it within the device config. This is the main reason I decided against using Cirrus. I don't think it was very expensive though.
I was able to demo the Cyberoperations "ACL Compliance Director" product. It is in fact the type of product I was looking for. It is very user friendly and offers some nice features for centrally managing ACLs. They are also open to suggestions for their product. I had suggested per-device overrides for the network groups that you can configure, which are kind of like object-groups on PIX/ASA firewalls even though they are not actually sent to the device during the ACL deployment. They are looking to implement this as well as a color code for ACLs that will show up in the Target summary list, so I would be able to see at a glance that my policies were assigned to my devices as I had intended. There were a couple of other smaller suggestions too. They are more than willing to work with you on your needs. I would recommend this product to anyone that is looking for this type of product.
NOTE: One issue that I haven't heard back on is that with PIX firewalls the ACL is first removed and then replaced by the new updated ACL. During testing I found that it took ~10 seconds before the ACL was reapplied. During this time, access was wide open from the inside interface. I had suggested using an incrementing ACL solution where the new ACL would first be configured and then applied to the interface, replacing the old ACL, which could then be removed. I haven't heard back on this suggestion yet. This only affects the PIX and ASA currently, but they are looking to use ssh/tftp or ssh/ftp or ssh/sftp to deploy the ACL to the ASA the way they do on routers currently. This is supposed to remove the ~10 second delay issue that I see on the PIX.
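The remove-then-replace window described in the post above can be made concrete by modelling the two command orders and counting how many steps leave the interface with no access list bound. The following is an added example, not code from the original post, from Cyberoperations or from Cisco: the ACL names, ACEs and interface name are constructed, and the model assumes that clearing an ACL also drops the access-group that referenced it and that an interface with no bound ACL passes inside-to-outside traffic unfiltered, which is the "wide open" behaviour the post reports. It does not model command timing, so it shows the ordering problem rather than the ~10 seconds.

```python
"""Model of two ASA/PIX ACL push orders: remove-then-replace vs build-then-swap.

Added example (not from the original thread or any vendor). Assumptions:
  * 'clear configure access-list X' also removes any access-group bound to X
    (modelled on the post's observation that the PIX went open).
  * An interface with no existing ACL bound is treated as unfiltered.
  * ACL names, ACEs and the interface name below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample ACEs in "access-list <name> extended <ace>" syntax.
SAMPLE_ACES = [
    "permit tcp 10.1.0.0 255.255.0.0 any eq 443",
    "permit udp 10.1.0.0 255.255.0.0 host 10.9.9.9 eq 53",
    "deny ip any any log",
]


def remove_then_replace(acl: str, iface: str, aces: List[str]) -> List[str]:
    """Order the post reports on PIX: clear the ACL, rebuild it under the
    same name, then rebind it. The interface is unbound until the last step."""
    cmds = [f"clear configure access-list {acl}"]
    cmds += [f"access-list {acl} extended {ace}" for ace in aces]
    cmds.append(f"access-group {acl} in interface {iface}")
    return cmds


def build_then_swap(old: str, new: str, iface: str, aces: List[str]) -> List[str]:
    """Order suggested in the post: build the new ACL under a new name, bind
    it (access-group replaces the existing binding for that interface and
    direction), and only then remove the old ACL."""
    cmds = [f"access-list {new} extended {ace}" for ace in aces]
    cmds.append(f"access-group {new} in interface {iface}")
    cmds.append(f"clear configure access-list {old}")
    return cmds


@dataclass
class FirewallModel:
    """Minimal state machine for the three command types used above."""
    acls: Dict[str, List[str]] = field(default_factory=dict)
    bindings: Dict[str, str] = field(default_factory=dict)  # "iface in" -> acl

    def apply(self, cmd: str) -> None:
        parts = cmd.split()
        if parts[:3] == ["clear", "configure", "access-list"]:
            name = parts[3]
            self.acls.pop(name, None)
            # Assumption: removing the ACL drops bindings that referenced it.
            for key in [k for k, v in self.bindings.items() if v == name]:
                del self.bindings[key]
        elif parts[0] == "access-list":
            self.acls.setdefault(parts[1], []).append(" ".join(parts[3:]))
        elif parts[0] == "access-group":
            # access-group <acl> <in|out> interface <iface>
            self.bindings[f"{parts[4]} {parts[2]}"] = parts[1]
        else:
            raise ValueError(f"unmodelled command: {cmd}")

    def unfiltered(self, iface: str, direction: str = "in") -> bool:
        bound = self.bindings.get(f"{iface} {direction}")
        return bound is None or bound not in self.acls


def open_window(cmds: List[str], iface: str, initial_acl: str,
                initial_aces: List[str]) -> int:
    """Start with initial_acl bound inbound on iface, replay cmds, and return
    how many command steps end with the interface unfiltered."""
    fw = FirewallModel(acls={initial_acl: list(initial_aces)},
                       bindings={f"{iface} in": initial_acl})
    exposed = 0
    for cmd in cmds:
        fw.apply(cmd)
        if fw.unfiltered(iface):
            exposed += 1
    return exposed


if __name__ == "__main__":
    current = ["permit tcp 10.1.0.0 255.255.0.0 any eq 80", "deny ip any any"]
    bad = remove_then_replace("INSIDE_IN", "inside", SAMPLE_ACES)
    good = build_then_swap("INSIDE_IN", "INSIDE_IN_V2", "inside", SAMPLE_ACES)
    print("remove-then-replace exposed steps:",
          open_window(bad, "inside", "INSIDE_IN", current))
    print("build-then-swap exposed steps:",
          open_window(good, "inside", "INSIDE_IN", current))
```

With the three sample ACEs, remove-then-replace leaves the interface unbound for four steps (the clear plus every ACE line), while build-then-swap never does, because the old ACL stays bound until the new one has replaced it. The cost of the safe order is that the deployment tool has to alternate ACL names (or append a version suffix) rather than reusing one fixed name, which is the change the post asks the vendor for.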