Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Bronze

Tool to manage ASA/PIX/IOS ACLs

Does anyone know of a tool that manages ASA/PIX/IOS ACLs? I am looking for a tool that can maintain shared policies and allow for local policies as well. Using the shared policies, I would like to be able to make one change to the policy and have it reflected to all the devices that share that policy.

I have evaluated Cisco Security Manager. I like the way the Access-rule portion functions, but I don't need it to manage any other part of my firewall configs. I have seen a bug where CSM wasn't able to detect port speed of the ASA5505. This bug would have left a large portion of our network down and unreachable for some time. Being able to use CSM to manage only the ACLs of my devices would reduce the chances of a bug bringing down my network and leaving the devices unreachable.

I also evaluated Solsoft Policy Server. This is a very slick approach to managing access on a network, but is a bit pricey. I may revisit this in the future if I am still in need of a solution.

I appreciate any suggestions.

Thank you,

Mark

7 REPLIES
New Member

Re: Tool to manage ASA/PIX/IOS ACLs

solar winds provides a really good if expensive management agent don't know if it does what you want it to exactly but it is worth a look.

Bronze

Re: Tool to manage ASA/PIX/IOS ACLs

Thanks Scott,

You are probably referring to Cirrus network management. I forgot to mention that I had evaluated this product as well. It does have a nice policy reporting feature, but I found that I could not insert ACEs in the middle of an ACL with this tool like I could with Cisco Security Manager. The entries would go to the bottom of the ACL no matter where you configured it within the device config. This is the main reason I decided against using Cirrus. I don't think it was very expensive though.

Thanks again for your reply

Mark

New Member

Re: Tool to manage ASA/PIX/IOS ACLs

A google search turned up this http://www.cyberoperations.com/accesscontrolacl.html

seems like the kind of thing

Bronze

Re: Tool to manage ASA/PIX/IOS ACLs

Scott,

This may be what I am looking for! From what little I have read about it so far, I can see that you do understand what I am looking for. I am going to read more about it. Thank you for the link.

Thanks,

Mark

jim
New Member

Re: Tool to manage ASA/PIX/IOS ACLs

From what I could tell that application only managed ACL's on routers. I could be mistaken.

We reviewed an application from Solsoft which does several flavors of firewalls, vpn concentrators, and acls on routers. Might want to give them a look.

http://www.solsoft.com

Bronze

Re: Tool to manage ASA/PIX/IOS ACLs

Jim,

Solsoft did present their policy server solution to us. Like I said earlier, it does appear to be a good product, but is a little pricey.

The Cyberoperations product does support various routers and firewalls to include PIX. I have a demo server being shipped to me. I will post my results to this forum.

Thanks,

Mark

Bronze

Re: Tool to manage ASA/PIX/IOS ACLs

I was able to demo the Cyberoperations "ACL Compliance Director" product. It is infact the type of product I was looking for. It is very user friendly and offers some nice features for centrally managing ACLs. They are also open to suggestions to their product. I had suggested per device overrides for the network groups that you can configure that are kind of like object-groups on PIX/ASA firewalls even though they are not actually sent to the device during the ACL deployment. They are looking to implement this as well as a color code for ACLs that will show up in the Target summary list so I would be able to see at a glance that my policies were assigned to my devices as I had intended. There were a couple of other smaller suggestions too. They are more than willing to work with you on your needs. I would recommend this product to anyone that is looking for this type of product.

NOTE: One issue that I haven't heard back on is that with PIX firewalls the ACL is first removed and then replaced by the new updated ACL. During testing I found that it took ~10 seconds before the ACL was reapplied. During this time, the access was wide open from the inside interface. I had suggested using a incrementing ACL solution where the ACL would first be configured and then applied to the interface replacing the old ACL which could then be removed. I haven't heard back on this suggestion yet. This only affects the PIX and ASA currently, but they are looking to use ssh/tftp or ssh/ftp or ssh/sftp to deploy the ACL to the ASA the way they do on routers currently. This is suppose to remove the ~10 second delay issue that I see on the PIX.

177
Views
5
Helpful
7
Replies
CreatePlease to create content