Cisco ISR Firewall/CSM Management Question...

wmcdonald
Level 1

Wasn't sure if this should be posted in the "Security" section or "Network Infrastructure" section. Anyway here we go:

We currently use Cisco Security Manager (CSM) to manage 36 pairs of ASAs and ASA-Xs in field offices around our province. We have built 2 separate CSM policies (one for the ASAs and the other for the ASA-Xs), so when we need to add or remove a firewall rule we can add it to the two policies and then push it out to the remote ASAs.

This ensures that we have consistent firewall rule policies at our remote sites. We don't currently manage anything else with CSM, it is strictly used for managing ASA firewalls.

Now we have 6 new types of remote offices that I need to implement. The difference with these sites is that, instead of using ASAs for local security policies (due to budgetary reasons), I will be implementing 2911 ISRs and running the IOS firewall to secure the site.

My question:

Can I build a new CSM policy for the IOS firewall implementations at the sites? I'd love to have a policy with common object groups and exceptions built into it so I can push the same policy to the 6 sites (just like what I'm doing for the ASA firewalls).

I'm not super interested in managing the whole ISR configuration with CSM, just the firewall portion (if possible).

Any input would be appreciated.

Thanks!

Willie

1 Reply

mclarenh
Level 1

Yes, absolutely. It supports ZBFW as well. It takes a bit of thinking through, and it's worth doing a lab setup first, but if you get it right it's really easy to maintain.

As an example, I look after a medium-sized VPN (70+ branch offices, each with a 1921 ISR, coming back to an ASA headend). The VPN stuff is all handled in CSM, and we use a single zone-based firewall policy across all the edge routers to enforce separation between user and management networks. In fact, the ISRs all have essentially identical config mandated by CSM policies, and the only things that change are interface IP addresses and hostnames :-)

--hugh
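A minimal ISR zone-based firewall configuration of the kind the reply describes (user LAN kept apart from the management network, users inspected out to the WAN), added here as an example and not taken from the thread or from any CSM deployment; the zone names, interface names and subnets are assumed:

```cisco
! Constructed example: three zones, with no zone-pair from USERS to MGMT,
! so that direction is dropped by ZBFW's default deny between zones.
zone security USERS
zone security MGMT
zone security WAN
!
! Assumed subnets: users 10.10.0.0/16, management hosts 10.250.0.0/24
ip access-list extended ACL-USERS-TO-WAN
 permit ip 10.10.0.0 0.0.255.255 any
!
ip access-list extended ACL-MGMT-TO-USERS
 permit tcp 10.250.0.0 0.0.0.255 10.10.0.0 0.0.255.255 eq 22
 permit udp 10.250.0.0 0.0.0.255 10.10.0.0 0.0.255.255 eq snmp
!
class-map type inspect match-all CM-USERS-TO-WAN
 match access-group name ACL-USERS-TO-WAN
class-map type inspect match-all CM-MGMT-TO-USERS
 match access-group name ACL-MGMT-TO-USERS
!
! Stateful inspection for matched flows; everything else is dropped and logged
policy-map type inspect PM-USERS-TO-WAN
 class type inspect CM-USERS-TO-WAN
  inspect
 class class-default
  drop log
policy-map type inspect PM-MGMT-TO-USERS
 class type inspect CM-MGMT-TO-USERS
  inspect
 class class-default
  drop log
!
zone-pair security ZP-USERS-WAN source USERS destination WAN
 service-policy type inspect PM-USERS-TO-WAN
zone-pair security ZP-MGMT-USERS source MGMT destination USERS
 service-policy type inspect PM-MGMT-TO-USERS
!
interface GigabitEthernet0/0
 description WAN uplink (assumed)
 zone-member security WAN
interface GigabitEthernet0/1
 description User LAN (assumed)
 zone-member security USERS
interface GigabitEthernet0/2
 description Management network (assumed)
 zone-member security MGMT
```

Traffic to the router itself goes through the implicit self zone, which ZBFW permits unless a zone-pair to or from self is defined, so management access to the ISR is unaffected by the pairs above.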
