

Cisco Security Manager: Managing ACLs and Flexconfig

Was wondering if there were any CSM gurus out there that might be able to help explain something to me.

Query is for CSM 4.3.

In the Policy Object Manager under the "Access Control Lists" I have defined a number of ACLs. These are not firewall ACLs, but are used for things like defining interesting traffic for protocols such as WCCP.

As there is no policy defined for WCCP, I am having to use a Flexconfig to put WCCP config on an ASA (running 8.3).

My problem is, I can't seem to get CSM to deploy the ACLs I've defined, along with the WCCP Flexconfig, even though I have referenced (via variables) the ACLs in the Flexconfig script.

I would have thought, like any other object you define in CSM, if you make use of an object in a policy that's being deployed to a device, CSM realises that you need to deploy the object to the device and does it. A good example is host, network and group objects that are deployed to a device as part of firewall rules. If you define a firewall rule that makes use of object 'A' and put that in a rule policy, CSM realises that you need to define object 'A' on any devices that the policy containing the rule with object 'A' is being deployed to. Hence, we don't have issues with firewall rule insertion failing because they reference an object that doesn't actually exist on the device.

Does this work with Flexconfigs? If not, how can I have CSM deploy the ACLs that I've defined to a device before deploying the Flexconfig script that sets up WCCP in such a way that it's referencing the ACLs? I really want to avoid defining the ACLs I want to use in more Flexconfig script.