
Info on CSM 4.4

ericlamer
Level 1

Hi,

I am evaluating CSM 4.4 and have some questions; I hope someone can answer them.

I imported the config of my most complicated firewall and have these issues:

1- CSM does not support EIGRP:

    router eigrp 115
    no auto-summary
    distribute-list eigrpACL_Out out interface inside
    distribute-list eigrpACL_In in interface inside
    eigrp stub static
    network x.x.x.x 255.255.255.192
    passive-interface default
    no passive-interface inside

2- This is not imported into CSM:

    access-list TNGCnat3 extended permit ip host x.x.x.x host y.y.y.y
    static (inside,outside) z.z.z.z  access-list TNGCnat3

3- When importing the config, these are reported as not supported:

Line 6:terminal width 170
Line 2358:ip audit signature 1000 disable
Line 2393:no asdm history enable
Line 2395:no arp permit-nonconnected
Line 2742:timeout tcp-proxy-reassembly 0:01:00
Line 2743:timeout floating-conn 0:00:00
Line 2754:service resetinbound
Line 2828:tls-proxy maximum-session 1000
Line 2830:threat-detection basic-threat
Line 2831:threat-detection statistics access-list
Line 2832:no threat-detection statistics tcp-intercept
Line 2911:prompt hostname context state
Line 2912:no call-home reporting anonymous

4- On my firewall I have site-to-site VPN but they are not imported into CSM.

Thanks.

1 Reply

georgeburtz
Level 1

4.4 is a big improvement over previous versions, but there are still a lot of commands it does not support. What I have had to do is, when I do a discovery/import of a device, I save a copy of the report and create a FlexConfig with the unsupported CLI to be appended to the deployed config. We only use it for non-critical ASA config due to that issue. No one trusts it enough to use it for the 5585s we have in the data center core. Multi-context ASAs work, but it seems a little kludgy.

VPNs are a bit tricky too. After discovering the device, you have to do a separate discovery for VPN policies and go through that rigamarole.

On the positive..

Image manager is excellent. You can create deployment packages w/ all the files you need (base code, asdm, anyconnect pkg files) and push them out w/ one click.

The event viewer is what we really bought it for. Being able to see all the traffic in one place is worth the cost of the product, IMO.

Cisco should really take a look at Checkpoints management server if they want to see it done right.
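The workflow in the reply above (save the discovery report, carry the unsupported CLI into a FlexConfig so it is re-applied on deployment) is easy to get wrong by hand, because the report mixes cosmetic commands such as "terminal width" with ones whose silent loss weakens the firewall, such as the threat-detection and ip audit lines in the question. The script below is an added example, not CSM's own tooling or the posters' code. It assumes the report entries look exactly like the "Line N:command" lines quoted in the question (the sample is constructed from them), and the list of command families treated as security-relevant is this example's own assumption, not a CSM classification.

```python
import re

# Constructed sample: the unsupported-command entries from the CSM discovery
# report quoted in the question, in the "Line N:command" form it prints.
SAMPLE_REPORT = """\
Line 6:terminal width 170
Line 2358:ip audit signature 1000 disable
Line 2393:no asdm history enable
Line 2395:no arp permit-nonconnected
Line 2742:timeout tcp-proxy-reassembly 0:01:00
Line 2743:timeout floating-conn 0:00:00
Line 2754:service resetinbound
Line 2828:tls-proxy maximum-session 1000
Line 2830:threat-detection basic-threat
Line 2831:threat-detection statistics access-list
Line 2832:no threat-detection statistics tcp-intercept
Line 2911:prompt hostname context state
Line 2912:no call-home reporting anonymous
"""

REPORT_LINE = re.compile(r"^Line\s+(\d+):(.*)$")

# Assumption of this example: command families whose loss changes the
# firewall's security posture rather than just its console behaviour.
# Matched against the CLI with any leading "no " removed.
SECURITY_RELEVANT = (
    "threat-detection",
    "ip audit",
    "arp permit-nonconnected",
    "service resetinbound",
    "timeout",
    "tls-proxy",
)


def parse_report(text):
    """Return [(line_no, cli)] for every 'Line N:command' entry.

    Lines that do not match the report format are ignored, so the function
    can be fed the whole saved report rather than a hand-trimmed excerpt.
    """
    entries = []
    for raw in text.splitlines():
        m = REPORT_LINE.match(raw.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2).strip()))
    return entries


def is_security_relevant(cli):
    """True if the command (ignoring a leading 'no ') belongs to a flagged family."""
    body = cli[3:] if cli.startswith("no ") else cli
    return any(body.startswith(family) for family in SECURITY_RELEVANT)


def split_for_review(entries):
    """Separate the entries a reviewer must sign off on from cosmetic ones."""
    relevant = [cli for _, cli in entries if is_security_relevant(cli)]
    cosmetic = [cli for _, cli in entries if not is_security_relevant(cli)]
    return relevant, cosmetic


def build_flexconfig(entries):
    """Emit the CLI to append after deployment, keeping the original order.

    Order is preserved (sorted by source line number) so that a 'no' form
    never lands before the command it negates.
    """
    ordered = sorted(entries, key=lambda e: e[0])
    return "".join(cli + "\n" for _, cli in ordered)


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    relevant, cosmetic = split_for_review(parsed)
    print(f"{len(parsed)} unsupported commands, "
          f"{len(relevant)} security-relevant, {len(cosmetic)} cosmetic")
    print("--- FlexConfig append block ---")
    print(build_flexconfig(parsed), end="")
```

Run it against the saved report instead of the embedded sample by reading the file into `parse_report`; the security-relevant list is the part to review before the FlexConfig is attached, since those are the commands that would otherwise vanish from the deployed config without any error.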
