03-14-2013 07:19 AM - edited 02-21-2020 04:51 AM
Hi,
I am evaluating CSM 4.4 and have some questions; I hope someone can answer them.
I imported the config of my most complicated firewall and have these issues:
1- CSM does not support EIGRP
router eigrp 115
no auto-summary
distribute-list eigrpACL_Out out interface inside
distribute-list eigrpACL_In in interface inside
eigrp stub static
network x.x.x.x 255.255.255.192
passive-interface default
no passive-interface inside
2- This is not imported into CSM
access-list TNGCnat3 extended permit ip host x.x.x.x host y.y.y.y
static (inside,outside) z.z.z.z access-list TNGCnat3
3- When importing the config, these are not supported:
Line 6:terminal width 170
Line 2358:ip audit signature 1000 disable
Line 2393:no asdm history enable
Line 2395:no arp permit-nonconnected
Line 2742:timeout tcp-proxy-reassembly 0:01:00
Line 2743:timeout floating-conn 0:00:00
Line 2754:service resetinbound
Line 2828:tls-proxy maximum-session 1000
Line 2830:threat-detection basic-threat
Line 2831:threat-detection statistics access-list
Line 2832:no threat-detection statistics tcp-intercept
Line 2911:prompt hostname context state
Line 2912:no call-home reporting anonymous
4- On my firewall I have site-to-site VPNs, but they are not imported into CSM.
Thanks.
04-18-2013 07:46 AM
4.4 is a big improvement over previous versions, but there are still a lot of commands it does not support. What I have had to do is, when I do a discovery/import of a device, save a copy of the report and create a FlexConfig with the unsupported CLI to be appended to the deployed config. We only use it for non-critical ASA config due to that issue. No one trusts it enough to use it for the 5585s we have in the data center core. Multi-context ASAs do work, but it seems a little kludgy.
VPNs are a bit tricky too. After discovering the device, you have to do a separate discovery for VPN policies and go through that rigmarole.
On the positive...
Image manager is excellent. You can create deployment packages w/ all the files you need (base code, asdm, anyconnect pkg files) and push them out w/ one click.
The event viewer is what we really bought it for. Being able to see all the traffic in one place is worth the cost of the product, IMO.
Cisco should really take a look at Check Point's management server if they want to see it done right.
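The workaround described in the reply (save the discovery report, put the unsupported CLI into a FlexConfig appended to the deployed config) as an added Python example; this is not code from the thread or from Cisco. It parses the "Line N:command" report format quoted in the first post against a constructed running config, carries indented mode sub-commands (such as the router eigrp block) along with their parent, and adds the check a practitioner wants afterwards: confirming that the appended commands actually ended up on the device. All function names, the sample report and the sample config are my own.

```python
import re
# Constructed sample of a CSM discovery report, in the "Line N:command" format
# quoted in the first post (line numbers are made up to fit the config below).
REPORT = """\
Line 1:terminal width 170
Line 3:router eigrp 115
Line 7:no asdm history enable
Line 8:threat-detection basic-threat
Line 10:timeout floating-conn 0:00:00
"""

# Constructed running config whose line numbers match REPORT.
RUNNING_CONFIG = """\
terminal width 170
hostname fw1
router eigrp 115
 no auto-summary
 eigrp stub static
 no passive-interface inside
no asdm history enable
threat-detection basic-threat
no threat-detection statistics tcp-intercept
timeout floating-conn 0:00:00
"""

def parse_report(report):
    """Map each reported config line number to the unsupported command text."""
    return {int(m.group(1)): m.group(2).strip()
            for m in re.finditer(r"^Line (\d+):(.*)$", report, re.MULTILINE)}

def flexconfig_body(config, report):
    """Collect the unsupported CLI (plus mode sub-commands) to paste into a FlexConfig.
    Raises ValueError if the report and the config are out of step."""
    lines = config.splitlines()
    out = []
    for lineno, command in sorted(parse_report(report).items()):
        idx = lineno - 1
        if idx >= len(lines) or lines[idx].strip() != command:
            raise ValueError(f"line {lineno} does not match report entry {command!r}")
        out.append(lines[idx])
        # A mode command (e.g. router eigrp) is followed by indented sub-commands
        # that the flat report never lists; carry them along so the block stays whole.
        idx += 1
        while idx < len(lines) and lines[idx].startswith(" "):
            out.append(lines[idx])
            idx += 1
    return "\n".join(out)

def missing_after_deploy(flexconfig, deployed_config):
    """Post-deployment check: which appended commands did not make it onto the device?"""
    present = {line.strip() for line in deployed_config.splitlines()}
    return [line.strip() for line in flexconfig.splitlines() if line.strip() not in present]
```

Run flexconfig_body against the saved report and a fresh copy of the running config, paste the result into the FlexConfig object, and after deployment feed the device's new running config to missing_after_deploy; a non-empty list means a security-relevant line such as threat-detection basic-threat was silently dropped.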