
Can anyone please let me know if there are any tools to do VPN assessment on Cisco firewalls?

erssgss21
Level 1

Hi All,

Can anyone please tell me if there are any tools to do the VPN assessment on Cisco VPN firewalls.

The same firewall is configured with IPSec VPNs (LAN-to-LAN as well as Easy VPN) and SSL VPN (Cisco AnyConnect as well as Web VPN).

The assessment tool should analyze the VPN configuration that is done on the firewall.

We want to analyze if there are any security gaps with respect to configuration. Please let me know if there are any tools to do the assessment.

Thank you.

regards,

Reddeppa Reddy

6 Replies

Marvin Rhoads
Hall of Fame

Nothing like that is built into the firewall. I suggest review by a qualified engineer.

One small bit I do handle with a tool is to check your SSL VPN using the Qualys SSL testing site. It's quick and free and will tell you about your certificate setup and cipher support.

Thank you for your response. 

I heard about Cisco Security Manager from a different channel. Can this CSM be of any help? Please let me know.

CSM (a separate product) can help evaluate your ACL logic with its ability to do automatic conflict detection:

http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/411/user/guide/CSMUserGuide/fwaccess.html?bookSearch=true#pgfId-363857

That covers things like are your rules conflicting with one another.

More important in that respect, auditing-wise, is whether the rules are current and justified by the business needs they are designed to meet.

CSM also does not give you an overall health check for security vulnerabilities, following best practices, etc. That requires a qualified engineer.

It's also probably a bit more than what would be called for to look at a single firewall or two. It requires a server and the list price for the entry level package (L-CSMST5-4.12-K9 Cisco Security Manager 4.12 Standard - 5 Device Limit) is US$2000.

OK. Understood. Thank you so much for your time in responding to my queries.

regards,

Reddeppa Reddy

Can you please let me know if Cisco CLI analyzer will be of any help?

Thank you.

regards,

Reddeppa Reddy

Cisco CLI Analyzer will also do some checks for basic best practices and look for things like unused configuration bits such as ACLs, etc.

What exactly is the motivation for wanting to do "VPN Assessment"? If you explain your objectives, it is easier to assist you in meeting them.
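As an added illustration of the kind of configuration checks discussed in this thread (ACLs that are defined but never referenced, and IKEv1 policies that still use weak parameters), here is a small Python script. It is not part of any Cisco tool and was not posted by anyone in the thread; the ASA-style configuration excerpt it parses is constructed for the example.

```python
import re
from collections import defaultdict

# Constructed ASA-style configuration excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list L2L_PARTNER extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list OLD_VPN_FILTER extended permit ip any any
access-group OUTSIDE_IN in interface outside
crypto map OUTSIDE_MAP 10 match address L2L_PARTNER
crypto ikev1 policy 10
 encryption 3des
 hash md5
 group 2
crypto ikev1 policy 20
 encryption aes-256
 hash sha
 group 14
"""

# IKEv1 policy settings generally considered too weak for a current deployment.
WEAK_IKEV1 = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2"}}


def find_unused_acls(config):
    """Return ACL names that are defined but never referenced by any other line."""
    lines = config.splitlines()
    defined = set()
    for line in lines:
        m = re.match(r"access-list (\S+)", line)
        if m:
            defined.add(m.group(1))
    unused = []
    for name in sorted(defined):
        pattern = re.compile(r"\b" + re.escape(name) + r"\b")
        # A reference is any line mentioning the name that is not its own definition.
        referenced = any(
            pattern.search(line) and not line.startswith("access-list " + name + " ")
            for line in lines
        )
        if not referenced:
            unused.append(name)
    return unused


def find_weak_ikev1_policies(config):
    """Map each IKEv1 policy number to the weak settings found inside it."""
    weak = defaultdict(list)
    policy = None
    for line in config.splitlines():
        m = re.match(r"crypto ikev1 policy (\d+)", line)
        if m:
            policy = int(m.group(1))
            continue
        if policy is not None and line.startswith(" "):
            key, _, value = line.strip().partition(" ")
            if value in WEAK_IKEV1.get(key, ()):
                weak[policy].append(key + " " + value)
        else:
            policy = None  # any non-indented line ends the policy block
    return dict(weak)


if __name__ == "__main__":
    print("Unused ACLs:", find_unused_acls(SAMPLE_CONFIG))
    print("Weak IKEv1 policies:", find_weak_ikev1_policies(SAMPLE_CONFIG))
```

Run it against `show running-config` output saved to a file by reading that file into `SAMPLE_CONFIG`; it is a starting point for a review, not a replacement for the engineer review recommended above.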