ISO flow-based policy editor for PIX

Discussion in 'Cisco' started by Walter Roberson, Apr 27, 2005.

  1. I am searching for a flow-based policy editor / configuration
    generator suitable for use with PIX.

    For example, I would like to be able to say that group A in PIX#1
    can initiate SMTP connections to group B in PIX#2, and I would
    like the editor to have the smarts to know that that would mean
    that SMTP must be opened outwards on PIX#1 -and- that SMTP must
    be opened inward on PIX#2.

    Even better: if I say that group A in PIX#1 can initiate connections
    to a UDP port at group B on PIX#2 (oh, say UDP 518, ntalk), then
    as well as the obvious outward/inward ACL entries, the editor should
    have the ability to automatically generate the -reversed- entries
    to allow for the connection to resume after UDP timeouts. For example,

    access-list pix1_outwards permit udp object-group pix1_A object-group pix2_B eq 518
    access-list pix2_inwards permit udp object-group pix1_A object-group pix2_B eq 518
    access-list pix1_inwards permit udp object-group pix2_B eq 518 object-group pix1_A
    access-list pix2_outwards permit udp object-group pix2_B eq 518 object-group pix1_A

    The editor would ideally also know that if PIX#1 and PIX#2 are
    marked as connectable via VPN, that if necessary the appropriate
    crypto map entries should be generated, and that the crypto map match address
    ACL should if necessary be updated to allow the flow.

    The editor would, if I were fortunate, also know all about NAT and
    about allowed NAT exemptions, and would know to generate statics
    for outside access inward (and to skip the statics if all the
    access was over nat-exempted VPNs). In generating the statics and ACLs
    it would be good if it took into account how each location appears to
    the other. In the example above, if the objects in pix1_A were
    nat'd on the way out of PIX#1 towards PIX#2, then the outside ACL
    for PIX#2 (pix2_inwards in the above) should know to use the nat'd
    address rather than the internal address... unless nat exemption
    was in effect. [I could live without it knowing about policy NAT,
    at least for a couple of software releases.]

    And if the editor was able to handle VPN relaying (send traffic
    from A to C via B so as to avoid a filter between A and C), I'd be
    a happier camper.

    I have been evaluating CiscoWorks VMS (VPN Management Solution),
    and it does not do any flow management. One can define objects
    and have them apply to hierarchies of groups, but when one
    wants A to reach B, one has to click in the ACL entries against A
    and then go and click in the ACL entries against B.

    Cisco used to have CSM (Cisco Security Manager) but I believe that
    was discontinued... and it was certainly a nuisance to move
    subnets around in.

    My goal is to drastically reduce inconsistencies between the
    configurations of our (mostly meshed) PIXes. We have somewhere over 100
    internal flows, and over 1000 total flows (dang distributed Exchange
    servers), and when I add a new flow then I would rather not have to go
    through the O(N^2) adjustment process that can result.

    I wrote a config generation tool (almost completely in C Preprocessor!)
    which took me some time to get going right... but I'm the only
    one that understands it, and it is rule based rather than flow based
    so it doesn't know to generate matching or reversed flows automatically.
    The tool is -helping- but it still means looking through thousands
    of lines of config... and making the inevitable typos...

    Any sufficiently advanced bug is indistinguishable from a feature.
    -- Rich Kulawiec
    Walter Roberson, Apr 27, 2005
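A small flow-to-ACL generator in the spirit of what the post asks for, added here as an example (it is not Walter's C Preprocessor tool nor any product named in the thread): the PIX names, object-group names and the nat_group field are assumptions, and it follows the post's rules, i.e. outward/inward entries on both PIXes, reversed entries for UDP flows, and the translated object-group wherever the initiators are seen beyond their own PIX, as pre-8.3 PIX ACLs match on global addresses.

```python
"""Flow-to-ACL generator for PIX: a hypothetical model of the editor the post describes."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Flow:
    src_pix: str            # PIX behind which the initiating group sits, e.g. "pix1"
    src_group: str          # object-group of the initiators on that PIX
    dst_pix: str
    dst_group: str
    proto: str              # "tcp" or "udp"
    port: int
    # Assumed field: object-group holding the translated (global) addresses of
    # src_group as seen beyond src_pix; None when no NAT or nat exemption applies.
    nat_group: Optional[str] = None


def acl_lines(flow: Flow) -> List[str]:
    """ACL lines one flow implies on both PIXes: outward on src_pix and inward on
    dst_pix always; for UDP also the reversed entries so replies still match after
    the UDP idle timeout has dropped the connection slot (as the post describes)."""
    seen_remotely = flow.nat_group or flow.src_group   # real name only inside src_pix
    fwd = "permit {p} object-group {s} object-group {d} eq {port}"
    rev = "permit {p} object-group {d} eq {port} object-group {s}"
    kw = dict(p=flow.proto, d=flow.dst_group, port=flow.port)
    lines = [
        f"access-list {flow.src_pix}_outwards " + fwd.format(s=flow.src_group, **kw),
        f"access-list {flow.dst_pix}_inwards " + fwd.format(s=seen_remotely, **kw),
    ]
    if flow.proto == "udp":
        lines += [
            f"access-list {flow.src_pix}_inwards " + rev.format(s=seen_remotely, **kw),
            f"access-list {flow.dst_pix}_outwards " + rev.format(s=seen_remotely, **kw),
        ]
    return lines


def generate(flows: List[Flow]) -> Dict[str, List[str]]:
    """Group all lines per access-list, de-duplicated and sorted, so adding one
    flow regenerates both PIXes consistently instead of hand-editing each ACL."""
    acls: Dict[str, set] = {}
    for flow in flows:
        for line in acl_lines(flow):
            acls.setdefault(line.split()[1], set()).add(line)   # word 1 is the ACL name
    return {name: sorted(entries) for name, entries in sorted(acls.items())}


if __name__ == "__main__":
    # Constructed sample: the ntalk flow from the post plus a NAT'd SMTP flow.
    sample = [Flow("pix1", "pix1_A", "pix2", "pix2_B", "udp", 518),
              Flow("pix1", "pix1_A", "pix2", "pix2_B", "tcp", 25, nat_group="pix1_A_global")]
    for name, entries in generate(sample).items():
        print("\n".join(entries))
```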

  2. Brian (Guest), in reply to Walter Roberson

    Brian, Apr 27, 2005

  3. In article <>,
    Brian <> wrote:

    :Take a look at Solsoft (

    Thanks, that was indeed a useful link. Their product appears to
    do pretty much everything I asked for in my post.

    I was puzzled, though, to see that they only have about 200
    customers... puzzled until I saw the prices, that is. :(
    I wonder if they give a noticeable government discount? ;-)

    I suspect the only chance I have of getting those prices past
    our management is if we can convince other parts of our organization
    to join in. Unfortunately I would not consider that a particularly
    likely outcome.

    Usenet is like a slice of lemon, wrapped around a large gold brick.
    Walter Roberson, Apr 28, 2005
