FlexConfig policies allow you to configure device commands that are not otherwise supported by Security Manager. By using FlexConfigs, you can extend Security Manager's control over a device configuration and take advantage of new device features before upgrading the product.
FlexConfig policies are made up of FlexConfig objects. These objects are essentially subroutines that can include scripting language commands, device commands, and variables. You can configure an object to be processed prior to applying the Security Manager configuration to a device, or you can have it processed after the configuration. Security Manager processes your objects in the order you specify so that you can create objects whose processing depends on the processing of another object. A FlexConfig policy object's contents can range from a single simple command string to elaborate CLI command structures that incorporate scripting and variables.
Understanding policies and objects is central to understanding and using FlexConfig policy objects. For more information on how Security Manager defines and uses policies, see Chapter 6, "Managing Policies," and for information on how Security Manager defines and uses objects, see Chapter 8, "Managing Policy Objects."
The following topics describe FlexConfig policies and policy objects and how to use them:
•Understanding FlexConfig Policies and Policy Objects
•Configuring FlexConfig Policies and Policy Objects
FlexConfig policy objects are used in FlexConfig policies. They allow you to configure device features that are not otherwise supported by Security Manager, or to otherwise fine-tune your device configurations. These policy objects include device configuration commands, variables, and optionally, scripting language instructions to control processing. FlexConfig objects are essentially programming routines to add content to the device configurations that Security Manager generates.
You can create FlexConfig policy objects from scratch or you can duplicate one of the objects that are included with Security Manager.
FlexConfig policies are simply an ordered list of FlexConfig policy objects. Your objects are processed in the order that you specify.
The following topics help you understand FlexConfig policy objects and by extension, FlexConfig policies. For more information about policy objects in general, see Chapter 8, "Managing Policy Objects."
•Using CLI Commands in FlexConfig Policy Objects
•Using Scripting Language Instructions
•Understanding FlexConfig Object Variables
•Predefined FlexConfig Policy Objects
The configuration commands that you enter into the FlexConfig Editor are actual CLI commands used to configure devices, such as PIX Firewalls and Cisco IOS Routers. You can include CLI commands that are not supported in Security Manager. You are responsible for knowing and implementing the command according to the proper syntax for the device type. See the command reference for the particular operating system for more information.
When you create a Flexconfig policy object, you determine whether the commands and instructions should be added to the beginning or end of the configuration that is generated from regular Security Manager policies:
•Prepended objects—FlexConfig objects that are processed at the beginning of the configurations. If Security Manager policies configure any of the same commands included in the object, the prepended commands are replaced when configuration files are deployed.
•Appended objects—FlexConfig objects that are processed at the end of the configurations, after all other commands in the configuration file and before the write mem command.
If the appended commands are already configured on the device, the device generates an error when you try to add them again. To resolve this, two workarounds are available:
–Enter the command that removes the configuration in question as an appended command. For example, if the command is xyz, enter the following two lines:
no xyz
xyz
–Change the setting that controls the action the device takes on a deployment error to "warn." This is set under Tools > Security Administration > Deployment.
This setting applies to every command deployed to every device, not only to appended commands, so genuine deployment failures are also reported as warnings. Prefer the first workaround, and review the deployment results carefully if you change this setting.
Note If you are deploying to a device, you should remove most appended commands after the initial deployment. This is especially true for object groups, where any unbound object group is replaced in the Ending Command section during command generation, then re-sent each time the configuration is deployed to a device. The device displays an error because the firewall device shows that the object group already exists. If you are deploying to a file or AUS, the appended commands should remain.
You can use scripting language instructions in a FlexConfig policy object to control how the commands in the object are processed. Scripting language instructions are a subset of commands supported in the Velocity Template Engine, a Java-based scripting language that supports looping, if/else statements, and variables.
Security Manager supports all Velocity Template Engine directives except #include and #parse. For information about the other supported directives, see the Velocity Template Engine documentation.
The following topics provide examples of the most commonly used functions:
•Scripting Language Example 1: Looping
•Scripting Language Example 2: Looping with Two-Dimensional Arrays
•Scripting Language Example 3: Looping with If/Else Statements
A plain old telephone service (POTS) dial peer enables incoming calls to be received by a telephony device by associating a telephone number to a voice port. The following example enables caller ID for a set of POTS dial peers.
Object Body
#foreach ($peer_id in ["2", "3", "4"])
dial-peer voice $peer_id pots
caller-id
#end
CLI Output
dial-peer voice 2 pots
caller-id
dial-peer voice 3 pots
caller-id
dial-peer voice 4 pots
caller-id
In this example, a set of phone numbers is associated to voice ports so that incoming calls can be received at a router.
Object Body
#foreach ($phone in [ [ "2000", "15105552000", "1/0/0" ], [ "2100",
"15105552100", "1/0/1" ], [ "2200", "15105552200", "1/0/2" ] ] )
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
port $phone.get(2)
#end
CLI Output
dial-peer voice 2000 pots
destination-pattern 15105552000
port 1/0/0
dial-peer voice 2100 pots
destination-pattern 15105552100
port 1/0/1
dial-peer voice 2200 pots
destination-pattern 15105552200
port 1/0/2
In this example, a set of phone numbers is associated to voice ports so that incoming calls can be received at a router. In addition, another set of phone numbers is associated to IP addresses to enable Voice over IP outgoing calls from the router. An empty voice port in a row marks a peer that is reached over IP: the #if/#else directive emits a VoIP dial peer with a session target for those rows and a POTS dial peer with a port for the rest (session target is a command of voip dial peers, not pots dial peers).
Object Body
#foreach ( $phone in [ [ "2000", "15105552000", "1/0/0", "" ],
[ "2100", "15105552100", "1/0/1", "" ],
[ "2200", "15105552200", "", "ipv4:150.50.55.55" ],
[ "2300", "15105552300", "", "ipv4:150.50.55.55" ] ] )
#if ( $phone.get(2) == "" )
dial-peer voice $phone.get(0) voip
destination-pattern $phone.get(1)
session target $phone.get(3)
#else
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
port $phone.get(2)
#end
#end
CLI Output
dial-peer voice 2000 pots
destination-pattern 15105552000
port 1/0/0
dial-peer voice 2100 pots
destination-pattern 15105552100
port 1/0/1
dial-peer voice 2200 voip
destination-pattern 15105552200
session target ipv4:150.50.55.55
dial-peer voice 2300 voip
destination-pattern 15105552300
session target ipv4:150.50.55.55
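The directive semantics that the three scripting examples rely on can be exercised offline before an object is deployed. The following Python is an added example, not Security Manager code or part of the original documentation: it models only the constructs that appear in these examples (#foreach over a list literal or a list-valued variable, #if/#else/#end comparing a string, #set, $var and $var.get(n)) and embeds the Example 3 object body so its expansion can be compared with the CLI Output shown. In that body the peers that carry a session target are written as voip dial peers, because session target is a VoIP dial-peer command; the pots peers keep their port. It is not a Velocity engine, and $variables it cannot resolve (for example, system variables with no value supplied) are left in place.

```python
"""Offline expansion of the FlexConfig scripting subset used on this page.

Added example, not Security Manager code. Models only the constructs in the
scripting examples: #foreach over a JSON-style list literal or a list-valued
variable, #if/#else/#end with a string comparison, #set, $var and $var.get(n).
Variables not in scope are left in place. It is not a Velocity engine.
"""
import json
import re

GET = re.compile(r"\$(\w+)\.get\((\d+)\)")
VAR = re.compile(r"\$(\w+)")
FOREACH = re.compile(r"^#foreach\s*\(\s*\$(\w+)\s+in\s+(.*)\)\s*$")
IF = re.compile(r'^#if\s*\(\s*(.+?)\s*(==|!=)\s*"([^"]*)"\s*\)\s*$')
SET = re.compile(r"^#set\s*\(\s*\$(\w+)\s*=\s*(.*?)\s*\)\s*$")

# Object body of Scripting Language Example 3, with voip dial peers for the
# rows that use a session target (session target is a VoIP dial-peer command).
EXAMPLE_3 = """\
#foreach ( $phone in [ [ "2000", "15105552000", "1/0/0", "" ],
[ "2100", "15105552100", "1/0/1", "" ],
[ "2200", "15105552200", "", "ipv4:150.50.55.55" ],
[ "2300", "15105552300", "", "ipv4:150.50.55.55" ] ] )
#if ( $phone.get(2) == "" )
dial-peer voice $phone.get(0) voip
destination-pattern $phone.get(1)
session target $phone.get(3)
#else
dial-peer voice $phone.get(0) pots
destination-pattern $phone.get(1)
port $phone.get(2)
#end
#end
"""

def _lines(body):
    """Stripped non-empty lines; a #foreach header whose list literal wraps
    across several lines (as in Examples 2 and 3) is re-joined into one."""
    out = []
    for line in filter(None, map(str.strip, body.splitlines())):
        if out and out[-1].startswith("#foreach") and out[-1].count("(") > out[-1].count(")"):
            out[-1] += " " + line
        else:
            out.append(line)
    return out

def _block(lines, i):
    """Lines inside the directive opened at lines[i], split at its own #else
    (empty else-part if none), and the index just after the matching #end."""
    depth, j, split = 1, i + 1, None
    while depth:
        line = lines[j]
        if line.startswith(("#foreach", "#if")):
            depth += 1
        elif line == "#end":
            depth -= 1
        elif line == "#else" and depth == 1:
            split = j
        j += 1
    end = j - 1
    if split is None:
        return lines[i + 1:end], [], j
    return lines[i + 1:split], lines[split + 1:end], j

def substitute(text, scope):
    """Resolve $var.get(n) and $var; names not in scope are left untouched."""
    text = GET.sub(lambda m: str(scope[m.group(1)][int(m.group(2))])
                   if m.group(1) in scope else m.group(0), text)
    return VAR.sub(lambda m: str(scope.get(m.group(1), m.group(0))), text)

def _value(expr, scope):
    """A list or string literal (JSON syntax) or the value of a $variable."""
    expr = expr.strip()
    return json.loads(expr) if expr[0] in '["' else scope[expr.lstrip("$")]

def _render(lines, scope):
    out, i = [], 0
    while i < len(lines):
        line = lines[i]
        if m := FOREACH.match(line):
            body, _, i = _block(lines, i)
            for item in _value(m.group(2), scope):
                out += _render(body, {**scope, m.group(1): item})
        elif m := IF.match(line):
            then, els, i = _block(lines, i)
            lhs = substitute(m.group(1), scope)
            out += _render(then if (lhs == m.group(3)) == (m.group(2) == "==") else els, scope)
        elif m := SET.match(line):
            scope[m.group(1)], i = _value(m.group(2), scope), i + 1
        else:
            out.append(substitute(line, scope))
            i += 1
    return out

def render(body, scope=None):
    """Expand a FlexConfig object body into the CLI lines it generates."""
    return _render(_lines(body), dict(scope or {}))
```

render(body, scope) returns the generated CLI lines. The scope dictionary stands in for the values Security Manager would supply for text and system variables; a list-valued entry is what #foreach iterates over in this model, which is how a dimension-2 variable such as SYS_VPN_PUBLIC_INTERFACES is assumed to behave here.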
Variables in FlexConfig policy objects start with the $ character. For example, in the following line, $inside is a variable:
interface $inside
There are three types of variables you can use in a FlexConfig policy object:
•Policy object variables—Static variables that reference a specific property. For example, Text objects are a type of policy object variable. They are a name and value pair, and the value can be a single string, a list of strings, or a table of strings. Their flexibility allows you to enter any type of textual data to be referenced and acted upon by any policy object.
There are three ways to add policy object variables to a FlexConfig policy object. First, move the cursor to the desired location, and then:
–Right-click and select Create Text Object. This command opens a dialog box where you can create a simple single-value text object and assign it a value. When you click OK, the variable is added to the object, and it is added to the list of defined Text objects in the Policy Object Manager window so that you can use it in other objects or edit its definition. For an example of creating simple text variables, see Example of FlexConfig Policy Object Variables.
–Right-click and select a policy object type from the Insert Policy Object sub-menu. These commands open a selector dialog box where you can select the specific policy object that contains the variable that you want to insert. After selecting the policy object, you are presented with the Property Selector dialog box, where you choose the specific property of the object that you want to use and optionally change the name of the variable associated with the property.
By using this technique, you can add a property from an existing policy object when you know that the property has the value that you want to use. For example, if you want to insert a variable that specifies the RADIUS protocol from the AAA Server Group policy object named RADIUS, you would right-click, select Insert Policy Object > AAA Server Group, select RADIUS in the AAA Server Group Selector dialog box, click OK, and then select Protocol in the Object Property field on the AAA Server Group Property Selector dialog box and click OK. The $protocol variable is inserted at the cursor, and the value for the property as defined in the selected object is added to the variables list.
–Type in a variable name. If you type in a variable, you cannot assign it a value until you click OK on the Add or Edit FlexConfig dialog box. You will be prompted that a variable is undefined, and given the opportunity to define its value. In the FlexConfig Undefined Variable dialog box, you can select the object type of the policy object that contains the desired value, which will prompt you to select the specific policy object and variable. This is essentially identical to the process for inserting policy object variables described above. The technique you use is a matter of personal preference; the end result is the same.
•System variables—Dynamic variables that reference a value during deployment when the configuration is generated. The values are obtained from either the target device or policies configured for the target device. You can declare system variables to be optional in FlexConfig policy objects, which means that the variables do not need to be assigned a value for it to be deployed to the device.
To insert a system variable into a FlexConfig policy object, move the cursor to the desired location, right-click, and select the variable from the Insert System Variable sub-menus. For a description of the available system variables, see FlexConfig System Variables.
•Local variables—Variables that are local to the looping and assignment directives (the #foreach and #set statements). Local variables get their values directly from the Velocity Template Engine; you do not supply values for them.
To insert a local variable, simply type it in. When you click OK on the Add or Edit FlexConfig dialog box, you will be asked if you want to define the undefined variable. You can click No, or if you click Yes to define other variables, you can leave the object type of the local variable as Undefined.
Using CLI commands and variables, you can create a FlexConfig policy object to name the inside interface and crypto map on a Cisco router:
interface $inside
crypto map $mapname
The following example shows how to create a FlexConfig policy object that adds these commands and configures the value of $inside as serial0 and $mapname as my_crypto.
When you add the FlexConfig policy object to a device, and the configuration is generated, the following output is created:
interface serial0
crypto map my_crypto
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager Window, page F-1).
Step 2 Select FlexConfigs from the table of contents. The table in the right pane lists the existing FlexConfig objects.
Step 3 Right-click in the table and select New Object. The Add FlexConfig dialog box appears (see Add or Edit FlexConfig Dialog Box, page F-48).
Step 4 Enter a name and optionally a description for the object.
Tip You can also enter a group name. Groups help you find FlexConfig objects if you create a lot of them. Either type in a group name, or select an existing one from the drop-down list.
Step 5 Keep Appended for Type so that the commands are added at the end of the device configuration.
Step 6 Create the content of the object:
a. Click in the FlexConfig edit box (the large white box) and type in interface followed by a space.
b. Right-click and select Create Text Object.
c. In the Create Text Object dialog box, enter inside as the name and serial0 as the value. Click OK to add the variable.
d. Press Enter to move to the next line and type crypto map followed by a space.
e. Right-click and select Create Text Object.
f. In the Create Text Object dialog box, enter mapname as the name and my_crypto as the value. Click OK to add the variable.
Step 7 Click the Validate FlexConfig icon button above the edit box to check the integrity and deployability of the object. If any errors are identified, fix them.
Step 8 Click OK to save the policy object. You can now add the object to a device's local or shared FlexConfig policy.
System variables reference values during deployment when commands are generated. Security Manager provides a set of defined system variables for you to use in defining FlexConfig policy objects. The values come from the policies you create for the target devices. The values for these variables are required unless otherwise noted. For information about these variables, see the following tables:
•Device system variables—Table 18-1. For more information about discovering or configuring devices to obtain values for these variables, see Chapter 5, "Managing the Device Inventory."
•Firewall system variables—Table 18-2. For more information about firewall policies, see Chapter 16, "Managing IPS Devices" and Chapter 11, "Managing Firewall Services."
•Router platform system variables—Table 18-3. For more information about router policies, see Chapter 12, "Managing IPS Services."
•VPN system variables—Table 18-4. For more information about VPN policies, see Chapter 9, "Managing Site-to-Site VPNs."
•Remote access system variables—Table 18-5. For more information about remote access policies, see Chapter 10, "Managing Remote Access VPNs."
Table 18-4 VPN System Variables

Variables related to the VPN in which a device participates. For more information, see Using the Create VPN Wizard, page 9-14. Configure VPNs to generate values for these variables.

| Name | Dimension | Description |
|---|---|---|
| SYS_VPN_TOPOLOGY | 1 | Virtual private network (VPN) topology type. Possible values are HUB_AND_SPOKE, POINT_TO_POINT, and FULL_MESH. |
| SYS_VPN_TOPOLOGY_NAME | 1 | Name of the VPN topology in which the device participates. |
| SYS_VPN_TOPOLOGY_ROLE | 1 | Role of the device in the VPN. Possible values are PEER, HUB, and SPOKE. |

Variables related to devices in the VPN in which a device participates. For more information, see Using the Create VPN Wizard, page 9-14. Configure VPNs to generate values for these variables.

| Name | Dimension | Description |
|---|---|---|
| SYS_VPN_HOST_NAME | 1 | Device hostname. |
| SYS_VPN_LOCAL_PREFIXES | 2 | Interface and network IP addresses of protected networks. |
| SYS_VPN_PRIVATE_INTERFACES | 2 | Private interface names. |
| SYS_VPN_PRIVATE_TUNNEL_ENDPT_IP | 1 | Interface tunnel IP address. |
| SYS_VPN_PUBLIC_INTERFACES | 2 | Public interface names. |
| SYS_VPN_TUNNEL_ENDPT_INTERFACE_IP | 1 | IP address of the VPN endpoint. In IPsec, the endpoint is the VPN interface; in GRE, it is the tunnel source. |
| SYS_VPN_TUNNEL_ENDPT_INTERFACE_NAME | 1 | Name of the VPN endpoint. In IPsec, the endpoint is the VPN interface; in GRE, it is the tunnel source. |
| SYS_VPN_VPNSM_PUBLIC_IFC | 2 | Export port names for Catalyst 6000 series switches. |

Variables related to the remote peers of a device. For more information, see Using the Create VPN Wizard, page 9-14. Configure VPNs to generate values for these variables.

| Name | Dimension | Description |
|---|---|---|
| SYS_VPN_REM_PEER_BAK_LOGICAL_PRIVATE_IP | 3 | Interface tunnel IP addresses of remote peers of failover hubs. Used by DMVPN for Next Hop Resolution Protocol (NHRP). |
| SYS_VPN_REM_PEER_BAK_PREFIX | 3 | Protected networks (interface and network IP addresses) of remote peers of failover hubs. |
| SYS_VPN_REM_PEER_BAK_PUBLIC_IP | 3 | Public interface names of remote peers of failover hubs. |
| SYS_VPN_REM_PEER_BAK_TUNNEL_SRC | 3 | IP address of the VPN endpoint of remote peers. In IPsec, the endpoint is the VPN interface; in GRE, it is the tunnel source. |
| SYS_VPN_REM_PEER_DEVICE_NAME | 2 | Device hostnames of remote peers. |
| SYS_VPN_REM_PEER_LOGICAL_PRIVATE_IP | 2 | Interface tunnel IP addresses of remote peers. Used by DMVPN for Next Hop Resolution Protocol (NHRP). |
| SYS_VPN_REM_PEER_PREFIX | 3 | Protected networks (interface and network IP addresses) of remote peers. |
| SYS_VPN_REM_PEER_PRIVATE_IP | 2 | Private interface names of remote peers. |
| SYS_VPN_REM_PEER_PUBLIC_IP | 2 | Public interface names of remote peers. |
| SYS_VPN_REM_PEER_TUNNEL_SRC | 2 | Tunnel sources of remote peers (when the peer's tunnel interface defines one). |

Variables related to IPsec Proposal policies. For more information, see Configuring IPsec Proposals, page 9-51, and Configuring High Availability in Your VPN Topology, page 9-41. Configure the IPsec Proposal policy to generate values for these variables.

| Name | Dimension | Description |
|---|---|---|
| SYS_VPN_CRYPTO_MAP_TYPE | 1 | Crypto map type. Possible values are STATIC and DYNAMIC. |
| SYS_VPN_DYNAMIC_CRYPTO_NAME | 1 | Dynamic crypto map name. |
| SYS_VPN_DYNAMIC_CRYPTO_NUM | 1 | Dynamic crypto map number. |
| SYS_VPN_STATIC_CRYPTO_NAME | 1 | Static crypto map name. |
| SYS_VPN_STATIC_CRYPTO_NAME_BAK | 1 | Static crypto map name of failover hubs. |
| SYS_VPN_STATIC_CRYPTO_NUM | 2 | Static crypto map number. |
| SYS_VPN_STATIC_CRYPTO_NUM_BAK | 2 | Static crypto map number of failover hubs. |

Variables related to Preshared Key and IKE Proposal policies. For more information, see Configuring Preshared Key Policies, page 9-57.

| Name | Dimension | Description |
|---|---|---|
| SYS_VPN_IKE_AUTHENTICATION_MODE | 1 | Authentication method of the IKE policy. Possible values are pre-share, rsa-sig, rsa-encr, and dsa-sig. Configure an IKE Proposal policy to generate values for this variable. |
| SYS_VPN_IKE_PRIORITY | 1 | Priority number of the IKE policy. Configure an IKE Proposal policy to generate values for this variable. |
| SYS_VPN_NEGOTIATION_MODE | 1 | Negotiation method. Possible values are MAIN_ADDRESS, MAIN_HOST, and AGGRESSIVE. Configure a Preshared Key policy to generate values for this variable. |

Variables related to GRE Modes policies. For more information, see Configuring GRE or GRE Dynamic IP Policies, page 9-65.

| Name | Dimension | Description |
|---|---|---|
| SYS_VPN_BAK_TUNNEL_IFC | 2 | Tunnel interface number of remote peers of failover hubs, for example, tunnel0. Configure VPNs to generate values for this variable. |
| SYS_VPN_SIGP_PROCESS_NUMBER | 1 | Process number of the interior gateway protocol (IGP). Configure GRE Modes policies to generate values for this variable. |
| SYS_VPN_SIGP_ROUTING_PROTOCOL | 1 | Type of secured interior gateway protocol (IGP) used. Possible values are STATIC, OSPF, EIGRP, RIPV2, BGP, and ODR. Configure GRE Modes policies to generate values for this variable. |
| SYS_VPN_SPOKE_TO_SPOKE_CONN | 1 | Whether DMVPN is configured for spoke-to-spoke connectivity. Possible values are true and false. Configure GRE Modes policies to generate values for this variable. |
| SYS_VPN_TUNNEL_IFC | 2 | Tunnel interface number of remote peers, for example, tunnel0. Configure VPNs to generate values for this variable. |

Variables related to virtual routing and forwarding (VRF). For more information, see Configuring VRF-Aware IPsec Settings, page 9-38. Configure VPN VRF settings to generate values for these variables.

| Name | Dimension | Description |
|---|---|---|
| SYS_VPN_VRF_AREA_ID | 1 | OSPF area ID numbers (used when OSPF is the chosen routing protocol). |
| SYS_VPN_VRF_MPLS_INTERFACE_IP | 1 | Multiprotocol Label Switching (MPLS) interface IP addresses. |
| SYS_VPN_VRF_MPLS_INTERFACE_NAME | 1 | MPLS interface names. |
| SYS_VPN_VRF_NAME | 1 | VRF names. |
| SYS_VPN_VRF_PROCESS_NUMBER | 1 | Interior gateway protocol (IGP) process numbers. |
| SYS_VPN_VRF_RD | 1 | Route distinguisher (RD) values. |
| SYS_VPN_VRF_ROUTING_PROTOCOL | 1 | Interior gateway protocol (IGP) values. The IGP routes from the IPsec aggregator toward the Provider Edge (PE)/MPLS network. Possible values are STATIC, OSPF, EIGRP, RIPV2, and BGP. |
| SYS_VPN_VRF_SOLUTION | 1 | Virtual routing and forwarding (VRF) solution. Possible values are 1BOX and 2BOX. |

Variables related to certificate authority policies. For more information, see Configuring Public Key Infrastructure Policies, page 9-61.

| Name | Dimension | Description |
|---|---|---|
| SYS_VPN_CA_NAME | 2 | Certificate authority (CA) names. Configure PKI policies to generate values for this variable. |

Variables related to Easy VPN. For more information, see Understanding Easy VPN, page 9-71.

| Name | Dimension | Description |
|---|---|---|
| SYS_VPN_EZVPN_GROUP_NAME | 2 | User group names. Configure User Group policies to generate values for this variable. |

Variables related to dial backup configurations. For more information, see Configuring Dial Backup, page 9-29.

| Name | Dimension | Description |
|---|---|---|
| SYS_VPN_RTR_WATCH | 1 | The rtr/watch number. Configure dial backup to generate values for this variable. |

Variables related to Group Encrypted Transport (GET) VPN. For more information, see Understanding Group Encrypted Transport (GET) VPNs, page 9-82.

| Name | Dimension | Description |
|---|---|---|
| SYS_GDOI_GROUP_NAME | 1 | Name of the Group Domain of Interpretation (GDOI) group. Configure the Group Encryption policy to generate values for this variable (Tools > Site-to-Site VPN Manager > Group Encryption Policy > Group Settings). |
| SYS_GM_GET_ENABLED_INTF_NAME | 1 | VPN-enabled outside interface to the provider edge (PE). Traffic originating or terminating on this interface is evaluated for encryption or decryption, as appropriate. Configure group members to generate values for this variable (Tools > Site-to-Site VPN Manager > Group Members). |
| SYS_IPSEC_PROFILE_NAME | 1 | Name of the profile that defines the parameters used for IPsec encryption between two group members. Configure the Group Encryption policy to generate values for this variable (Tools > Site-to-Site VPN Manager > Group Encryption Policy > Security Associations). |
| SYS_KS_REG_INTERFACE | 0 | Interface on the key server that handles Group Domain of Interpretation (GDOI) registrations. If no registration interface is specified, GDOI registrations can occur on any interface. Configure key servers to generate values for this variable (Tools > Site-to-Site VPN Manager > Key Servers). |
Security Manager provides predefined FlexConfig policy objects for you to use. These policy objects have predefined commands and scripting.
Predefined FlexConfig policy objects are read-only objects. To edit these predefined FlexConfig policy objects, duplicate the desired object, make changes to the copy, and save it with a new name. This way, the original predefined FlexConfigs remain unchanged. For lists of these predefined policy objects and further information on each, see the following tables:
•Predefined ASA FlexConfig Policy Objects—Table 18-6
•Predefined Catalyst FlexConfig Policy Objects—Table 18-7
•Predefined Cisco IOS FlexConfig Policy Objects—Table 18-8
•Predefined PIX Firewall FlexConfig Policy Objects—Table 18-9
•Predefined Router FlexConfig Policy Objects—Table 18-10
You create and manage FlexConfig policy objects in the same way that you create other policy objects. The following topics describe how to create FlexConfig policies and policy objects. For information on other tasks you can perform with FlexConfig policy objects (such as deleting them), see Working with Policy Objects—Basic Procedures, page 8-3.
•A FlexConfig Creation Scenario
•Creating FlexConfig Policy Objects
This scenario takes you through the steps to set up Media Gateway Control Protocol (MGCP) for an ASA device using one of the predefined FlexConfig policy objects that are shipped with Security Manager. MGCP is used by the call agent application to control media gateways (devices that convert telephone circuit audio to data packets). Security Manager does not support MGCP configuration, but you can use a FlexConfig policy object to provide a configuration. This illustrates how FlexConfigs enable you to customize, for your network, what is not otherwise supported in Security Manager.
In this scenario, you do the following:
1. Create a policy object by duplicating an existing policy object.
2. Assign the policy object to a device.
3. Preview the configuration to verify that it is correct.
4. Share the policy object with another device.
5. Deploy the configuration to the devices.
You can use this scenario as an example to implement other features by creating copies of and modifying predefined FlexConfig policy objects or by creating your own objects.
Before You Begin
Add two ASA devices to Security Manager for this scenario.
Step 1 Duplicate the FlexConfig policy object by doing the following:
a. Select Tools > Policy Object Manager to open the Policy Object Manager (see Policy Object Manager Window, page F-1).
b. Select FlexConfigs from the table of contents. The table in the right pane lists the existing FlexConfig objects.
c. Right-click ASA_MGCP FlexConfig and select Create Duplicate. The Add FlexConfig dialog box appears (see Add or Edit FlexConfig Dialog Box, page F-48).
d. Enter a name for the new FlexConfig object, for this example, MyASA_MGCP.
e. Enter a new group name and a description of the object.
Tip The group name and description are optional. We recommend you establish descriptions and groups for objects you create.
f. Click OK. The new FlexConfig object appears in the list.
Step 2 Duplicate and edit the $callAgentList text object.
The original ASA_MGCP FlexConfig object uses the variable $callAgentList, which is a text object. The text object is read-only and cannot be edited. Duplicating the text object enables you to edit the duplicate object to apply to your network settings.
a. Select Text Objects from the table of contents.
b. Right-click callAgentList and select Create Duplicate. The Add Text Object dialog box appears.
c. Edit the name of the text object. For this example change it to mycallAgentList.
d. Double-click the first value in column A and enter the IP address for a call agent in your network. For this example, change the value to 10.10.10.10.
e. Double-click the first value in column B and enter the port number for a call agent in your network. For this example, change the value to 105.
f. Change the IP address and port number values for another call agent. For this example, change the IP address to 20.20.20.20 and the port number to 106. Or, if you have only one call agent in your network, you could remove the second row in the table by decreasing the number in the Number of Rows field. Similarly, if you have more than two call agents, you can add rows by increasing the number in this field.
This concept is similar for increasing and decreasing the number of columns by increasing or decreasing the Number of Columns field.
g. Click OK. The new text object appears in the list of text objects.
Step 3 Edit the new FlexConfig policy object to use the new variable by doing the following:
a. Select FlexConfigs from the table of contents.
b. Double-click MyASA_MGCP. The Edit FlexConfig dialog box appears.
c. Edit $callAgentList to read $mycallAgentList.
d. Click OK.
A warning appears that reads: "The following variables are undefined: mycallAgentList Define them now?"
e. Click Yes to the warning.
The FlexConfig Undefined Variables dialog box appears with mycallAgentList listed in the Variable Name column.
f. From the Object Type list, select Text Objects. The Text Objects window appears.
g. Select mycallAgentList from the Available Text Objects list and click OK.
h. In the FlexConfig Undefined Variables window, click OK.
The mycallAgentList variable appears in the Variables list of the Edit FlexConfig dialog box.
i. In the Edit FlexConfig dialog box, click OK.
j. Close the Policy Object Manager window.
Step 4 Assign the new FlexConfig policy object to a device by doing the following:
a. From the Device view, select the device for which you want to set up MGCP.
b. Select FlexConfigs from the Policy selector. The FlexConfigs Policy page appears.
c. Click the Add button. The FlexConfigs Selector dialog box appears.
d. Select the new MyASA_MGCP FlexConfig policy object and click >> to add the policy object to the Selected FlexConfigs column.
You can select multiple policy objects at one time by holding either the Ctrl (for multiple selections) or Shift (for multiple continuous selections) keys while selecting.
e. Click OK.
The MyASA_MGCP policy object is added to the Appended FlexConfigs table, because the object is set to be appended to the configuration. You configure FlexConfig policy objects that you want added to the beginning of the configuration as prepended policy objects.
f. Click Save.
Step 5 Preview the commands before they are generated and sent to the device by doing the following:
a. From the FlexConfigs Policy page, select the MyASA_MGCP policy object.
b. Click Preview.
The commands that are generated with this FlexConfig policy object and the values assigned to the selected device appear. Note the changed values:
class-map sj_mgcp_class
match access-list mgcp_list
exit
mgcp-map inbound_mgcp
call-agent 10.10.10.10 105
call-agent 20.20.20.20 106
gateway 10.10.10.115 101
gateway 10.10.10.116 102
command-queue 150
exit
policy-map inbound_policy
class sj_mgcp_class
inspect mgcp inbound_mgcp
exit
exit
service-policy inbound_policy interface outside
Step 6 If you have additional ASA devices that require MGCP, you can share this policy with them by doing the following:
a. Right-click FlexConfigs in the Policy selector and select Share Policy.
The Share Policy dialog box appears.
b. Enter a name for the policy and click OK. For this example, enter MyShared_ASA_MGCP.
The banner above the FlexConfigs policy now shows that the device is using a shared policy and displays the name of the policy.
c. In the FlexConfigs banner, click the link in the Assigned To field. In this example, the link should be labeled 1 Device, which indicates that this shared policy is assigned to one device (the device you are viewing).
Clicking the link opens the Shared Policy Assignments dialog box. Using this dialog box, you can select the other devices that should use this policy in the Available Devices list, and click >> to add them to the list of devices that are assigned the policy.
d. Click OK. The Shared Policy Assignments dialog box closes, and the additional devices you selected are configured to use the shared policy. The link in the banner changes to indicate the number of devices that now use this policy (in this example, 2 Devices).
Tip You can also share policies from Policy view. Select View > Policy View, select FlexConfigs in the policy type selector, select the MyShared_ASA_MGCP policy, click the Assignments tab, select the devices to which you want to assign the policy, click >>, and then click Save.
Step 7 Submit your changes and deploy the configurations to the devices. For information about deploying configurations, see Working with Deployment and the Configuration Archive, page 17-15.
You can create FlexConfig policy objects to configure features on devices that are not supported by Security Manager. For more information about FlexConfig objects, see Understanding FlexConfig Policies and Policy Objects.
Tip You can also create FlexConfig policy objects when defining policies or objects that use this object type. For more information, see Selecting Objects for Policies, page 8-2.
Before You Begin
Ensure that your commands do not conflict in any way with the VPN or firewall configuration on the devices.
Keep the following in mind:
•Security Manager does not manipulate or validate your commands; it simply deploys them to the devices.
•If there is more than one set of commands for an interface, only the last set of commands is deployed. Therefore, we recommend you not use beginning and ending commands to configure interfaces.
•When editing FlexConfig objects that involve route-maps (for example, OSPF or multicast route-maps), you must define the corresponding access control lists (ACLs) before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, you will get a deployment error.
Related Topics
•A FlexConfig Creation Scenario
•Working with Policy Objects—Basic Procedures, page 8-3
•Creating Policy Objects, page 8-4
•Chapter 6, "Managing Policies"
Step 1 Select Tools > Policy Object Manager to open the Policy Object Manager window (see Policy Object Manager Window, page F-1).
Step 2 Select FlexConfigs from the Policy Object Type selector.
Step 3 Right-click inside the work area and select New Object.
The Add FlexConfig Object dialog box appears (see Add or Edit FlexConfig Dialog Box, page F-48).
Step 4 Enter a name for the object and optionally a description. Other optional informational fields include:
•Group—Select an existing group name or type in a new one. These names can help you identify the use of an object.
•Negate For—If this FlexConfig object is designed to negate another, enter the name of the FlexConfig object whose commands are undone by this object.
Step 5 In the Type field, select whether commands in the object are to be prepended (put at the beginning) or appended (put at the end) of the configurations generated from Security Manager policies.
Step 6 In the object body area, enter the commands and instructions to produce the desired configuration file output. You can type in the following types of data:
•Scripting commands to control processing. For more information, see Using Scripting Language Instructions.
•CLI commands that are supported by the operating system running on the devices to which you will deploy the FlexConfig policy object. For more information, see Using CLI Commands in FlexConfig Policy Objects.
•Variables. You can insert variables using the right-click menu, which allows you to create simple single-value text variables (Create Text Object), select variables from existing policy objects (Insert Policy Object), or select system variables (Insert System Variable). For more information, see Understanding FlexConfig Object Variables.
Tip If you want to remove a variable, select it in the object body and click the Cut button or press the Backspace or Delete key. When you click OK to save your changes, the variable is removed from the list of variables.
Step 7 Click the Validate FlexConfig icon button above the object body to check the integrity and deployability of the object.
Step 8 Click OK to save the object.
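The following script is an added example; it is not Security Manager code and does not appear in this guide. It shows what an object body looks like when the three kinds of data from Step 6 are combined (CLI commands, Velocity Template Language variables, and a #foreach scripting loop over a dimension-1 array), and it runs the kind of pre-deployment checks that the Before You Begin notes and the Validate button describe: every referenced variable has a value unless it is optional, no user variable uses the SYS_ prefix reserved for system variables, a route-map never references an access list that is not defined earlier in the prepended-then-appended deployment order, and no interface is configured by more than one object (since only the last set of commands would be deployed). The object bodies, variable names, and values are constructed for the example, and the renderer covers only the small VTL subset used here; it is a stand-in for the Velocity engine, not the engine Security Manager uses.

```python
# Added example (not Security Manager code): pre-deployment checks for
# FlexConfig object bodies.  Object bodies and values are constructed.
import re

# Constructed object bodies in Velocity Template Language: $name is a
# variable, #foreach iterates a dimension-1 (list) variable.
ACL_OBJECT = """\
access-list $acl_name extended permit ip $inside_net 255.255.255.0 any
"""
ROUTEMAP_OBJECT = """\
route-map $rmap_name permit 10
 match ip address $acl_name
exit
#foreach ($iface in $iface_list)
interface $iface
 description managed by FlexConfig
exit
#end
"""
# Constructed values, as they would be entered in the Values Assignment dialog box.
VALUES = {
    "acl_name": "pbr_inside",
    "inside_net": "10.1.1.0",
    "rmap_name": "pbr_map",
    "iface_list": ["GigabitEthernet0/1", "GigabitEthernet0/2"],
}

VAR_RE = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
FOREACH_RE = re.compile(r"^#foreach\s*\(\s*\$(\w+)\s+in\s+\$(\w+)\s*\)$")
ACL_DEF_RE = re.compile(r"^access-list\s+(\S+)")
ACL_REF_RE = re.compile(r"^\s*match ip address\s+(\S+)")
IFACE_RE = re.compile(r"^interface\s+(\S+)")

def check_variables(body, values, optional=()):
    """Each referenced variable needs a value unless it is optional; no user
    variable may use the SYS_ prefix, which is reserved for system variables."""
    loop_vars = {m.group(1) for line in body.splitlines()
                 if (m := FOREACH_RE.match(line.strip()))}
    problems = []
    for name in sorted(set(VAR_RE.findall(body)) - loop_vars):
        if name.startswith("SYS_"):
            continue  # system variable: the server supplies its value at deployment
        if name not in values and name not in optional:
            problems.append(f"variable ${name} has no value")
    problems += [f"user variable ${n} uses the reserved SYS_ prefix"
                 for n in values if n.startswith("SYS_")]
    return problems

def _subst(line, values):
    # Replace $name with its value; unknown names are left as written.
    return VAR_RE.sub(lambda m: str(values.get(m.group(1), m.group(0))), line)

def render(body, values):
    """Render the VTL subset used here (scalar substitution and #foreach over
    a list).  A stand-in for the Velocity engine, not the engine itself."""
    lines, out, i = body.splitlines(), [], 0
    while i < len(lines):
        m = FOREACH_RE.match(lines[i].strip())
        if m:
            loop_var, collection = m.groups()
            end = lines.index("#end", i)
            for item in values[collection]:
                out += [_subst(l, {**values, loop_var: item})
                        for l in lines[i + 1:end]]
            i = end + 1
        else:
            out.append(_subst(lines[i], values))
            i += 1
    return out

def check_order(rendered_objects):
    """Walk rendered objects in deployment order (prepended first, then
    appended): a route-map must not reference an ACL that is not yet defined,
    and an interface must not be configured by more than one object."""
    problems, acls, iface_owner = [], set(), {}
    for obj, lines in rendered_objects:
        for line in lines:
            if m := ACL_DEF_RE.match(line):
                acls.add(m.group(1))
            elif (m := ACL_REF_RE.match(line)) and m.group(1) not in acls:
                problems.append(f"{obj}: route-map references ACL "
                                f"{m.group(1)} before it is defined")
            elif m := IFACE_RE.match(line):
                owner = iface_owner.setdefault(m.group(1), obj)
                if owner != obj:
                    problems.append(f"{obj}: interface {m.group(1)} already "
                                    f"configured in {owner}; only the last "
                                    "set of commands is deployed")
    return problems

def lint(ordered_objects, values):
    """Run all checks over (name, body) pairs listed in deployment order."""
    problems = [f"{name}: {p}" for name, body in ordered_objects
                for p in check_variables(body, values)]
    if problems:  # cannot render until every variable has a value
        return problems
    return check_order([(n, render(b, values)) for n, b in ordered_objects])
```

Calling lint([("ACL", ACL_OBJECT), ("RMAP", ROUTEMAP_OBJECT)], VALUES) returns an empty list, while reversing the two objects returns the ordering problem the guide warns about (the route-map references pbr_inside before the access list that defines it). The same check applies when you reorder objects with the Up and Down arrows on the FlexConfig Policy page.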
You can assign FlexConfig policies to devices using either Device view or Policy view (for shared policies) by selecting FlexConfigs from the policy selector. You can deploy configurations containing these policies as you would deploy any configuration generated by Security Manager. For a scenario that takes you through setting up a FlexConfig policy object and creating a shared FlexConfig policy, see A FlexConfig Creation Scenario.
When you edit a FlexConfig policy, you can perform the following actions:
•Add FlexConfig objects—To add a FlexConfig object to a policy, click the Add icon button and select the desired object. You can also create new objects from the object selector dialog box. The objects are added to the prepended or appended list depending on how the objects themselves are defined.
•Remove FlexConfig objects—If you no longer want to include an object in the policy, select it and click the Remove icon button. This action removes the object from the policy, but it does not delete the object from Security Manager. For information on deleting objects, see Deleting Objects, page 8-8.
•Change the order of the objects—Objects are processed in the order you specify. If an object depends on the processing of another object, it is important that you order them correctly. Select the object whose order you want to change and click the Up or Down arrow buttons until the object is in the desired location.
When changing the order of FlexConfig objects that involve route-maps (for example, OSPF or multicast route-maps), make sure that the corresponding access control lists (ACLs) are defined before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, you will get a deployment error.
•Change the values assigned to the variables used in a policy object—If you want to configure a variable with a different value for a particular device (creating a device-level override for the object), select the object and click Values. In the Values Assignment dialog box, click in the Values cell to change the value. For more information, see Values Assignment Dialog Box.
•Preview the CLI that will be generated for a policy object—In Device view, you can view the CLI that will be generated for a policy object by selecting the object and clicking Preview. This is especially useful for checking that the CLI commands generated are what you intend to implement on the device.
Note During deployment, when the FlexConfig policy objects are compiled on the Security Manager server, the correct system variable values and settings are used to generate commands. However, because the Preview function does not have access to these values the way it normally would during deployment, it might not display some CLI commands. In addition, because the Preview function generates CLI commands on the client, some macros used in FlexConfig policy objects reflect client settings instead of server settings.
Related Topics
•Understanding FlexConfig Policies and Policy Objects
•Creating FlexConfig Policy Objects
•Chapter 6, "Managing Policies"
•Chapter 17, "Managing Deployment"
Use the FlexConfig Policy page to create FlexConfig policies. FlexConfig policies contain ordered lists of FlexConfig policy objects, which are subroutines that allow you to extend the ability of Security Manager to configure your devices. For more information on FlexConfig policy objects, see Understanding FlexConfig Policies and Policy Objects.
Navigation Path
•(Device view) Select FlexConfigs from the Policy selector.
•(Policy view) Select FlexConfigs from the Policy Type selector and select an existing policy or click the Create a Policy button to create a new one.
Related Topics
•Creating FlexConfig Policy Objects
•Chapter 18, "Managing FlexConfigs"
Field Reference
Element | Description
---|---
Prepended FlexConfigs | The FlexConfig policy objects that are added to the beginning of the configuration. The objects are processed in the order shown.
Appended FlexConfigs | The FlexConfig policy objects that are added to the end of the configuration. The objects are processed in the order shown.
Values button | Click this button to view, modify, or validate the values assigned to the variables used in the selected FlexConfig policy object using the Values Assignment Dialog Box.
Preview button (Device view only) | Click this button to view the CLI commands that will be generated for the selected FlexConfig policy object. In Policy view, you can preview CLI by first clicking Values, selecting a device in the Values Assignment dialog box, and clicking Preview.
Up/Down arrow buttons | Click these buttons to move the selected object up or down in the list. The objects are processed in the displayed order, so it is important that an object whose processing depends on the processing of another object comes after the object it depends on.
Add button | Click this button to add a FlexConfig policy object to the policy. The object itself defines whether it will be added to the prepended or appended list. You can create new FlexConfig objects or select existing ones.
Edit button | Click this button to edit the selected FlexConfig policy object. Your changes affect all devices that use the edited object; your changes are not local policy object overrides for the device. Note: If you selected a predefined FlexConfig policy object packaged with Security Manager, or an object for which you do not have edit permission, you are allowed only to view the object definition.
Remove button | Click this button to remove the selected object from the policy. The object is not deleted from Security Manager; it is simply removed from the FlexConfig policy.
Use the Values Assignment dialog box to view the variables used in a FlexConfig policy object, validate the object, or preview the CLI generated from the object. For more information, see Understanding FlexConfig Object Variables.
Navigation Path
Select an object and click Values from the FlexConfig Policy Page.
Field Reference
Element | Description
---|---
Assigned Devices (Policy view only) | The devices to which the shared FlexConfig policy has been assigned. Select the device for which you want to display variable values.
Name | The name of the variable.
Value | The value to use for the variable. To change the value, double-click the cell. When you change this value, Security Manager creates a device-level override for the policy object. If the policy object is configured so that its values cannot be overridden, you cannot edit the value. If there is no default value for the variable, you must provide a value unless it is an optional variable.
Default Value | The value assigned to the variable in the policy object. Double-click this cell to view the definition of the policy object that defines the variable's value.
Override | Whether you can override the value of the variable. You can edit the value of only those variables that have a checkmark in this column.
Object Property | The property of the object. For a detailed explanation, see Add or Edit FlexConfig Dialog Box.
Dimension | The structure of the data in the variable: 0 is a scalar (a single string); 1 is a one-dimensional array (a list of strings); 2 is a two-dimensional table (a table of strings).
Optional | Whether the variable value can be empty.
Description | A description of the variable.
Validate button | Click this button to validate the Velocity Template Language syntax and make sure that all required variables have values, that variables do not start with SYS_, and that referenced policy objects exist.
Preview button | Click this button to display the generated CLI commands for the selected FlexConfig policy object.
Use the FlexConfig Preview dialog box to view the generated CLI commands based on the variables of the selected object defined in the FlexConfig policy.
Navigation Path
To open the FlexConfig Policy Preview dialog box, do one of the following:
•In the Values Assignment Dialog Box, click Preview. In Policy view, you must first select a device.
•(Device view) Select a device and click FlexConfig (see FlexConfig Policy Page). Select an object in the FlexConfig policy and click Preview.