29-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 29 Managing Remote Access VPNs: The Basics
Discovering Remote Access VPN Policies
Discovering Remote Access VPN Policies
Security Manager allows you to import the configurations of remote access IPSec VPN policies during
policy discovery. You can also discover SSL VPN policies on ASA devices, but not on IOS devices. To
discover remote access VPN policies, select the RA VPN Policies option in the Discover Device settings
when adding the device to the inventory or when discovering policies on a device already in the
inventory. For more information on adding devices or discovering policies, see the following topics:
Adding Devices to the Device Inventory, page 3-6
Discovering Policies on Devices Already in Security Manager, page5-15
You can discover configurations on devices that are already deployed in your remote access VPN
network, so that Security Manager can manage them. These configurations are imported into Security
Manager as remote access VPN policies. Remote access VPN policy discovery can be performed by
importing the configuration of a live device or by importing a configuration file. However, SSL VPN
policies that refer to files in flash storage cannot be discovered from configuration files, therefore, we
recommend that you do not discover SSL VPNs from configuration files.
When you initiate policy discovery on a device in a remote access VPN, the system analyzes the
configuration on the device and then translates this configuration into Security Manager policies so that
the device can be managed. Warnings are displayed if the imported configuration completes only a
partial policy definition. If additional settings are required, you must go to the relevant page in the
Security Manager interface to complete the policy definition. You can also rediscover the configurations
of devices that are already managed with Security Manager.
When discovering SSL VPN policies, files residing in flash storage that are referenced in SSL VPN
policies are copied to the Security Manager server to be stored in the /csm directory on the target device
when policies are deployed from Security Manager. If the flash storage contains files that you want to
use, but they are not referenced by an SSL VPN policy, either configure commands that refer to them or
manually copy them to the Security Manager server. Policy discovery fails if an SSL VPN policy on the
device refers to a file that has been deleted from flash; in this case, either fix the configuration directly
before discovering the device, or deselect the RA VPN Policies option when adding the device and
create the desired SSL VPN configuration in Security Manager.
Tips
You should perform deployment immediately after you discover the policies on a device before you
make any changes to policies or unassign policies from the device; otherwise, the changes that you
configure in Security Manager might not be deployed to the device.
For ASA and PIX 7.0+ devices, the default connection profiles and group policy are discovered and
added to the Connection Profiles and Group Policies policy. You can modify these default profiles
and group, but you cannot delete them:
DefaultRAGroup—The default connection profile for remote access IPsec VPNs.
DefaultWEBVPNGroup—The default connection profile for SSL VPNs. This connection
profile is discovered only for ASA 8.0+ devices.
DfltGrpPolicy—The default group policy, which is used by the default connection profiles.
When discovered, Security Manager uses the name <device_display_name>DfltGrpPolicy.
However, when you deploy configurations, the device display name is stripped off and
DfltGrpPolicy is used.
This naming convention is necessary because group policies are modeled as shared policy
objects, and you might have modified the default group policy differently on your devices.
However, the naming convention does not prevent you from using shared policies that
incorporate the default group policy; the device display name is stripped from the object name