Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Cisco Security Appliances

 

To integrate JSA Risk Manager with your network devices, ensure that you review the requirements for the Cisco Security Appliances adapter.

The following features are available with the Cisco Security Appliances adapter:

  • Neighbor data support

  • Static NAT

  • SNMP discovery

  • EIGRP and OSPF dynamic routing

  • Static routing

  • IPSEC tunneling

  • Telnet and SSH connection protocols

The Cisco Security Appliances adapter collects device configurations by backing up Cisco family devices. The Cisco Security Appliances adapter supports the following firewalls:

  • Cisco Adaptive Security Appliances (ASA) 5500 series

  • Firewall Service Module (FWSM)

  • Module in a Catalyst chassis

  • Established Private Internet Exchange (PIX) device.

Note

Cisco ASA transparent contexts cannot be placed in the JSA Risk Manager topology, and you cannot do path searches across these transparent contexts.

The following table describes the integration requirements for the Cisco Security Appliances adapter.

Table 1: Integration Requirements for the Cisco Security Appliances Adapter

Integration requirement

Description

Versions

ASA:

8.2 to 9.13

Minimum User Access Level

privilege level 5

You can back up devices with privilege level 5 access level. For example, you can configure a level 5 user that uses local database authentication by running the following commands:

aaa authorization command LOCAL

aaa authentication enable console LOCAL

privilege cmd level 5 mode exec command terminal

privilege cmd level 5 mode exec command changeto (multi-context only)

privilege show level 5 mode exec command running-config

privilege show level 5 mode exec command startup-config

privilege show level 5 mode exec command version

privilege show level 5 mode exec command shun

privilege show level 5 mode exec command names

privilege show level 5 mode exec command interface

privilege show level 5 mode exec command pager

privilege show level 5 mode exec command arp

privilege show level 5 mode exec command route

privilege show level 5 mode exec command context

privilege show level 5 mode exec command mac-address-table

SNMP discovery

Matches PIX or Adaptive Security Appliance or Firewall Service Module in SNMP sysDescr.

Required credential parameters

To add credentials in JSA log in as an administrator and use Configuration Source Management on the Admin tab.

Username

Password

Enable Password

Supported connection protocols

To add protocols in JSA, log in as an administrator and use Configuration Source Management on the Admin tab.

Use any one of the following supported connection protocols:

Telnet

SSH

SCP

Required commands that the adapter requires to log in and collect data

changeto context <context>

changeto system

show running-config

show startup-config

show arp

show context

show interface

show mac-address-table

show names

show ospf neighbor

show route

show shun

show version

terminal pager 0

show interface detail

show crypto ipsec sa

show eigrp topology

show eigrp neighbors

show firewall

show dns

The changeto context <context> command is used for each context on the ASA device.

The changeto system command detects whether the system has multi-context configurations and determines the admin-context.

The changeto context command is required if the changeto system command has a multi-context configuration or admin-configuration context.

The terminal pager command is used to turn off paging behavior.