A FlexConfig Creation Scenario
This scenario takes you through the steps to set up Media Gateway Control Protocol (MGCP) for an ASA device using one of the predefined FlexConfig policy objects that are shipped with Security Manager. MGCP is used by the call agent application to control media gateways (devices that convert telephone circuit audio to data packets). Security Manager does not support MGCP configuration, but you can use a FlexConfig policy object to provide a configuration. This illustrates how FlexConfigs enable you to customize, for your network, what is not otherwise supported in Security Manager.
In this scenario, you do the following:
1. Create a policy object by duplicating an existing policy object.
2. Assign the policy object to a device.
3. Preview the configuration to verify that it is correct.
4. Share the policy object with another device.
5. Deploy the configuration to the devices.
You can use this scenario as an example to implement other features by creating copies of and modifying predefined FlexConfig policy objects or by creating your own objects.
Before You Begin
Add two ASA devices to Security Manager for this scenario.
Step 1 Duplicate the FlexConfig policy object by doing the following:
Manage > Policy Objects
to open the Policy Object Manager (see Policy Object Manager).
from the table of contents. The table in the right pane lists the existing FlexConfig objects.
c. Right-click ASA_MGCP FlexConfig and select
. The Add FlexConfig dialog box appears (see Add or Edit FlexConfig Dialog Box).
d. Enter a name for the new FlexConfig object, for this example, MyASA_MGCP.
e. Enter a new group name and a description of the object.
Tip The group name and description are optional. We recommend you establish descriptions and groups for objects you create.
. The new FlexConfig object appears in the list.
Step 2 Duplicate and edit the $callAgentList text object.
The original ASA_MGCP FlexConfig object uses the variable $callAgentList, which is a text object. The text object is read-only and cannot be edited. Duplicating the text object enables you to edit the duplicate object to apply to your network settings.
from the table of contents.
. The Add Text Object dialog box appears.
c. Edit the name of the text object. For this example change it to mycallAgentList.
d. Double-click the first value in column A and enter the IP address for a call agent in your network. For this example, change the value to 10.10.10.10.
e. Double-click the first value in column B and enter the port number for a call agent in your network. For this example, change the value to 105.
f. Change the IP address and port number values for another call agent. For this example, change the IP address to 220.127.116.11 and the port number to 106. Or, if you have only one call agent in your network, you could remove the second row in the table by decreasing the number in the Number of Rows field. Similarly, if you have
than two call agents, you can add rows by increasing the number in this field.
This concept is similar for increasing and decreasing the number of columns by increasing or decreasing the Number of Columns field.
. The new text object appears in the list of text objects.
Step 3 Edit the new FlexConfig policy object to use the new variable by doing the following:
from the table of contents.
b. Double-click MyASA_MGCP. The Edit FlexConfig dialog box appears.
c. Edit $callAgentList to read $mycallAgentList.
A warning appears that reads: “The following variables are undefined: mycallAgentList Define them now?”
to the warning.
The FlexConfig Undefined Variables dialog box appears with mycallAgentList listed in the Variable Name column.
f. From the Object Type list, select
. The Text Objects window appears.
from the Available Text Objects list and click
h. In the FlexConfig Undefined Variables window, click
The mycallAgentList variable appears in the Variables list of the Edit FlexConfig dialog box.
i. In the Edit FlexConfig dialog box, click
j. Close the Policy Object Manager window.
Step 4 Assign the new FlexConfig policy object to a device by doing the following:
a. From the Device view, select the device for which you want to set up MGCP.
from the Policy selector. The FlexConfigs Policy page appears.
c. Click the
button. The FlexConfigs Selector dialog box appears.
d. Select the new MyASA_MGCP FlexConfig policy object and click
to add the policy object to the Selected FlexConfigs column.
You can select multiple policy objects at one time by holding either the Ctrl (for multiple selections) or Shift (for multiple continuous selections) keys while selecting.
The MyASA_MGCP policy object is added to the Appended FlexConfigs table, because the object is set to be appended to the configuration. You configure FlexConfig policy objects that you want added to the beginning of the configuration as prepended policy objects.
Step 5 Preview the commands before they are generated and sent to the device by doing the following:
a. From the FlexConfigs Policy page, select the MyASA_MGCP policy object.
The commands that are generated with this FlexConfig policy object and the values assigned to the selected device appear. Note the changed values:
match access-list mgcp_list call-agent 10.10.10.10 105 call-agent 18.104.22.168 106 policy-map inbound_policy inspect mgcp inbound_mgcp service-policy inbound_policy interface outside
Step 6 If you have additional ASA devices that require MGCP, you can share this policy with them by doing the following:
in the Policy selector and select
The Share Policy dialog box appears.
b. Enter a name for the policy and click
. For this example, enter MyShared_ASA_MGCP.
The banner above the FlexConfigs policy now shows that the device is using a shared policy and displays the name of the policy.
c. In the FlexConfigs banner, click the link in the Assigned To field. In this example, the link should be labeled
, which indicates that this shared policy is assigned to one device (the device you are viewing).
Clicking the link opens the Shared Policy Assignments dialog box. Using this dialog box, you can select the other devices that should use this policy in the Available Devices list, and click
to add them to the list of devices that are assigned the policy.
. The Shared Policy Assignments dialog box closes, and the additional devices you selected are configured to use the shared policy. The link in the banner changes to indicate the number of devices that now use this policy (in this example,
Tip You can also share policies from Policy view. Select View > Policy View, select FlexConfigs in the policy type selector, select the MyShared_ASA_MGCP policy, click the Assignments tab, select the devices to which you want to assign the policy, click>>, and then Save.
Step 7 Submit your changes and deploy the configurations to the devices. For information about deploying configurations, see Working with Deployment and the Configuration Archive.
Creating FlexConfig Policy Objects
You can create FlexConfig policy objects to configure features on devices that are not supported by Security Manager. For more information about FlexConfig objects, see Understanding FlexConfig Policies and Policy Objects.
Tip You can also create FlexConfig policy objects when defining policies or objects that use this object type. For more information, see Selecting Objects for Policies.
Before You Begin
Ensure that your commands do not conflict in any way with the VPN or firewall configuration on the devices.
Keep the following in mind:
Security Manager does not manipulate or validate your commands; it simply deploys them to the devices.
If there is more than one set of commands for an interface, only the last set of commands is deployed. Therefore, we recommend you not use beginning and ending commands to configure interfaces.
When editing FlexConfig objects that involve route-maps (for example, OSPF or multicast route-maps), you must define the corresponding access control lists (ACLs) before the route-maps. This is a device requirement. If you do not define ACLs before route-maps, you will get a deployment error.
Step 1 Select
Manage > Policy Objects
to open the Policy Object Manager window (see Policy Object Manager).
Step 2 Select
from the Policy Object Type selector.
Step 3 Right-click inside the work area and select
The Add FlexConfig Object dialog box appears (see Add or Edit FlexConfig Dialog Box).
Step 4 Enter a name for the object and optionally a description. Other optional informational fields include:
Group—Select an existing group name or type in a new one. These names can help you identify the use of an object.
Negate For—If this FlexConfig object is designed to negate another, enter the name of the FlexConfig object whose commands are undone by this object.
Step 5 In the Type field, select whether commands in the object are to be prepended (put at the beginning) or appended (put at the end) of the configurations generated from Security Manager policies.
Step 6 In the object body area, enter the commands and instructions to produce the desired configuration file output. You can type in the following types of data:
Scripting commands to control processing. For more information, see Using Scripting Language Instructions.
CLI commands that are supported by the operating system running on the devices to which you will deploy the FlexConfig policy object. For more information, see Using CLI Commands in FlexConfig Policy Objects.
Variables. You can insert variables using the right-click menu, which allows you to create simple single-value text variables (
Create Text Object
), select variables from existing policy objects (
Insert Policy Object
), or select system variables (
Insert System Variable
). For more information, see Understanding FlexConfig Object Variables.
Tip If you want to remove a variable, select it in the object body and click the Cut button or press the Backspace or Delete key. When you click OK to save your changes, the variable is removed from the list of variables.
Step 7 Click the
icon button above the object body to check the integrity and deployability of the object.
Step 8 Click
to save the object.