I'm evaluating NCM for a requirement to manage ACLs and migrate VPN devices from one VPN head end FW to a new site. I believe that NCM can do this; however, I'm hitting a few roadblocks in my knowledge to prove this.
For example:
(IP addresses are bogus)
Our VPN head end firewall at the main office is 94.23.231.89, our VPN head end firewall at the London site is 34.201.33.101.
Node details:
Public IP address: 82.34.231.99
VLAN 1 IP address: 10.130.5.1
Node network variable has to be 10.130.5.0
NCM would need to connect via its WAN address, 82.34.231.99, as the three ACLs and the VPN configuration it has to change will kill the VPN connection.
As it’s changing the VPN configuration it cannot use the node's VLAN1 IP address 10.130.5.1 as this WILL become unavailable; however, it needs to know the VLAN1 IP address to create the Node network variable.
To complicate matters, we use 3 different VPN devices for our estate: PIX 501, ASA 5505 and 881G routers (all Cisco products). PIX 501s and ASAs refer to VLAN1 as “inside” whilst the 881G routers use VLAN1, so I suspect I will need at least two templates.
As I see it, NCM connects to the device using its WAN IP address, enumerates the interfaces to find the interface with name/desc including VLAN1 / Inside, finds the right interface and creates the node network variable (i.e. setoctet(<node vlan1 ip address>, 4, 0)) to use in building the ACLs.
Template then wipes the 3 ACLs and rebuilds them, and then adds the VPN config. It would be up to the analyst running the template to then change routing within our network (as I guess that a CCT cannot work on one node, then update our core route to change the routes).
What I am not sure on is the macro variables I need to look at. I've read the template on setting VLAN attributes via interface description, but I'm not sure how this translates to pulling the IP address of the right interface out.
Thanks in advance for any assistance.
Nigel
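
The interface-selection step described in the post, sketched outside NCM as an added example (it is not part of the original post and is not NCM template syntax). The inventory records and their field names are constructed and hypothetical; the addresses are the post's bogus ones, and a /24 on VLAN1 is assumed, which is what zeroing the fourth octet implies.

```python
import ipaddress
import re

# Matches "Vlan1" (881G) or "inside" (PIX/ASA) as a whole word, so Vlan10 is not a hit.
LAN_LABEL = re.compile(r"\b(vlan1|inside)\b", re.IGNORECASE)

# Constructed inventory; field names are hypothetical, addresses are the post's bogus ones.
SAMPLE_NODES = {
    "asa5505": {"mgmt_ip": "82.34.231.99", "interfaces": [
        {"name": "outside", "descr": "", "ip": "82.34.231.99"},
        {"name": "inside", "descr": "", "ip": "10.130.5.1"}]},
    "881g": {"mgmt_ip": "82.34.231.99", "interfaces": [
        {"name": "FastEthernet4", "descr": "WAN", "ip": "82.34.231.99"},
        {"name": "Vlan10", "descr": "guest", "ip": "10.130.10.1"},
        {"name": "Vlan1", "descr": "LAN", "ip": "10.130.5.1"}]},
}


def set_octet(ip, position, value):
    """Return ip with the 1-based octet at `position` replaced by `value`."""
    if not 1 <= position <= 4 or not 0 <= value <= 255:
        raise ValueError("octet position must be 1-4 and value 0-255")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    octets[position - 1] = str(value)
    return ".".join(octets)


def node_network(node):
    """Derive the node network from the LAN interface, refusing unsafe or ambiguous nodes."""
    hits = [i for i in node["interfaces"]
            if LAN_LABEL.search(i["name"]) or LAN_LABEL.search(i["descr"])]
    if len(hits) != 1:
        raise ValueError(f"expected exactly one LAN interface, found {len(hits)}")
    lan_ip = hits[0]["ip"]
    # Managing the node over the LAN address would cut the session mid-change.
    if node["mgmt_ip"] == lan_ip:
        raise ValueError("management address is the LAN address; use the WAN address")
    return set_octet(lan_ip, 4, 0)


if __name__ == "__main__":
    for name, node in SAMPLE_NODES.items():
        print(name, node_network(node))
```

Running the same check against every node before a template is pushed flags devices that are still managed over the tunnel or that have no unambiguous LAN interface.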