topic find duplicate ACLs in Network Security

find duplicate ACLs

LionKin1984 — Tue, 12 Mar 2019 03:47:00 GMT

Hello there

is there a way to find duplicate ACLs on cisco ASA?

I have just restored running-config (nearly 800 ACLs) onto our new ASA and it threw out a message :WARNING: ACL-name found duplicate element

the model we have is 5512-x, I googled it online but no success so far,

Rdgs!

find duplicate ACLs

Jouni Forss — Tue, 18 Feb 2014 10:22:43 GMT

Hi,

I kind of wonder what the actual situation is.

I would think that the WARNING message means that you were trying to enter a single ACL rule (= ACE) that already existed in the ACL.

To my understanding the only way you can have identical ACEs in a single ACL when you have one ACE using a simple permit statement mentioning the IPs/ports in the command and when you have the same done with "object-group". In this situation to my understanding the ASA will actually have 2 identical rules (even though configured differently)

For example

access-list TEST permit tcp host 1.1.1.1 host 2.2.2.2 eq 80

object-group network SOURCE

network-object host 1.1.1.1

object-group network DESTINATION

network-object host 2.2.2.2

access-list TEST permit tcp object-group SOURCE object-group DESTINATION eq 80

This will produce the following ACL

access-list TEST extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www

access-list TEST extended permit tcp object-group SOURCE object-group DESTINATION eq www

When we look at the ACL in opened form we see that the actual rules are identical

access-list TEST; 2 elements; name hash: 0xd37fdb2b

access-list TEST line 1 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www (hitcnt=0) 0xd82b1952

access-list TEST line 2 extended permit tcp object-group SOURCE object-group DESTINATION eq www 0xbcf2cfe7

access-list TEST line 2 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www (hitcnt=0) 0xd82b1952

Yet you say that you were moving an previous configuration to the device so it should be valid configuration as it was already used on an ASA.

Are you sure that you have not just copy/pasted same lines again or perhaps used somekind of "show access-list" output as the base of some configuration? That what I was thinking with the above example I mentioned that the access-list output might have identical rules even though the configuration format is different.

- Jouni

Re: find duplicate ACLs

johnlloyd_13 — Tue, 18 Feb 2014 10:33:57 GMT

Hi,

If you're familiar with ASDM, you can use the filtering feature to help with your search.

Sent from Cisco Technical Support iPhone App

find duplicate ACLs

LionKin1984 — Tue, 18 Feb 2014 11:05:47 GMT

Hi Jouni

Thanks for you reply

What I did was I did all the configuration on notepad, and then 'copy tftp running-config' onto the firewall.

one of the duplicated ACL looks like: -

access-list Outside_access_in extended permit ip host 1.1.1.1 object MYSERVER

Cheers

find duplicate ACLs

LionKin1984 — Tue, 18 Feb 2014 11:07:36 GMT

Hi Johnlloyd

I am OK with ASDM, I have always been using it for ASA configuration. I will try the filtering features

Cheers

find duplicate ACLs

LionKin1984 — Tue, 18 Feb 2014 11:34:05 GMT

I have found a way around this problem, instead of finding duplicates on ASA, I created a little script (.bat) file to find and remove duplicate in notepad, then 'copy tftp running-config' onto the firewall.

thanks guys anyway

Hi LionKin 1984,

aashu21392 — Mon, 18 Apr 2016 15:22:59 GMT

Hi LionKin 1984,

Do you have the script which you used ?

Regards