ACL duplicates removal

aashu21392
Level 1

Hi,

I use a file to add ACLs to my ASA. The file contains a set of rules (both inbound and outbound traffic). I run this file on my ASA using the conf net command. Now, because of the huge list (~1.7MB file) and many duplicates, the file takes a long time to execute. I want to remove these duplicate entries from the ASA and from the file. Is there any way (any script) to find the duplicates and remove them?

Please find a few examples of the duplicate types that are on my ASA:

Exp 1.

access-list NEW extended permit tcp host 1.1.1.1 host 2.2.2.2 eq https
object-group network Cloud
network-object host 2.2.2.2
access-list NEW extended permit tcp host 1.1.1.1 object-group Cloud eq https

Exp 2.

access-list NEW extended permit tcp 1.1.0.0 255.255.0.0 host 2.2.2.2 eq https
access-list NEW extended permit tcp host 1.1.1.23 host 2.2.2.2 eq https

Please help me to get this resolved.

Regards,

Ashish
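The kind of script the question asks for, as an added example that is not from this thread or from Cisco: it parses the two line formats shown above (object-group network definitions and extended ACEs with host, network/mask, object-group or any addresses, no source-port spec), resolves object-group membership, and reports each entry whose traffic is already fully matched by another entry with the same ACL name, action, protocol and port. The sample config is constructed from the two examples in the question.

```python
from ipaddress import ip_network as net

# Constructed sample built from the two examples in the question, not the poster's real file.
SAMPLE = """\
object-group network Cloud
 network-object host 2.2.2.2
access-list NEW extended permit tcp host 1.1.1.1 host 2.2.2.2 eq https
access-list NEW extended permit tcp host 1.1.1.1 object-group Cloud eq https
access-list NEW extended permit tcp 1.1.0.0 255.255.0.0 host 2.2.2.2 eq https
access-list NEW extended permit tcp host 1.1.1.23 host 2.2.2.2 eq https
"""
def take_addr(tok, i, groups):
    """Consume one address spec (any | host A | object-group G | A MASK) at tok[i]."""
    if tok[i] == "any":
        return [net("0.0.0.0/0")], i + 1
    if tok[i] == "object-group":
        return groups[tok[i + 1]], i + 2
    return [net(tok[i + 1]) if tok[i] == "host" else net(f"{tok[i]}/{tok[i + 1]}", strict=False)], i + 2

def parse(text):
    """Return [(line, key, src_nets, dst_nets)]; key = (acl, action, proto, port spec)."""
    # Assumes object-groups precede the ACEs that use them and that no source-port spec is present.
    groups, aces, current = {}, [], None
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = groups.setdefault(tok[2], [])
        elif tok[:1] == ["network-object"]:
            current.append(net(tok[2]) if tok[1] == "host" else net(f"{tok[1]}/{tok[2]}", strict=False))
        elif tok[:1] == ["access-list"] and tok[2:3] == ["extended"]:
            src, i = take_addr(tok, 5, groups)
            dst, i = take_addr(tok, i, groups)
            aces.append((line, (tok[1], tok[3], tok[4], " ".join(tok[i:])), src, dst))
    return aces

def covers(outer, inner):
    """True when every network in inner lies inside some network in outer."""
    return all(any(n.subnet_of(o) for o in outer) for n in inner)

def find_redundant(text):
    """Map each redundant ACE line to a line already matching all its traffic (for exact duplicates
    the later copy is reported). Intervening deny lines are not checked: verify none before dropping."""
    aces, hits = parse(text), {}
    for i, (line, key, src, dst) in enumerate(aces):
        for j, (oline, okey, osrc, odst) in enumerate(aces):
            mutual = covers(src, osrc) and covers(dst, odst)
            if key == okey and covers(osrc, src) and covers(odst, dst) and (j < i or not mutual):
                hits[line] = oline
                break
    return hits
```

On the sample, the three host-based entries are reported as covered (two by the 1.1.0.0/16 entry, the object-group one by its exact host duplicate) and only the /16 entry survives; the reported lines can then be removed from the file and negated on the ASA with no access-list once you have confirmed no deny entry in between matches the same traffic.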

4 Replies

Pulkit Saxena
Cisco Employee

Hi Ashu,

Unfortunately, there is no such command on the Cisco ASA that can help you find duplicate ACLs.

This is more of a manual task that needs to be done, and it is very important for the ASA's improved performance.

However, you can try using "Notepad++", which can help you find the duplicate ACLs, but again it will just point to the duplicate ACL; the removal will again be manual.

-

Pulkit


Thanks Pulkit,

As I said above, I run this from a file. So I guess I need to find a script for this, edit the file accordingly and then run it on the ASA for the removal.

Regards

Ashish

Ashish,

It would be great if you could find such a script; please do share it too by creating your own document, as that can help in a lot of such scenarios.

-

Pulkit

Hi!

https://www.youtube.com/watch?v=e31Uz46AKn0

A utility with which you can optimize the access list. There is a search function for conflicting rules. It is designed for routers, but there is a way to use it for ASA lists.
