Solved: If its a per-interface acl

anurag.sharma · ‎03-14-2017

Hi,

I have Cisco 5520 Firewall and have multiple VLANs on it. Due to some reason, I need to shut down 2 VLANs and set up two other. I have already set up 2 VLANs and now I need to move the ACL config of 2 former VLANs to the newer ones that I have created.

I know it can be manually done through ASDM by adding each rule for each interface one by one making a replica of the former ones. I am looking for a way that can copy the whole ACL config of the existing VLANs to the newer one (New VLANs are on the new IP, obviously).

This might sound a silly question but I am struggling to find a way to do that.

Thanks

Anurag

jacobhoegh · ‎03-15-2017

If its a per-interface acl then you can assign it to more than one interface

Example that will apply the same acl to two interfaces
access-group NAME in interface vlan1
access-group NAME in interface vlan2

Example that will move the acl to the new interface
no access-group NAME in interface vlan1
access-group NAME in interface vlan2

You can also reconfigure all your interface acl's to one big access-list (global acl) but you then need to make sure you understand what this means for you and that you have all source and destination set correct, so that you don't opening up to much

BTW. you can use the asdm menu Tools > Commandline interface

or simply use your browser to get cli access

(you might need to write %20 for spaces eg. https://192.168.0.1/exec/sh%20run%20|%20i%20access-group)

https://[ASA IP ADDRESS]/exec/sh run | i access-group

https://[ASA IP ADDRESS]/exec/no access-group NAME in interface vlan1
https://[ASA IP ADDRESS]/exec/access-group NAME in interface vlan2

View solution in original post

Dennis Mink · ‎03-14-2017

Probably best use the CLI to do this, as its essentially a flat text config its easier to edit.

Please remember to rate useful posts, by clicking on the stars below.

jacobhoegh · ‎03-15-2017