Copy ACL config from one interface to another in CISCO ASA 5520 Firewall

anurag.sharma (Level 1)

Hi,

I have a Cisco 5520 Firewall with multiple VLANs on it. For some reason, I need to shut down 2 VLANs and set up two others. I have already set up the 2 new VLANs, and now I need to move the ACL config of the 2 former VLANs to the newer ones that I have created.

I know it can be done manually through ASDM by adding each rule for each interface one by one, making a replica of the former ones. I am looking for a way to copy the whole ACL config of the existing VLANs to the newer ones (the new VLANs are on new IPs, obviously).

This might sound like a silly question, but I am struggling to find a way to do it.

Thanks

Anurag


3 Replies

Dennis Mink (VIP Alumni)

Probably best to use the CLI to do this; as it's essentially a flat text config, it's easier to edit.

Please remember to rate useful posts, by clicking on the stars below.

(Accepted Solution)

If it's a per-interface ACL then you can assign it to more than one interface.

Example that will apply the same ACL to two interfaces:
access-group NAME in interface vlan1
access-group NAME in interface vlan2

Example that will move the ACL to the new interface:
no access-group NAME in interface vlan1
access-group NAME in interface vlan2

You can also reconfigure all your interface ACLs into one big access-list (global ACL), but you then need to make sure you understand what this means for you and that you have all sources and destinations set correctly, so that you don't open up too much.

BTW, you can use the ASDM menu Tools > Command Line Interface, or simply use your browser to get CLI access (you might need to write %20 for spaces, e.g. https://192.168.0.1/exec/sh%20run%20|%20i%20access-group):
https://[ASA IP ADDRESS]/exec/sh run | i access-group
https://[ASA IP ADDRESS]/exec/no access-group NAME in interface vlan1
https://[ASA IP ADDRESS]/exec/access-group NAME in interface vlan2

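Re-binding an existing ACL with access-group only works when the new VLAN should be filtered by exactly the same rules. The original question says the new VLANs are on new IP ranges, so the source/destination addresses inside the ACEs also have to change, and ASA is first-match, so the order of the cloned ACEs must be preserved. The script below is an added example for this thread (not Cisco's code and not any poster's): it takes the text of `show running-config access-list` (a constructed sample is embedded), clones one ACL under a new name while rewriting the old VLAN's subnet to the new one, and prints a paste-able block of access-list and access-group lines. The ACL names, interface names (vlan10/vlan20, which must be the interfaces' nameif values) and subnets are assumptions for illustration only.

```python
"""Clone a Cisco ASA access-list for a new VLAN on a different subnet.

Added example, not from the original thread. Input is the text printed by
`show running-config access-list`; output is config to paste into the CLI.
"""
import ipaddress
import re

# Constructed sample of `show running-config access-list` output (assumed names/IPs).
SAMPLE_ACL = """\
access-list VLAN10_IN remark allow web from VLAN10 to DMZ
access-list VLAN10_IN extended permit tcp 10.10.10.0 255.255.255.0 10.1.1.0 255.255.255.0 eq 80
access-list VLAN10_IN extended permit tcp host 10.10.10.5 host 10.1.1.20 eq 22
access-list VLAN10_IN extended deny ip 10.10.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list VLAN10_IN extended permit ip 10.10.10.0 255.255.255.0 any
access-list OTHER_ACL extended permit icmp any any
"""

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def _is_ipv4(tok: str) -> bool:
    """True if the token is a syntactically valid dotted-quad IPv4 address."""
    if not _IPV4.match(tok):
        return False
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def _remap(addr: str, old_net: ipaddress.IPv4Network, new_net: ipaddress.IPv4Network) -> str:
    """Move an address inside old_net to the same host offset inside new_net; leave others alone."""
    a = ipaddress.IPv4Address(addr)
    if a not in old_net:
        return addr
    offset = int(a) - int(old_net.network_address)
    return str(new_net.network_address + offset)


def rewrite_ace(body: str, old_net: ipaddress.IPv4Network, new_net: ipaddress.IPv4Network) -> str:
    """Rewrite 'host A' and 'A MASK' address fields of one ACE body; masks and keywords pass through."""
    toks = body.split()
    out, i = [], 0
    while i < len(toks):
        t = toks[i]
        if t == "host" and i + 1 < len(toks) and _is_ipv4(toks[i + 1]):
            out += ["host", _remap(toks[i + 1], old_net, new_net)]
            i += 2
        elif _is_ipv4(t) and i + 1 < len(toks) and _is_ipv4(toks[i + 1]):
            # address followed by its netmask: remap the address, keep the mask verbatim
            out += [_remap(t, old_net, new_net), toks[i + 1]]
            i += 2
        else:
            out.append(t)  # protocol, 'any', 'eq 80', object names, ...
            i += 1
    return " ".join(out)


def clone_acl(running_acl: str, old_name: str, new_name: str, old_subnet: str, new_subnet: str) -> list:
    """Return the ACEs of old_name as ACEs of new_name, in the original order, with old_subnet -> new_subnet."""
    old_net = ipaddress.IPv4Network(old_subnet)
    new_net = ipaddress.IPv4Network(new_subnet)
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("old and new subnets must have the same prefix length")
    prefix = f"access-list {old_name} "  # trailing space so VLAN10_IN does not match VLAN10_IN2
    cloned = []
    for line in running_acl.splitlines():
        line = line.strip()
        if not line.startswith(prefix):
            continue  # ACEs belonging to other ACLs are left untouched
        body = line[len(prefix):]
        if body.startswith("remark"):
            cloned.append(f"access-list {new_name} {body}")
        else:
            cloned.append(f"access-list {new_name} {rewrite_ace(body, old_net, new_net)}")
    if not cloned:
        raise ValueError(f"no ACEs found for {old_name}")
    return cloned


def migration_config(running_acl, old_name, new_name, old_subnet, new_subnet, old_if, new_if) -> str:
    """Full paste-able block: cloned ACL, binding on the new interface, unbinding from the old one."""
    lines = [f"! clone of {old_name} ({old_subnet}) as {new_name} ({new_subnet})"]
    lines += clone_acl(running_acl, old_name, new_name, old_subnet, new_subnet)
    lines.append(f"access-group {new_name} in interface {new_if}")
    lines.append(f"! once {old_if} is decommissioned:")
    lines.append(f"no access-group {old_name} in interface {old_if}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(migration_config(SAMPLE_ACL, "VLAN10_IN", "VLAN20_IN",
                           "10.10.10.0/24", "10.10.20.0/24", "vlan10", "vlan20"))
```

Lines starting with `!` are comments when pasted into the ASA config. Before pasting, diff the generated ACEs against the original by eye: the script only rewrites addresses that fall inside the old VLAN's subnet, so a rule such as the `deny ip ... 10.0.0.0 255.0.0.0` above keeps its destination and therefore still refers to the old summary range, which may or may not be what you want for the new VLAN. After applying, `show access-list VLAN20_IN` shows the ACEs with hit counts so you can confirm traffic from the new VLAN is matching the intended lines.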
Thank you so much, Jacob.

I could copy the whole config with this command. That was really helpful; I highly appreciate it :)

Thank You!

Anurag
