02-18-2014 01:43 AM - edited 03-11-2019 08:47 PM
Hello there
Is there a way to find duplicate ACLs on a Cisco ASA?
I have just restored the running-config (nearly 800 ACLs) onto our new ASA and it threw out a message: WARNING: ACL-name found duplicate element
The model we have is 5512-X; I googled it online but no success so far.
Rdgs!
02-18-2014 02:22 AM
Hi,
I kind of wonder what the actual situation is.
I would think that the WARNING message means that you were trying to enter a single ACL rule (= ACE) that already existed in the ACL.
To my understanding, the only way you can have identical ACEs in a single ACL is when you have one ACE using a simple permit statement mentioning the IPs/ports in the command and the same done with "object-group". In this situation, to my understanding, the ASA will actually have 2 identical rules (even though configured differently).
For example:
access-list TEST permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
or
object-group network SOURCE
network-object host 1.1.1.1
object-group network DESTINATION
network-object host 2.2.2.2
access-list TEST permit tcp object-group SOURCE object-group DESTINATION eq 80
This will produce the following ACL:
access-list TEST extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www
access-list TEST extended permit tcp object-group SOURCE object-group DESTINATION eq www
When we look at the ACL in opened form, we see that the actual rules are identical:
access-list TEST; 2 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www (hitcnt=0) 0xd82b1952
access-list TEST line 2 extended permit tcp object-group SOURCE object-group DESTINATION eq www 0xbcf2cfe7
access-list TEST line 2 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www (hitcnt=0) 0xd82b1952
Yet you say that you were moving a previous configuration to the device, so it should be a valid configuration as it was already used on an ASA.
Are you sure that you have not just copy/pasted the same lines again, or perhaps used some kind of "show access-list" output as the base of some configuration? That is what I was thinking with the above example I mentioned: the access-list output might have identical rules even though the configuration format is different.
- Jouni
02-18-2014 03:05 AM
Hi Jouni
Thanks for your reply.
What I did was I did all the configuration in Notepad, and then 'copy tftp running-config' onto the firewall.
One of the duplicated ACLs looks like:
access-list Outside_access_in extended permit ip host 1.1.1.1 object MYSERVER
Cheers
02-18-2014 02:33 AM
Hi,
If you're familiar with ASDM, you can use the filtering feature to help with your search.
Sent from Cisco Technical Support iPhone App
02-18-2014 03:07 AM
Hi Johnlloyd
I am OK with ASDM; I have always been using it for ASA configuration. I will try the filtering features.
Cheers
02-18-2014 03:34 AM
I have found a way around this problem: instead of finding duplicates on the ASA, I created a little script (.bat file) to find and remove duplicates in Notepad, then 'copy tftp running-config' onto the firewall.
Thanks guys anyway.
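The poster's batch script is not shown in the thread. As an added example (not the poster's script and not anything from Cisco), here is a Python checker, run over a constructed config fragment, that flags both ways an element ends up duplicated as Jouni describes: the same line entered twice, and an object-group ACE that expands to an element a plain ACE already installs. The port-keyword table and the sample config are assumptions made for the example.

```python
import itertools
import re
from collections import defaultdict

# Constructed sample config (not the thread's real configuration).
SAMPLE_CONFIG = """\
object-group network SOURCE
 network-object host 1.1.1.1
object-group network DESTINATION
 network-object host 2.2.2.2
access-list TEST extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www
access-list TEST extended permit tcp object-group SOURCE object-group DESTINATION eq 80
access-list Outside_access_in extended permit ip host 1.1.1.1 object MYSERVER
access-list Outside_access_in extended permit ip host 1.1.1.1 object MYSERVER
"""
# Partial table of port keywords the ASA shows instead of numbers (eq 80 == eq www).
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "ssh": "22", "smtp": "25", "domain": "53"}

def parse_groups(config):
    """Map each 'object-group network' name to its 'network-object ...' members."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current, groups[m.group(1)] = m.group(1), []
        elif current and line.strip().startswith("network-object "):
            groups[current].append(line.split(None, 1)[1])
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the group body
    return groups

def expand(ace, groups):
    """Expand one ACE as the ASA does: port keywords to numbers, object-groups to members."""
    ace = re.sub(r"\beq (\S+)", lambda m: "eq " + PORT_NAMES.get(m.group(1), m.group(1)), ace)
    names = re.findall(r"object-group (\S+)", ace)
    members = [groups.get(n, ["object-group " + n]) for n in names]  # unknown groups kept as-is
    template = re.sub(r"object-group \S+", "{}", ace)
    return [template.format(*combo) for combo in itertools.product(*members)]

def find_duplicates(config):
    """Return {acl: [(element, [line numbers])]} for elements installed more than once in one ACL."""
    groups, seen = parse_groups(config), defaultdict(lambda: defaultdict(list))
    for lineno, line in enumerate(config.splitlines(), 1):
        parts = line.split()
        if len(parts) < 3 or parts[0] != "access-list" or parts[2] == "remark":
            continue
        for element in expand(line, groups):
            seen[parts[1]][element].append(lineno)
    return {acl: [(e, ls) for e, ls in el.items() if len(ls) > 1]
            for acl, el in seen.items() if any(len(ls) > 1 for ls in el.values())}
```

Running it on the sample reports lines 5 and 6 of TEST as one installed element and lines 7 and 8 of Outside_access_in as another, so the offending lines can be dropped from the text file before it is copied to the firewall.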
04-18-2016 08:22 AM
Hi LionKin 1984,
Do you have the script which you used?
Regards