We have multiple failover clusters that we would like to sync the DAPs/Group Policies/ACLs between. I understand that there are 2 components that are combined for, say, a DAP -- the config lines, and the dap.xml.
What I would like to do is establish a standard procedure for replicating the policies across each cluster so that our VPN users have the same portal experience wherever they terminate -- obviously some things that are unique to each cluster, like IPs, routing, and crypto maps, must stay the same, so it's not as easy as just doing an ASDM/CLI full backup and restore.
I have successfully done this a couple of times, but mostly through trial and error, by using ASDM to export some information and then importing it manually. I'd like to script this out, so doing this via the command line would be key. Any suggestions? Thanks for any help!
I guess I will post what we are doing so far:
Use a common prefix for all of your DAP-related ACLs -- so for us we use DAP_
access-list DAP_URL_ORACLE_SHTERM webtype permit url html://:8080 log default
Grab all of your CLI that relates to "dynamic-access-policy-record" + your DAP ACLs.
Then, use the ASDM to backup the DAP and bookmarks only.
We then import the CLI config (ACL + the dynamic-access-policy-record) and restore the ASDM backup, in that order. We chose not to sync Group Policies, Tunnel / Connection profiles and the rest because they differ from gateway to gateway -- but at least this helps to provide a somewhat similar experience for the end users. You may want to think about syncing customizations and such as well.
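The "grab the DAP_ ACLs and the dynamic-access-policy-record lines" step above is the part that lends itself to scripting. The script below is an added example written for this thread, not the poster's own tooling: it reads a saved `show running-config` text, pulls out every `access-list DAP_*` line and every `dynamic-access-policy-record` block (the record's sub-commands are the following lines indented with a leading space, which is how the ASA prints config sub-modes), and emits the ACLs first and the records second, matching the import order the poster uses. It also flags any `network-acl` referenced inside a DAP record whose name does not carry the prefix, because that ACL would otherwise be left behind on the target cluster and the record would reference a non-existent ACL. The sample config embedded in the script is constructed for illustration; the `DAP_` prefix is the convention from the post.

```python
"""Extract DAP-related CLI from an ASA running-config for replay on another cluster.

Added example (not from the original post). Assumes:
  * the config text is the output of `show running-config`, saved to a file,
  * DAP ACLs share a common name prefix (DAP_ in this thread),
  * sub-commands of a dynamic-access-policy-record are indented with a leading space.
"""
import re
import sys

DAP_PREFIX = "DAP_"

# Constructed sample running-config, trimmed to the parts that matter here.
SAMPLE_CONFIG = """\
hostname asa-cluster-a
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list LEGACY_ACL extended permit ip any any
access-list DAP_NET_FINANCE extended permit tcp any host 10.0.0.5 eq 443
access-list DAP_URL_INTRANET webtype permit url http://intranet.example.com/* log default
access-list DAP_URL_INTRANET webtype deny url any log default
crypto map OUTSIDE_MAP 10 match address VPN_TRAFFIC
dynamic-access-policy-record DfltAccessPolicy
 user-message "Access denied by policy"
 action terminate
dynamic-access-policy-record DAP_FINANCE
 description "Finance staff with compliant endpoint"
 network-acl DAP_NET_FINANCE
 webvpn
  url-list value FINANCE_BOOKMARKS
 priority 10
dynamic-access-policy-record DAP_LEGACY
 network-acl LEGACY_ACL
 priority 20
group-policy GP_FINANCE internal
"""

RECORD_KEYWORD = "dynamic-access-policy-record "
NETWORK_ACL_RE = re.compile(r"^\s+network-acl\s+(\S+)")


def extract_dap_cli(config: str, prefix: str = DAP_PREFIX) -> list[str]:
    """Return the ACL lines with the prefix, then every DAP record block, in that order."""
    acls: list[str] = []
    records: list[str] = []
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(f"access-list {prefix}"):
            acls.append(line)
            i += 1
        elif line.startswith(RECORD_KEYWORD):
            records.append(line)
            i += 1
            # Every following line indented with a space belongs to this record.
            while i < len(lines) and lines[i].startswith(" "):
                records.append(lines[i])
                i += 1
        else:
            i += 1  # IPs, routing, crypto maps, group policies etc. stay per-cluster
    # ACLs first so the records never reference an ACL that does not exist yet.
    return acls + records


def unprefixed_acl_references(config: str, prefix: str = DAP_PREFIX) -> list[str]:
    """Names of ACLs referenced via network-acl inside DAP records that lack the prefix."""
    missing: set[str] = set()
    in_record = False
    for line in config.splitlines():
        if line.startswith(RECORD_KEYWORD):
            in_record = True
            continue
        if in_record and not line.startswith(" "):
            in_record = False
        if in_record:
            m = NETWORK_ACL_RE.match(line)
            if m and not m.group(1).startswith(prefix):
                missing.add(m.group(1))
    return sorted(missing)


if __name__ == "__main__":
    # Usage: python dap_sync.py running-config.txt > dap_cli.txt (no arg = sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for name in unprefixed_acl_references(text):
        print(f"! WARNING: DAP record references ACL without prefix: {name}", file=sys.stderr)
    print("\n".join(extract_dap_cli(text)))
```

The output is plain CLI that can be pasted into `conf t` on the target cluster before the ASDM DAP/bookmark backup is restored; the warning on stderr is the cue to either rename the offending ACL with the prefix or copy it across by hand.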
I would like to do the same thing you described.
I understand the procedure is:
1) back up the DAP with ASDM
2) copy the dynamic-access-policy-record lines
3) paste the dynamic-access-policy-record lines on the new ASA
4) restore the zip file with dap.xml and Version.properties with ASDM on the new ASA
Do you confirm?
I don't need to reload anything, do I?