Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

Access-list after upgrading ASA to 8.4

Dear All,

I have ASA 5520 which was running on software version 8.2, I have upgraded it to 8.4.7.

Migration process completed successfully and seems everything went good, I just got one weird issue related to the ACLs associated to object group, below is the explanation before and after the migration:

on the old configs I had something like the below configs:

object-group network Remote_FW
 description Threadneedle remote firewalls
 network-object object FW01
 network-object object FW02
 network-object object FW03
 network-object object FW04


object-group network Internal_Net
 description Internal Networks
 network-object 10.10.102.0 255.255.255.0
 network-object 10.10.104.0 255.255.255.0
 network-object 10.10.105.0 255.255.255.0
 network-object 10.10.122.0 255.255.255.0


access-list outside-in extended permit tcp object-group Remote_FW object-group Internal_Net eq ftp log

 

After the upgrade to 8.4, I got the access list like:

same objects are there but the access-list becomes:

access-list outside-in remark Migration, ACE (line 3) expanded: permit tcp object-group Remote_FW eq ftp
access-list outside-in extended permit tcp object FW01 10.10.102.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW01 10.10.104.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW01 10.10.105.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW01 10.10.122.0 255.255.255.0 eq ftp log

access-list outside-in extended permit tcp object FW02 10.10.102.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW02 10.10.104.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW02 10.10.105.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW02 10.10.122.0 255.255.255.0 eq ftp log

access-list outside-in extended permit tcp object FW03 10.10.102.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW03 10.10.104.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW03 10.10.105.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW03 10.10.122.0 255.255.255.0 eq ftp log

access-list outside-in extended permit tcp object FW04 10.10.102.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW04 10.10.104.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW04 10.10.105.0 255.255.255.0 eq ftp log
access-list outside-in extended permit tcp object FW04 10.10.122.0 255.255.255.0 eq ftp log

 

so it seems to make a separate line for each source against each destination of the objects !!

at the beginning, I though this is the behaviour of the new OS, but I have noticed in different access-list it is using the same object without any issue !!

Any idea why is that ?!

Everyone's tags (1)
4 REPLIES

so what is the problemo

so what is the problemo ?

access-list is working

New Member

access-list is working, but

access-list is working, but instead of having a single line access-list, I got more than 2500 lines which makes it very long running configs !!

 

 

Hi Eng.Bader, I would try to

Hi Eng.Bader,

 

I would try to remove it and reapply it. If you would do that please try this:

 

clear configure access-list outside-in

access-list outside-in extended permit tcp object-group Remote_FW object-group Internal_Net eq ftp log

 

Please note that if you are going to do that remotely and you are connected to the outside interface you will be locked out as soon as you remove the access list, so you should do it from inside network.

 

Regards,

Aref

Cisco Employee

Hi,This is expected when

Hi,

This is expected when upgrading to the broad view [8.3+] versions.

I would request you to use this command to compress this ACL and any other expanded ACL:-

object-group-search access-control

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/o.html#pgfId-1866962

Thanks and Regards,

Vibhor Amrodia

94
Views
0
Helpful
4
Replies
CreatePlease to create content