4607 Views, 0 Helpful, 6 Replies

find duplicate ACLs

LionKin1984
Level 1

Hello there

Is there a way to find duplicate ACLs on a Cisco ASA?

I have just restored a running-config (nearly 800 ACLs) onto our new ASA and it threw out a message: WARNING: ACL-name found duplicate element

The model we have is a 5512-X. I googled it online but no success so far.

Rgds!

6 Replies

Jouni Forss
VIP Alumni

Hi,

I kind of wonder what the actual situation is.

I would think that the WARNING message means that you were trying to enter a single ACL rule (= ACE) that already existed in the ACL.

To my understanding the only way you can have identical ACEs in a single ACL is when you have one ACE using a simple permit statement mentioning the IPs/ports in the command and when you have the same done with "object-group". In this situation, to my understanding, the ASA will actually have 2 identical rules (even though configured differently).

For example:

access-list TEST permit tcp host 1.1.1.1 host 2.2.2.2 eq 80

or

object-group network SOURCE
 network-object host 1.1.1.1
object-group network DESTINATION
 network-object host 2.2.2.2
access-list TEST permit tcp object-group SOURCE object-group DESTINATION eq 80

This will produce the following ACL:

access-list TEST extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www
access-list TEST extended permit tcp object-group SOURCE object-group DESTINATION eq www

When we look at the ACL in expanded form we see that the actual rules are identical:

access-list TEST; 2 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www (hitcnt=0) 0xd82b1952
access-list TEST line 2 extended permit tcp object-group SOURCE object-group DESTINATION eq www 0xbcf2cfe7
  access-list TEST line 2 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www (hitcnt=0) 0xd82b1952

Yet you say that you were moving a previous configuration to the device, so it should be a valid configuration as it was already used on an ASA.

Are you sure that you have not just copy/pasted the same lines again, or perhaps used some kind of "show access-list" output as the base of some configuration? That is what I was thinking of with the above example I mentioned: the access-list output might have identical rules even though the configuration format is different.

- Jouni

Hi Jouni

Thanks for your reply.

What I did was all the configuration in Notepad, and then 'copy tftp running-config' onto the firewall.

One of the duplicated ACLs looks like:

access-list Outside_access_in extended permit ip host 1.1.1.1 object MYSERVER

Cheers

johnlloyd_13
Level 9

Hi,

If you're familiar with ASDM, you can use the filtering feature to help with your search.

Sent from Cisco Technical Support iPhone App

Hi Johnlloyd,

I am OK with ASDM; I have always used it for ASA configuration. I will try the filtering features.

Cheers

LionKin1984
Level 1

I have found a way around this problem: instead of finding duplicates on the ASA, I created a little script (.bat file) to find and remove duplicates in Notepad, then 'copy tftp running-config' onto the firewall.

Thanks guys anyway.

Hi LionKin1984,

Do you have the script which you used?

Regards
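The two duplicate cases discussed in this thread, as an added Python example (it is neither LionKin1984's .bat script nor anything from Cisco): it flattens `object-group network` members into each ACE the way `show access-list` does in Jouni's example, and reports ACEs that occur more than once in the same ACL, whether a line was pasted twice or two lines are equivalent only after expansion. The config is constructed for the example; it handles only `object-group network` with `network-object` members and the `eq 80` / `eq www` normalisation shown above.

```python
import re
from collections import defaultdict

# Constructed sample ASA config (not from the thread): one ACE pasted twice, and two ACEs
# in TEST that are identical only after object-group expansion and port-name normalisation.
SAMPLE_CONFIG = """\
object-group network SOURCE
 network-object host 1.1.1.1
object-group network DESTINATION
 network-object host 2.2.2.2
access-list TEST extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www
access-list TEST extended permit tcp object-group SOURCE object-group DESTINATION eq 80
access-list Outside_access_in extended permit ip host 3.3.3.3 host 4.4.4.4
access-list Outside_access_in extended permit ip host 3.3.3.3 host 4.4.4.4
access-list Outside_access_in extended deny ip any any
"""

def parse_object_groups(config):
    """Map each 'object-group network' name to its network-object members."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
        elif current and line.strip().startswith("network-object "):
            groups[current].append(line.strip().split(None, 1)[1])
        elif line and not line.startswith(" "):
            current = None  # left the object-group block

    return groups

def expand_ace(ace, groups):
    """Yield every flattened form of an ACE, one per combination of object-group members."""
    m = re.search(r"object-group (\S+)", ace)
    if not m:
        yield ace
        return
    for member in groups.get(m.group(1), []):
        yield from expand_ace(ace[:m.start()] + member + ace[m.end():], groups)

def find_duplicates(config):
    """Return {acl: {flattened_rule: [config lines producing it]}} for rules seen more than once."""
    groups = parse_object_groups(config)
    seen = defaultdict(lambda: defaultdict(list))
    for line in config.splitlines():
        if line.startswith("access-list "):
            # the ASA stores 'eq 80' as 'eq www', so compare both spellings as one rule
            for flat in expand_ace(line.replace(" eq 80", " eq www"), groups):
                seen[line.split()[1]][flat].append(line)
    return {acl: {r: ls for r, ls in rules.items() if len(ls) > 1}
            for acl, rules in seen.items() if any(len(ls) > 1 for ls in rules.values())}
```

Run `find_duplicates` over the saved config before the `copy tftp running-config`, and every reported rule is one the ASA would flag as a duplicate element; the original line list tells you which entries to drop.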
