Cisco Support Community
New Member

find duplicate ACLs

Hello there

Is there a way to find duplicate ACLs on a Cisco ASA?

I have just restored the running-config (nearly 800 ACLs) onto our new ASA and it threw out a message: WARNING: ACL-name found duplicate element

The model we have is 5512-X. I googled it online but no success so far.

Rdgs!

6 REPLIES
Super Bronze

find duplicate ACLs

Hi,

I kind of wonder what the actual situation is.

I would think that the WARNING message means that you were trying to enter a single ACL rule (= ACE) that already existed in the ACL.

To my understanding, the only way you can have identical ACEs in a single ACL is when you have one ACE using a simple permit statement mentioning the IPs/ports in the command, and you have the same done with an "object-group". In this situation, to my understanding, the ASA will actually have 2 identical rules (even though configured differently).

For example:

access-list TEST permit tcp host 1.1.1.1 host 2.2.2.2 eq 80

or

object-group network SOURCE
 network-object host 1.1.1.1
object-group network DESTINATION
 network-object host 2.2.2.2
access-list TEST permit tcp object-group SOURCE object-group DESTINATION eq 80

This will produce the following ACL:

access-list TEST extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www
access-list TEST extended permit tcp object-group SOURCE object-group DESTINATION eq www

When we look at the ACL in expanded form we see that the actual rules are identical:

access-list TEST; 2 elements; name hash: 0xd37fdb2b
access-list TEST line 1 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www (hitcnt=0) 0xd82b1952
access-list TEST line 2 extended permit tcp object-group SOURCE object-group DESTINATION eq www 0xbcf2cfe7
  access-list TEST line 2 extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www (hitcnt=0) 0xd82b1952

Yet you say that you were moving a previous configuration to the device, so it should be a valid configuration as it was already used on an ASA.

Are you sure that you have not just copy/pasted the same lines again, or perhaps used some kind of "show access-list" output as the base of some configuration? That is what I was thinking with the above example I mentioned: the access-list output might have identical rules even though the configuration format is different.

- Jouni

New Member

find duplicate ACLs

Hi Jouni

Thanks for your reply.

What I did was do all the configuration in Notepad, and then 'copy tftp running-config' onto the firewall.

One of the duplicated ACLs looks like:

access-list Outside_access_in extended permit ip host 1.1.1.1 object MYSERVER

Cheers

Re: find duplicate ACLs

Hi,

If you're familiar with ASDM, you can use the filtering feature to help with your search.


Sent from Cisco Technical Support iPhone App

New Member

find duplicate ACLs

Hi Johnlloyd

I am OK with ASDM; I have always been using it for ASA configuration. I will try the filtering features.

Cheers

New Member

find duplicate ACLs

I have found a way around this problem: instead of finding duplicates on the ASA, I created a little script (.bat file) to find and remove duplicates in Notepad, then 'copy tftp running-config' onto the firewall.

Thanks guys anyway
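The script LionKin describes is not posted in the thread, and a plain text dedup only catches lines that are byte-for-byte identical; it misses the case Jouni shows above, where a `host` ACE and an `object-group` ACE expand to the same rule. The following Python script is an added example (not code from the thread, from Cisco, or from any poster) that does both: it strips exact duplicate `access-list` lines from a saved config, and it expands `network` object-groups so that effectively identical ACEs are reported before the config is copied to the firewall. The config snippet inside it is constructed for the example; it handles `host`, `A.B.C.D MASK`, `any`, `object-group` and `object` operands and a handful of well-known port names, and deliberately does not expand `object` contents or service object-groups (those are left as opaque tokens).

```python
"""Find duplicate ACEs in an ASA config saved as text, including duplicates hidden behind object-groups.

Added example; not Cisco code. Only 'object-group network' blocks are expanded.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample config reproducing the thread's two cases:
# lines 5/6 are the same rule written directly and via object-groups,
# lines 7/8 are a literal copy/paste duplicate.
SAMPLE_CONFIG = """\
object-group network SOURCE
 network-object host 1.1.1.1
object-group network DESTINATION
 network-object host 2.2.2.2
access-list TEST extended permit tcp host 1.1.1.1 host 2.2.2.2 eq www
access-list TEST extended permit tcp object-group SOURCE object-group DESTINATION eq 80
access-list Outside_access_in extended permit ip host 1.1.1.1 object MYSERVER
access-list Outside_access_in extended permit ip host 1.1.1.1 object MYSERVER
access-list Outside_access_in extended permit ip host 3.3.3.3 object MYSERVER
"""

# A few ASA port keywords and their numeric values, so 'eq www' and 'eq 80' compare equal.
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "ftp": "21",
              "ssh": "22", "telnet": "23", "smtp": "25", "domain": "53"}

ACE_RE = re.compile(r"^access-list (\S+) (?:extended )?(permit|deny) (\S+) (.*)$")


def _operand(tokens, groups):
    """Normalize one address operand. Returns (list of members, number of tokens consumed)."""
    t = tokens[0]
    if t in ("any", "any4", "any6"):
        return ["any"], 1
    if t == "host":
        return [str(ipaddress.ip_network(f"{tokens[1]}/32"))], 2
    if t == "object-group":
        # Unknown group names are kept as opaque tokens rather than silently dropped.
        return list(groups.get(tokens[1], [f"object-group:{tokens[1]}"])), 2
    if t == "object":
        return [f"object:{tokens[1]}"], 2  # named objects are not expanded here
    try:  # 'A.B.C.D MASK' form, normalized to CIDR
        return [str(ipaddress.ip_network(f"{t}/{tokens[1]}", strict=False))], 2
    except ValueError:  # e.g. a hostname defined with 'names'; keep raw text
        return [f"{t} {tokens[1]}"], 2


def parse_object_groups(config):
    """Return {group_name: [normalized member, ...]} for every 'object-group network' block."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()
            if parts[0] == "network-object":
                groups[current].extend(_operand(parts[1:], groups)[0])
            elif parts[0] == "group-object":  # nested group defined earlier in the file
                groups[current].extend(groups.get(parts[1], [f"group-object:{parts[1]}"]))
            continue
        current = None  # any unindented line ends the block
    return groups


def expand_ace(line, groups):
    """Expand one ACE into the set of effective (acl, action, proto, src, dst, service) rules, or None."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    acl, action, proto, rest = m.groups()
    if proto in ("object-group", "object"):
        return None  # service objects are out of scope for this example
    try:
        tokens = rest.split()
        srcs, n = _operand(tokens, groups)
        dsts, n2 = _operand(tokens[n:], groups)
        tail = []
        for tok in tokens[n + n2:]:
            if tok in ("log", "inactive"):
                break  # logging options do not change what traffic the ACE matches
            tail.append(PORT_NAMES.get(tok, tok))
    except IndexError:
        return None  # malformed or unsupported ACE syntax
    service = " ".join(tail)
    return {(acl, action, proto, s, d, service) for s in srcs for d in dsts}


def find_duplicate_aces(config):
    """Map each effective rule that occurs more than once to the 1-based config lines producing it."""
    groups = parse_object_groups(config)
    seen = defaultdict(list)
    for lineno, line in enumerate(config.splitlines(), 1):
        for key in expand_ace(line, groups) or ():
            seen[key].append(lineno)
    return {key: lines for key, lines in seen.items() if len(lines) > 1}


def dedupe_exact(config):
    """Drop textually identical access-list lines (what a Notepad/batch dedup does), keeping order."""
    out, kept = [], set()
    for line in config.splitlines():
        if line.startswith("access-list "):
            if line in kept:
                continue
            kept.add(line)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for rule, lines in find_duplicate_aces(SAMPLE_CONFIG).items():
        print(f"lines {lines}: {' '.join(rule)}")
```

Run it against a saved config (`python find_dups.py` with `SAMPLE_CONFIG` replaced by the file contents) before `copy tftp running-config`; exact duplicates can be removed mechanically with `dedupe_exact`, while the object-group case needs a human decision about which of the two ACEs to keep.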

New Member

Hi LionKin 1984,

Do you have the script which you used?

Regards
