Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Migrating Router ACL to FWSM

I have been tasked with migrating a couple routers with ACLs to FWSMs on a 7600.

My question is - except for the interface IDs can I just copy the existing ACLs from the Router to the FWSM? Will that work? Or do I have to create a brand new rule set?



  • Firewalling
Hall of Fame Super Blue

Re: Migrating Router ACL to FWSM

Firstly the router acls will probably be using inverse masks

eg. permit tcp host eq www

Pix rulesets don't use inverse masks so it would be

permit tcp host eq www.

Secondly it also depends on what lines are actually in your acl. If there are lines with the established keyword for example you wouldn't need this on the FWSM as you are now dealing with a fully stateful firewall.

You also need to be aware of the NAT statements you may well need but without knwoing your topology it is difficult to comment.


New Member

Re: Migrating Router ACL to FWSM


Thank you. That is good advice.

So, other than those caveats, I should be able to copy them over and go?

Hall of Fame Super Blue

Re: Migrating Router ACL to FWSM

yes you should be fine.

I would stress that you may well need NAT statements on the FWSM (if you are running it in routed mode) otherwise access will denied.

To apply the access-list to the interface you use a slightly different command -

access-group "access-list name" in interface "interface name".

By the way HTH is shorthand for Hope this Helps :-)

New Member

Re: Migrating Router ACL to FWSM

I think 3.1(4) allows you to disable using NAT. It might even be disabled by default.

This widget could not be displayed.