IOS 12.x and FWSMs, many contexts: some imported configs fail to import, how to debug


I'm busy moving a large network on which security is done by FWSMs and IOS 12.x switches with basic and extended ACLs.

The FWSM configs seem to import, at least show some results that look plausible.

The IOS imports seem to fail.  Not in the sense that a failure is reported, but nevertheless no data is shown, even though the files contain numerous access lists, nearly all extended, plus a handful of basic ACLs.

I can't see why.  How do I diagnose this?

Re: IOS 12.x and FWSMs, many contexts: some imported configs fail to import, how to debug

By the way, these ACL files are quite large; over 10.000 lines, and nearly 400KB.

Re: IOS 12.x and FWSMs, many contexts: some imported configs fail to import, how to debug

... and even when stripping the config files to

* contain ACLs only

* extended ACLs only

* a single extended ACL only

... I see no result.  Did support for IOS config files get dropped?  I saw no mention of that.

Re: IOS 12.x and FWSMs, many contexts: some imported configs fail to import, how to debug

Migration Tool 2.5 makes nothing of these IOS ACLs either.

L7 Applicator

Re: IOS 12.x and FWSMs, many contexts: some imported configs fail to import, how to debug

Hi,

We always recommend extracting the configs by context and storing them in separate files. Then you can start to import them one by one into your project, or create a zip file with all of them and upload the zip file.

If you are not getting anything, it is because the tool checks for the access-group command. In the routers this command is applied on the interface instead of as a global parameter. Can you try adding, at the end of one config, a command like

access-group nameofoneaccesslist in interface thenameoftheinterface

access-group acl_inside in interface inside

Re: IOS 12.x and FWSMs, many contexts: some imported configs fail to import, how to debug

Hi Alberto,

Thanks for your swift reply.

The config file has the access list applied to the interface, indeed.  We added these access-group statements, but alas, to no avail: still silent failure, with empty result... any more ideas, perhaps?

Snippet:

ip access-list extended from_xxx
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
!
! [...]
!
interface TenGigabitEthernet4/1
 ip address x.x.x.x 255.255.255.252
 ip access-group from_xxx in
 ip access-group to_xxx out
!
! [...]
!
access-group from_xxx in interface TenGigabitEthernet4/1
access-group to_xxx out interface TenGigabitEthernet4/1

L7 Applicator

Re: IOS 12.x and FWSMs, many contexts: some imported configs fail to import, how to debug

Hi,

Sorry, the problem is the format. We still didn't add support for IOS 12 and ASA 9.4, where there is an access-list and then inside the access-list there are the other ACL entries...

ip access-list extended from_xxx
 deny   ip 10.0.0.0 0.255.255.255 any

Sorry for the confusion.


Re: IOS 12.x and FWSMs, many contexts: some imported configs fail to import, how to debug

Hi A.,

Not sure I understand that.  The latest "access-group" statements were added manually per your suggestion, and I don't see how there are other acls inside an acl here.

Any suggestion on a workaround?  I can work a bit of sed-, awk-, perl-, ruby- or whatever-fu to massage them into something MT3 will grok if need be, but I don't think I've seen a specification out there what (or how) MT3 parses.

L7 Applicator

Re: IOS 12.x and FWSMs, many contexts: some imported configs fail to import, how to debug

Hi,

If you can change the rules from

ip access-list extended from_xxx
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any

TO

access-list from_xxx extended deny ip 10.0.0.0 0.255.255.255 any
access-list from_xxx extended deny ip 172.16.0.0 0.15.255.255 any
access-list from_xxx extended deny ip 192.168.0.0 0.0.255.255 any
access-list from_xxx extended deny ip 169.254.0.0 0.0.255.255 any

and the access-group at the end as well

Re: IOS 12.x and FWSMs, many contexts: some imported configs fail to import, how to debug

Hi Alberto,

I'll give that a go.  I've written a little script that does this, haphazardly; see below.  I'll give it a go ASAP.

#!/usr/bin/env perl
# Rewrite IOS named extended ACLs into the per-entry
# "access-list NAME extended ..." form, and turn each
# "ip access-group NAME in|out" found under an interface into
# "access-group NAME in|out interface IFNAME".
use strict; use warnings;
my $acl=''; my $ifc='';
while(<>) {
    # remember which ACL block / interface block we are currently inside
    $acl=$1 if (/^\s*ip access-list extended\s+(\S+)\s*$/);
    $ifc=$1 if (/^\s*interface\s+(\S+)\s*$/);
    if (/^\s*(permit|deny)/) {            # IOS ACE keyword is permit, not allow
        (my $ace = $_) =~ s/^\s+//;        # drop the IOS indentation
        print "access-list $acl extended $ace";
    } elsif (/ip access-group\s+(\S+)\s+(in|out)\s*$/) {
        print "access-group $1 $2 interface $ifc\n";
    } else {
        print;                             # everything else passes through unchanged
    }
}
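The rewrite Alberto describes (per-entry "access-list NAME extended ..." lines, with the "access-group ... interface ..." bindings at the end) and the Perl script above do the same job; the following Python script is an added example, not code from the thread or from the Migration Tool, that goes a little further: it also handles standard ACLs, remark lines and IOS sequence numbers, moves all access-group bindings to the end of the output, and reports the mistakes that lead to the silent empty import seen in this thread, namely an access-group that refers to an ACL the file never defines, and an ACL that is defined but never applied to an interface. The sample config is constructed for the example; the "access-list NAME standard ..." and "access-list NAME remark ..." output forms are an assumption about what the tool accepts, modelled on the extended form Alberto gave, and the masks are copied through as written.

```python
import re
from typing import List, Set, Tuple

# Constructed sample: an IOS 12.x named-ACL config shaped like the snippet posted
# in the thread, plus a standard ACL and an access-group for an ACL (to_xxx) that
# was never defined, so the consistency check has something to report.
SAMPLE_IOS_CONFIG = """\
ip access-list extended from_xxx
 remark block RFC1918 and loopback sources
 10 deny   ip 10.0.0.0 0.255.255.255 any
 20 deny   ip 172.16.0.0 0.15.255.255 any
 30 deny   ip 127.0.0.0 0.255.255.255 any
 40 permit tcp any host 192.0.2.10 eq 443
ip access-list standard mgmt_only
 permit 192.0.2.0 0.0.0.255
 deny   any
!
interface TenGigabitEthernet4/1
 ip address 192.0.2.1 255.255.255.252
 ip access-group from_xxx in
 ip access-group to_xxx out
!
"""

ACL_HEADER = re.compile(r"^ip access-list (extended|standard)\s+(\S+)\s*$")
ACL_ENTRY = re.compile(r"^\s+(?:\d+\s+)?(permit|deny)\s+(.*\S)\s*$")  # optional sequence number
ACL_REMARK = re.compile(r"^\s+(?:\d+\s+)?remark\s+(.*\S)\s*$")
IFACE = re.compile(r"^interface\s+(\S+)\s*$")
APPLY = re.compile(r"^\s+ip access-group\s+(\S+)\s+(in|out)\s*$")


def convert_ios_acls(text: str) -> Tuple[List[str], List[str]]:
    """Return (converted config lines, warnings) for an IOS-style config."""
    out: List[str] = []
    warnings: List[str] = []
    bindings: List[Tuple[str, str, str]] = []  # (acl, direction, interface)
    defined: Set[str] = set()
    acl_name = acl_type = iface = None

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue

        if not line[0].isspace():
            # Any top-level command ends the ACL or interface block we were in.
            acl_name = acl_type = iface = None
            m = ACL_HEADER.match(line)
            if m:
                acl_type, acl_name = m.group(1), m.group(2)
                defined.add(acl_name)
                continue  # the header is replaced by the per-entry form below
            m = IFACE.match(line)
            if m:
                iface = m.group(1)
            out.append(line)  # other global lines pass through unchanged
            continue

        if acl_name:
            m = ACL_ENTRY.match(line)
            if m:
                out.append(f"access-list {acl_name} {acl_type} {m.group(1)} {m.group(2)}")
                continue
            m = ACL_REMARK.match(line)
            if m:
                out.append(f"access-list {acl_name} remark {m.group(1)}")  # assumed form
                continue
            warnings.append(f"unrecognised line in ACL {acl_name}: {line.strip()}")
            continue

        m = APPLY.match(line)
        if m:
            if iface is None:
                warnings.append(f"ip access-group outside an interface block: {line.strip()}")
            else:
                bindings.append((m.group(1), m.group(2), iface))
            continue
        out.append(line)  # e.g. the interface's ip address line

    # Bindings go at the end, as suggested in the thread; check them against the
    # ACLs actually defined so a typo does not turn into a silent empty import.
    for acl, direction, ifc in bindings:
        if acl not in defined:
            warnings.append(f"access-group {acl} {direction} on {ifc} refers to an ACL that is not defined")
        out.append(f"access-group {acl} {direction} interface {ifc}")
    for acl in sorted(defined - {b[0] for b in bindings}):
        warnings.append(f"ACL {acl} is defined but not applied to any interface")
    return out, warnings


if __name__ == "__main__":
    import sys
    source = SAMPLE_IOS_CONFIG if sys.stdin.isatty() else sys.stdin.read()
    converted, problems = convert_ios_acls(source)
    print("\n".join(converted))
    for w in problems:
        print("WARNING:", w, file=sys.stderr)
```

Run it as `python3 convert_acls.py < router.cfg > router_mt3.cfg` and read the warnings before importing; on the constructed sample it flags that to_xxx is bound but never defined and that mgmt_only is never applied. The masks are passed through exactly as IOS wrote them (wildcard form), matching the target format shown in the thread; a real ASA would expect subnet masks there, so treat the output as tool input rather than as a deployable ASA config.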
