Timothy_Morty
Participant

SmartMove cannot find interface assigned to ACL group during ASA conversion

Evening all

 

Hoping someone can point me in the right direction here. Bear in mind, I am not a Cisco expert but I'm working with an existing ASA config that is working in production...

 

SmartMove parses the config fed to it (ASA Version 9.1(4) after converting 8.2 config via fwm.cisco.com online conversion tools). I've cleaned up all of the commands I could (i.e. Skipped commands, Unknown commands, etc.), but I'm left with 9 lines as commands with conversion error:

 

Cannot find interface assigned to ACL group

[7142] Interface details: EXAMPLE1.

and so on.

 

Each interface is named and has an IP address. Each access-group correctly references the ifname value in each interface definition.

 

access-group outside_access_in in interface EXAMPLE1

 

interface GigabitEthernet0/0.123
vlan 123
nameif EXAMPLE1
security-level 0
ip address x.x.x.x 255.255.255.240 standby x.x.x.x

 

I've reviewed the definitions on 2 separate configs and both are consistent and both fail conversion with similar messages.

 

Due to this mismatch, it's not matching access-list entries to access-groups and so can't create the layers and sub-rules.

 

I'd really like to use SmartMove to achieve the conversion, neatly and quickly, as I want to use layered policies for this migration, but at this point, I'm potentially going to have to convert 5000+ ACL entries by hand if I can't resolve this.

5 Replies
Robert_Decker
Advisor

Hi Timothy,

I'll check this on Sunday at work and inform you.

It seems like a configuration file formatting issue.

Wait in the meantime; it isn't worth converting manually.

Robert.

Timothy_Morty
Participant

Thanks Robert. Appreciate the feedback.

Timothy_Morty
Participant

Morning Robert.

Did you have a chance to look at this on Sunday?

Regards,

Tim

0 Kudos
Robert_Decker
Advisor

Yes.

As I suspected, this is due to wrong config file formatting.

Interface info must be indented as follows:

interface GigabitEthernet0/0.123
 vlan 123
 nameif EXAMPLE1
 security-level 0
 ip address x.x.x.x 255.255.255.240 standby x.x.x.x

The interface command is a parent command, and vlan/nameif/security-level/ip address are child commands and must be indented.

Robert.
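
A pre-flight check for the indentation problem described in the answer above, as an added example that is not part of the original thread and is not SmartMove's own code. It assumes a parser that only accepts indented lines as children of `interface`, knows only the four child commands named in the thread, and runs on a constructed sample config with documentation-range addresses.

```python
import re

# Child commands of "interface" named in the thread; extend for your own config.
INTERFACE_CHILDREN = ("vlan ", "nameif ", "security-level ", "ip address ")

# Constructed sample: the thread's interface block with indentation lost.
SAMPLE = """\
interface GigabitEthernet0/0.123
vlan 123
nameif EXAMPLE1
security-level 0
ip address 192.0.2.1 255.255.255.240 standby 192.0.2.2
!
access-group outside_access_in in interface EXAMPLE1
"""

def visible_nameifs(config):
    """nameif values seen when only indented lines count as interface children."""
    names, in_iface = set(), False
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0] not in " \t":          # any top-level line opens or closes a block
            in_iface = line.startswith("interface ")
            continue
        m = re.match(r"\s+nameif\s+(\S+)", line)
        if in_iface and m:
            names.add(m.group(1))
    return names

def unresolved_access_groups(config):
    """(acl, ifname) pairs whose interface name matches no visible nameif."""
    names = visible_nameifs(config)
    pat = re.compile(r"access-group\s+(\S+)\s+(?:in|out)\s+interface\s+(\S+)")
    hits = (pat.match(line) for line in config.splitlines())
    return [(m.group(1), m.group(2)) for m in hits if m and m.group(2) not in names]

def reindent_interfaces(config):
    """Indent known child commands that directly follow an interface line."""
    out, in_iface = [], False
    for line in config.splitlines():
        if line.startswith("interface "):
            in_iface = True
        elif in_iface and line.startswith(INTERFACE_CHILDREN):
            line = " " + line             # ASA indents sub-commands by one space
        elif line.strip() and line[0] not in " \t":
            in_iface = False              # another top-level command ends the block
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    print("before:", unresolved_access_groups(SAMPLE))
    print("after: ", unresolved_access_groups(reindent_interfaces(SAMPLE)))
```

Diff the re-indented file against the original before feeding it to the converter, since any interface sub-command not in `INTERFACE_CHILDREN` is left untouched and ends the block.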

Timothy_Morty
Participant

Thanks Robert. That seems to have done the job. It's seeing the interfaces now and although I have other errors, I can see that they're to do with the use of named objects.

Appreciate the assistance and thanks again.
