This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Timothy_Morty
Participant
‎2018-08-02 11:09 AM

SmartMove cannot find interface assigned to ACL group during ASA conversion

Evening all

 

Hoping someone can point me in the right direction here. Bear in mind, I am not a Cisco expert but I'm working with existing ASA config that is working in production...

 

SmartMove parses the config fed to it (ASA Version 9.1(4) after converting 8.2 config via fwm.cisco.com online conversion tools). I've cleaned up all of the commands I could, i.e. Skipped commands, Unknown commands, etc)  but I'm left with 9 lines as commands with conversion error:

 

Cannot find interface assigned to ACL group

[7142] Interface details: EXAMPLE1.

and so on.

 

Each interface is named and has an IP address. Each access-group correctly references the ifname value in each interface definition.

 

access-group outside_access_in in interface EXAMPLE1

 

interface GigabitEthernet0/0.123
vlan 123
nameif EXAMPLE1
security-level 0
ip address x.x.x.x 255.255.255.240 standby x.x.x.x

 

I've reviewed the definitions on 2 separate configs and both are consistent and both fail conversion with similar messages.

 

Due to this mismatch, it's not matching access-list entries to access-groups and so can't create the layers and sub-rules.

 

I'd really like to use SmartMove to achieve the conversion, neatly and quickly, as I want to use layered policies for this migration, but at this point, I'm potentially going to have to convert 5000+ ACL entries by hand if I can't resolve this.

5 Replies
Robert_Decker
Advisor
‎2018-08-02 11:38 AM

Hi Timothy,

I'll check this on Sunday at work and inform you.

It seems like a configuration file formatting issue.

Wait meanwhile, doesn't worth to manually convert.

Robert.

Timothy_Morty
Participant
‎2018-08-02 11:49 AM
In response to Robert_Decker

Thanks Robert. Appreciate the feedback.

Timothy_Morty
Participant
‎2018-08-05 10:06 PM
In response to Robert_Decker

Morning Robert.

Did you have a chance to look at this on Sunday?

Regards,

Tim

0 Kudos
Robert_Decker
Advisor
‎2018-08-06 12:36 AM
In response to Timothy_Morty

yes.

as i've suspected, this is due to a wrong config file formatting.

interface info must be indented as follows - 

interface GigabitEthernet0/0.123
 vlan 123
 nameif EXAMPLE1
 security-level 0
 ip address x.x.x.x 255.255.255.240 standby x.x.x.x

interface command is a parent command, and vlan/nameif/security-level/ip address are child commands and must be indented.

robert.

Timothy_Morty
Participant
‎2018-08-06 12:51 AM
In response to Robert_Decker

Thanks Robert. That seems to have done the job. It's seeing the interfaces now and although I have other errors, I can see that they're to do with the use of named objects.

Appreciate the assistance and thanks again.

Upcoming Events

    Sort by:
    CheckMates Events