Cisco ASA 5515-X Adaptive Security Appliance - No Payload Encryption Installation Guide
13
Cisco ASA 5500 Migration to Version 8.3
OL-22176-01
Real IP Addresses in Access List Migration
Error Message During migration of access-list <name> expanded this object-group ACE.
Explanation
Access lists needed to be created for each address in an object group. See the “Object Group expansion”
migration example.
Error Message Failed to create acl element to track during migration.
Explanation
Internal error condition.
Error Message INFO: Note that identical IP addresses or overlapping IP ranges on different interfaces
are not detectable by automated Real IP migration. If your deployment contains such scenarios,
please verify your migrated configuration is appropriate for those overlapping addresses/ranges.
Please also refer to the ASA 8.3 migration guide for a complete explanation of the automated
migration process.
Explanation
In some cases, you can change the access rules to accommodate the overlapping addresses (see the following
example). If you cannot change the access rules, you might need to use a new IP addressing scheme for the overlapping
networks.
For example, the following pre-migration configuration includes two static rules where the IP address 192.168.1.1 on two
inside interfaces (group1 and group2) is mapped separately when it goes to the outside interface:
static (group1,outside) 10.10.1.1 192.168.1.1
static (group2,outside) 10.10.2.1 192.168.1.1
The following ACEs, when used in an access-group command applied to the outbound direction of the outside interface,
permit the group1 mapped address (10.10.1.1) to exit the outside interface, but deny the group2 mapped address
(10.10.2.1):
access-list out_acl extended permit ip host 10.10.1.1 any
access-list out_acl extended deny ip host 10.10.2.1 any
access-group out_acl out interface outside
However, when the ACEs are converted to real IP addresses, both the 10.10.1.1 and 10.10.2.1 mapped addresses are
changed to the 192.168.1.1 real address; because the first ACE permits traffic to 192.168.1.1, the deny ACE will never
be hit, and traffic will go to both the group1 and group2 hosts:
object foo
host 192.168.1.1
nat (group1,outside) static 10.10.1.1
object bar
host 192.168.1.1
nat (group2,outside) static 10.10.2.1
access-list out_acl extended permit ip object foo any
access-list out_acl extended deny ip object bar any <----This ACE will never be hit
access-group out_acl out interface outside
Recommended Action
In this case, you can alter the access rule as follows:
access-list out_acl1 extended permit ip object foo any
access-list out_acl2 extended deny ip object bar any
access-group out_acl1 in interface group1
access-group out_acl2 in interface group2
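The following script is an added example and is not part of the Cisco guide or of the ASA migration tool. It simulates, offline, what the explanation above describes: it parses the pre-8.3 static and access-list lines quoted in the example, reports the real address that sits behind two interfaces (the overlap the message says automated migration cannot detect), rewrites the ACEs to real addresses the way the migration does, and shows that the deny ACE becomes unreachable after migration but not before. The recommended fix is checked the same way; the guide's "object foo"/"object bar" entries are written as the host address they resolve to, which is a simplification of this example, and only the single-host ACE form used in the guide is parsed. The sample configuration strings are constructed from the guide's example.

```python
import re
from collections import defaultdict

# Constructed sample input: the pre-8.3 configuration quoted in the guide,
# with the access list written in "host" form.
PRE_MIGRATION_CONFIG = """
static (group1,outside) 10.10.1.1 192.168.1.1
static (group2,outside) 10.10.2.1 192.168.1.1
access-list out_acl extended permit ip host 10.10.1.1 any
access-list out_acl extended deny ip host 10.10.2.1 any
access-group out_acl out interface outside
"""

# Constructed sample: the guide's recommended fix, with "object foo" and
# "object bar" written as the real host address they both resolve to.
POST_FIX_ACLS = """
access-list out_acl1 extended permit ip host 192.168.1.1 any
access-list out_acl2 extended deny ip host 192.168.1.1 any
access-group out_acl1 in interface group1
access-group out_acl2 in interface group2
"""

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip
STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+)$")
# Simplification for this example: only "permit|deny ip host X <dst>" ACEs are parsed.
ACE_RE = re.compile(r"^access-list (\S+) extended (permit|deny) ip host (\S+) (\S+)$")


def parse_statics(config):
    """Return (real_ifc, mapped_ifc, mapped_ip, real_ip) tuples from static lines."""
    statics = []
    for line in config.strip().splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            statics.append(m.groups())
    return statics


def parse_aces(config):
    """Return (acl_name, action, src_host, dst) tuples from extended ACEs, in order."""
    aces = []
    for line in config.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            aces.append(m.groups())
    return aces


def overlapping_real_ips(statics):
    """Real IPs that sit behind more than one real-side interface: the case the
    guide says automated real-IP migration cannot tell apart."""
    interfaces = defaultdict(set)
    for real_ifc, _mapped_ifc, _mapped_ip, real_ip in statics:
        interfaces[real_ip].add(real_ifc)
    return {ip: sorted(ifcs) for ip, ifcs in interfaces.items() if len(ifcs) > 1}


def migrate_aces(aces, statics):
    """Rewrite each ACE's mapped source host to its real address, as the 8.3
    migration does. Two mapped addresses for one real host collapse onto it."""
    mapped_to_real = {mapped_ip: real_ip for _, _, mapped_ip, real_ip in statics}
    return [(acl, action, mapped_to_real.get(src, src), dst)
            for acl, action, src, dst in aces]


def shadowed_aces(aces):
    """ACEs that can never be hit because an earlier ACE in the same ACL already
    matches the identical source/destination (ACLs are evaluated first match).
    Returns (index, ace, index_of_shadowing_ace) tuples."""
    first_match = {}
    shadowed = []
    for i, (acl, _action, src, dst) in enumerate(aces):
        key = (acl, src, dst)
        if key in first_match:
            shadowed.append((i, aces[i], first_match[key]))
        else:
            first_match[key] = i
    return shadowed


def audit(pre_migration_config):
    """Find overlapping real IPs, simulate the migration, and report which ACEs
    the migrated access list would silently stop enforcing."""
    statics = parse_statics(pre_migration_config)
    aces = parse_aces(pre_migration_config)
    migrated = migrate_aces(aces, statics)
    return {
        "overlapping": overlapping_real_ips(statics),
        "shadowed_before": shadowed_aces(aces),
        "shadowed_after": shadowed_aces(migrated),
    }


if __name__ == "__main__":
    report = audit(PRE_MIGRATION_CONFIG)
    print("overlapping real IPs:", report["overlapping"])
    print("shadowed before migration:", report["shadowed_before"])
    print("shadowed after migration:", report["shadowed_after"])
    # The recommended per-interface inbound ACLs carry no shadowed entry.
    print("shadowed after fix:", shadowed_aces(parse_aces(POST_FIX_ACLS)))
```

Running the audit before cutting over to 8.3 turns the warning in the INFO message into a concrete list: every real address returned by overlapping_real_ips needs a manual decision, and every entry in shadowed_after is a rule that the migrated configuration no longer enforces. Splitting the rules into per-interface inbound access lists, as the Recommended Action does, gives each ACE its own access list, so the first-match check finds nothing to shadow.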
Table 2
Real IP Address Migration Messages (continued)
Message and Description