12.4(20)T object-group/ACL/crypto map on 3825

Unanswered Question
Aug 27th, 2008

hi all,

I just upgraded my router to 12.4(20)T because of the new object-group function that I already use on all my PIX.

The bad thing is: it does not seem to work.

I use object-groups to define all my LAN networks for my VPNs.

After that I apply an ACL using the object-groups => no problem.

The problem appears when I apply the ACL on the crypto map. A simple "sh crypto-map" shows me that it's wrong: it finds "permit ip any any" whereas it should be all the meshed LAN descriptions.

Is it a problem with the new IOS, or did I miss something?

PS: using an ACL with network addresses works like a charm, so it's just when I put object-groups in the ACL that it doesn't work.

Giuseppe Larosa Wed, 08/27/2008 - 09:25

Hello Nicolas,

looking at feature description


Known restrictions are:

Restrictions for Object Groups for ACLs

• You can use object groups only in extended and named (not numbered) ACLs.

• Object group-based ACLs support only IPv4 addresses.

• Object group-based ACLs support only Layer 3 interfaces (such as routed interfaces and VLAN interfaces). Object group-based ACLs do not support Layer 2 features such as VLAN ACLs (VACLs) or port ACLs (PACLs).

The feature is new and they declare support only on L3 interfaces.

You could try to open a TAC case to ask for information on the feature road-map.

Hope to help
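
One way to check a configuration for the situation described in this thread, as an added example that is not part of the original posts: the Python script below scans IOS-style configuration text and lists crypto map entries whose "match address" ACL contains object-group ACEs, so those entries can be reviewed or rewritten with explicit network addresses. The configuration, names and addresses are constructed for illustration.

```python
import re

# Constructed sample configuration (not from the original posts).
SAMPLE_CONFIG = """\
object-group network LOCAL-LANS
 10.1.0.0 255.255.0.0
object-group network REMOTE-LANS
 10.2.0.0 255.255.0.0
ip access-list extended VPN-OG
 permit ip object-group LOCAL-LANS object-group REMOTE-LANS
ip access-list extended VPN-PLAIN
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
crypto map VPNMAP 10 ipsec-isakmp
 match address VPN-OG
crypto map VPNMAP 20 ipsec-isakmp
 match address VPN-PLAIN
"""

def parse_blocks(config):
    """Group indented child lines under their top-level parent line."""
    blocks, parent = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # skip blank lines and IOS comment separators
        if line[0] != " ":
            parent = line.strip()
            blocks.setdefault(parent, [])
        elif parent is not None:
            blocks[parent].append(line.strip())
    return blocks

def crypto_acls_using_object_groups(config):
    """Return (crypto map entry, ACL name, ACE) for each object-group ACE in a crypto ACL."""
    blocks = parse_blocks(config)
    acls = {h.split()[-1]: b for h, b in blocks.items() if h.startswith("ip access-list extended ")}
    findings = []
    for head, body in blocks.items():
        if not head.startswith("crypto map "):
            continue
        for child in body:
            m = re.match(r"match address (\S+)$", child)
            for ace in (acls.get(m.group(1), []) if m else []):
                if re.search(r"\bobject-group\b", ace):
                    findings.append((head, m.group(1), ace))
    return findings

if __name__ == "__main__":
    for entry, acl, ace in crypto_acls_using_object_groups(SAMPLE_CONFIG):
        print(f"{entry}: ACL {acl} has object-group ACE: {ace}")
```
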


