12.4(20)T object-group/ACL/crypto map on 3825

Aug 27th, 2008

hi all,

I just upgraded my router to 12.4(20)T because of the new object-group function that I already use on all my PIX.

The bad thing is: it does not seem to work.

I use object-group to define all my LAN networks for my VPNs.

After that I apply an ACL using the object-group => no problem.

The problem appears when I apply the ACL to the crypto map. A simple "sh crypto-map" shows me that it is wrong: it finds "permit ip any any" whereas that should be all mashed LAN description.

Is it a problem with the new IOS or did I miss something?

Regards

Nicolas

PS: when using an ACL with network addresses, it works like a charm, so it is only when I put an object-group in the ACL that it doesn't work.

Farrukh Haroon Wed, 08/27/2008 - 12:05

Can you post the configuration?

The feature was just released, so it could be bug prone also, or maybe this is one of the restrictions/limitations.

Regards

Farrukh

nvanhaute Thu, 08/28/2008 - 00:10

hello,

Maybe related to this: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html

About my config, here is just the part showing how I use object-group:

object-group network clermont
 172.30.80.0 255.255.240.0
 192.168.6.0 255.255.255.0
!
object-group network test-clermont
 172.31.127.0 255.255.255.0
!
crypto map VPN-edu 10 ipsec-isakmp
 set peer xxxxxxxxxxxxx
 set transform-set ESP-AES-256-MD5
 match address crypt-clermont
!
ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont

Regards

Nicolas

Farrukh Haroon Thu, 08/28/2008 - 00:24

Your config seems OK to me. Maybe others can comment.

Regards

Farrukh

Interesting to see that the IOS is using subnet masks now :)
