12.4(20)T object-group/ACL/crypto map on 3825

Unanswered Question
Aug 27th, 2008

hi all,

I just upgraded my router to 12.4(20)T because of the new object-group function that I already use on all my PIX.

Bad thing is: it doesn't seem to work.

I use object-group to define all my LAN networks for my VPNs.

After that I apply an ACL using the object-group => no problem

The problem appears when I apply the ACL on the crypto-map. A simple "sh crypto-map" shows me that it's wrong: it finds "permit ip any any" whereas that should be all mashed lan description.

Is it a problem with the new IOS or did I miss something?

PS: using an ACL with network addresses works like a charm, so it's only when I put an object-group in the ACL that it doesn't work.

Farrukh Haroon Wed, 08/27/2008 - 12:05

Can you post the configuration?

The feature was just released, so it could be bug prone also, or maybe this is one of the restrictions/limitations.



nvanhaute Thu, 08/28/2008 - 00:10


Maybe related to this: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html

About my config, here is just a part of it showing how I use object-group:

object-group network clermont

object-group network test-clermont

crypto map VPN-edu 10 ipsec-isakmp
 set peer xxxxxxxxxxxxx
 set transform-set ESP-AES-256-MD5
 match address crypt-clermont

ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont



Farrukh Haroon Thu, 08/28/2008 - 00:24

Your config seems OK to me. Maybe others can comment.

Interesting to see that the IOS is using subnet masks now :)
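
The workaround mentioned in the first post (a crypto ACL written with network addresses instead of object-groups) can be generated from the object-group definitions, converting their subnet masks to the wildcard masks an extended ACL expects. The following is an added example, not code from the thread or from Cisco. The entries inside the object-groups are constructed (the thread does not show them), and the parser assumes only `host A.B.C.D` and `network subnet-mask` entries.

```python
import ipaddress
import re

# Constructed sample: the thread's config with made-up RFC 1918 entries
# placed in the object-groups (the original entries are not on the page).
SAMPLE_CONFIG = """\
object-group network clermont
 10.63.0.0 255.255.0.0
 host 10.64.1.5
object-group network test-clermont
 192.168.10.0 255.255.255.0
ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont
"""

def parse_groups(config):
    """Return {group name: [ACL address spec, ...]} using wildcard masks."""
    groups, current = {}, None
    for line in config.splitlines():
        head = re.match(r"object-group network (\S+)", line)
        if head:
            current = groups.setdefault(head.group(1), [])
        elif not line.startswith(" "):
            current = None              # left the object-group sub-mode
        elif current is not None and line.strip():
            words = line.split()
            if words[0] == "host":
                current.append("host " + words[1])
            else:                       # "<network> <subnet mask>"
                # strict parsing: raises ValueError if host bits are set
                net = ipaddress.ip_network("/".join(words[:2]))
                current.append(f"{net.network_address} {net.hostmask}")
    return groups

def expand_acl(config):
    """Rewrite object-group ACEs as explicit source/destination ACEs."""
    groups, out = parse_groups(config), []
    ace = re.compile(r"( (?:permit|deny) \S+) object-group (\S+) object-group (\S+)$")
    for line in config.splitlines():
        if line.startswith("ip access-list "):
            out.append(line)
        m = ace.match(line)
        if m:                           # one ACE per source/destination pair
            out += [f"{m.group(1)} {s} {d}"
                    for s in groups[m.group(2)] for d in groups[m.group(3)]]
    return out

if __name__ == "__main__":
    print("\n".join(expand_acl(SAMPLE_CONFIG)))
```

Each expanded entry names a specific source and destination, so the crypto map's match list can be compared line by line against the intended LAN pairs instead of showing "permit ip any any".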

