12.4(20)T object-group/ACL/crypto map on 3825

Unanswered Question
Aug 27th, 2008

hi all,


I just upgraded my router to 12.4(20)T because of the new object-group function that I already use on all my PIXs.


Bad thing is: it does not seem to work.


I use object-group to define all my LAN networks for my VPNs

After that I apply an ACL using the object-group => no problem.


The problem appears when I apply the ACL on the crypto map. A simple "sh crypto-map" shows me that it's wrong: it shows "permit ip any any" whereas it should show all the LAN networks.


Is it a problem with the new IOS, or have I missed something?


Regards


Nicolas


PS: using the ACL with network addresses works like a charm, so it is only when I put an object-group in the ACL that it doesn't work.

Farrukh Haroon Wed, 08/27/2008 - 12:05

Can you post the configuration?


The feature was just released, so it could be bug prone also, or maybe this is one of the restrictions/limitations.


Regards


Farrukh

nvanhaute Thu, 08/28/2008 - 00:10

hello,


maybe related to that : http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html


about my config, just a part of it on how I use object-group :


object-group network clermont
 172.30.80.0 255.255.240.0
 192.168.6.0 255.255.255.0
!
object-group network test-clermont
 172.31.127.0 255.255.255.0
!
crypto map VPN-edu 10 ipsec-isakmp
 set peer xxxxxxxxxxxxx
 set transform-set ESP-AES-256-MD5
 match address crypt-clermont
!
ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont



Regards


Nicolas
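As an added example (not from the thread, and not Cisco's code), the script below expands an object-group based ACL like the one above into its explicit network pairs, rendered in the address/wildcard form of an extended ACL, so the proxy identities one expects the crypto map to derive can be compared against the lines copied out of `show crypto map`. It assumes standard one-space IOS indentation, handles `host`, network/mask and nested `group-object` entries, and only `permit`/`deny ip` ACEs; the sample configuration and the observed line are constructed, modelled on the configuration quoted in the post.

```python
import ipaddress
import re
from itertools import product

# Constructed sample, modelled on the configuration quoted in the thread (one host entry added).
SAMPLE_CONFIG = """\
object-group network clermont
 172.30.80.0 255.255.240.0
 192.168.6.0 255.255.255.0
!
object-group network test-clermont
 172.31.127.0 255.255.255.0
 host 172.31.200.10
!
ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont
 permit ip host 10.0.0.1 172.30.80.0 0.0.15.255
"""

# Constructed stand-in for the proxy-identity line the thread reports seeing in 'show crypto map'.
OBSERVED_PROXY_IDS = ["permit ip any any"]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'address wildcard' pair into a network; rejects non-contiguous wildcards."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(netmask).count("1")
    if netmask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def network_to_wildcard(net: ipaddress.IPv4Network) -> str:
    """Render a network the way an extended ACL shows it: address followed by wildcard mask."""
    return f"{net.network_address} {net.hostmask}"


def parse_object_groups(config: str) -> dict:
    """Collect 'object-group network' blocks; entries are networks or names of nested groups."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^object-group network (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if not raw.startswith(" "):      # any other top-level command ends the group block
            current = None
            continue
        if current is None:
            continue
        tok = line.split()
        if tok[0] == "host":
            groups[current].append(ipaddress.ip_network(f"{tok[1]}/32"))
        elif tok[0] == "group-object":
            groups[current].append(tok[1])   # nested group, resolved by name later
        else:                               # 'network netmask' form (ipaddress accepts a dotted mask)
            groups[current].append(ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False))
    return groups


def resolve_group(name: str, groups: dict, seen: tuple = ()) -> list:
    """Flatten a group, following nested group-object references and refusing loops."""
    if name in seen:
        raise ValueError(f"group-object loop via {name}")
    nets = []
    for item in groups[name]:
        nets.extend(resolve_group(item, groups, seen + (name,)) if isinstance(item, str) else [item])
    return nets


def _parse_endpoint(tok: list, i: int, groups: dict) -> tuple:
    """Parse one source/destination spec starting at tok[i]; returns (networks, next index)."""
    if tok[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if tok[i] == "host":
        return [ipaddress.ip_network(f"{tok[i + 1]}/32")], i + 2
    if tok[i] == "object-group":
        return resolve_group(tok[i + 1], groups), i + 2
    return [wildcard_to_network(tok[i], tok[i + 1])], i + 2


def expand_ace(tok: list, groups: dict) -> list:
    """Expand one 'permit|deny ip SRC DST' ACE into explicit address/wildcard pairs."""
    srcs, i = _parse_endpoint(tok, 2, groups)
    dsts, _ = _parse_endpoint(tok, i, groups)
    return [f"{tok[0]} {tok[1]} {network_to_wildcard(s)} {network_to_wildcard(d)}"
            for s, d in product(srcs, dsts)]


def expand_acl(config: str, acl_name: str) -> list:
    """Return the explicit ACEs a crypto map should derive from the named extended ACL."""
    groups, in_acl, expanded = parse_object_groups(config), False, []
    for raw in config.splitlines():
        line = raw.strip()
        if line == f"ip access-list extended {acl_name}":
            in_acl = True
            continue
        if in_acl and line and not raw.startswith(" "):
            break                           # next top-level command ends the ACL
        if in_acl and line:
            tok = line.split()
            if tok[0] in ("permit", "deny") and tok[1] == "ip":
                expanded.extend(expand_ace(tok, groups))
    return expanded


def compare_proxy_ids(expected: list, observed: list) -> tuple:
    """Normalise observed 'show' lines (e.g. 'any') and report (missing, unexpected) entries."""
    seen = {e for line in observed for e in expand_ace(line.split(), {})}
    return sorted(set(expected) - seen), sorted(seen - set(expected))


if __name__ == "__main__":
    expected = expand_acl(SAMPLE_CONFIG, "crypt-clermont")
    missing, unexpected = compare_proxy_ids(expected, OBSERVED_PROXY_IDS)
    print("expected:", *expected, sep="\n  ")
    print("missing from device:", *missing, sep="\n  ")
    print("unexpected on device:", *unexpected, sep="\n  ")
```

A crypto map whose proxy identity collapses to `permit ip any any` while the expected list is a handful of specific LAN pairs is exactly the mismatch the script surfaces; running it after every ACL or object-group change gives a quick check that the tunnel's traffic selector is as narrow as intended.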



Farrukh Haroon Thu, 08/28/2008 - 00:24

Your config seems OK to me. Maybe others can comment.


Regards


Farrukh


Interesting to see that the IOS is using subnet masks now :)
