
12.4(20)T object-group/ACL/crypto map on 3825

nvanhaute
Level 1

Hi all,

I just upgraded my router to 12.4(20)T because of the new object-group function that I already use on all my PIX.

Bad thing is: it seems not to work.

I use object-group to define all my LAN networks for my VPNs.

After that I apply an ACL using object-group => no problem.

The problem appears when I apply the ACL on a crypto map. A simple "sh crypto-map" shows me that it's wrong: it finds "permit ip any any" whereas that should be all mashed LAN description.

Is it a problem in the new IOS, or did I miss something?

Regards

Nicolas

PS: using an ACL with network addresses, that works like a charm, so it's just when I put object-group in the ACL that it doesn't work.

Farrukh Haroon
VIP Alumni

Can you post the configuration?

The feature was just released, so it could be bug prone also, or maybe this is one of the restrictions/limitations.

Regards

Farrukh

Hello,

Maybe related to this: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html

About my config, here is just the part of it showing how I use object-group:

object-group network clermont
 172.30.80.0 255.255.240.0
 192.168.6.0 255.255.255.0
!
object-group network test-clermont
 172.31.127.0 255.255.255.0
!
crypto map VPN-edu 10 ipsec-isakmp
 set peer xxxxxxxxxxxxx
 set transform-set ESP-AES-256-MD5
 match address crypt-clermont
!
ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont

Regards

Nicolas

Your config seems OK to me. Maybe others can comment.

Regards

Farrukh

Interesting to see that the IOS is using subnet masks now :)

Right now the object groups are not supported with IPSec.
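
The original poster reports that the same crypto ACL works when it is written with network addresses instead of object-groups. As an added example (not part of the thread and not Cisco's code), this Python script expands the posted object-group ACE into explicit ACEs with wildcard masks for use as the crypto ACL; the function names are hypothetical, the sample input is the configuration posted above, and only `address mask` group members are handled.

```python
import ipaddress
import re
# Constructed sample: the object-groups and crypto ACL posted in the thread.
SAMPLE_CONFIG = """\
object-group network clermont
 172.30.80.0 255.255.240.0
 192.168.6.0 255.255.255.0
!
object-group network test-clermont
 172.31.127.0 255.255.255.0
!
ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont
"""

def parse_object_groups(config):
    """Return {group name: [IPv4Network, ...]} for 'object-group network' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif current is not None and re.match(r"\s+\d", line):
            addr, mask = line.split()[:2]
            current.append(ipaddress.ip_network(f"{addr}/{mask}"))
        else:
            current = None  # any other line ends the group block
    return groups

def expand_acl(config, acl_name):
    """Rewrite object-group ACEs of one extended ACL as explicit wildcard-mask ACEs."""
    groups = parse_object_groups(config)
    out, in_acl = [f"ip access-list extended {acl_name}"], False
    for line in config.splitlines():
        if not line.startswith(" "):
            in_acl = line.strip() == f"ip access-list extended {acl_name}"
            continue
        m = re.match(r"\s+(permit|deny) ip object-group (\S+) object-group (\S+)", line)
        if in_acl and m:
            action, src, dst = m.groups()
            for s in groups[src]:      # one ACE per source/destination pair
                for d in groups[dst]:
                    out.append(f" {action} ip {s.network_address} {s.hostmask} {d.network_address} {d.hostmask}")
        elif in_acl:
            out.append(line.rstrip())  # ACE without object-groups: keep as is
    return out

if __name__ == "__main__":
    print("\n".join(expand_acl(SAMPLE_CONFIG, "crypt-clermont")))
```

Comparing the generated ACEs with what "sh crypto-map" reports shows whether the tunnel's traffic selectors match the intended networks rather than "permit ip any any".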
