08-27-2008 04:59 AM - edited 02-20-2020 09:40 PM
hi all,
I just upgraded my router to 12.4(20)T because of the new object-group function that I already use on all my PIX.
Bad thing is: it seems not to work.
I use object-group to define all my LAN networks for my VPNs
After that I apply ACL in using object-group => no problem
The problem appears when I apply the ACL on the crypto map. A simple "sh crypto-map" shows me that it's false: it finds "permit ip any any" whereas that should be all the matched LAN descriptions.
Is it a problem with the new IOS, or did I miss something?
Regards
Nicolas
PS: when using an ACL with network addresses, that works like a charm; it's just when I put object-groups in the ACL that it doesn't work.
08-27-2008 12:05 PM
Can you post the configuration?
The feature was just released, so it could be bug prone also, or maybe this is one of the restrictions/limitations.
Regards
Farrukh
08-28-2008 12:10 AM
hello,
maybe related to that : http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html
About my config, just the part of it showing how I use object-groups:
object-group network clermont
 172.30.80.0 255.255.240.0
 192.168.6.0 255.255.255.0
!
object-group network test-clermont
 172.31.127.0 255.255.255.0
!
crypto map VPN-edu 10 ipsec-isakmp
 set peer xxxxxxxxxxxxx
 set transform-set ESP-AES-256-MD5
 match address crypt-clermont
!
ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont
Regards
Nicolas
08-28-2008 12:24 AM
Your config seems OK to me. Maybe others can comment.
Regards
Farrukh
Interesting to see that the IOS is using subnet masks now :)
11-19-2008 02:31 AM
Right now the object groups are not supported with IPSec.
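Since object-groups cannot be used in a crypto ACL, the practical workaround is to write the crypto ACL with explicit network entries (which, as noted above, work). The following script is an added example, not from this thread or from Cisco: it parses the object-group and ACL lines posted above (embedded as a constructed sample), converts each member's subnet mask to the wildcard mask that extended ACLs expect, and prints the expanded ACEs so you can verify the crypto map matches the intended LANs instead of "permit ip any any". Only plain network/mask members and "permit ip object-group A object-group B" lines are handled; other ACE forms are assumed out of scope.

```python
import ipaddress
import re

# Constructed sample: the object-groups and crypto ACL from the thread above.
SAMPLE_CONFIG = """\
object-group network clermont
 172.30.80.0 255.255.240.0
 192.168.6.0 255.255.255.0
!
object-group network test-clermont
 172.31.127.0 255.255.255.0
!
ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont
"""

def parse_object_groups(config):
    """Return {group_name: [IPv4Network, ...]} from 'object-group network' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object-group network (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s+(\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$", line)
        if m and current is not None:
            # object-group members use a subnet mask, not an ACL wildcard mask
            current.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif not line.startswith(" "):
            current = None  # '!' or any other top-level line ends the group
    return groups

def wildcard(net):
    """Render a network as 'address wildcard', the form IOS extended ACLs use."""
    return f"{net.network_address} {net.hostmask}"

def expand_acl(config, acl_name):
    """Expand 'permit/deny ip object-group A object-group B' lines of acl_name into explicit ACEs."""
    groups, aces, in_acl = parse_object_groups(config), [], False
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == acl_name
            continue
        m = re.match(r"\s+(permit|deny) ip object-group (\S+) object-group (\S+)", line)
        if in_acl and m:
            action, src, dst = m.groups()
            # one ACE per (source network, destination network) pair
            aces += [f"{action} ip {wildcard(s)} {wildcard(d)}" for s in groups[src] for d in groups[dst]]
    return aces

if __name__ == "__main__":
    print(f"ip access-list extended crypt-clermont-expanded")
    for ace in expand_acl(SAMPLE_CONFIG, "crypt-clermont"):
        print(" " + ace)
```

After applying the expanded ACL to the crypto map, re-run "sh crypto map" and confirm the listed entries are the expanded networks rather than "permit ip any any".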