08-27-2008 04:59 AM - edited 02-20-2020 09:40 PM
hi all,
I just upgraded my router to 12.4(20)T because of the new object-group function that I already use on all my PIXes.
Bad thing is: it doesn't seem to work.
I use object-groups to define all my LAN networks for my VPNs.
After that I apply an ACL using the object-group => no problem.
The problem appears when I apply the ACL on the crypto map. A simple "sh crypto map" shows me that it's wrong: it finds "permit ip any any" whereas it should be the full LAN description.
Is it a problem with the new IOS, or did I miss something?
Regards
Nicolas
PS: using an ACL with network addresses works like a charm, so it's only when I put an object-group in the ACL that it doesn't work.
08-27-2008 12:05 PM
Can you post the configuration?
The feature was just released, so it could be bug-prone as well, or maybe this is one of the restrictions/limitations.
Regards
Farrukh
08-28-2008 12:10 AM
hello,
Maybe related to that: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html
About my config, here is just the part of it showing how I use object-groups:
object-group network clermont
 172.30.80.0 255.255.240.0
 192.168.6.0 255.255.255.0
!
object-group network test-clermont
 172.31.127.0 255.255.255.0
!
crypto map VPN-edu 10 ipsec-isakmp
 set peer xxxxxxxxxxxxx
 set transform-set ESP-AES-256-MD5
 match address crypt-clermont
!
ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont
Regards
Nicolas
08-28-2008 12:24 AM
Your config seems OK to me. Maybe others can comment.
Regards
Farrukh
Interesting to see that IOS is using subnet masks now :)
11-19-2008 02:31 AM
Right now the object groups are not supported with IPSec.
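Given the reply above that object-groups are not supported as a crypto map match address, the practical workaround is to keep the object-groups as the source of truth and generate a plain ACL from them for the crypto map to reference. The script below is an added example, not from the thread, from Cisco or from IOS itself: it parses object-group network definitions and an object-group ACL from a constructed sample config (modelled on the one posted, with a documentation-range placeholder peer), expands every source/destination pair into a classic ACE, and converts the subnet masks that object-groups take into the wildcard masks that classic ACEs expect (the difference Farrukh noted above). The ACL name crypt-clermont-expanded and the helper names are assumptions; ACEs with port operators are outside its scope.

```python
"""Expand an IOS object-group ACL into plain ACEs usable as a crypto map
match address list.  Added example; not from the thread or from Cisco."""
import ipaddress
import re

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """\
object-group network clermont
 172.30.80.0 255.255.240.0
 192.168.6.0 255.255.255.0
!
object-group network test-clermont
 172.31.127.0 255.255.255.0
!
crypto map VPN-edu 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set ESP-AES-256-MD5
 match address crypt-clermont
!
ip access-list extended crypt-clermont
 permit ip object-group test-clermont object-group clermont
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def parse_config(config):
    """Return ({group: [member tokens]}, {acl: [ACE tokens]}) from IOS text."""
    groups, acls = {}, {}
    target = None  # list currently being filled, or None outside a section
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"object-group network (\S+)$", line)
        if m:
            target = groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"ip access-list extended (\S+)$", line)
        if m:
            target = acls.setdefault(m.group(1), [])
            continue
        if not line or line == "!" or target is None:
            target = None
            continue
        parts = line.split()
        if parts[0] == "remark":
            continue
        if parts[0] in ("permit", "deny", "host", "group-object") or re.match(IPV4, parts[0]):
            target.append(parts)
        else:
            target = None  # some other top-level command (crypto map, etc.)
    return groups, acls


def resolve_group(name, groups, seen=()):
    """Flatten an object-group (following group-object nesting) to networks."""
    if name in seen:
        raise ValueError(f"object-group nesting loop at {name}")
    nets = []
    for parts in groups[name]:
        if parts[0] == "host":
            nets.append(ipaddress.ip_network(parts[1]))
        elif parts[0] == "group-object":
            nets.extend(resolve_group(parts[1], groups, seen + (name,)))
        else:  # "A.B.C.D M.M.M.M": object-groups take a subnet mask, not a wildcard
            nets.append(ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False))
    return nets


def parse_address(tokens, groups):
    """Consume one ACE address field; return (networks, tokens consumed)."""
    if tokens[0] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], 1
    if tokens[0] == "host":
        return [ipaddress.ip_network(tokens[1])], 2
    if tokens[0] == "object-group":
        return resolve_group(tokens[1], groups), 2
    # Plain "A.B.C.D W.W.W.W": classic ACE with a wildcard (inverse) mask.
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    if wildcard & (wildcard + 1):
        raise ValueError("non-contiguous wildcard mask not supported")
    prefix = 32 - wildcard.bit_length()
    return [ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False)], 2


def ace_text(net):
    """Render a network in classic ACE form: address plus wildcard mask."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def expand_acl(config, acl_name):
    """Return the ACL as plain permit/deny lines, one per (src, dst) pair."""
    groups, acls = parse_config(config)
    lines = []
    for parts in acls[acl_name]:
        action, proto, rest = parts[0], parts[1], parts[2:]
        srcs, n = parse_address(rest, groups)
        dsts, m = parse_address(rest[n:], groups)
        trailer = " ".join(rest[n + m:])  # e.g. "log", carried through as-is
        for s in srcs:
            for d in dsts:
                ace = f"{action} {proto} {ace_text(s)} {ace_text(d)}"
                lines.append(ace + (" " + trailer if trailer else ""))
    return lines


def render(acl_name, lines):
    """Emit a ready-to-paste named ACL (acl_name is the caller's choice)."""
    return "\n".join([f"ip access-list extended {acl_name}"] + [" " + l for l in lines])


if __name__ == "__main__":
    print(render("crypt-clermont-expanded", expand_acl(SAMPLE_CONFIG, "crypt-clermont")))
```

Paste the generated ACL onto the router and point the crypto map's match address at it instead of at the object-group ACL; re-run the script whenever a group changes. The expanded list has one ACE per source/destination pair, so large groups on both sides multiply quickly, and each ACE becomes its own IPsec SA on the peer, which is worth checking against the peer's own crypto ACL.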