Service Object-group not always working

Unanswered Question
Sep 30th, 2009

Hello all,

On Cisco 2821 12.4(24)T1, this service object-group in ACE lines 10 or 20 should be enough to filter IPsec activity.

I had to add lines 30 - 65 to get it working.

Why do lines 30 or 35 see some isakmp packets?

Extended IP access list Acl_Outside
10 permit object-group OGs_VPN any host x.x.x.x (4836797 matches)
20 permit object-group OGs_VPN any host y.y.y.y (208 matches)
30 permit udp any host x.x.x.x eq isakmp (255 matches)
35 permit udp any host y.y.y.y eq isakmp (2 matches)
40 permit udp any host x.x.x.x eq non500-isakmp
45 permit udp any host y.y.y.y eq non500-isakmp
50 permit esp any host x.x.x.x
55 permit esp any host y.y.y.y
60 permit tcp any host x.x.x.x eq 10000 log
65 permit tcp any host y.y.y.y eq 10000 log
70 permit icmp any any (180 matches)
80 deny ip any any log (358 matches)

C2821#sh object-group OGs_VPN
Service object group OGs_VPN
Description ** VPN **
udp eq isakmp
udp eq non500-isakmp
tcp eq 10000
esp

Best regards

Alain

falain Thu, 10/01/2009 - 04:44

Hello Peter,

Thank you again for your quick answer.

I am looking for this document but I can't open your link.

I don't understand all:

This acl is not only done for IPsec and it is not applied in a crypto map

It is just to filter incoming traffic of my vpn gateway.

And almost all the time it works (look at the counters).

I added a log statement in lines 30 & 40 and I get:

list Acl_Outside permitted udp (0) -> (0), 1 packet

And other protocols like ESP and UDP/4500 are correctly detected by the service object-group.

It sounds much more like a bug.

Best regards,

Alain

falain Thu, 10/01/2009 - 04:53

Hello again Peter,

Found the doc at

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html

It specifies:

"You can use object group-based ACLs with quality of service (QoS) match criteria, Cisco IOS Firewall, IPSec, Dynamic Host Configuration Protocol (DHCP), and any other features that use extended ACLs. In addition, you can use object group-based ACLs with multicast traffic"

Maybe not all of it is implemented in my current release?

Best regards

Alain
