Service Object-group not always working

falain
Level 1

Hello all,

On a Cisco 2821 running 12.4(24)T1, this service object-group in ACE lines 10 or 20 should be enough to filter IPsec activity.

I had to add lines 30 - 65 to get it working.

Why do lines 30 or 35 see some isakmp packets?

Extended IP access list Acl_Outside
    10 permit object-group OGs_VPN any host x.x.x.x (4836797 matches)
    20 permit object-group OGs_VPN any host y.y.y.y (208 matches)
    30 permit udp any host x.x.x.x eq isakmp (255 matches)
    35 permit udp any host y.y.y.y eq isakmp (2 matches)
    40 permit udp any host x.x.x.x eq non500-isakmp
    45 permit udp any host y.y.y.y eq non500-isakmp
    50 permit esp any host x.x.x.x
    55 permit esp any host y.y.y.y
    60 permit tcp any host x.x.x.x eq 10000 log
    65 permit tcp any host y.y.y.y eq 10000 log
    70 permit icmp any any (180 matches)
    80 deny ip any any log (358 matches)

C2821#sh object-group OGs_VPN
Service object group OGs_VPN
 Description ** VPN **
 udp eq isakmp
 udp eq non500-isakmp
 tcp eq 10000
 esp

Best regards

Alain
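As an added example (not from the thread or from Cisco), here is a small Python script that parses the ACL output above, expands the service object-group, and flags ACEs that an earlier object-group ACE should already cover yet still show matches; on the posted counters it points at lines 30 and 35, the isakmp packets Alain asks about. The ACL text, the group contents and the helper functions are constructed for this example.

```python
import re
from collections import namedtuple
# Constructed input: the ACL and the service object-group as posted above.
ACL_TEXT = """\
10 permit object-group OGs_VPN any host x.x.x.x (4836797 matches)
20 permit object-group OGs_VPN any host y.y.y.y (208 matches)
30 permit udp any host x.x.x.x eq isakmp (255 matches)
35 permit udp any host y.y.y.y eq isakmp (2 matches)
40 permit udp any host x.x.x.x eq non500-isakmp
45 permit udp any host y.y.y.y eq non500-isakmp
50 permit esp any host x.x.x.x
55 permit esp any host y.y.y.y
60 permit tcp any host x.x.x.x eq 10000 log
65 permit tcp any host y.y.y.y eq 10000 log
70 permit icmp any any (180 matches)
80 deny ip any any log (358 matches)
"""
# Group members as (protocol, port); None means no port qualifier (e.g. esp).
GROUPS = {"OGs_VPN": {("udp", "isakmp"), ("udp", "non500-isakmp"), ("tcp", "10000"), ("esp", None)}}
Ace = namedtuple("Ace", "seq action services endpoints hits")
# seq, action, body (without the trailing 'log', which does not affect matching), hit count
ACE_RE = re.compile(r"^(\d+) (permit|deny) (.+?)(?: log)?(?: \((\d+) matches\))?$")

def parse_ace(line):
    seq, action, body, hits = ACE_RE.match(line.strip()).groups()
    tokens = body.split()
    if tokens[0] == "object-group":  # expand the service group into explicit services
        services, rest = GROUPS[tokens[1]], tokens[2:]
    else:  # plain ACE: 'eq <port>' follows the source/destination pair
        rest, port = tokens[1:], None
        if "eq" in rest:
            i = rest.index("eq"); port, rest = rest[i + 1], rest[:i]
        services = {(tokens[0], port)}
    return Ace(int(seq), action, frozenset(services), " ".join(rest), int(hits or 0))

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def shadowed(aces):
    # (later, earlier) pairs where the earlier ACE already covers the later one
    out = []
    for i, later in enumerate(aces):
        for earlier in aces[:i]:
            if (earlier.action == later.action and earlier.endpoints == later.endpoints
                    and later.services <= earlier.services):
                out.append((later, earlier)); break
    return out

def unexpected_hits(aces):
    # Shadowed ACEs that still count packets: the covering object-group ACE did not match them
    return [(b, a) for b, a in shadowed(aces) if b.hits > 0]
```

Any pair reported by unexpected_hits is a packet the object-group ACE should have permitted but did not, which is the symptom worth raising with TAC together with the IOS release.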

3 Replies

Peter Paluch
Cisco Employee

Hello Alain,

According to the document

http://www.cisco.com/en/US/partner/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html#wp1058359

the object group-based ACLs are not supported with IPsec.

Best regards,

Peter

Hello Peter,

Thank you again for your quick answer.

I am looking for this document but I can't open your link.

I don't understand it all:

This ACL is not only meant for IPsec, and it is not applied in a crypto map.

It is just to filter incoming traffic to my VPN gateway.

And it works almost all the time (look at the counters).

I added a log statement on lines 30 & 40 and I get:

list Acl_Outside permitted udp (0) -> (0), 1 packet

and other protocols like ESP and UDP/4500 are correctly detected in the service object-group.

It sounds much more like a bug.

Best regards,

Alain

Hello again Peter,

I found the doc at

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_object_group_acl.html

It specifies:

"You can use object group-based ACLs with quality of service (QoS) match criteria, Cisco IOS Firewall, IPSec, Dynamic Host Configuration Protocol (DHCP), and any other features that use extended ACLs. In addition, you can use object group-based ACLs with multicast traffic"

Maybe not all of it is implemented in my current release?

Best regards

Alain
