Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Defining interesting traffic with network Object-Groups


I'm configuring a site to site VPN with  Cisco 881 and Asa 5510. To define hots that involve Interesting traffic on Cisco 881 I've created network object-groups.

I also created an inbound access list to accept management and monitoring (ssh, icmp) traffic towards Cisco 881 wan interface from a management host that is not involved on the interesting traffic.

When I use network object groups management traffic is not allowed but if I stop using object groups and set host by host on the interesting traffic access-list for the VPN , the management traffic is allowed.

I seems like working with object groups and VPNs makes acls not to work properly. I don't have this problem when using object groups for acls that are not associated to interesting traffic on a VPN. Is there a way to solve this problem ? Its more neat to use network object groups on acl config.


CreatePlease to create content