https://community.cisco.com/t5/network-security/ipsec-object-group/m-p/1981829#M440795 <HTML><HEAD></HEAD><BODY><P>If you need to add one more IP to the object group for the crypto ACL, you would need to add the same on the remote VPN peer as crypto ACL needs to mirror image between the 2 sites.</P><P></P><P>Once changes has been done, you would need to clear the tunnel as the SA for the new IP will only be built during the negotiation.</P></BODY></HTML> Fri, 15 Jun 2012 13:25:57 GMT Jennifer Halim 2012-06-15T13:25:57Z https://community.cisco.com/t5/network-security/ipsec-object-group/m-p/1981828#M440794 <P>Hello and thank you in advance</P><P></P><P></P><P>I have a ipsec tunnel setup with the use of object groups. This ipsec tunnel is active and in production.&nbsp; If I need to add one more IP to that object group will I need to do anything for it to take effect or that will be done automatically?</P><P></P><P></P><P>Sorry for a stupid question.</P> Mon, 11 Mar 2019 23:19:50 GMT https://community.cisco.com/t5/network-security/ipsec-object-group/m-p/1981828#M440794 vburshteyn 2019-03-11T23:19:50Z https://community.cisco.com/t5/network-security/ipsec-object-group/m-p/1981829#M440795 <HTML><HEAD></HEAD><BODY><P>If you need to add one more IP to the object group for the crypto ACL, you would need to add the same on the remote VPN peer as crypto ACL needs to mirror image between the 2 sites.</P><P></P><P>Once changes has been done, you would need to clear the tunnel as the SA for the new IP will only be built during the negotiation.</P></BODY></HTML> Fri, 15 Jun 2012 13:25:57 GMT https://community.cisco.com/t5/network-security/ipsec-object-group/m-p/1981829#M440795 Jennifer Halim 2012-06-15T13:25:57Z https://community.cisco.com/t5/network-security/ipsec-object-group/m-p/1981830#M440796 <HTML><HEAD></HEAD><BODY><P>Thank you for responce.</P><P></P><P>Just to double check (sorry I am a server tech not cisco)</P><P></P><P>add the IP to that object-group on both ends</P><P></P><P>then </P><P>clear ipsec sa peer x.x.x.x </P><P></P><P>and that should be it?&nbsp; No need to touch NAT?</P></BODY></HTML> Fri, 15 Jun 2012 13:40:49 GMT https://community.cisco.com/t5/network-security/ipsec-object-group/m-p/1981830#M440796 vburshteyn 2012-06-15T13:40:49Z https://community.cisco.com/t5/network-security/ipsec-object-group/m-p/1981831#M440797 <HTML><HEAD></HEAD><BODY><P>Ahh, you got me, yes, you would also need to add that IP to the NONAT (NAT exemption) ACL if you have one configured.</P><P></P><P>So, it should be:</P><P>1) Add IP to both ends of crypto ACL</P><P>2) Add IP to NAT exemption on both end</P><P>3) Clear tunnel</P></BODY></HTML> Fri, 15 Jun 2012 13:44:27 GMT https://community.cisco.com/t5/network-security/ipsec-object-group/m-p/1981831#M440797 Jennifer Halim 2012-06-15T13:44:27Z