Hello all,On Cisco 2821 12.4(24)T1, this service Object-group in ACE lines 10 or 20 should be enough to filter IPsec activity
I had to add lines 30 - 65 to get it working.
Why line 30 or 35 see some isakmp packets ?
Extended IP access list Acl_Outside
10 permit object-group OGs_VPN any host x.x.x.x (4836797 matches)
20 permit object-group OGs_VPN any host y.y.y.y (208 matches)
30 permit udp any host x.x.x.x eq isakmp (255 matches)
35 permit udp any host y.y.y.y eq isakmp (2 matches)
40 permit udp any host x.x.x.x eq non500-isakmp
45 permit udp any host y.y.y.y eq non500-isakmp
50 permit esp any host x.x.x.x
55 permit esp any host y.y.y.y
60 permit tcp any host x.x.x.x eq 10000 log
65 permit tcp any host y.y.y.y eq 10000 log
70 permit icmp any any (180 matches)
80 deny ip any any log (358 matches)
C2821#sh object-group OGs_VPN
Service object group OGs_VPN
Description ** VPN **
udp eq isakmp
udp eq non500-isakmp
tcp eq 10000
According to the document
the object group-based ACLs are not supported with IPsec.
Thank you again for your quick answer.
I am looking for this document but I can't open your link.
I don't understand all:
This acl is not only done for IPsec and it is not applied in a crypto map
It is just to filter incoming traffic of my vpn gateway.
And almost any time it works (look at counters)
I added a log statement in lines 30 & 40 and I get :
list Acl_Outside permitted udp
and other protocols like esp, udp/4500 are correctly detected in service Object-group
It sounds much more like a bug.
Hello again Peter,
found doc at
it specifies :
"You can use object group-based ACLs with quality of service (QoS) match criteria, Cisco IOS Firewall, IPSec, Dynamic Host Configuration Protocol (DHCP), and any other features that use extended ACLs. In addition, you can use object group-based ACLs with multicast traffic"
May be all not implemented in my current release ?