You are correct.
access-list thorman extended permit ip object-group thorman-local object-group thorman-remote
access-list thorman extended permit ip any4 object-group thorman-remote
The above statements match two rules in one: where ip any4 and object-group thorman.
What you can do if you don't want to apply the new rules: do show access-list and check what number is given by the ASA to these ACLs.
Here is the output from the 'show access-list' command. The problem is still that we cannot ping from 192.168.142.0/24 (Thorman) to 10.20.4.0/24 (Noverton). The confusing thing is I'm seeing a lot of hits against the Thorman ACL but 0 hits against the Noverton ACL.
access-list thorman line 1 extended permit ip 10.20.4.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=173550) 0x6d3eca4e
access-list 126.96.36.199_Noverton line 2 extended permit ip 192.168.142.0 255.255.255.0 10.20.4.0 255.255.255.0 (hitcnt=0) 0x43b23a2a
There are several things I would comment on:
- both access lists for the vpn have a line that permits any to the remote subnet. For Thorman the more specific entry for the local subnet to the remote subnet comes first and has hitcount of 173550 and then the permit any entry has hitcount of 123. So you are trying to send 123 items over the vpn that do not match your real criteria. The same issue exists for Noverton but the order of statements is reversed. So we see hitcount of 55025 for permit any and hitcount of 0 for local subnet to remote subnet. I suggest that you remove both statements that have permit any.
- I see in the config that 192.168.142.0 is the subnet for Noverton. That network also appears as the local network for Beverly and for Sherman. Is that really the case? And if so is it possibly related to the problem?
- I see in the config that the set peer statement in Thorman crypto map has 2 peer addresses. Can you verify which of the peers is active? Could you then switch over to the other peer and see if the behavior changes?
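As an added example (not code from the thread), a small Python script that parses `show access-list` output in the form quoted above and flags the ordering problem described in the reply: an entry with an `any`/`any4` source that is collecting hits, and a more specific local-to-remote entry for the same destination placed after it, which can never be matched. The sample output is constructed from the figures quoted in the thread; the trailing hash values on the added lines are placeholders.

```python
import re
from collections import namedtuple

# Constructed sample 'show access-list' output modelled on the thread; hit counts follow
# the figures quoted in the reply and the trailing hash values are placeholders.
SAMPLE_OUTPUT = """\
access-list thorman line 1 extended permit ip 10.20.4.0 255.255.255.0 192.168.142.0 255.255.255.0 (hitcnt=173550) 0x6d3eca4e
access-list thorman line 2 extended permit ip any4 192.168.142.0 255.255.255.0 (hitcnt=123) 0x00000000
access-list Noverton line 1 extended permit ip any4 10.20.4.0 255.255.255.0 (hitcnt=55025) 0x00000000
access-list Noverton line 2 extended permit ip 192.168.142.0 255.255.255.0 10.20.4.0 255.255.255.0 (hitcnt=0) 0x43b23a2a
"""
ACE_RE = re.compile(r"^access-list (\S+) line (\d+) extended (?:permit|deny) (\S+) (.+?) \(hitcnt=(\d+)\)")
ANY = ("any", "any4", "any6")
Ace = namedtuple("Ace", "acl line proto src dst hits")

def _take_addr(tokens):
    """Consume one address spec: 'any*' is one token, 'host X' and 'net mask' are two."""
    if tokens[0] in ANY:
        return tokens[0], tokens[1:]
    spec = tokens[1] + " 255.255.255.255" if tokens[0] == "host" else tokens[0] + " " + tokens[1]
    return spec, tokens[2:]

def parse_show_access_list(text):
    """Parse ACE lines; headers, remarks and object-group summary lines are skipped."""
    entries = []
    for m in filter(None, (ACE_RE.match(ln.strip()) for ln in text.splitlines())):
        acl, line, proto, rest, hits = m.groups()
        src, rest_tokens = _take_addr(rest.split())
        dst, _ = _take_addr(rest_tokens)
        entries.append(Ace(acl, int(line), proto, src, dst, int(hits)))
    return entries

def find_ordering_problems(entries):
    """Per ACL, report (acl, line, reason, hits): an any-source entry that has hits and any more
    specific entry for the same destination placed after it, which the ASA can never match."""
    by_acl = {}
    for e in entries:
        by_acl.setdefault(e.acl, []).append(e)
    findings = []
    for acl, aces in by_acl.items():
        aces.sort(key=lambda a: a.line)
        for i, e in enumerate(aces):
            if e.src not in ANY:
                continue
            if e.hits:
                findings.append((acl, e.line, "any-source entry has hits", e.hits))
            for later in aces[i + 1:]:
                if later.dst == e.dst and later.src not in ANY and e.proto in ("ip", later.proto):
                    findings.append((acl, later.line, f"shadowed by line {e.line}", later.hits))
    return findings
```

Run against real output, the "shadowed by line N" finding with hitcnt=0 is the signature of the Noverton ACL problem, and the any-source finding shows how much traffic outside the intended local subnet is being pushed into the tunnel.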