IOS 15 - VPN Site to Site ACL's (object-groups)

rgreville666
Level 1

I've been playing with IOS 15 site-to-site VPN configurations and have found a couple of issues; can someone confirm my thinking is correct?

If I configure object-groups (router IOS, not ASA/FWSM/PIX), can I match VPN traffic with them? When I look at the IPsec SA, the SRC and DST are 0.0.0.0/0.

However if I use object-groups in a NAT ACL it works fine. Here are some examples...

VPN

object-group network SITEA
 192.168.1.0 255.255.255.0
!
object-group network SITEB
 192.168.2.0 255.255.255.0
!
ip access-list extended SITEA-SITEB-VPN-ACL
 permit ip object-group SITEA object-group SITEB
!
! a crypto map entry needs a sequence number; 10 used here
crypto map VPNMAP 10 ipsec-isakmp
 match address SITEA-SITEB-VPN-ACL

~Removed unneeded config

With this config I see the following:

ROUTER#sh cry ipsec sa

interface: Dialer1
     Crypto map tag: VPNMAP, local addr X.X.X.X

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

    current_peer X.X.X.X port 500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
     #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 22, #recv errors 0

Clearly this stops all traffic from passing, as it tries to encrypt everything!

However this works...

NAT

object-group network SITEA
 192.168.1.0 255.255.255.0
!
object-group network RFC1918
 ! 255.255.0.0 so the whole 192.168.0.0/16 RFC 1918 block is covered (was 255.255.255.0)
 192.168.0.0 255.255.0.0
 172.16.0.0 255.240.0.0
 10.0.0.0 255.0.0.0
!
ip access-list extended NAT-ACL
 deny ip object-group SITEA object-group RFC1918
 permit ip object-group SITEA any
!
ip nat inside source list NAT-ACL interface XXXX overload
!

I love object-groups as they really simplify configurations, but am I right in thinking they can't be used with crypto map ACLs?

Any help would be greatly appreciated.

Grev
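Since the crypto map only honours conventional network/wildcard ACEs, one practical workaround is to keep the object-groups as the source of truth and generate the expanded crypto ACL from them. The script below is an added example, not from the post or from Cisco: it parses the object-group and ACL syntax shown above (a constructed SITEA/SITEB config, with an extra "host" member to show that case) and emits one conventional ACE per source/destination pair, converting netmasks to the wildcard masks IOS ACLs expect.

```python
import re
from itertools import product

# Constructed sample config mirroring the post's SITEA/SITEB object-groups (not the poster's).
CONFIG = """
object-group network SITEA
 192.168.1.0 255.255.255.0
!
object-group network SITEB
 192.168.2.0 255.255.255.0
 host 10.9.9.9
!
ip access-list extended SITEA-SITEB-VPN-ACL
 permit ip object-group SITEA object-group SITEB
!
"""

def mask_to_wildcard(mask: str) -> str:
    """255.255.255.0 -> 0.0.0.255: crypto ACLs take wildcard masks, not netmasks."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))

def parse_object_groups(config: str) -> dict:
    """Map each object-group name to its members as ACL tokens ('net wild' or 'host a.b.c.d')."""
    groups, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        match = re.match(r"object-group network (\S+)$", line)
        if match:
            current = groups.setdefault(match.group(1), [])
        elif line in ("", "!"):
            current = None          # '!' ends the object-group block
        elif current is not None:
            addr, mask = line.split()
            current.append(line if addr == "host" else f"{addr} {mask_to_wildcard(mask)}")
    return groups

def expand_acl(config: str, acl_name: str) -> list:
    """Rewrite each ACE of acl_name with every 'object-group NAME' replaced by its members."""
    groups, aces, in_acl = parse_object_groups(config), [], False
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == acl_name
        elif in_acl and line.startswith(("permit ", "deny ")):
            tokens, slots = line.split(), []
            while tokens:
                tok = tokens.pop(0)
                # an object-group reference becomes a slot with one alternative per member
                slots.append(groups[tokens.pop(0)] if tok == "object-group" else [tok])
            aces.extend(" ".join(combo) for combo in product(*slots))
    return aces
```

Paste the returned lines into a plain extended ACL and point "match address" at that instead; the ipsec SA should then show the real local/remote identities rather than 0.0.0.0/0.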

4 Replies

Does anyone know whether there are any plans to implement this feature? Maybe some new releases have it? Didn't find it in CFN.

Do not use object-groups in IPsec permit statements. You will notice immediately after applying object-groups to your IPsec ACL that you will no longer be able to access the outside interface using SSH or other methods. Also, the tunnel will become unstable or have moments of instability. I recommend using the conventional IP address to IP address standard or extended ACLs.
Anu M Chacko
Cisco Employee

This is being tracked by the enhancement request CSCsq33560.
