03-20-2013 09:35 AM
Hello all,
Recently I've had some issues with my 892 router and maybe I can find the answer here.
I have two network object-groups:
object-group network net1
192.168.1.0 255.255.255.0
object-group network net2
192.168.2.0 255.255.255.0
Two ACLs:
ip access-list extended acl-net12
permit ip object-group net1 object-group net2
ip access-list extended acl-net12-new
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
One crypto map:
crypto map vpn 1 ipsec-isakmp
description network2
set peer xx.xx.xx.xx
set security-association lifetime seconds 28800
set transform-set 3des-sha
match address acl-net12
When match address is set to acl-net12, I can't ping my router on the external interface and the tunnel is working very badly (15%-20% packet loss).
If I change match address from acl-net12 to acl-net12-new, then I can ping my router on the external interface and the VPN is working fine.
I also have an ACL (set on the external interface) which allows ping, but it seems that it is not working when acl-net12 is used on the crypto map:
ip access-list extended outside_acl
remark allow ping
permit icmp any any echo
permit icmp any any echo-reply
What am I doing wrong?
Maybe someone can help me.
Thank you.
03-20-2013 09:49 AM
In my last tests with object-groups in a crypto ACL, the content was changed to "permit ip any any", which is typically not a desired config. I assume that it's a bug or a feature that is not yet implemented.
Until that is fixed, you should configure VPNs without object-groups. BTW: which IOS version are you running? I didn't test it with the newest 15.2 releases.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
03-20-2013 09:51 AM
Particularly, this says that it's not a supported feature when it comes to IPsec:
03-20-2013 09:52 AM
Oh, it seems that this is the reason for local and remote 0.0.0.0/0.0.0.0 in my show crypto.
My IOS version: Version 15.1(1)T
03-20-2013 09:58 AM
Now a stupid question:
If I have two object groups:
object-group network net1
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
object-group network net2
192.168.10.0 255.255.255.0
192.168.11.0 255.255.255.0
192.168.12.0 255.255.255.0
how do I transform this into a normal ACL:
ip access-list extended acl-net12
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
...
or should I add the local network for every remote network?
03-20-2013 10:08 AM
If each network in net1 should be able to communicate with each network in net2, then you have to combine them all:
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.2.0 0.0.0.255 192.168.12.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255
permit ip 192.168.3.0 0.0.0.255 192.168.12.0 0.0.0.255
You could optimize that a little bit by changing the masks, but as the networks are not aligned to subnet borders I would use the combination of networks above.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
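As an added example (not from the thread or from Cisco), the following Python script does the expansion described in the answer above: it turns the two object-groups into the explicit crypto ACL, one permit per local/remote pair, and converts the object-group subnet masks to ACL wildcard masks. It also goes a step further than the answer in two ways: an optional summarize flag shows which neighbouring /24s can be merged and which cannot, and a lint function flags any ACE whose source or destination is 0.0.0.0/0, the "permit ip any any" collapse that made all traffic (including ICMP to the outside interface) match the crypto map. The object-group contents are constructed sample data mirroring the thread; function names are my own.

```python
import ipaddress
from itertools import product

# Constructed sample data, mirroring the two object-groups in the thread.
NET1 = ["192.168.1.0 255.255.255.0", "192.168.2.0 255.255.255.0", "192.168.3.0 255.255.255.0"]
NET2 = ["192.168.10.0 255.255.255.0", "192.168.11.0 255.255.255.0", "192.168.12.0 255.255.255.0"]

def group_to_networks(entries, summarize=False):
    """Parse 'network subnet-mask' entries; summarize merges aligned neighbours (2.0/24+3.0/24 -> 2.0/23)."""
    nets = [ipaddress.IPv4Network(e.replace(" ", "/"), strict=True) for e in entries]
    return list(ipaddress.collapse_addresses(nets)) if summarize else nets

def ace_addr(net):
    """Render a network in ACL syntax: 'network wildcard', 'host x', or 'any'."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"

def expand_crypto_acl(name, local, remote, summarize=False):
    """Explicit crypto ACL: one 'permit ip' ACE per (local, remote) network pair."""
    pairs = product(group_to_networks(local, summarize), group_to_networks(remote, summarize))
    return [f"ip access-list extended {name}"] + [
        f" permit ip {ace_addr(s)} {ace_addr(d)}" for s, d in pairs]

def parse_addr(tokens, i):
    """Parse one ACL address spec at tokens[i]; return (IPv4Network, next index)."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # Complement the wildcard explicitly: ipaddress would read a 0.0.0.0 wildcard as a /0 netmask.
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tokens[i + 1])) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def overly_broad_aces(acl_lines):
    """ACEs whose source or destination is 0.0.0.0/0: the 'permit ip any any' collapse
    from the thread, which steers all traffic into the crypto map instead of only the two sites."""
    broad = []
    for line in acl_lines:
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue
        src, i = parse_addr(tokens, 2)
        dst, _ = parse_addr(tokens, i)
        if src.prefixlen == 0 or dst.prefixlen == 0:
            broad.append(line.strip())
    return broad
```

With summarize=True the sample groups shrink from nine ACEs to four (192.168.2.0/23 and 192.168.10.0/23 merge, 192.168.1.0/24 and 192.168.12.0/24 do not), which is the partial optimization the answer alludes to.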
03-20-2013 10:15 AM
Thank you very much.