object-group network

brendorfer

Hello all,

Recently I've had some issues with my 892 router, and maybe I can find the answer here.

I have two network object-groups:

object-group network net1
 192.168.1.0 255.255.255.0
object-group network net2
 192.168.2.0 255.255.255.0

Two ACLs:

ip access-list extended acl-net12
 permit ip object-group net1 object-group net2
ip access-list extended acl-net12-new
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

One crypto map:

crypto map vpn 1 ipsec-isakmp
 description network2
 set peer xx.xx.xx.xx
 set security-association lifetime seconds 28800
 set transform-set 3des-sha
 match address acl-net12

When match address is set to acl-net12, I can't ping my router on the external interface and the tunnel is working very badly (15%-20% packet loss).

If I change match address from acl-net12 to acl-net12-new, then I can ping my router on the external interface and the VPN is working fine.

I also have an ACL (set on the external interface) which allows ping, but it seems that it is not working when acl-net12 is used on the crypto map:

ip access-list extended outside_acl
 remark allow ping
 permit icmp any any echo
 permit icmp any any echo-reply

What am I doing wrong?

Maybe someone can help me.

Thank you.


On my last tests with object-groups in crypto-acl it was that the content was changed to "permit ip any any" which is typically not a desired config. I assume that it's a bug or a feature that is not yet implemented.

Until that is fixed you should configure VPNs without object-groups. BTW: Which IOS-version are you running? I didn't test it with the newest 15.2-releases.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Oh, it seems that this is the reason for the local and remote 0.0.0.0/0.0.0.0 in my show crypto output.

My IOS version: Version 15.1(1)T

Andrew Phirsov

In particular, this says that it's not a supported feature when it comes to IPsec:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_object_group_acl.html#wp1132617

Now a stupid question:

If I have two object groups:

object-group network net1
 192.168.1.0 255.255.255.0
 192.168.2.0 255.255.255.0
 192.168.3.0 255.255.255.0
object-group network net2
 192.168.10.0 255.255.255.0
 192.168.11.0 255.255.255.0
 192.168.12.0 255.255.255.0

how do I transform this into a normal ACL?

ip access-list extended acl-net12
 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
 ...

or should I add the local network for every remote network?

If each network in net1 should be able to communicate with each network in net2, then you have to combine them all:

 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 192.168.12.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip 192.168.3.0 0.0.0.255 192.168.12.0 0.0.0.255

You could optimize that a little bit by changing the masks, but as the networks are not aligned to subnet borders I would use the combination of networks above.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
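The two points made in the replies above (an object-group crypto ACL being expanded to any/any, and the need to write out every local/remote pair explicitly) as an added Python example; this script and its sample input are constructed for illustration and are not part of the thread. It generates the explicit crypto ACL from the two object-groups, optionally merging only those members that together fill an aligned supernet (net1's .2/.3 and net2's .10/.11 do, the others do not), and checks a constructed show crypto ipsec sa fragment for the 0.0.0.0/0.0.0.0 proxy identities that signal the any/any expansion.

```python
import ipaddress
from itertools import product

# Constructed sample input: the object-groups from the question (net1 = local, net2 = remote).
NET1 = ["192.168.1.0 255.255.255.0", "192.168.2.0 255.255.255.0", "192.168.3.0 255.255.255.0"]
NET2 = ["192.168.10.0 255.255.255.0", "192.168.11.0 255.255.255.0", "192.168.12.0 255.255.255.0"]

# Constructed fragment of 'show crypto ipsec sa' showing the symptom from the thread:
# proxy identities of 0.0.0.0/0.0.0.0 instead of the object-group members.
SHOW_SA = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
"""

def parse_member(line):
    """object-group syntax '192.168.1.0 255.255.255.0' (address + netmask) -> IPv4Network."""
    addr, mask = line.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=True)

def ace_operand(net):
    """Extended-ACL syntax needs the wildcard (inverted) mask, not the netmask."""
    return f"{net.network_address} {net.hostmask}"

def crypto_acl(name, local, remote, summarize=False):
    """Expand two object-groups into explicit ACEs: every local member x every remote
    member, as in the reply above. With summarize=True, members that together fill an
    aligned supernet are merged first; members that do not align stay separate."""
    src = [parse_member(m) for m in local]
    dst = [parse_member(m) for m in remote]
    if summarize:
        src = list(ipaddress.collapse_addresses(src))
        dst = list(ipaddress.collapse_addresses(dst))
    lines = [f"ip access-list extended {name}"]
    for s, d in product(src, dst):
        lines.append(f" permit ip {ace_operand(s)} {ace_operand(d)}")
    return lines

def any_any_idents(show_output):
    """Return the ident lines whose proxy identity is 0.0.0.0/0.0.0.0, i.e. the
    any/any expansion reported in the thread; an empty list means the ACL was honoured."""
    return [ln.strip() for ln in show_output.splitlines()
            if "ident (addr/mask" in ln and "(0.0.0.0/0.0.0.0/" in ln]

if __name__ == "__main__":
    print("\n".join(crypto_acl("acl-net12", NET1, NET2)))                  # 9 explicit ACEs
    print("\n".join(crypto_acl("acl-net12", NET1, NET2, summarize=True)))  # 4 ACEs, /23 where aligned
    print(any_any_idents(SHOW_SA))
```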

Thank you very much.