PIX 7.0: Using object-group with crypto map


I'm not sure, but it seems that there's something wrong with my VPN configuration:

I've defined some object groups for addresses inside a VPN tunnel using ASDM. Now it seems that the PIX only matches the first address in the object group. Config looks like this:

...
name VPN_Remote_IP1
name VPN_Remote_IP2
name VPN_Local_IP
name ... VPN_Remote_GW
...
object-group network VPN_Remote
 network-object VPN_Remote_IP1
 network-object VPN_Remote_IP2
...
access-list outside_cryptomap_100 extended permit ip host VPN_Local_IP object-group VPN_Remote
...
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set pfs
crypto map outside_map 100 set peer VPN_Remote_GW
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set nat-t-disable
crypto map outside_map interface outside

ping to works fine, but is unreachable.

pigw1# show crypto ipsec sa peer VPN_Remote_GW
peer address: VPN_Remote_GW
    Crypto map tag: outside_map, local addr: xxxx

      local ident (addr/mask/prot/port): (VPN_Local_IP/
      remote ident (addr/mask/prot/port): (VPN_Remote_IP1/
      current_peer: VPN_Remote_GW

-> I wonder why there's only VPN_Remote_IP1 in "remote ident". Is this correct? Shouldn't there be another entry for VPN_Remote_IP2?

      #pkts encaps: 753, #pkts encrypt: 753, #pkts digest: 753
      #pkts decaps: 753, #pkts decrypt: 753, #pkts verify: 753

When doing a ping to the counters here increase, when doing a ping to they don't. This means to me that the PIX doesn't encrypt these packets - but why?

Regards, Markus

Reply to
Markus Marquardt

Self solved:

There is one SA entry per local/remote address tuple, of course. Works now.

Regards, Markus

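The point Markus reached on his own, that a crypto ACL written as host-to-object-group is expanded by the PIX into one proxy identity per host pair and therefore one IPsec SA per pair, is easy to check mechanically. The script below is an added example, not code from the thread or from Cisco: it parses a constructed PIX-style config in the same shape as the one above (RFC 5737 documentation addresses stand in for the masked IPs), expands the crypto map's ACL through the name and object-group definitions into the (local, remote) selector tuples the device will negotiate, and compares them against the "local ident"/"remote ident" pairs in a constructed `show crypto ipsec sa` excerpt to list which tuples have no SA yet. The config parsing covers only the keywords used here (`name`, `object-group network`, `network-object`, `group-object`, `access-list ... permit`); it is an illustration of the expansion rule, not a full PIX parser.

```python
"""Expand a PIX/ASA crypto-map ACL that references object-groups into the
per-pair proxy identities the device negotiates one IPsec SA for each, and
report which expected pairs do not yet appear in 'show crypto ipsec sa'.

Added example, not from the original thread. All config lines, addresses
and show output below are constructed (RFC 5737 ranges as placeholders)."""
import ipaddress
import re
from itertools import product

# Constructed config in the shape of the poster's; IPs are placeholders.
SAMPLE_CONFIG = """\
name 203.0.113.10 VPN_Remote_IP1
name 203.0.113.11 VPN_Remote_IP2
name 192.0.2.5 VPN_Local_IP
name 198.51.100.1 VPN_Remote_GW
object-group network VPN_Remote
 network-object host VPN_Remote_IP1
 network-object host VPN_Remote_IP2
access-list outside_cryptomap_100 extended permit ip host VPN_Local_IP object-group VPN_Remote
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set peer VPN_Remote_GW
"""

# Constructed excerpt of 'show crypto ipsec sa' with only one pair negotiated,
# mirroring what the poster saw before traffic to the second host was sent.
SAMPLE_SA_OUTPUT = """\
    local ident (addr/mask/prot/port): (192.0.2.5/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (203.0.113.10/255.255.255.255/0/0)
    current_peer: 198.51.100.1
    #pkts encaps: 753, #pkts encrypt: 753, #pkts digest: 753
"""


def parse_names(config):
    """Map 'name <ip> <alias>' lines to {alias: ip}."""
    return {m.group(2): m.group(1)
            for m in re.finditer(r"^name (\S+) (\S+)", config, re.M)}


def resolve(token, names):
    """Replace a name alias with its IP; leave literal addresses untouched."""
    return names.get(token, token)


def parse_object_groups(config, names):
    """Collect 'object-group network' members as ip_network objects."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"object-group network (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(r"\s+network-object host (\S+)", line)):
            current.append(ipaddress.ip_network(resolve(m.group(1), names) + "/32"))
        elif current is not None and (m := re.match(r"\s+network-object (\S+) (\S+)", line)):
            net = f"{resolve(m.group(1), names)}/{m.group(2)}"
            current.append(ipaddress.ip_network(net, strict=False))
        elif current is not None and (m := re.match(r"\s+group-object (\S+)", line)):
            current.extend(groups[m.group(1)])  # nested group defined earlier
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the group
    return groups


def _take_endpoint(tokens, i, names, groups):
    """Parse one ACE endpoint (host X | object-group G | any | net mask)."""
    tok = tokens[i]
    if tok == "host":
        return [ipaddress.ip_network(resolve(tokens[i + 1], names) + "/32")], i + 2
    if tok == "object-group":
        return list(groups[tokens[i + 1]]), i + 2
    if tok == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    net = f"{resolve(tok, names)}/{tokens[i + 1]}"
    return [ipaddress.ip_network(net, strict=False)], i + 2


def expected_selectors(config, map_name, seq):
    """Return the (local, remote) proxy-identity tuples the crypto map entry
    will negotiate: the object-group is expanded so each host pair is its own SA."""
    names = parse_names(config)
    groups = parse_object_groups(config, names)
    acl = re.search(rf"^crypto map {map_name} {seq} match address (\S+)",
                    config, re.M).group(1)
    selectors = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] != ["access-list", acl] or "permit" not in tokens:
            continue
        i = tokens.index("permit") + 2  # skip the protocol keyword
        srcs, i = _take_endpoint(tokens, i, names, groups)
        dsts, i = _take_endpoint(tokens, i, names, groups)
        selectors.extend((str(s), str(d)) for s, d in product(srcs, dsts))
    return selectors


def negotiated_selectors(sa_output):
    """Pair each 'local ident' with the following 'remote ident' line."""
    pat = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
    found, local = [], None
    for m in pat.finditer(sa_output):
        net = str(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
        if m.group(1) == "local":
            local = net
        else:
            found.append((local, net))
    return found


def missing_sas(config, sa_output, map_name="outside_map", seq="100"):
    """Expected tuples with no SA in the show output (traffic not yet sent,
    or a selector mismatch with the peer)."""
    have = set(negotiated_selectors(sa_output))
    return [sel for sel in expected_selectors(config, map_name, seq) if sel not in have]


if __name__ == "__main__":
    for sel in expected_selectors(SAMPLE_CONFIG, "outside_map", "100"):
        print("expect an SA for", sel)
    for sel in missing_sas(SAMPLE_CONFIG, SAMPLE_SA_OUTPUT):
        print("no SA yet for", sel, "- send traffic for it, then re-check")
```

Run against the constructed input it reports two expected tuples and one missing SA, which is exactly the state in the thread: the second remote host has no SA until something sends traffic that matches its selector. On a real device the same comparison is a quick way to tell "SA not yet negotiated" from "packets not being encrypted at all" before digging into the ACL itself.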
