PIX 7.0: Using object-group with crypto map

Hi,

I'm not sure, but it seems that there's something wrong with my VPN configuration:

I've defined some object groups for addresses inside a VPN tunnel using ASDM. Now it seems that the PIX only matches the first address in the object group. Config looks like this:

...
name 10.1.2.3 VPN_Remote_IP1
name 10.1.2.4 VPN_Remote_IP2
name 192.168.0.1 VPN_Local_IP
name ... VPN_Remote_GW
...
object-group network VPN_Remote
 network-object VPN_Remote_IP1 255.255.255.255
 network-object VPN_Remote_IP2 255.255.255.255
...
access-list outside_cryptomap_100 extended permit ip host VPN_Local_IP object-group VPN_Remote
...
crypto map outside_map 100 match address outside_cryptomap_100
crypto map outside_map 100 set pfs
crypto map outside_map 100 set peer VPN_Remote_GW
crypto map outside_map 100 set transform-set ESP-3DES-SHA
crypto map outside_map 100 set nat-t-disable
crypto map outside_map interface outside

ping to 10.1.2.3 works fine, but 10.1.2.4 is unreachable.

pigw1# show crypto ipsec sa peer VPN_Remote_GW
peer address: VPN_Remote_GW
    Crypto map tag: outside_map, local addr: xxxx

      local ident (addr/mask/prot/port): (VPN_Local_IP/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (VPN_Remote_IP1/255.255.255.255/0/0)
      current_peer: VPN_Remote_GW

-> I wonder why there's only VPN_Remote_IP1 in "remote ident". Is this correct? Shouldn't there be another entry for VPN_Remote_IP2?

      #pkts encaps: 753, #pkts encrypt: 753, #pkts digest: 753
      #pkts decaps: 753, #pkts decrypt: 753, #pkts verify: 753

When doing a ping to 10.1.2.3 the counters here increase; when doing a ping to 10.1.2.4 they don't. This means to me that the PIX doesn't encrypt these packets - but why?

Regards, Markus


Self solved:

There is one SA entry per local/remote address tuple, of course. Works now.

Regards, Markus

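The self-answer above is the whole point: the PIX expands an object-group in a crypto ACL into one proxy identity (local/remote tuple) per member, and each tuple gets its own IPsec SA pair, which only comes up once interesting traffic for that tuple is sent. The following script is an added example, not code from the thread or from Cisco; it parses a config fragment in the shape of Markus's (the name, object-group and access-list lines, with the gateway address left out because the post elides it) and a constructed excerpt of show crypto ipsec sa output, expands the crypto ACL into the tuples the PIX will negotiate, and reports which tuples have no SA yet. The sample config and the show output embedded in it are constructed for this example; the function and variable names are this example's own.

```python
import re
from itertools import product
from ipaddress import ip_network

# Constructed sample config modelled on the post (the gateway 'name' line is
# omitted because the post elides its address).
SAMPLE_CONFIG = """\
name 10.1.2.3 VPN_Remote_IP1
name 10.1.2.4 VPN_Remote_IP2
name 192.168.0.1 VPN_Local_IP
object-group network VPN_Remote
 network-object VPN_Remote_IP1 255.255.255.255
 network-object VPN_Remote_IP2 255.255.255.255
access-list outside_cryptomap_100 extended permit ip host VPN_Local_IP object-group VPN_Remote
"""

# Constructed 'show crypto ipsec sa' excerpt: only one proxy-identity pair has an SA.
SAMPLE_SHOW_SA = """\
    local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (10.1.2.3/255.255.255.255/0/0)
"""


def parse_names(config):
    """'name <ip> <alias>' lines -> {alias: ip}."""
    return {alias: ip for ip, alias in re.findall(r"^name (\S+) (\S+)", config, re.M)}


def parse_object_groups(config, names):
    """'object-group network' blocks -> {group: [ip_network, ...]}, aliases resolved."""
    groups, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["object-group", "network"]:
            current = tok[2]
            groups[current] = []
        elif tok[:1] == ["network-object"] and current:
            if tok[1] == "host":
                groups[current].append(ip_network(names.get(tok[2], tok[2])))
            else:
                addr, mask = names.get(tok[1], tok[1]), tok[2]
                groups[current].append(ip_network(f"{addr}/{mask}", strict=False))
    return groups


def _endpoint(tok, names, groups):
    """Consume one ACL endpoint (host X | object-group G | any | addr mask)."""
    if tok[0] == "host":
        return [ip_network(names.get(tok[1], tok[1]))], tok[2:]
    if tok[0] == "object-group":
        return list(groups[tok[1]]), tok[2:]
    if tok[0] == "any":
        return [ip_network("0.0.0.0/0")], tok[1:]
    addr, mask = names.get(tok[0], tok[0]), tok[1]
    return [ip_network(f"{addr}/{mask}", strict=False)], tok[2:]


def expand_crypto_acl(config, acl_name):
    """Expand a crypto ACL into the (local, remote) proxy identities the PIX
    negotiates: one tuple per source/destination pair, hence one SA pair each.
    Only 'permit ip' entries are modelled; ports are ignored."""
    names = parse_names(config)
    groups = parse_object_groups(config, names)
    tuples = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:4] != ["access-list", acl_name, "extended", "permit"]:
            continue
        rest = tok[5:]  # tok[4] is the protocol keyword ('ip')
        src, rest = _endpoint(rest, names, groups)
        dst, rest = _endpoint(rest, names, groups)
        tuples.extend(product(src, dst))
    return tuples


def parse_sa_identities(show_output):
    """(local ident, remote ident) pairs present in 'show crypto ipsec sa' output."""
    ident = re.compile(r"(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/")
    locals_, remotes = [], []
    for side, addr, mask in ident.findall(show_output):
        (locals_ if side == "local" else remotes).append(ip_network(f"{addr}/{mask}", strict=False))
    return set(zip(locals_, remotes))


def missing_sas(config, show_output, acl_name):
    """Proxy identities the crypto ACL defines but for which no SA exists yet."""
    active = parse_sa_identities(show_output)
    return [pair for pair in expand_crypto_acl(config, acl_name) if pair not in active]


if __name__ == "__main__":
    for local, remote in missing_sas(SAMPLE_CONFIG, SAMPLE_SHOW_SA, "outside_cryptomap_100"):
        # prints: no SA yet for 192.168.0.1/32 -> 10.1.2.4/32 ...
        print(f"no SA yet for {local} -> {remote}: send interesting traffic to bring it up")
```

Run it against a real config and the real show output and it lists exactly the tuples Markus was missing: a tuple with no SA means either no interesting traffic has been sent for it yet (the normal case, as here), or the peer rejected that proxy identity, which shows up in debug crypto isakmp rather than in the SA table.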

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.