I have a 2800 set up running a number of VPN tunnels. The box has one outside interface and one inside interface. I set up static routes to the remote LANs, and they are redistributed over to the switches etc.:
ip route [remote lan] [netmask] FastEthernet0/0.xxx
I have a crypto map with a few entries in it, applied to the outside interface. I am locking down all the VPN traffic with crypto-map ACLs:
crypto map example 10 ipsec-isakmp
 set ip access-group xx2 in
 set ip access-group xx3 out
access-list xx2 permit ....
access-list xx3 permit ....
OK, this works fine: my outgoing VPN traffic hits these ACLs before it gets encrypted, and the incoming VPN traffic hits them before it goes further down my network. This is very convenient, as I have separate ACLs for every tunnel (some of them are massive) and they're easy to maintain.
Now, I want to secure the public interface with a global "ip access-group xxx in" - a normal transit ACL.
The problem is that the decrypted incoming VPN traffic originates from the same public interface, so it hits the 'global' ACL before it hits the crypto-map ACLs. I want to have a global ACL that only allows legitimate returning traffic plus [ahp/esp/udp isakmp/udp non500-isakmp/icmp echo] from a certain list of VPN peers. I also want to add a few entries that deny possibly spoofed traffic (sourced from private/special-use/DHCP/multicast addresses).
Currently it is not possible to do this, as I would have to include in the main ACL the same traffic that is already in the crypto-map ACLs.
The crypto map uses the local address (identity) of the public interface, so I should be able to apply this map to, say, a loopback interface, then set up my routes to that interface, and it should work. The problem is that for 90% of the VPN tunnels I use NAT because a certain source address is required, so I would have to set the loopback to "ip nat outside". When I took the crypto map off the public interface, applied it to the loopback interface, set it to "ip nat outside", took "ip nat outside" off the public interface and directed the VPN traffic to the loopback interface, it didn't work: NAT translations did not appear.
So to separate the VPN traffic from remote LANs from actual internet traffic (including IPsec transit), what's the best solution?
I know that ASAs and PIXes have a "vpn-filter" feature, which is basically what I want to achieve. Is there any way to 'bypass' the global ACLs for certain traffic?
Can a loopback be used for "ip nat outside"?
Maybe I should forward the IPsec traffic (ip nat inside...) from the public interface to the loopback?
I'll be grateful for any ideas.
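The setup described in the post, written out as an added configuration example; this is not the poster's own config and it does not claim to be the solution asked for. It puts one tunnel's crypto-map entry with its per-tunnel `set ip access-group` ACLs next to the kind of global inbound ACL the post wants (IKE, NAT-T, ESP, AH and ICMP echo from a known peer only, anti-spoofing denies for private and special-use sources, TCP return traffic). The ACL names, the interface names, the peer address 203.0.113.10, the outside address 192.0.2.1, the LAN prefixes 10.10.0.0/16 and 10.20.0.0/16, the pre-shared key and the IKE/IPsec algorithm choices are all made up for illustration.

```cisco
! --- constructed example, not the original poster's configuration ---
! One IKEv1 site-to-site tunnel; policy values are assumed, not from the post.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-CHANGE-ME address 203.0.113.10
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
!
! Crypto ACL: what gets encrypted towards this peer (local 10.10/16 -> remote 10.20/16).
ip access-list extended VPN10-CRYPTO
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! Per-tunnel clear-text ACLs checked by the crypto map itself:
!  - VPN10-IN  is applied to decrypted traffic arriving from the remote LAN
!  - VPN10-OUT is applied to local traffic before it is encrypted
ip access-list extended VPN10-IN
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 443
 permit icmp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 echo
 deny ip any any log
ip access-list extended VPN10-OUT
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 deny ip any any log
!
crypto map example 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VPN10-CRYPTO
 set ip access-group VPN10-IN in
 set ip access-group VPN10-OUT out
!
! Global transit ACL on the public interface. Order matters: the anti-spoofing
! denies come first, then IPsec control/data traffic from the known peer only,
! then TCP return traffic, then an explicit logged deny.
ip access-list extended OUTSIDE-IN
 remark --- anti-spoofing: private, special-use, DHCP and multicast sources ---
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 169.254.0.0 0.0.255.255 any
 deny ip 0.0.0.0 0.255.255.255 any
 deny ip 224.0.0.0 15.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 192.0.2.1 any
 remark --- IPsec from the listed VPN peers only ---
 permit udp host 203.0.113.10 host 192.0.2.1 eq isakmp
 permit udp host 203.0.113.10 host 192.0.2.1 eq non500-isakmp
 permit esp host 203.0.113.10 host 192.0.2.1
 permit ahp host 203.0.113.10 host 192.0.2.1
 permit icmp host 203.0.113.10 host 192.0.2.1 echo
 permit icmp host 203.0.113.10 host 192.0.2.1 echo-reply
 remark --- returning traffic ---
 permit tcp any host 192.0.2.1 established
 deny ip any any log
!
interface FastEthernet0/1
 description public interface (address constructed for this example)
 ip address 192.0.2.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 ip nat outside
 crypto map example
```

The example makes the conflict in the post concrete: a decrypted packet from the remote LAN is sourced from 10.20.0.0/16, which is exactly what the `deny ip 10.0.0.0 0.255.255.255 any` anti-spoofing line in OUTSIDE-IN rejects. If, as the post states, decrypted traffic is evaluated against the interface ACL before the crypto-map ACLs, the only way to let it through is to add the remote LAN ranges to OUTSIDE-IN above the denies, duplicating VPN10-IN and weakening the anti-spoofing filter. Note also that `established` only matches TCP flags and is not stateful inspection; it is shown here because the post asks for a plain transit ACL.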