I'm installing 3G HWICs into my branch routers for backup IPSEC connectivity in the event the primary MPLS link is down.
I have a requirement that users NOT be allowed to access the internet via the 3G connection when the primary link is offline, because this would bypass enterprise security protections. Also, due to IP source validation in use on the 3G network, I can't just NAT-exclude and send that traffic into the wild 3G yonder. If anything does escape, Verizon kills the PPP session. I think I have all my router-generated packets sourced from the Fa0/0.1 interface (logging source, SNMP trap source, NTP source, TACACS+ source, etc.).
My overall goal is to ONLY allow VPN-bound traffic through the Cellular interface and drop the rest.
Here's my config currently, using NAT:
! --- interface Cellular0/3/0 (3G WAN, ACL 199 applied outbound) ---
 ip address negotiated
 ip access-group 199 out
 ip nat outside
 dialer idle-timeout 600
 dialer string cdma
 async mode interactive
 crypto map GreenMAP
! --- global NAT statement, referencing route-map NONAT ---
ip nat inside source route-map NONAT interface Cellular0/3/0 overload
! --- show route-map NONAT ---
route-map NONAT, permit, sequence 10
  ip address (access-lists): 180
  Policy routing matches: 0 packets, 0 bytes
! --- show ip access-lists 180 (matched by route-map NONAT) ---
Extended IP access list 180
    40 deny ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.255.255
    60 deny ip 10.10.7.0 0.0.0.255 10.10.0.0 0.0.255.255
    80 deny ip 10.10.7.0 0.0.0.255 192.168.101.0 0.0.0.255
    100 permit ip 192.168.7.0 0.0.0.255 any
! --- LAN subinterfaces ---
 ip nat inside
 description Data VLAN
 ip nat inside
 description Voice VLAN
! --- show ip access-lists 199 (outbound on Cellular0/3/0) ---
Extended IP access list 199
    10 permit udp any any eq isakmp
    20 permit esp any any (1145 matches)
    30 deny ip any any
The current setup would seem to keep anything from escaping the interface un-NAT'd, but I'd like to take the NON-VPN traffic and not even NAT it to C0/3/0 if possible, just dump it. With the route-map that's mentioned in my NAT statement, can I add a "set ip next-hop null0" statement to the existing route-map and achieve the same thing? Or can I not use a set statement with the route-map being used in a NAT statement?
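To check what the two ACLs in the post actually let onto the cellular interface, here is an added Python model (not IOS code and not part of the original post) that parses the posted ACL 180 and ACL 199 text and evaluates constructed sample packets against them with IOS first-match semantics, wildcard masks and the implicit trailing deny. It models only sequence/action/protocol/source/destination/`eq port`, which is all the posted lines use; the `Packet` and `classify` names and the sample addresses are the example's own.

```python
"""Simplified model of the post's two IOS ACLs: ACL 180 (matched by route-map NONAT in
the NAT statement) and ACL 199 (applied outbound on Cellular0/3/0). Added example, not
IOS code; it handles only seq / action / proto / src / dst / 'eq port' ACE syntax."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ACL text as posted, with the show-command match counters stripped (constructed input).
ACL_180 = """\
40 deny ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.255.255
60 deny ip 10.10.7.0 0.0.0.255 10.10.0.0 0.0.255.255
80 deny ip 10.10.7.0 0.0.0.255 192.168.101.0 0.0.0.255
100 permit ip 192.168.7.0 0.0.0.255 any
"""
ACL_199 = """\
10 permit udp any any eq isakmp
20 permit esp any any
30 deny ip any any
"""
PORT_NAMES = {"isakmp": 500}  # the only named port the posted ACLs use


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "esp", "icmp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: int
    src_wild: int
    dst: int
    dst_wild: int
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Consume an IOS address spec (any | host A | A WILDCARD); return (addr, wildcard, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tokens[i])),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text):
    """Parse 'seq action proto src dst [eq port]' lines into Ace records, in order."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        seq, action, proto = int(t[0]), t[1], t[2]
        src, src_wild, i = _parse_addr(t, 3)
        dst, dst_wild, i = _parse_addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(seq, action, proto, src, src_wild, dst, dst_wild, dport))
    return aces


def _wild_match(addr, ace_addr, wild):
    # IOS wildcard mask: 0 bits must match exactly, 1 bits are don't-care.
    return ((addr & ~wild) & 0xFFFFFFFF) == ((ace_addr & ~wild) & 0xFFFFFFFF)


def evaluate(aces, pkt):
    """First matching ACE wins; no match falls through to IOS's implicit deny (seq None)."""
    s = int(ipaddress.IPv4Address(pkt.src))
    d = int(ipaddress.IPv4Address(pkt.dst))
    for a in aces:
        if a.proto != "ip" and a.proto != pkt.proto:
            continue
        if not _wild_match(s, a.src, a.src_wild) or not _wild_match(d, a.dst, a.dst_wild):
            continue
        if a.dport is not None and a.dport != pkt.dport:
            continue
        return a.action, a.seq
    return "deny", None


ACES_180 = parse_acl(ACL_180)
ACES_199 = parse_acl(ACL_199)


def classify(pkt):
    """ACL 180 'permit' = the packet is a NAT candidate for Cellular0/3/0, 'deny' = left
    untranslated (the post's tunnel-bound subnets). ACL 199 is then what the outbound
    interface allows on the wire; tunnel traffic reaches it only after the crypto map has
    wrapped it in ESP, so evaluate that case with an 'esp' Packet, not the inner one."""
    return {"nat": evaluate(ACES_180, pkt), "egress": evaluate(ACES_199, pkt)}


if __name__ == "__main__":
    for p in (Packet("192.168.7.10", "8.8.8.8", "tcp", 443),
              Packet("192.168.7.10", "192.168.50.3", "tcp", 80),
              Packet("10.10.7.5", "8.8.8.8", "udp", 53),
              Packet("203.0.113.5", "198.51.100.9", "esp"),
              Packet("203.0.113.5", "198.51.100.9", "udp", 4500)):
        print(p, classify(p))
```

Running it shows the behaviour the post describes: a data-VLAN host going to an internet address is a NAT candidate under seq 100 of ACL 180 but is then stopped by seq 30 of ACL 199, the tunnel-bound subnets never match the NAT route-map, and only UDP/500 and ESP pass ACL 199. It also makes one edge case visible: ACL 199 as posted has no line for UDP/4500, so a NAT-T encapsulated packet would hit seq 30.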