11-05-2009 08:10 AM - edited 03-04-2019 06:37 AM
Hi All,
I'm installing 3G HWICs into my branch routers for backup IPSEC connectivity in the event the primary MPLS link is down.
I have a requirement that users NOT be allowed to access the internet via the 3G connection when the primary link is offline, because this would bypass enterprise security protections. Also, due to IP source validation in use on the 3G network, I can't just NAT-exclude and send that traffic into the wild 3G yonder. If anything does escape, Verizon kills the PPP session. I think I have all my router-generated packets sourced from the Fa0/0.1 interface (Logging source, snmp trap source, ntp source, TACACS+ source, etc).
My overall goal is to ONLY allow VPN-bound traffic through the Cellular interface and drop the rest.
Here's my config currently, using NAT:
interface Cellular0/3/0
ip address negotiated
ip access-group 199 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
load-interval 30
dialer in-band
dialer idle-timeout 600
dialer string cdma
dialer-group 1
async mode interactive
crypto map GreenMAP
ip nat inside source route-map NONAT interface Cellular0/3/0 overload
route-map NONAT, permit, sequence 10
Match clauses:
ip address (access-lists): 180
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Extended IP access list 180
40 deny ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.255.255
60 deny ip 10.10.7.0 0.0.0.255 10.10.0.0 0.0.255.255
80 deny ip 10.10.7.0 0.0.0.255 192.168.101.0 0.0.0.255
100 permit ip 192.168.7.0 0.0.0.255 any
Interface FastEthernet0/0.1
ip nat inside
description Data VLAN
Interface FastEthernet0/0.2
ip nat inside
description Voice VLAN
Extended IP access list 199
10 permit udp any any eq isakmp
20 permit esp any any (1145 matches)
30 deny ip any any
The current setup would seem to keep anything from escaping the interface un-NAT'd, but I'd like to take the NON-VPN traffic and not even NAT it to C0/3/0 if possible, just dump it. With the route-map that's mentioned in my NAT statement, can I add a "set ip next-hop null0" statement to the existing route-map and achieve the same thing? Or can I not use a set statement with the route-map being used in a NAT statement?
11-06-2009 07:53 AM
Hello Ryan,
You should be able to use
set interface null0
in the route-map combining PBR and NAT
Hope to help
Giuseppe
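As an added example (not from this thread, Cisco, or Verizon), here is a small Python audit of the egress policy the original post describes: it parses an IOS-style config and reports any Cellular interface whose outbound ACL permits anything besides ISAKMP and ESP, or that lacks the explicit final deny. The sample config is constructed to mirror the thread's ACL 199, not copied from the poster's output.

```python
import re

# Constructed sample modelled on the thread's config (not the poster's exact output).
SAMPLE_CONFIG = """\
interface Cellular0/3/0
 ip address negotiated
 ip access-group 199 out
!
access-list 199 permit udp any any eq isakmp
access-list 199 permit esp any any
access-list 199 deny ip any any
"""

# The only permit entries acceptable on a VPN-only cellular egress: IKE and ESP.
VPN_ONLY = [
    re.compile(r"^permit udp any any eq (isakmp|500)$"),
    re.compile(r"^permit esp any any$"),
]

def parse_config(text):
    """Return (interfaces, acls): interface -> sub-commands, ACL number -> entries in order."""
    interfaces, acls, current = {}, {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())  # indented line = interface sub-command
        else:
            m = re.match(r"access-list (\d+) (.+)", raw)
            if m:
                acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return interfaces, acls

def audit_cellular_egress(text):
    """Return a list of findings; an empty list means every Cellular interface is VPN-only."""
    interfaces, acls = parse_config(text)
    findings = []
    for name, cmds in interfaces.items():
        if not name.startswith("Cellular"):
            continue
        # Outbound ACL bound with 'ip access-group <n> out', if any.
        acl = next((c.split()[2] for c in cmds if re.match(r"ip access-group \S+ out$", c)), None)
        entries = acls.get(acl, [])
        for entry in entries:
            if entry.startswith("permit") and not any(p.match(entry) for p in VPN_ONLY):
                findings.append(f"{name}: ACL {acl} permits non-VPN traffic: '{entry}'")
        if acl is None or not entries or entries[-1] != "deny ip any any":
            findings.append(f"{name}: no outbound ACL ending in an explicit 'deny ip any any'")
    return findings
```

Run it against a saved `show running-config` to confirm the cellular path stays VPN-only after changes such as adding the route-map set clause.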