NAT to null?? or other traffic dropping option.

rtjensen4 (Level 4)

Hi All,

I'm installing 3G HWICs into my branch routers for backup IPSEC connectivity in the event the primary MPLS link is down.

I have a requirement that users NOT be allowed to access the internet via the 3G connection when the primary link is offline, because this would bypass enterprise security protections. Also, due to IP source validation in use on the 3G network, I can't just NAT-exclude and send that traffic into the wild 3G yonder. If anything does escape, Verizon kills the PPP session. I think I have all my router-generated packets sourced from the Fa0/0.1 interface (logging source, SNMP trap source, NTP source, TACACS+ source, etc.).

My overall goal is to ONLY allow VPN-bound traffic through the Cellular interface and drop the rest.

Here's my config currently, using NAT:

interface Cellular0/3/0
 ip address negotiated
 ip access-group 199 out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 load-interval 30
 dialer in-band
 dialer idle-timeout 600
 dialer string cdma
 dialer-group 1
 async mode interactive
 crypto map GreenMAP

ip nat inside source route-map NONAT interface Cellular0/3/0 overload

route-map NONAT, permit, sequence 10
  Match clauses:
    ip address (access-lists): 180
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes

Extended IP access list 180
    40 deny ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.255.255
    60 deny ip 10.10.7.0 0.0.0.255 10.10.0.0 0.0.255.255
    80 deny ip 10.10.7.0 0.0.0.255 192.168.101.0 0.0.0.255
    100 permit ip 192.168.7.0 0.0.0.255 any

interface FastEthernet0/0.1
 ip nat inside
 description Data VLAN

interface FastEthernet0/0.2
 ip nat inside
 description Voice VLAN

Extended IP access list 199
    10 permit udp any any eq isakmp
    20 permit esp any any (1145 matches)
    30 deny ip any any

The current setup would seem to keep anything from escaping the interface un-NAT'd, but I'd like to take the NON-VPN traffic and not even NAT it to C0/3/0 if possible, just dump it. With the route-map that's mentioned in my NAT statement, can I add a "set ip next-hop null0" statement to the existing route-map and achieve the same thing? Or can I not use a set statement with the route-map being used in a NAT statement?

1 Reply

Giuseppe Larosa (Hall of Fame)

Hello Ryan,

you should be able to use

set interface null0

in the route-map combining PBR and NAT

Hope to help

Giuseppe
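To see what the two access lists in the question actually do to a given flow before changing the route-map, here is a small Python model of Cisco IOS extended-ACL matching (wildcard masks, first-match semantics, implicit deny at the end) run over ACL 180 and ACL 199 exactly as shown above. This is an added example, not code from the thread or from Cisco; the sample flows and the addresses 203.0.113.5 (standing in for the negotiated cellular address) and 198.51.100.9 (the VPN peer) are constructed for illustration, and the script does not model the PBR "set interface null0" behaviour discussed in the reply, only the two ACL decisions.

```python
"""Model of Cisco IOS extended ACL matching, applied to ACL 180 (the NONAT
route-map match list) and ACL 199 (outbound on Cellular0/3/0) from the post.
Added example; not from the thread. Sample addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Protocol keywords used in the post's ACLs -> IP protocol numbers.
# "ip" matches any protocol, so it maps to None.
PROTO_NUM = {"ip": None, "udp": 17, "esp": 50}
PORT_NAME = {"isakmp": 500}  # port keyword used by ACL 199


@dataclass(frozen=True)
class Flow:
    proto: int                   # IP protocol number of the packet
    src: str
    dst: str
    dport: Optional[int] = None  # destination port, for udp/tcp


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str                  # "permit" or "deny"
    proto: Optional[int]         # None means "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'addr wildcard' into a network. A Cisco wildcard is the inverse of a
    netmask; a non-contiguous wildcard makes IPv4Network raise ValueError."""
    mask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def _addr(tokens, i):
    """Parse one address spec (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_net(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str) -> list:
    """Parse 'show ip access-lists' style lines, ignoring '(N matches)' counters."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split("(")[0].split()
        seq, action, proto = int(t[0]), t[1], PROTO_NUM[t[2]]
        src, i = _addr(t, 3)
        dst, i = _addr(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":
            dport = PORT_NAME.get(t[i + 1]) or int(t[i + 1])
        aces.append(Ace(seq, action, proto, src, dst, dport))
    return aces


def evaluate(acl, flow: Flow):
    """First-match evaluation with the implicit deny at the end.
    Returns (action, matching sequence number), or ("deny", None) for the implicit deny."""
    for ace in acl:
        if ace.proto is not None and ace.proto != flow.proto:
            continue
        if ipaddress.IPv4Address(flow.src) not in ace.src:
            continue
        if ipaddress.IPv4Address(flow.dst) not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action, ace.seq
    return "deny", None


# The two ACLs as shown in the post.
ACL_180 = parse_acl("""
40 deny ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.255.255
60 deny ip 10.10.7.0 0.0.0.255 10.10.0.0 0.0.255.255
80 deny ip 10.10.7.0 0.0.0.255 192.168.101.0 0.0.0.255
100 permit ip 192.168.7.0 0.0.0.255 any
""")
ACL_199 = parse_acl("""
10 permit udp any any eq isakmp
20 permit esp any any (1145 matches)
30 deny ip any any
""")


def cellular_verdict(flow: Flow) -> dict:
    """The two decisions for a flow headed out Cellular0/3/0: would route-map
    NONAT (ACL 180) translate it, and does ACL 199 let it leave the interface?"""
    nat_action, _ = evaluate(ACL_180, flow)
    egress_action, _ = evaluate(ACL_199, flow)
    return {"translated": nat_action == "permit", "egress": egress_action}


if __name__ == "__main__":
    # Constructed sample flows (documentation-range addresses, not real hosts).
    samples = {
        "data VLAN -> remote site (VPN)": Flow(6, "192.168.7.10", "192.168.50.5"),
        "data VLAN -> internet":          Flow(6, "192.168.7.10", "192.0.2.44"),
        "voice VLAN -> internet":         Flow(17, "10.10.7.20", "192.0.2.44", 5060),
        "router ESP to peer":             Flow(50, "203.0.113.5", "198.51.100.9"),
        "router ISAKMP to peer":          Flow(17, "203.0.113.5", "198.51.100.9", 500),
    }
    for name, flow in samples.items():
        print(f"{name:32} ACL180={evaluate(ACL_180, flow)}  ACL199={evaluate(ACL_199, flow)}")
```

Running it shows the situation the question describes: a data-VLAN flow to an internet address is permitted by ACL 180 (line 100), so it is translated, and is then dropped only by ACL 199 (line 30). It also shows something worth noting in the posted config: ACL 180 has no permit entry for 10.10.7.0/24, so voice-VLAN traffic to the internet falls through to the implicit deny and would leave untranslated if ACL 199 were ever removed, which is the scenario the 3G provider's source validation would punish. Whatever route-map change is chosen, keeping ACL 199 on the cellular interface as the final safeguard is the conservative move.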
