10-29-2013 08:53 PM - edited 03-04-2019 09:27 PM
Hi,
We have a Cisco 881 set up with its outside-world connection via Fa4. On the same unit we have a 3G connection configured.
Does anybody know if there is a way to set the router up to simultaneously allow use of the 3G and the wired WAN? Not looking for a fail-over type of set-up. I want the traffic from the LAN to external destinations to pass via Fa4 but I would like to be able to SSH into the router from the internet via the 3G for maintenance purposes. We currently have our default gateway (gateway of last resort) set as the upstream router connected to Fa4.
Any ideas?
Thanks,
Dave.
10-30-2013 02:51 AM
Hi,
Configure 2 default routes with the same AD so the device can be administered on both external interfaces.
Configure NAT on Fa4 only and force transit traffic through this interface with a PBR policy like this:
access-list 199 permit ip 192.168.1.0 0.0.0.255 any
!
route-map TRANSIT permit 10
 match ip address 199
 set ip next-hop x.x.x.x
! x.x.x.x is the default gateway out Fa4
!
interface Vlan1
! your inside interface
 ip nat inside
 ip policy route-map TRANSIT
!
interface FastEthernet4
 ip nat outside
Now, if you only want SSH from the 3G network, you can use another ACL and call it in a VTY access-class like this:
access-list 99 permit 200.20.20.0 0.0.0.255
! this is your 3G network
access-list 99 permit host 192.168.1.x
! the internal IP of the admin PC
!
line vty 0 15
 access-class 99 in
Regards
Alain
Don't forget to rate helpful posts.
10-31-2013 02:53 AM
Hello, David.
I would say that if you only want to access the router via 3G by SSH and nothing else, then it is much simpler to configure local PBR that matches the 3G card's IP address as the source and uses "set interface C0/0/0".
route-map LOCAL_TRAFFIC permit 10
 match ip address 3G_ACCESS
 set interface C0/0/0 Null0
! Null0 is required to drop the traffic in case C0/0/0 is down
!
! local PBR: applies to packets the router itself originates (the SSH replies),
! unlike "ip policy route-map" on an interface, which only sees transit packets
ip local policy route-map LOCAL_TRAFFIC
There are several options for how the 3G_ACCESS ACL can be configured:
1. ip access-list standard 3G_ACCESS
    permit host <3G interface IP-address>
2. ip access-list extended 3G_ACCESS
    permit tcp host <3G interface IP-address> eq 22 any
3. ip access-list extended 3G_ACCESS
    deny ip
    deny ip host
    permit tcp any eq 22 any
4. etc.
Surely the best practice is to use the access-class command under line vty if you always connect from a static public address; if not, then I would recommend using login delay and telnet quiet-mode.
PS: the best practice is to use a dialer interface instead of configuring directly under C0/0/0; in this case the set interface should be DialerX.
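The two answers above fit together: NAT and the default route on Fa4 keep LAN transit on the wired WAN, while local PBR steers the only router-originated traffic that must leave via 3G (the SSH server's replies) out the cellular link. The configuration below is an added example assembled from both answers, not a config posted in this thread. It assumes the 3G link is already up as interface Dialer1 (per the dialer note above), LAN is Vlan1 on 192.168.1.0/24, Fa4 has a static address, and it uses RFC 5737 documentation addresses (203.0.113.0/24, 198.51.100.10) and the domain name example.com as placeholders. Because the 3G address is typically assigned dynamically, it follows ACL option 3 from the answer above and matches replies by TCP source port 22 rather than by the cellular address, excluding the router's LAN and Fa4 addresses so SSH from those sides is routed normally.

```cisco
! Added example, not from the original thread. Placeholders: 203.0.113.x, 198.51.100.10,
! example.com. Assumes Dialer1 already carries the 3G session and Fa4 is static.
ip cef
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Single default route: all transit traffic leaves via the wired WAN on Fa4.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! NAT on Fa4 only; the 3G side never carries LAN transit.
ip access-list standard NAT_INSIDE
 permit 192.168.1.0 0.0.0.255
ip nat inside source list NAT_INSIDE interface FastEthernet4 overload
!
interface FastEthernet4
 description Wired WAN
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Router-originated SSH replies (TCP source port 22) that are NOT sourced from the
! LAN or Fa4 address can only belong to sessions that arrived over 3G, so send
! them back out Dialer1. Matching on port 22 instead of the cellular address keeps
! this working when the 3G address changes (assumption: dynamic 3G addressing).
ip access-list extended 3G_ACCESS
 deny   tcp host 192.168.1.1 eq 22 any
 deny   tcp host 203.0.113.10 eq 22 any
 permit tcp any eq 22 any
!
route-map LOCAL_TRAFFIC permit 10
 match ip address 3G_ACCESS
 set interface Dialer1 Null0
!
! Local PBR applies to packets the router itself generates; "ip policy route-map"
! on an interface only sees transit packets and would never match these replies.
ip local policy route-map LOCAL_TRAFFIC
!
! Restrict who may reach the VTY lines at all: the admin's fixed public address
! (placeholder) and the LAN. Anything else is refused before authentication.
access-list 99 remark management sources
access-list 99 permit 198.51.100.10
access-list 99 permit 192.168.1.0 0.0.0.255
!
line vty 0 4
 access-class 99 in
 transport input ssh
 exec-timeout 10 0
```

To check that the replies really take the 3G path, open an SSH session to the cellular address and watch the policy counters with `show route-map LOCAL_TRAFFIC` (the match count should rise with the session) and `show ip local policy`; `debug ip policy` shows each policy decision, which is the quickest way to spot a reply falling through to the Fa4 default route because one of the deny lines in 3G_ACCESS does not match the router's actual LAN or Fa4 address.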