Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Cisco 881 with WAN and 3G simultaneously


We have a Cisco 881 setup with outside world connection via Fa4.  On the same unit we have a 3G connection configured.

Does anybody know if there is a way to set the router up to simultaneously allow use of the 3G and the wired WAN?  Not looking for a fail-over type of set-up.  I want the traffic from the LAN to external destinations to pass via Fa4 but I would like to be able to SSH into the router from the internet via the 3G for maintenance purposes.  We currently have our default gateway (gateway of last resort) set as the upstream router connected to Fa4.

Any ideas?



Everyone's tags (2)

Cisco 881 with WAN and 3G simultaneously


configure 2 default routes with same AD so the device can be administered on both external interfaces.

configure NAT on fa4 only and force transit traffic through this interface with a PBR policy like this:

access-list 199 permit ip any

route-map TRANSIT

match ip address 199

set ip next-hop x.x.x.x   where x.x.x.x is the default-gateway out fa4

int vlan1    your inside interface

ip nat inside

ip policy route-map TRANSIT

int fa4

ip nat outside

Now if you only want ssh from 3G network you can use another ACL and call it in a VTY access-class like this:

access-list 99 permit  this is your 3G network

access-list 99 permit host 192.168.1.x the internal IP of the admin PC

line vty 0 15

access-class 99 in



Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
Community Member

Cisco 881 with WAN and 3G simultaneously

Hello, David.

I would say that if you want only to access the roouter via 3G by SSH and nothing else, then much simpler is to configure local PBR for source address match 3G card's ip-address and use "set interface C0/0/0".

route-map LOCAL_TRAFFIC permit 10

match ip address 3G_ACCESS

set interface C0/0/0 Null0

(Null0 is required to drop traffic in case C0/0/0 is down)

ip policy route-map LOCAL_TRAFFIC

there are several options for 3G_ACCESS ACL to be configured:

1. ip access-l sta 3G_ACCESS

     permit host <3G interface IP-address>

2. ip access-l ext 3G_ACCESS

     permit tcp host <3G interface IP-address> eq 22 any

3. ip access-l ext 3G_ACCESS

     deny ip any

     deny ip host

     permit tcp any eq 22 any

4. and etc.

Surely the best practice is to use access-class command under line vty if you always use static public address to connect with if not, then I would recommend to use login delay and telnet quiet-mode.

Ps: the best practice is to use dialer interface instead of direct configuration under C0/0/0; in this case set interface should be dialerX.

CreatePlease to create content