02-12-2008 07:57 AM - edited 03-03-2019 08:40 PM
PROBLEM:
A subnet NATing out the DSL occasionally ends up going across the other public interface and then out to the internet, in a setup with 2 different private subnets that each NAT out their own public interface.
DETAILS:
For sake of example:
Outside Interfaces:
DSL: 1.1.1.1, next-hop indicated in route table 5.5.5.5
Bonded Multilink: 2.2.2.2, next-hop 3.3.3.3
Inside Interfaces:
Eth1: 6.6.6.6/24 (Hardwired LAN)
Eth2: 7.7.7.7/24 (Wifi)
CONFIG:
ip route 0.0.0.0 0.0.0.0 Multilink1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip nat inside source route-map nonat interface Multilink1 overload
ip nat inside source list 1 interface Dialer0 overload
route-map nonat = 6.6.6.6/24 (Hardwired LAN) permitted to NAT, plus a VPN subnet (not listed) that is excluded from NAT
list 1 = 7.7.7.7/24 (Wifi)
Things I've tried that didn't work to effectively fully segment the NAT instances...
- setting next-hop in a route-map
- inserting Null routes so the proper route gets picked up out of the translation table and doesn't get to its NAT interface only to hop over and out another public interface.
*I think setting next-hop on my DSL doesn't work because of the setup bridging-wise on the ISP side.
Appreciate any help. I'm sure it's some minor little oversight, but my main issue is simply to just have wifi NAT out DSL only, no hopping over and out via another public and vice-versa.
02-12-2008 02:00 PM
Configure PBR (Policy Based Routing):
ip access-list standard wifi
 permit [wifi subnet]
ip access-list standard dsl
 permit [everyone else]
!
route-map internet permit 10
 match ip address wifi
 set interface Dialer0
route-map internet permit 20
 match ip address dsl
 set interface Multilink1
at the ingress interface on the router
interface fx/x
 ip policy route-map internet
HTH,
__
Edison.
02-13-2008 08:50 AM
Thanks much Edison. I will try this towards the end of the day when the office thins out. Good to know I wasn't too far off base. I was setting next-hop which didn't seem to want to work.
I will report back on how things turned out.
02-14-2008 08:17 AM
It worked beautifully to stop my hopping across public but with one caveat. It more or less broke my VPN. For some reason I could not pass about every other packet in a ping.
So I added a route for the VPN network to get it to work and it seemed like it did, but now it's not again. It's very random in terms of passing packets reliably.
Suggestions appreciated.
02-14-2008 11:26 AM
Please post config.
02-14-2008 11:42 AM
I will as soon as I have 5 seconds.... I'm sure it will help to see the 'actual' config.
Thanks for your patience and assistance.
02-14-2008 02:55 PM
The config below works as far as keeping NAT instances from hopping over and out another public once they get to their NAT outside interface; however, it breaks access to other local subnets connected to the router for ANY interface with ip policy applied. It also causes about 50% or more packet loss across my VPN tunnel.
Hopefully I didn't leave anything out that is applicable to review, which I sincerely appreciate.
Assume for my example, our subnet we hit via VPN is 8.8.0.0/16, and again 2.2.2.2 is my Multilink IP which my tunnel is set up on.
It might be as simple as adding a few routes or some minor ACL tweaks, but I have not been able to do much more testing since I have a full office of people using the network.
!
ip dhcp pool LAN-USERS
network 6.6.6.0 255.255.255.0
dns-server 6.6.6.1
default-router 6.6.6.1
!
ip dhcp pool WIRELESS-USERS
network 7.7.7.0 255.255.255.0
dns-server 7.7.7.1
default-router 7.7.7.1
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key
!
!
crypto ipsec transform-set MY-transform-set esp-3des esp-md5-hmac
!
crypto map MY-tunnel-515e 10 ipsec-isakmp
set peer
set transform-set MY-transform-set
match address 110
!
!
interface Multilink1
description BONDED 2xT1
ip address 2.2.2.2 255.255.255.252
! ACL 120 blocks port scans
ip access-group 120 in
ip nat outside
ip virtual-reassembly
rate-limit input access-group 105 256000 65536 65536 conform-action set-prec-transmit 5 exceed-action set-prec-continue 5
ip route-cache flow
no ip mroute-cache
ppp multilink
ppp multilink fragment disable
ppp multilink group 1
crypto map MY-tunnel-515e
service-policy output policy1
!
interface FastEthernet0/0
description LAN-USERS
ip address 6.6.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
ip route-cache flow
ip policy route-map NAT-CNTRL
no ip mroute-cache
duplex full
speed 100
!
interface Dialer0
description DSL
bandwidth inherit
ip address negotiated
ip nat outside
no ip virtual-reassembly
encapsulation ppp
ip route-cache flow
no ip mroute-cache
dialer pool 1
ppp pap sent-username
!
interface FastEthernet0/1
description WIRELESS-USERS
ip address 7.7.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
ip route-cache flow
ip policy route-map NAT-CNTRL
no ip mroute-cache
duplex full
speed 100
!
!
!! VOIP/PBX COMES IN VIA HERE FROM
!! A 16 PORT PoE module
interface GigabitEthernet1/0
description RTR-to-SW-Interconnect
ip address
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip policy route-map NAT-CNTRL
no ip mroute-cache
!
ip classless
ip route 0.0.0.0 0.0.0.0 Multilink1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 6.6.6.0 255.255.255.0 FastEthernet0/0
ip route 7.7.7.0 255.255.255.0 FastEthernet0/1
ip route
ip route
ip nat inside source list LAN-MULTI interface Multilink1 overload
ip nat inside source list WIFI-DSL interface Dialer0 overload
ip nat inside source static udp
ip nat inside source static tcp
!
ip access-list standard WIFI-DSL
permit 7.7.7.0 0.0.0.255
!
!
ip access-list extended LAN-MULTI
deny ip 6.6.6.0 0.0.0.255 8.8.0.0 0.0.255.255
permit ip 6.6.6.0 0.0.0.255 any
permit ip host
deny ip any any
!
access-list 110 remark CRYPTO-list for VPN-office-tunnel-Serial
access-list 110 permit ip host 2.2.2.2 host
access-list 110 permit ip 6.6.6.0 0.0.0.255 8.8.0.0 0.0.255.255
! PBR: wifi sources are forced out the DSL (Dialer0), LAN sources out the bonded T1s (Multilink1)
! A sequence only applies when its ACL permits the packet; a deny falls through to normal routing
route-map NAT-CNTRL permit 10
match ip address WIFI-DSL
set interface Dialer0
!
route-map NAT-CNTRL permit 20
match ip address LAN-MULTI
set interface Multilink1
02-14-2008 03:49 PM
If you have other networks in addition to 6.6.6.0/24 sitting behind this router, you need to add them in the LAN-MULTI ACL with a deny statement similar to deny ip 6.6.6.0 0.0.0.255 8.8.0.0 0.0.255.255
__
Edison.
02-18-2008 09:28 AM
Edison:
You are a gentleman and a scholar. I got everything working exactly as planned this weekend based on your initial post. Just was a little rusty on policy routing, and a few things gave me grief in terms of the right combo of routes and policy statements.
Thanks for your help!
02-18-2008 09:59 AM
Glad to be of help and remember to rate helpful posts :)
__
Edison.
02-14-2008 11:40 AM
By setting interface I now also effectively break routing between my internal subnets. My goal was only to isolate the NAT instances so one inside subnet doesn't get to its public only to hop over to the other public out the other link, not make it so internal subnets can't reach each other.
Is it impossible for me to isolate 2 NAT instances and still be able to do that?
Thanks again.
02-14-2008 11:43 AM
You can add the internal src/dst networks in the route-map as a deny, hence they won't be affected by the PBR.
Posting the config will also help.
02-14-2008 03:24 PM
Hi,
As Edison pointed out, denying the crypto list in the access-list of the route-map should prevent your VPN from going through the PBR process towards the internet or being dropped.
route-map name permit 10
 match ip address 100
 set interface Dialer0
route-map name permit 20
 match ip address 101
 set interface Multilink1
access-list 100 deny ip (Your Local VPN subnet) (Your Remote VPN subnet)
access-list 100 permit ip (Desired 1st LAN subnet) any
access-list 101 deny ip (Your Local VPN subnet) (Your Remote VPN subnet)
access-list 101 permit ip (Desired 2nd LAN subnet) any
HTH
Mohamed
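The PBR approach in Edison's first reply and the deny entries suggested afterwards (Edison's deny for other internal networks, Mohamed's access-list 100/101) can be checked offline before touching a production router. What follows is an added example, not code from the thread or from Cisco: a small Python evaluator for IOS-style wildcard-mask ACLs and permit-sequence route-maps, run against the NAT-CNTRL route-map exactly as posted and against a version with the suggested deny entries in front of the permits. Addresses are the thread's placeholders; the sample flows and the internet host 203.0.113.9 are constructed; the truncated `permit ip host ...` entry of LAN-MULTI is omitted because the page does not show it.

```python
"""Added example (not from the thread): simulate which outbound interface an
IOS PBR route-map forces a flow to, or whether it falls through to the routing
table, for the NAT-CNTRL route-map as posted and with the replies' deny entries."""
import ipaddress
from dataclasses import dataclass


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _wc_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard-mask comparison: a 1 bit in the wildcard means 'don't care'."""
    return ((_ip(addr) ^ _ip(net)) & ~_ip(wildcard) & 0xFFFFFFFF) == 0


ANY = ("0.0.0.0", "255.255.255.255")      # the keyword 'any'
LAN = ("6.6.6.0", "0.0.0.255")            # hardwired LAN (thread placeholder)
WIFI = ("7.7.7.0", "0.0.0.255")           # wifi (thread placeholder)
VPN_REMOTE = ("8.8.0.0", "0.0.255.255")   # remote office reached via the tunnel


@dataclass(frozen=True)
class Ace:
    """One access-control entry; (network, wildcard) pairs as in the IOS CLI."""
    action: str            # "permit" or "deny"
    src: tuple
    dst: tuple = ANY       # a standard ACL matches on source only

    def matches(self, s: str, d: str) -> bool:
        return _wc_match(s, *self.src) and _wc_match(d, *self.dst)


def acl_result(acl, s, d):
    """First matching entry wins; IOS appends an implicit 'deny ip any any'."""
    for ace in acl:
        if ace.matches(s, d):
            return ace.action
    return "deny"


def pbr_decision(route_map, s, d):
    """route_map: ordered (acl, set_interface) pairs for 'permit' sequences.
    A sequence applies only when its ACL permits the packet; a deny or no match
    moves on to the next sequence. If nothing applies, normal routing is used."""
    for acl, iface in route_map:
        if acl_result(acl, s, d) == "permit":
            return iface
    return "routing-table"


# As posted on 02-14-2008: WIFI-DSL is a standard ACL (source only), so every
# packet from wifi, including wifi->LAN, gets 'set interface Dialer0'.
WIFI_DSL = [Ace("permit", WIFI)]
LAN_MULTI = [Ace("deny", LAN, VPN_REMOTE), Ace("permit", LAN, ANY), Ace("deny", ANY, ANY)]
NAT_CNTRL_POSTED = [(WIFI_DSL, "Dialer0"), (LAN_MULTI, "Multilink1")]

# With the replies applied: extended ACLs that deny inside->inside and
# inside->VPN-remote ahead of the permit (Mohamed's 100/101 pattern).
WIFI_DSL_FIXED = [Ace("deny", WIFI, LAN), Ace("deny", WIFI, VPN_REMOTE), Ace("permit", WIFI, ANY)]
LAN_MULTI_FIXED = [Ace("deny", LAN, WIFI), Ace("deny", LAN, VPN_REMOTE), Ace("permit", LAN, ANY)]
NAT_CNTRL_FIXED = [(WIFI_DSL_FIXED, "Dialer0"), (LAN_MULTI_FIXED, "Multilink1")]

# Constructed sample flows; 203.0.113.9 stands in for an arbitrary internet host.
FLOWS = {
    "wifi->internet": ("7.7.7.10", "203.0.113.9"),
    "wifi->lan": ("7.7.7.10", "6.6.6.20"),
    "lan->internet": ("6.6.6.20", "203.0.113.9"),
    "lan->wifi": ("6.6.6.20", "7.7.7.10"),
    "lan->vpn": ("6.6.6.20", "8.8.1.1"),
}


def compare(route_map):
    """Map each sample flow name to the interface PBR picks (or 'routing-table')."""
    return {name: pbr_decision(route_map, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, rm in (("posted", NAT_CNTRL_POSTED), ("fixed", NAT_CNTRL_FIXED)):
        print(label)
        for name, iface in compare(rm).items():
            print(f"  {name:15} -> {iface}")
```

Running it shows the posted route-map sending wifi->lan out Dialer0 and lan->wifi out Multilink1 (the "breaks access to other local subnets" symptom), while the version with the deny entries returns both to the routing table and still sends internet-bound traffic from each subnet out its own link. Note that lan->vpn already falls through in the posted config because LAN-MULTI starts with a deny for 8.8.0.0/16; a flow that falls through is forwarded by the routing table, where the posted config has two static default routes of equal cost (Multilink1 and Dialer0), so pinning tunnel traffic to the crypto-mapped Multilink1 still needs a more specific static route for the VPN network, which is the route the poster mentions adding.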