PBR, NAT on a stick for two VPN tunnels problem

Unanswered Question
Jul 28th, 2009

I have two sites.

My primary site router is terminating an ipsec vpn tunnel to another remote site.

The users are NATted at the firewall to the router with a /24, i.e. the remote site has this route in their routing table. They go via the VPN tunnel and everything is working fine here.

My secondary site now needs to connect to the remote site. I have created another IPsec tunnel from the primary site to the secondary site, so that users from the secondary site will access the remote site via two tunnels.

new site----> site 1---> remote site

Because of the routing at the remote site I have no choice but to NAT the new users to the same IP range.

I created a loopback and gave it an IP address of

I used an access list to match the source (Test PC) going to the destination (Remote server), and route that traffic, coming in from the interface connecting to the internet, to the loopback interface using PBR.

Loopback 0 is NAT outside (overload) and the internet interface is NAT inside.

The problem is that I can see traffic being matched by the ACL for the route-map, but no traffic lands on the loopback interface and it is not being NATted.

Please have a look at the configuration and show outputs.

Will be very thankful for any help.

Giuseppe Larosa Tue, 07/28/2009 - 03:48

Hello Sanjay,

PBR works on inbound traffic, not outbound; you should apply it on the internal interface.

However, a static route using the loopback as outgoing interface, plus the crypto map applied to the loopback, is enough to create the desired recursion:

something like

int loop0
 ip address
 crypto map your.crypto2

ip route remote-vpn-site-subnet mask loop0

and the public interface has the primary crypto:

int f0/0
 ip addr x.x.x.x
 crypto map your.vpn1

We use it in this way for a backup VPN connection, because you need a different interface to apply a second crypto map.

And this works.

Hope to help
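As an added illustration of the layout described in this reply (not the poster's or Giuseppe's actual configuration), here is how the two crypto maps, the NAT rule and the static route fit together in IOS. All addresses, names and ACL numbers are placeholders, and the NAT inside/outside placement follows the original post.

```cisco
! Second crypto map: tunnel to the remote site, applied to the loopback.
! Peer address and transform set are placeholders.
crypto map your.crypto2 10 ipsec-isakmp
 set peer REMOTE_SITE_PEER_IP
 set transform-set TS1
 match address 110
!
! Crypto ACL for your.crypto2: traffic already translated to the loopback
! address (the /24 the remote site routes), heading for the remote subnet.
access-list 110 permit ip host LOOPBACK_IP REMOTE_SUBNET 0.0.0.255
!
! Sources from the new site that must be translated before encryption.
access-list 120 permit ip NEW_SITE_SUBNET 0.0.0.255 REMOTE_SUBNET 0.0.0.255
!
! The loopback carries the second crypto map and is the NAT outside side.
interface Loopback0
 ip address LOOPBACK_IP 255.255.255.255
 ip nat outside
 crypto map your.crypto2
!
! Public interface: decrypted traffic from the new site arrives here
! (NAT inside, as in the original post) and the primary crypto map,
! including the tunnel from the new site, stays on it.
interface FastEthernet0/0
 ip address x.x.x.x 255.255.255.x
 ip nat inside
 crypto map your.vpn1
!
! Translate new-site sources (ACL 120) to the loopback address, overloaded.
ip nat inside source list 120 interface Loopback0 overload
!
! Static route: the remote subnet is reached via Loopback0, so a packet from
! the new site is translated on its way out and then meets your.crypto2 on
! the loopback rather than the primary map on the public interface.
ip route REMOTE_SUBNET 255.255.255.0 Loopback0
```

Only flows matching the static route leave via Loopback0; other tunnels terminated on the public interface are not affected by that route unless their destinations overlap the remote subnet.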


sanjay.ccie Tue, 07/28/2009 - 08:20

I think I understand what you are suggesting! But on this VPN router I have another 20 VPN tunnels; if I have the route as suggested via the loop, will that affect other traffic? I can't straight away put that in, because it's on a production network.

The primary crypto map is already on the external interface, but will the map on the loopback override the primary crypto map?

I have never tried this so I am confused!

