Cisco Support Community

New Member

VPN change broke NAT Loopback on RV320

A change to a VPN configuration caused NAT loopback to stop working on the RV320 router I call RV320_Branch.

Here's the network configuration; a vertical bar (|) is an Ethernet network.  The branch where I am located is connected to the main office by a pair of RV320 routers with an IPsec VPN over the Internet.

Client|Router|RV320_Main-(Ipsec VPN over Internet)-RV320_Branch|Server

Client and Router (and other systems) share network

Router and RV320_Main (and other systems) share network

RV320_Branch and Server (and other systems) share network

In the old configuration, the Client on the left could reach systems on, but not systems on  To change that, we set up some static routes in the Router and made a change to the VPN configuration.

Old VPN configuration:
Local Group
Remote Grp
Local Group
Remote Grp

New VPN configuration:
Local Group
Remote Grp
Local Group
Remote Grp

This change to the VPN configuration, along with the changes in 'Router', enabled Client (on the left above) to reach Server (on the right above).  Great, so far.

There is a limited set of services on the Server which can be accessed from the Internet via port forwarding.

The problem is that when we made this change, NAT loopback stopped working on the RV320_Branch router.  That is, systems on the network could formerly reach resources on the server by specifying the external IP address of the RV320_Branch router.  That was convenient, because that allowed laptops to reference resources by DNS names, and it worked anywhere. After the VPN change, that stopped working.  When we changed the VPN configuration back to the original values, NAT loopback started working again.

Does anyone know of a workaround to this problem?


Hi Ken, 

I can see from the new VPN configuration that you have the Local Group and Remote Group overlapping: is from --until -- is contain network.

If you can test to change the network to should work or just to choose another Class of IP such as 192.x.x.x/24 or 172.x.x.x/24



Please rate the post or mark as answered to help other Cisco Customers


Best Regards



New Member



Yes, the local and remote groups overlap.  That is intentional.  That is what makes the routing of packets from to work.  And in fact that routing _does_ work, as it should.

The default route to the ISP ( overlaps the route for the local network of, but that is not a problem; it does not keep NAT loopback from working.

IP renumbering (non-trivial, in this case) as a solution to what should be a legitimate route configuration is not the kind of workaround I was hoping for.

I note that your reply does not mention NAT Loopback, the feature that is broken.


New Member


I replaced the RV320 with the RV42 we had used previously.  The RV42 works with the configuration described above, including NAT Loopback.

This is not a great long-term solution, as we may someday have an upstream Internet connection that is faster than the RV42.  (This RV42 has had its capacitors replaced, and is hooked up using a 3rd party regulated power supply, so it may work for some time yet. :-) )
