Cisco Support Community
Community Member

PBR, NAT on a stick for two VPN tunnels problem


I have two sites.

My primary site router is terminating an IPsec VPN tunnel to another remote site.

The users are NATed at the firewall to the router with a /24, i.e. the remote site has this route in its routing table. They go via the VPN tunnel and everything is working fine here.

My secondary site now needs to connect to the remote site. I have created another IPsec tunnel from the primary site to the secondary site, so that users from the secondary site will access the remote site via two tunnels.

new site----> site 1---> remote site

Because of the routing at the remote site I have no choice but to NAT the new users to the same IP range.

I created a loopback and gave it an IP address of

I used an access list to match (Test PC) going to the destination (Remote server) and route traffic to the loopback interface, coming from the interface connecting to the internet, using PBR.

Loopback 0 is NAT outside overload and the internet interface is NAT inside.

The problem is that I can see traffic being matched by the ACL for the route-map, but no traffic lands on the loopback interface and it is not being NATed.

Please have a look at the configuration and show outputs.

Will be very thankful for any help.

Hall of Fame Super Silver

Re: PBR, NAT on a stick for two VPN tunnels problem

Hello Sanjay,

PBR works on inbound traffic, not outbound; you should apply it on the internal interface.

However, a static route using the loopback as the outgoing interface, plus the crypto map applied to the loopback, is enough to create the desired recursion:

something like

int loop0
 ip address
 crypto map your.crypto2

ip route remote-vpn-site-subnet mask loop0

and the public interface has the primary crypto:

int f0/0
 ip addr x.x.x.x
 crypto map your.vpn1

We use it this way for a backup VPN connection, because you need a different interface to apply a second crypto map.

And this works.

Hope to help
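The skeleton in the reply above, filled in as an added example that is not configuration from the thread or from either poster. Every address, peer, ACL, map name and transform set below is an assumed placeholder; the real values would be the poster's remote-site subnet, the /24 the remote site routes, and the two peer addresses.

```text
! Added example (not from the thread): second crypto map on a loopback,
! reached by a static route. All names and addresses are assumptions.
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key KEY-VPN1 address 203.0.113.1      ! peer of the existing tunnel (assumed)
crypto isakmp key KEY-VPN2 address 198.51.100.1     ! peer of the second tunnel (assumed)
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha-hmac
!
ip access-list extended VPN1-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.20.0.0 0.0.0.255   ! interesting traffic, tunnel 1 (assumed)
ip access-list extended VPN2-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.30.0.0 0.0.0.255   ! interesting traffic, tunnel 2 (assumed)
!
! Primary crypto map stays on the public interface, exactly as before.
crypto map VPN1 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES
 match address VPN1-TRAFFIC
!
! A second crypto map needs its own interface: the loopback.
crypto map VPN2 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES
 match address VPN2-TRAFFIC
!
interface Loopback0
 ip address 192.0.2.1 255.255.255.255      ! assumed
 crypto map VPN2
!
interface FastEthernet0/0
 description Internet
 ip address 198.18.0.2 255.255.255.252     ! assumed public address
 crypto map VPN1
!
! Only this one prefix is steered into the loopback. Any other destination,
! including those of tunnels already terminated on FastEthernet0/0, keeps
! following the existing routing table (longest match).
ip route 10.30.0.0 255.255.255.0 Loopback0
```

Two checks before trusting it on a production box: `show ip route 10.30.0.0` should list Loopback0 as the outgoing interface for that prefix only, and `show crypto session` / `show crypto ipsec sa` should show the second SA coming up under map VPN2 once interesting traffic flows. One caveat: a crypto map applied to a loopback uses that loopback's address as the IKE and ESP source unless you tell it otherwise, so the second peer must be able to reach the loopback address (or be configured with it as the peer).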


Community Member

Re: PBR, NAT on a stick for two VPN tunnels problem

I think I understand what you are suggesting! But on this VPN router I have another 20 VPN tunnels; if I have the route as suggested via the loop, will that affect other traffic? I can't put that in straight away because it's on a production network.

The primary crypto map is already on the external interface, but will the map on the loopback override the primary crypto map?

I have never tried this so I am confused!
