    Route traffic to certain address through VPN

      I have a Netvanta 3448 at the main office with several 3120s connected by VPN at branch locations.  There are certain customers that we connect to on the Internet that have whitelisted our public IPs at our headquarters office but not the public IPs at the branch offices.  From the branch office I'd like to route all traffic to these customers through the VPN tunnel and out the WAN connection at headquarters.  But I'm having trouble creating a route to do this with a VPN as the gateway.  I suspect that I need to use policy-based routes instead but I can't figure out how to do that either.


          Thanks for posting your question on the forum!


          Traffic that goes over a VPN tunnel is determined by the traffic specified in the traffic selectors for that particular VPN, also known as VPN selectors. There is no need to add any additional routes or configure policy-based routing. The VPN tunnel uses the branch office's internet connection so it will use the default route. However, we can choose which traffic goes over the VPN tunnel by specifying it in the VPN selectors.


          Configuration modifications will need to be made on the branch router as well as the main router for this application to work. The instructions below will use an example where the branch office has a LAN of /24 and HQ has a LAN of /24.  The HQ's WAN IP is . You have a customer that has an IP address of . You would like to route traffic coming from the branch office destined for your customer at across the VPN tunnel to HQ and then routed out HQ's internet connection.


          Branch Office

          The branch office will need its VPN selectors defined as the following:

               ip access-list ext BranchVPN

                    permit ip     <- For branch to HQ traffic

                    permit ip host                   <- For branch to customer traffic



          HQ will need its VPN selectors defined as the following:

               ip access-list ext HQVPN

                    permit ip     <- For HQ to branch traffic

                    permit ip host                    <- For customer to branch traffic


          You will also need to configure an additional ACL and make an additional change in HQ's public policy-class/security zone:


          ip access-list extended Branch2Customer   

               permit ip host


          ip policy-class Public

             nat source list Branch2Customer address overload   <- This will NAT Branch to customer traffic to go out HQ internet connection

             allow reverse list HQVPN stateless


          You will also need to disable RPF check for the Public policy-class. This can be done with the following command:

          no ip policy-class Public rpf-check

          Please do not hesitate to let me know if you have any questions.
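The following is an added worked model of the flow described in this answer; it is not ADTRAN code and not part of the original post. It treats the two VPN selector ACLs, the Branch2Customer NAT list and the reverse path as small Python functions so the round trip can be traced end to end: the branch selector decides whether a packet enters the tunnel, HQ's Public policy-class overload-NATs branch-to-customer traffic to the HQ WAN address, and the customer's reply is un-NATed and checked against HQ's selectors before going back down the tunnel. All addresses are constructed (the post's real ones were removed): branch LAN 192.168.2.0/24, HQ LAN 192.168.1.0/24, HQ WAN IP 203.0.113.10 and customer 198.51.100.25 (RFC 5737 documentation ranges). The `Packet`, `HqPublicPolicy` and `trace` names are this example's own.

```python
"""Added example (not from the ADTRAN post): a toy model of selector-driven
VPN forwarding at the branch, overload NAT at HQ's Public policy-class, and
the reverse path for customer replies.

All addresses are constructed placeholders:
  branch LAN 192.168.2.0/24, HQ LAN 192.168.1.0/24,
  HQ WAN 203.0.113.10, customer 198.51.100.25 (RFC 5737 ranges).
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

BRANCH_LAN = ip_network("192.168.2.0/24")
HQ_LAN = ip_network("192.168.1.0/24")
HQ_WAN_IP = ip_address("203.0.113.10")
CUSTOMER = ip_network("198.51.100.25/32")   # the "host" entry in the ACLs

# Extended ACLs modelled as ordered (source, destination) permit entries.
BRANCH_VPN = [(BRANCH_LAN, HQ_LAN), (BRANCH_LAN, CUSTOMER)]   # BranchVPN selectors
HQ_VPN = [(HQ_LAN, BRANCH_LAN), (CUSTOMER, BRANCH_LAN)]       # HQVPN selectors
BRANCH2CUSTOMER = [(BRANCH_LAN, CUSTOMER)]                    # NAT source list at HQ


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int


def acl_permits(acl, src, dst):
    """True if any permit entry covers the (src, dst) pair."""
    return any(src in s and dst in d for s, d in acl)


def branch_egress(pkt, selectors=BRANCH_VPN):
    """Branch router: a selector match sends the packet into the tunnel;
    everything else follows the branch's default route."""
    return "vpn" if acl_permits(selectors, pkt.src, pkt.dst) else "branch-internet"


class HqPublicPolicy:
    """HQ Public policy-class: 'nat source list Branch2Customer address overload'
    on the way out, and the matching reverse translation for replies."""

    def __init__(self):
        self._next_port = 40000
        self._xlate = {}  # translated source port -> (original src, original sport)

    def forward(self, pkt):
        """Decrypted tunnel traffic leaving HQ's Internet link: overload-NAT it
        to the WAN IP if it matches Branch2Customer, otherwise leave it alone."""
        if not acl_permits(BRANCH2CUSTOMER, pkt.src, pkt.dst):
            return pkt
        port = self._next_port
        self._next_port += 1
        self._xlate[port] = (pkt.src, pkt.sport)
        return Packet(HQ_WAN_IP, pkt.dst, port, pkt.dport)

    def reply(self, pkt, selectors=HQ_VPN):
        """Customer reply arriving at HQ's WAN IP: undo the NAT, then decide
        whether the inner packet is tunnel traffic under HQ's selectors."""
        if pkt.dst != HQ_WAN_IP or pkt.dport not in self._xlate:
            return None, "drop"                      # no NAT session for it
        orig_src, orig_sport = self._xlate[pkt.dport]
        inner = Packet(pkt.src, orig_src, pkt.sport, orig_sport)
        path = "vpn" if acl_permits(selectors, inner.src, inner.dst) else "no-selector"
        return inner, path


def trace(src, dst, hq_selectors=HQ_VPN):
    """Follow one branch-originated flow and its reply; returns a summary."""
    src, dst = ip_address(src), ip_address(dst)
    pkt = Packet(src, dst, 51515, 443)
    out = {"branch_path": branch_egress(pkt)}
    if out["branch_path"] != "vpn" or dst in HQ_LAN:
        return out                       # left via branch link, or ends inside HQ LAN
    hq = HqPublicPolicy()
    on_wire = hq.forward(pkt)
    out["internet_src"] = str(on_wire.src)   # the address the customer sees
    reply = Packet(on_wire.dst, on_wire.src, on_wire.dport, on_wire.sport)
    inner, path = hq.reply(reply, hq_selectors)
    out["reply_path"] = path
    out["reply_dst"] = str(inner.dst) if inner else None
    return out


if __name__ == "__main__":
    print(trace("192.168.2.50", "198.51.100.25"))   # full round trip via HQ's WAN IP
    print(trace("192.168.2.50", "192.0.2.7"))       # unrelated host: branch's own link
    # HQ selectors without the customer->branch entry: the reply cannot re-enter the tunnel
    print(trace("192.168.2.50", "198.51.100.25", hq_selectors=[(HQ_LAN, BRANCH_LAN)]))
```

The third trace is the case worth keeping in mind when checking a configuration like this: if HQ's selector list only carries the LAN-to-LAN entry, the outbound packets still reach the customer, but the un-NATed reply has no selector match and never goes back through the tunnel, which looks exactly like "no luck" from the branch side.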




              Hi Noor,


              Thanks for the info. This all makes sense so I gave this a try but no luck.  These are the relevant portions of my config.  The lines in red are the lines that I added.  I replaced the public IPs with and for posting to the forum.


              Branch Office router


              ip access-list extended VPN-10-vpn-selectors

                  permit ip   

                  permit ip  host   



              HQ Router


              ip access-list extended VPN-70-vpn-selectors1

                  permit ip   

                  permit ip host   


              ip access-list extended RemoteSitesStaticRoutes

                 permit ip host  


              ip policy-class Public-2

                 nat source list RemoteSitesStaticRoutes address overload

                nat destination list OUTSIDE-Numonyx pool POOL-Numonyx

                allow list ADTRAN

                allow list web-acl-19 self

                nat destination list web-acl-20-Comcast address

                nat destination list web-acl-28-Comcast address

                nat destination list web-acl-30-Comcast address

                nat destination list web-acl-32-Comcast address

                nat destination list web-acl-66-Comcast address

                nat destination list web-acl-108 address port 80

                nat destination list web-acl-110 address

                nat destination list web-acl-111 address

                nat destination list web-acl-103 address

                allow list web-acl-118 self

                  The commands you entered appear correct. However, I think you will also need to add the "no ip policy-class Public-2 rpf-check" command at the main router. This can be done in config mode.


                  A good way to try and determine what is happening to the traffic is to issue the "show ip policy-session" command. You should view the Private policy-class at the branch office and the Public-2 policy-class to see if traffic is being passed and NATted the way you want.


                  Let us know if you have any questions.