Cisco Support Community
tunnel within tunnel

Hello All,

I have to build an IPsec tunnel from some box to a Cisco ASA - this will be site-to-site IPsec. Within this tunnel, other IPsec- or SSL-encrypted traffic will pass, and this traffic will be routed from the Cisco ASA to another box inside. There it is going to be decrypted and routed to the destination.

My problem is that I don't know what to define as interesting traffic (encryption domain) on the Cisco ASA, and how.

Many thanks for your help.

Cisco Employee

Hello,

Well, assuming that the inner header of the inside tunnel is not NATed, it would be between the IP addresses of the endpoints within the new tunnel.

That should do the trick. Let me know if you got what I tried to say.



VIP Green

Basically the peer addresses of the second tunnel will be defined as interesting traffic in the first tunnel. The traffic between hosts would be defined as interesting traffic in the second tunnel.

Remember to configure NAT exemption / Twice NAT to prevent interesting traffic from being NATed, in the case that you are using NAT, that is. In the first tunnel you would configure NAT exemption for the peer addresses of the second tunnel, and if you have NAT configured on the second ASA then you would need to configure NAT exemption for the host VPN traffic.


Please remember to select a correct answer and rate helpful posts
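Worked example, added here and not part of either reply above: an ASA (8.3 or later syntax, objects plus twice NAT) configuration for the outer site-to-site tunnel, following the two answers. The crypto ACL of the outer tunnel matches only the two inner-tunnel endpoints, and the identity NAT rule keeps those addresses from being translated before encryption. All addresses, object names, the peer 198.51.100.20 and the pre-shared key placeholder are assumptions chosen for the example (documentation and private ranges): 10.1.1.5 is the inner-tunnel endpoint behind this ASA, 172.16.5.5 the inner-tunnel endpoint reachable through the remote box. Lines starting with `!` are explanatory annotations, not configuration.

```cisco
! Inner-tunnel endpoints (example addresses, not from the thread)
object network INNER-PEER-LOCAL
 host 10.1.1.5
object network INNER-PEER-REMOTE
 host 172.16.5.5

! Outer tunnel interesting traffic = traffic between the inner tunnel's peers.
! "ip" covers IKE (UDP 500/4500), ESP (protocol 50) and SSL/TLS (TCP 443)
! so the whole inner tunnel rides one outer SA.
access-list OUTER-CRYPTO extended permit ip object INNER-PEER-LOCAL object INNER-PEER-REMOTE

! NAT exemption (identity twice NAT) for the inner peer addresses, only
! needed if other NAT rules on this ASA would otherwise translate them.
nat (inside,outside) source static INNER-PEER-LOCAL INNER-PEER-LOCAL destination static INNER-PEER-REMOTE INNER-PEER-REMOTE no-proxy-arp route-lookup

! IKEv1 and IPsec policy for the outer tunnel
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside

crypto ipsec ikev1 transform-set OUTER-TS esp-aes-256 esp-sha-hmac

crypto map OUTER-MAP 10 match address OUTER-CRYPTO
crypto map OUTER-MAP 10 set peer 198.51.100.20
crypto map OUTER-MAP 10 set ikev1 transform-set OUTER-TS
crypto map OUTER-MAP interface outside

tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-REAL-KEY
```

The inner tunnel itself needs no configuration on this ASA: its IKE, ESP or TLS packets are ordinary payload between 10.1.1.5 and 172.16.5.5, which the outer SA carries, and they are decrypted on the inside box, as the question describes. Two checks worth doing after bringing it up: `show crypto ipsec sa` should show the outer SA with the two inner peers as its proxy identities, and because two layers of encapsulation shrink the usable MTU, watch for fragmentation or black-holed large packets and consider `crypto ipsec df-bit clear-df outside` or `sysopt connection tcpmss` on the ASA (both existing ASA commands) if the inner tunnel sets the DF bit.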

