Yes, it can. The only thing you have to be aware of is that the default Public filter on the public interface only allows PPTP/IPSec/ESP/ISAKMP types of packets in. If you then have unencrypted packets coming in and out of this interface, as you would in an "on-a-stick" setup, you need to change the filter on this interface to the Private filter (which is an any-in/any-out type of filter).
After I posted the question, I found out that it can be done. I had some theory on it (exactly what you are saying) but had never implemented one.
We tested our setup yesterday and it worked.
For other members, just to let you know how this is done...
Configure the IPSec tunnel (or other tunnels) just as if you were configuring them in a regular setup. Have only one route in the concentrator i.e. the default route, pointing out the interface you want active. Additionally, you may shut down the other interface(s) that are not being used. Then comes the trick of configuring the on-a-stick.
Create rules that define the unencrypted traffic. You have to create rule-pairs, one for each direction. For example, if you want to have HTTP traffic that came over an encrypted tunnel go out the same interface (this is the on-a-stick part), then you have to create a rule for the outbound direction w.r.t. the unencrypted traffic and one for the inbound direction (which is the return/response traffic for what went out). The direction is relative to the interface.
The traffic going out (after being unencrypted) will have destination port TCP/80. The traffic coming back from the web server will have SOURCE PORT TCP/80.
So, for every type of traffic you want to send/receive, there will be a rule-pair - one outgoing + one incoming.
Add these rules to the Public (Default) filter and you should be good to go. If the Public filter has been modified, then you may want to check the order of the rules just to make sure that there is nothing dropping the traffic before it hits its permit rule.
It is imperative that you be as specific as possible in defining the traffic, especially when dealing with packets that have non-RFC 1918 IP addresses, as they can be routed over the Internet.
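The rule-pair and rule-order checks described in this thread, as an added example that is not part of the original posts and is not the concentrator's own configuration syntax. It assumes a simplified first-match filter with an implicit drop; the rule names, the client port 40000 and the sample filters are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str                        # hypothetical rule name
    direction: str                   # "in" or "out", relative to the interface
    action: str                      # "permit" or "drop"
    proto: str = "any"               # "tcp", "udp" or "any"
    src_port: Optional[int] = None   # None matches any port
    dst_port: Optional[int] = None

    def matches(self, direction, proto, src_port, dst_port):
        return (self.direction == direction
                and self.proto in ("any", proto)
                and self.src_port in (None, src_port)
                and self.dst_port in (None, dst_port))

def evaluate(rules, direction, proto, src_port, dst_port):
    """Assumed model: first matching rule wins, no match means drop."""
    for rule in rules:
        if rule.matches(direction, proto, src_port, dst_port):
            return rule.action, rule.name
    return "drop", "implicit"

def audit_pair(rules, proto, service_port, client_port=40000):
    """Check both halves of a rule-pair for one service on one interface."""
    out = evaluate(rules, "out", proto, client_port, service_port)
    back = evaluate(rules, "in", proto, service_port, client_port)
    return {"outbound": out, "return": back,
            "ok": out[0] == "permit" and back[0] == "permit"}

def broad_permits(rules):
    """Permit rules naming no protocol and no port (any-in/any-out style)."""
    return [r.name for r in rules if r.action == "permit"
            and r.proto == "any" and r.src_port is None and r.dst_port is None]

# Constructed sample filters.
GOOD = [
    Rule("ISAKMP In", "in", "permit", "udp", dst_port=500),
    Rule("ISAKMP Out", "out", "permit", "udp", src_port=500),
    Rule("HTTP Out", "out", "permit", "tcp", dst_port=80),  # decrypted request
    Rule("HTTP In", "in", "permit", "tcp", src_port=80),    # web server reply
]
MISORDERED = [Rule("Drop TCP In", "in", "drop", "tcp")] + GOOD
MISSING_RETURN = [r for r in GOOD if r.name != "HTTP In"]
PRIVATE_STYLE = [Rule("Any In", "in", "permit"), Rule("Any Out", "out", "permit")]
```

`audit_pair` names the rule that decided each direction, so a drop placed ahead of the permit or a missing return rule shows up directly, and `broad_permits` lists the any/any entries worth narrowing.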