I have a Cisco 3600 series router that serves as a VPN gateway for multiple IPsec tunnels. Its outside interface (F0/0) is where the peer VPNs terminate and where the crypto map is applied. I'm having an issue with a recent VPN peer addition. The access-list defining the interesting traffic for this VPN permits a single host from the remote end to connect to any 10.x.x.x address on our network, which should get routed through the router's inside interface (F0/1). The problem is that there are routes on this router that take some 10.x.x.x addresses and ship them out one of the other tunnels, rather than inside to our network. I was thinking of defining a route map that will route any incoming VPN traffic from that single host through the inside interface of the router to the inside network. What I am unsure of is whether this route map will work, considering that when the packet first arrives on the outside interface it is still encrypted. I don't know which takes place first. Here is the route-map; please tell me if this will work or if there is a better way:
! Standard ACL: match the single remote host as the source (standard ACLs take no "ip" keyword)
access-list 50 permit host 192.168.100.10
!
! F0/0 is the outside interface; the crypto map is applied here
interface FastEthernet0/0
 ip policy route-map inside
!
! Send traffic matched by ACL 50 to the inside next hop
route-map inside permit 10
 match ip address 50
 set ip next-hop 10.x.x.x