Cisco Support Community


help with Policy Based Routing on VPN Router

I have a Cisco 3600 series router that serves as a VPN gateway for multiple IPsec tunnels. Its outside interface (F0/0) is where the peer VPNs terminate and where the crypto map is applied. I'm having an issue with a recent VPN peer addition. The access-list defining the interesting traffic for this VPN permits a single host from the remote end to connect to any 10.x.x.x address on our network, which should get routed through the router's inside interface (F0/1). The problem is there are routes on this router that take some 10.x.x.x addresses and ship them out one of the other tunnels, rather than inside to our network. I was thinking of defining a route map that will route any incoming VPN traffic from that single host through the inside interface of the router to the inside network. What I am unsure of is whether this route map will work, considering that when the packet first arrives on the outside interface it is still encrypted. I don't know which takes place first. Here is the route-map; please tell me if this will work or if there is a better way:

! Standard ACL (1-99) matching only the remote host; a standard ACL takes
! a source address, not the "ip" keyword. The host address was stripped
! from the post, so <remote-host> is a placeholder.
access-list 50 permit host <remote-host>
!
interface FastEthernet0/0
 description outside interface - crypto map applied here
 ip policy route-map inside
!
route-map inside permit 10
 match ip address 50
 set ip next-hop 10.x.x.x


Re: help with Policy Based Routing on VPN Router


Why not exclude this host/source from the interesting traffic on those other tunnels? Just put a deny statement in front of the ACL describing interesting traffic for the other tunnels.

Something like

! Addresses were stripped from the post; the angle-bracket fields are placeholders.
access-list 100 deny   ip host <remote-host> any
access-list 100 permit ip any <other-tunnel-network> <wildcard>

Regards, Martin
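The deny-before-permit layout Martin describes, spelled out as an added example with hypothetical addresses; this is not configuration from the original post. It assumes 192.0.2.10 is the single host behind the new peer (203.0.113.5), 10.0.0.0/8 is the inside network behind FastEthernet0/1, and 10.20.0.0/16 sits behind a pre-existing peer at 198.51.100.1, which is why the router carries a 10.x route pointing out FastEthernet0/0. ACL 110 is the new peer's crypto ACL and ACL 120 the existing peer's; crypto ACLs are written from the local side's view (source = local network), and IOS checks the mirror image on the inbound path.

```ios
! --- added example, hypothetical addresses (not from the original post) ---
!
! Crypto ACL for the new peer: local 10/8 to the single remote host.
! Inbound, IOS matches the mirror (192.0.2.10 -> 10/8) against this entry.
access-list 110 permit ip 10.0.0.0 0.255.255.255 host 192.0.2.10
!
! Crypto ACL for the pre-existing peer. The deny sits first so that a
! decrypted packet from 192.0.2.10 headed for 10.20.0.0/16 is never claimed
! by this tunnel's SA. The deny only matters because the permit below has a
! broad "any" source; an entry whose source is 10.0.0.0/8 would never have
! matched the new host in the first place, so check the existing ACLs first.
access-list 120 deny   ip host 192.0.2.10 any
access-list 120 permit ip any 10.20.0.0 0.0.255.255
!
crypto map OUTSIDE 10 ipsec-isakmp
 set peer 203.0.113.5
 set transform-set TS
 match address 110
crypto map OUTSIDE 20 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS
 match address 120
!
interface FastEthernet0/0
 description outside - crypto map applied here
 ip address 203.0.113.1 255.255.255.0
 crypto map OUTSIDE
!
interface FastEthernet0/1
 description inside
 ip address 10.1.1.1 255.255.255.0
!
! The route that causes the original problem: part of 10/8 lives behind
! the existing peer, so it is routed out the outside interface.
ip route 10.20.0.0 255.255.0.0 203.0.113.254
```

One caveat: a deny in a crypto ACL means "do not protect", not "drop", and it does not change where the packet goes. The routing table still picks the egress interface, so with 10.20.0.0/16 routed out FastEthernet0/0 a packet from 192.0.2.10 that matches no crypto ACL leaves that interface in the clear. The deny entries therefore complement steering the host's traffic toward FastEthernet0/1; they do not replace it.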
