Cisco Support Community

How to route traffic coming towards one crypto map IPsec through another?



The question may be simple, but I googled a lot and haven't found an answer.

As an example, there is a VPN hub, which is a Cisco 1941 router with IOS 12.

Two remote locations are connected through site-to-site IPsec to this router, which has two crypto maps (by sequence number) with the same crypto map name. The crypto map is assigned to one WAN interface.

Is there a way to allow traffic flow between those remote locations through the VPN hub?



I do recommend migrating to tunnel VPN since it will be easier for you if you scale up. As of now, your infra may still be small, but migrating is always a choice since Tunnel VPN allows dynamic routing (EIGRP, OSPF, etc.) while IPsec S2S relies on static routes.

Well, to answer your question, you need to create static routes, and if you are using NAT, then make sure to add "deny ip" in those NAT statements, and yes, we need to use extended ACLs.
We do this in all routers.

All you need to take note of is that your route to your destination network has its equivalent "deny ip" statement inside the NAT ACL :D
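
An added configuration example, not taken from the original posts, showing the static route and the matching NAT "deny ip" entries on one spoke, and the hub's two crypto map entries. All addresses, interface names, ACL names and the map name `HUB-MAP` are constructed. Listing the spoke-to-spoke subnets in the crypto ACLs is an assumption that goes beyond the answer, and the ISAKMP policy, pre-shared keys and the transform set `TS` are assumed to be configured already.

```cisco
! --- Spoke A (LAN 10.1.0.0/24, WAN next hop 198.51.100.1), constructed values ---
! Static route: Spoke B's LAN must leave through the WAN interface
! that carries the crypto map.
ip route 10.2.0.0 255.255.255.0 198.51.100.1
!
! Crypto ACL: protect traffic to the hub LAN and to Spoke B's LAN.
ip access-list extended VPN-TO-HUB
 permit ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
! NAT ACL: one "deny ip" per VPN destination, placed before the permit,
! so tunnel traffic is not translated before it reaches the crypto map.
ip access-list extended NAT-ACL
 deny   ip 10.1.0.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
!
! --- Hub (LAN 10.0.0.0/24): one crypto map name, two sequence numbers ---
! Each ACL also lists the other spoke's LAN as a source, so traffic
! decrypted from one tunnel is re-encrypted into the other.
ip access-list extended VPN-TO-SPOKE-A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
 permit ip 10.2.0.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended VPN-TO-SPOKE-B
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
!
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-TO-SPOKE-A
crypto map HUB-MAP 20 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TO-SPOKE-B
!
interface GigabitEthernet0/0
 crypto map HUB-MAP
```

Spoke B mirrors Spoke A with the two LAN subnets swapped. The crypto ACL on each spoke has to be the exact mirror image of the hub's ACL for that peer, and keeping every entry subnet-specific (no `any`) limits what the tunnels will carry.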
