Cisco Support Community

New Member

Tunnel All IPSEC Traffic

G'day.

We're setting up an L2L VPN from an 837 to an ASA5510. The tunnel is working fine; however, I would like to have all traffic tunnel between the sites. We will have approximately 15 sites when done. I have tried to change the crypto ACL on the router to any any; however, the ASA reports that there is no match. Can anyone add some input? The reason for this is that we need to control all routing and connectivity from the central site. Some sites are independent, but passing all traffic through the central site allows us to control security better.

Could this also be achieved by using a route map and just adding all traffic to the ACL? I'd rather just tunnel everything. Router config below.

Thank you in advance

Current configuration : 3537 bytes

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
no service dhcp

hostname AAA

no logging buffered
enable secret xxx
enable password xxx

no aaa new-model

resource policy
clock timezone GMT 2
no ip source-route

ip cef
no ip domain lookup
ip domain name local
no ip bootp server

crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key xxx address XXX.XXX.XXX.XXX
crypto isakmp keepalive 60

crypto ipsec transform-set pix-set esp-3des esp-md5-hmac

crypto map pix 10 ipsec-isakmp
 set peer XXX.XXX.XXX.XXX
 set transform-set pix-set
 match address 101

interface Ethernet0
 ip address 190.99.x.x.255.255.0
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out

interface Ethernet2
 no ip address
 hold-queue 100 out

interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
 pvc 8/35
  pppoe-client dial-pool-number 1

interface FastEthernet1
 duplex auto

interface Dialer1
 ip address negotiated
 ip access-group 102 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username password xxx
 crypto map pix

ip route Dialer1
ip http server
no ip http secure-server

ip nat inside source route-map nonat interface Dialer1 overload

access-list 101 permit ip
access-list 102 remark WAN
access-list 102 permit ip
access-list 102 deny ip any
access-list 102 deny ip any
access-list 102 deny ip any
access-list 102 deny ip any
access-list 102 deny ip any
access-list 102 deny ip any
access-list 102 deny ip any
access-list 102 deny ip any
access-list 102 deny ip any
access-list 102 deny ip any host
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit icmp any any echo-reply
access-list 102 deny ip any any log
access-list 102 remark WAN
access-list 110 deny ip
access-list 110 permit ip any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 110

line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 length 0
 transport input telnet ssh
 transport output none



Cisco Employee

Re: Tunnel All IPSEC Traffic


"Any Any" is not good when doing IPSEC Tunnels.

What you need to do is "Specific Network to Any".

For example, if the LAN side on the 837 is Then you need to configure your IPSEC Interesting Traffic like,

access-list 101 permit ip any.

This way, all traffic including internet is destined to the ASA. On the ASA, you need to mirror the ACL,

access-list 101 permit ip any

In the above case, since all traffic from is destined to the ASA, you may have to look into your design, routing and NATing, so the users can have access to the internet.

I hope it helps.



** Please rate all helpful posts **
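As an added example, not from the original thread, here is a small Python check for the mirroring rule in the reply above: it parses the router's wildcard-mask crypto ACL and the ASA's subnet-mask ACL into (source, destination) proxy identities, flags a router-side "any any" entry, and reports identities the ASA does not mirror, which is the condition behind the "no match" in the question. The addresses and ACL names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample ACLs (addressing and ACL names are assumed, not from the post).
ROUTER_ACL = "access-list 101 permit ip 192.168.10.0 0.0.0.255 any\n"
ASA_ACL = "access-list outside_cryptomap extended permit ip any 192.168.10.0 255.255.255.0\n"
ROUTER_ANY_ANY = "access-list 101 permit ip any any\n"


def _net(tokens, wildcard):
    """Consume one address spec from tokens; return (network, remaining tokens).
    IOS crypto ACLs use wildcard masks, ASA ACLs use subnet masks."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, mask = tokens[0], tokens[1]
    if wildcard:  # invert the wildcard bits to get a subnet mask
        mask = str(ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(mask))))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_proxy_ids(acl_text, wildcard):
    """Return the set of (src, dst) proxy identities from 'permit ip' ACEs."""
    ids = set()
    for line in acl_text.strip().splitlines():
        m = re.match(r"access-list\s+\S+\s+(?:extended\s+)?permit\s+ip\s+(.*)", line.strip())
        if not m:
            continue  # remarks, denies and non-IP entries do not form proxy identities
        tokens = m.group(1).split()
        src, tokens = _net(tokens, wildcard)
        dst, _ = _net(tokens, wildcard)
        ids.add((src, dst))
    return ids


def check_mirror(router_acl, asa_acl):
    """Return (router identities the ASA does not mirror, list of warnings).
    A mirror of router (src, dst) is ASA (dst, src); anything else is a mismatch."""
    router_ids = parse_proxy_ids(router_acl, wildcard=True)
    asa_ids = parse_proxy_ids(asa_acl, wildcard=False)
    mirrored = {(dst, src) for src, dst in asa_ids}
    unmatched = router_ids - mirrored
    warnings = ["'any any' on the router side; use <lan> <wildcard> any instead"
                for src, dst in router_ids if src.prefixlen == 0 and dst.prefixlen == 0]
    return unmatched, warnings


if __name__ == "__main__":
    print(check_mirror(ROUTER_ACL, ASA_ACL))       # (set(), [])
    print(check_mirror(ROUTER_ANY_ANY, ASA_ACL))   # one unmatched identity, one warning
```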
