Cisco Support Community

routing VPN IPsec - http traffic thru hq

We have a client who would like their remote sites to send all HTTP and other traffic through the HQ router. They also have applications such as inventory and sales using the same link to HQ.

In the access-lists I deny all traffic from being NATed on the remote site routers, but push it into the tunnel instead. This is not helping, and traffic is still being dropped on the HQ router when I trace to the internet.

What would you suggest I play with?


Thanks in advance,


Re: routing VPN IPsec - http traffic thru hq

If you want ALL traffic to go from the remote site to HQ, then your IPsec ACL needs to allow all local traffic to any destination through the tunnel, like:

crypto map VPN 5
 match address 101

access-list 101 permit ip any

That would force anything from the local subnet through the tunnel.

What devices are controlling the two end points of the tunnel? Routers or ASAs? Can you post configs and a topology?



HTH, John *** Please rate all useful posts ***

Re: routing VPN IPsec - http traffic thru hq


Thanks for your response. The end points of the tunnel are routers, in particular an 1841 at the central site and 851Ws at the remote sites. I have tried what you suggested, but traffic drops at the gateway for the HQ router. What is the source address at the time the packet hits? The HQ or the remote site public IP?

Re: routing VPN IPsec - http traffic thru hq

If you want to allow absolutely all traffic through the tunnel, you can remove your nat configs on the remote router. Is there a firewall or anything that could be dropping the traffic on the HQ side?

You can also get rid of your route statements. When the ipsec tunnel is created, the "route" is what's allowed through the tunnel. So, here's what I would do in order:

1. Make a backup of your remote site router.

2. Remove the NAT configs from fa4, vlan1, and bvi1.

3. Remove the ip nat inside x.x.x.x statement.

4. Remove the route-map.

Your tunnels will still come up when the router sees that you need to reach the subnet through your crypto map peer statement.

Also, I noticed that your ACL on HQ is listed under one crypto map. Crypto ACLs should mirror each other, but you have:


Since you're only using one crypto map, it's going to try to match these networks on BOTH of your remote routers. So, I would create another crypto map for just your two separate networks:

crypto map to-site1 10
 set peer 41.222.x.3
 match address site1

access-list site1 permit ip

crypto map to-site1 20
 set peer 41.222.x.4
 match address site2

access-list site2 permit ip

The above would match the remote's crypto ACL of "" (but in reverse).

You'll still just have the one crypto map, but with different sequence numbers. If you decide to go with these changes, make sure you do them after hours because your tunnels will come down until the change is made.

One last thing: if you remove the NAT config on the remote router and they later decide it's too much traffic on HQ and want to revert, you'll need to redo your NAT configs again.

Remember *Make backups* :)



HTH, John *** Please rate all useful posts ***
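The two checks John's answers turn on, crypto ACLs that mirror each other between HQ and each remote, and tunnel traffic that must not be NATed first, can be verified offline before a change window. The following script is an added example and is not part of this thread or of any Cisco tool: it parses extended `access-list ... permit|deny ip` lines out of IOS-style config text, reports where HQ's crypto ACL for a site is not the reverse of the remote's, and flags flows the remote's NAT ACL would still translate (on IOS, inside-to-outside NAT runs before the crypto map is evaluated, so a translated flow no longer matches the crypto ACL). The configs, ACL numbers and addresses (RFC 1918 ranges, peers in 203.0.113.0/24) are constructed for illustration; numbered ACLs stand in for the `access-list site1` shorthand used in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# IOS extended ACE: access-list <name|number> permit|deny ip <src> <dst>
# (the protocol "ip" form that crypto and NAT ACLs use; ports are not handled).
ACE_RE = re.compile(r"^\s*access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.+?)\s*$")


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS 'address wildcard' -> network. Wildcard bits are the inverse of a netmask:
    0.0.0.255 is /24, 0.0.0.0 is one host, 255.255.255.255 is any."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)  # non-contiguous wildcards raise


def _take_address(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D W.W.W.W."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(config: str) -> dict:
    """Group permit/deny ip entries by ACL name or number, in config order."""
    acls = {}
    for line in config.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        name, action, rest = m.groups()
        src, remaining = _take_address(rest.split())
        dst, _ = _take_address(remaining)
        acls.setdefault(name, []).append(Ace(action, src, dst))
    return acls


def mirror_problems(local, remote):
    """Crypto ACLs must mirror: each permit src->dst on one peer needs a permit
    dst->src on the other, or that flow never negotiates an IPsec SA."""
    local_pairs = {(a.src, a.dst) for a in local if a.action == "permit"}
    remote_pairs = {(a.src, a.dst) for a in remote if a.action == "permit"}
    problems = [f"local permit {s} -> {d} has no mirrored entry on the peer"
                for s, d in sorted(local_pairs, key=str) if (d, s) not in remote_pairs]
    problems += [f"peer permit {s} -> {d} has no mirrored entry locally"
                 for s, d in sorted(remote_pairs, key=str) if (d, s) not in local_pairs]
    return problems


def nat_leaks(crypto, nat):
    """Flows the crypto ACL would tunnel but the NAT ACL (first match wins) still
    translates. Inside-to-outside NAT runs before the crypto map is checked on IOS,
    so such a flow leaves with the public source address and never matches the
    crypto ACL. Only crypto entries fully covered by one NAT entry are examined."""
    leaks = []
    for c in (a for a in crypto if a.action == "permit"):
        for n in nat:
            if c.src.subnet_of(n.src) and c.dst.subnet_of(n.dst):
                if n.action == "permit":
                    leaks.append(f"{c.src} -> {c.dst} is NATed by 'permit ip {n.src} {n.dst}'")
                break
    return leaks


# Constructed sample configs (not from the thread). HQ uses one crypto map with two
# sequence numbers whose crypto ACLs are 101 (site1) and 102 (site2). Each remote
# tunnels everything ("any") to HQ via crypto ACL 101 and NATs via ACL 110.
HQ_CONFIG = """
access-list 101 permit ip any 192.168.10.0 0.0.0.255
access-list 102 permit ip 10.1.0.0 0.0.255.255 192.168.20.0 0.0.0.255
"""
SITE1_CONFIG = """
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
"""
SITE2_CONFIG = """
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
access-list 110 deny ip 192.168.20.0 0.0.0.255 any
"""


def audit(hq_config, remote_config, hq_acl, remote_crypto_acl="101", remote_nat_acl="110"):
    """Run both checks for one remote site; returns (mirror problems, NAT leaks)."""
    hq, remote = parse_acls(hq_config), parse_acls(remote_config)
    crypto = remote[remote_crypto_acl]
    return mirror_problems(hq[hq_acl], crypto), nat_leaks(crypto, remote.get(remote_nat_acl, []))


if __name__ == "__main__":
    for site, cfg, hq_acl in (("site1", SITE1_CONFIG, "101"), ("site2", SITE2_CONFIG, "102")):
        problems, leaks = audit(HQ_CONFIG, cfg, hq_acl)
        print(f"{site}: {len(problems)} mirror problem(s), {len(leaks)} NAT leak(s)")
        for msg in problems + leaks:
            print("  -", msg)
```

In the constructed data, site1's crypto ACLs mirror correctly but its NAT ACL still permits the LAN, which is the symptom the original poster describes (traffic leaves translated rather than encrypted); site2 has the NAT exemption but HQ's ACL 102 only covers 10.1.0.0/16 while the remote sends everything, so both halves are reported as unmirrored. Run it against the real configs by pasting them into the string constants.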