Managing remote routers whose only path back to the headend is a site-to-site VPN can be a challenge. Most management services on the router (SSH, TACACS+, TFTP, NTP, DNS and so on) source their traffic from the interface closest to the destination, which is typically the outside (WAN) interface. Because that source address is not in the crypto ACL of your crypto map, the traffic never matches the map: it is forwarded according to the plain routing table instead of being encrypted into the tunnel, and it never reaches the headend (possibly leaving you unable to remotely manage the router).
To remedy this on the remote routers, set the source-interface option for each protocol to the interface on your remote LAN. Router-originated traffic is then sourced from that interface's address, matches the crypto map, and is carried through the VPN tunnel to the headend. Some common examples are listed below (replace e0 with the interface on your remote LAN).
ip ssh source-interface e0
ip ftp source-interface e0
ip tacacs source-interface e0
ip telnet source-interface e0
ip tftp source-interface e0
ip domain lookup source-interface e0
ntp source e0
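As an added worked example (not part of the original tip), the configuration below shows the pieces that have to line up for the source-interface commands to help: the crypto ACL only covers traffic sourced from the remote LAN subnet, so the LAN interface is the one to source from. All addresses, interface names and the ACL, crypto-map and transform-set names are constructed; the ISAKMP policy and peer key are assumed to be configured already and are not shown. `logging source-interface`, `snmp-server trap-source` and `ip radius source-interface` are additional IOS commands of the same kind that the tip does not list.

```cisco
! Added example, not the original tip's configuration. Constructed addresses:
!   192.168.10.0/24  remote LAN        10.0.0.0/24   headend LAN (management servers)
!   203.0.113.2      remote WAN addr   198.51.100.1  headend VPN peer
! ISAKMP policy and pre-shared key are assumed to exist and are omitted here.

! Crypto ACL: only packets FROM the remote LAN TO the headend LAN are encrypted.
! A packet sourced from 203.0.113.2 does not match and bypasses the tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255

crypto ipsec transform-set STRONG-SET esp-aes 256 esp-sha-hmac
 mode tunnel

crypto map HEADEND 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set STRONG-SET
 match address VPN-TRAFFIC

interface FastEthernet0/0
 description Remote LAN (this is the "e0" of the tip)
 ip address 192.168.10.1 255.255.255.0

interface FastEthernet0/1
 description WAN / Internet
 ip address 203.0.113.2 255.255.255.252
 crypto map HEADEND

! Source router-originated management traffic from the LAN interface so its
! source address (192.168.10.1) falls inside VPN-TRAFFIC and rides the tunnel.
ip ssh source-interface FastEthernet0/0
ip ftp source-interface FastEthernet0/0
ip tftp source-interface FastEthernet0/0
ip telnet source-interface FastEthernet0/0
ip tacacs source-interface FastEthernet0/0
ip radius source-interface FastEthernet0/0
ip domain lookup source-interface FastEthernet0/0
ntp source FastEthernet0/0
logging source-interface FastEthernet0/0
snmp-server trap-source FastEthernet0/0
```

Two checks are worth making after the change. First, `show crypto ipsec sa` on the remote router should show the `pkts encaps` counter for the 192.168.10.0/24 to 10.0.0.0/24 flow increase when, for example, an NTP poll or a TACACS+ authentication goes out; if it stays flat, the source address still is not inside the crypto ACL. Second, the headend's mirror-image crypto ACL and the management servers' return routes must cover the remote LAN subnet, otherwise the request arrives but the reply is routed outside the tunnel.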
- Jonathan Strine, The Patriot-News Co., Harrisburg, PA, USA