08-15-2013 12:06 PM - edited 03-07-2019 02:57 PM
I've got the following setup:
interface GigabitEthernet0/0
 description Outside Interface
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address (removed) 255.255.255.240
!
interface GigabitEthernet0/2
 description Inside interface
 nameif inside
 security-level 100
 ip address 10.33.1.1 255.255.255.0
!
interface GigabitEthernet0/2.64
 vlan 64
 nameif WiFi
 security-level 100
 ip address 10.33.64.1 255.255.255.0
The inside interface is tunneled to another location & we added the new subnet (10.33.64.0/24) to the crypto map.
Clients on the 64 VLAN can successfully ping across the tunnel & vice versa.
However, people on the 64 VLAN cannot access the internet via the outside interface.
I have the following NAT rules:
nat (inside,outside) source static obj_10.33.64.0-24 obj_10.33.64.0-24 destination static BLDCorpNetwork BLDCorpNetwork route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.33.1.0_24 NETWORK_OBJ_10.33.1.0_24 destination static BLDCorpNetwork BLDCorpNetwork no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.33.1.0_24 NETWORK_OBJ_10.33.1.0_24 destination static NETWORK_OBJ_10.33.1.0_24 NETWORK_OBJ_10.33.1.0_24 route-lookup
nat (inside,outside) source dynamic any interface
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.11.0_24 NETWORK_OBJ_10.11.11.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.11.11.0_29 NETWORK_OBJ_10.11.11.0_29 no-proxy-arp route-lookup
nat (inside,any) source static obj-10.33.1.0 obj-10.33.1.0 destination static obj-10.33.64.0 obj-10.33.64.0 no-proxy-arp
I tried adding the following rule:
nat (WiFi,outside) 9 source dynamic any interface
This allows clients on the 64 VLAN to browse the internet, but then they can't send traffic across the tunnel.
I'm thinking I need another NAT rule but can't seem to get it configured correctly.
08-15-2013 01:27 PM
I was able to get it working with the following via NAT Exemption.
nat (WiFi,outside) source static obj_10.33.64.0-24 obj_10.33.64.0-24 destination static BLDCorpNetwork BLDCorpNetwork no-proxy-arp
nat (WiFi,outside) source dynamic any interface
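Added example, not part of the original posts and not Cisco code: a simplified Python model of first-match manual NAT evaluation, showing why an exemption bound to (inside,outside) never applies to traffic entering on the WiFi interface, and why the working pair above does. The BLDCorpNetwork range, the client address and the destination addresses are constructed, since the thread does not give them.

```python
from ipaddress import ip_address, ip_network

# Constructed value: the thread never gives BLDCorpNetwork's range.
BLD_CORP = ip_network("192.168.50.0/24")
WIFI_NET = ip_network("10.33.64.0/24")
ANY = ip_network("0.0.0.0/0")

def rule(real_if, mapped_if, kind, src=ANY, dst=ANY):
    return {"real": real_if, "mapped": mapped_if, "kind": kind, "src": src, "dst": dst}

def evaluate(rules, in_if, out_if, src, dst):
    """Return (position, action) of the first rule matching the flow, top-down."""
    for pos, r in enumerate(rules, 1):
        if r["real"] not in (in_if, "any") or r["mapped"] not in (out_if, "any"):
            continue  # rule is bound to a different interface pair
        if ip_address(src) in r["src"] and ip_address(dst) in r["dst"]:
            return pos, "identity" if r["kind"] == "static" else "pat-to-interface"
    return None, "no-nat"

# Question's starting point (reduced): exemption and PAT both bound to inside.
original = [
    rule("inside", "outside", "static", WIFI_NET, BLD_CORP),
    rule("inside", "outside", "dynamic"),
]
# First attempt: PAT added for WiFi, exemption still bound to inside.
attempt = original + [rule("WiFi", "outside", "dynamic")]
# Working config from the reply: exemption on (WiFi,outside) ahead of the PAT.
working = [
    rule("WiFi", "outside", "static", WIFI_NET, BLD_CORP),
    rule("WiFi", "outside", "dynamic"),
]

def summarize(rules):
    client = "10.33.64.10"  # constructed WiFi client
    return {
        # identity / no-nat keeps the 10.33.64.0/24 source the tunnel expects;
        # pat-to-interface rewrites it to the outside address instead.
        "tunnel": evaluate(rules, "WiFi", "outside", client, "192.168.50.20")[1],
        "internet": evaluate(rules, "WiFi", "outside", client, "198.51.100.7")[1],
    }

if __name__ == "__main__":
    for name, rs in (("original", original), ("attempt", attempt), ("working", working)):
        print(name, summarize(rs))
```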