AnyConnect VPN - Site to Site VPN

kajumblies15
Level 1

Hello, 

I have a question regarding how AnyConnect VPN functions when user traffic needs to traverse an IPsec site-to-site tunnel. If the VPN pool of the RAVPN is a different subnet than the trusted network that the site-to-site VPN tunnel passes, does NATing the VPN pool to the remote trusted network still work, or do I have to create a route or ACL in order to allow the RAVPN user to traverse the IPsec tunnel?

 

Thank You

12 Replies

@kajumblies15 

Yes you could translate the RAVPN network to the Local network (that is already defined in the crypto ACL), thus avoiding changing the crypto ACL on your ASA and with the peer. Though I generally prefer not to NAT over the VPN tunnel.

Rob, 

So if my VPN pool is, for example, 192.168.70.60-80 and the local network of the IPsec tunnel is 192.168.60.0, how would I get that RAVPN pool to get through the IPsec tunnel?

 

Thank You

@kajumblies15 

Whilst I think about it further, those networks are from different interfaces; not sure if that will cause an issue without testing it myself. You could try the following:

object network ORIGINAL-SRC
subnet 192.168.70.0 255.255.255.0
object network TRANSLATED-SRC
subnet 192.168.60.0 255.255.255.0
object network REMOTE
subnet x.x.x.x 255.255.255.0
nat (OUTSIDE,OUTSIDE) source static ORIGINAL-SRC TRANSLATED-SRC destination static REMOTE REMOTE no-proxy-arp

 

Rob, 

That seemed to work just fine. One other question I had about RAVPN: if I want it to access a local network that hangs off the ASA, what do I need to configure to enable that?

 

Thank You

@kajumblies15 

Create another NAT exemption rule:-

nat (INSIDE,OUTSIDE) source static INSIDE-NET INSIDE-NET destination static RAVPN RAVPN no-proxy-arp 
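
The two NAT rules above, together with the twice-NAT rule from the earlier reply, only work if the rest of the ASA configuration lines up with them. The following is an added example assembled for this thread, not configuration posted by either participant: it shows the pieces in one place on an ASA with the thread's addresses (inside LAN 192.168.60.0/24, AnyConnect pool 192.168.70.60-80). Everything else is assumed for illustration: the interface names INSIDE and OUTSIDE, 10.50.0.0/24 standing in for the remote VPC (the x.x.x.x in the thread), the peer 203.0.113.10, the group-policy name RAVPN-GP, and 192.168.60.254 as a reserved inside address for the PAT alternative.

```cisco
! --- Added example, not from the thread. Names and addresses marked assumed. ---
interface GigabitEthernet0/0
 nameif OUTSIDE
 security-level 0
interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100

! AnyConnect traffic arrives on OUTSIDE and must leave on OUTSIDE again to reach the
! site-to-site tunnel (hairpin). Without this line the (OUTSIDE,OUTSIDE) rule never matters.
same-security-traffic permit intra-interface

! AnyConnect pool from the thread
ip local pool RAVPN-POOL 192.168.70.60-192.168.70.80 mask 255.255.255.0

! Site-to-site crypto ACL: only the inside LAN is negotiated with the peer. The point of the
! twice-NAT rule is to leave this ACL (and the peer's mirror of it) untouched.
! 10.50.0.0/24 is an assumed placeholder for the remote VPC.
access-list S2S-AWS extended permit ip 192.168.60.0 255.255.255.0 10.50.0.0 255.255.255.0
crypto map OUTSIDE_map 10 match address S2S-AWS
crypto map OUTSIDE_map 10 set peer 203.0.113.10

object network INSIDE-NET
 subnet 192.168.60.0 255.255.255.0
object network RAVPN
 subnet 192.168.70.0 255.255.255.0
object network REMOTE
 subnet 10.50.0.0 255.255.255.0
object network TRANSLATED-SRC
 subnet 192.168.60.0 255.255.255.0

! Manual (twice) NAT rules are evaluated in order, before object NAT.
! 1. Inside LAN <-> remote VPC: identity NAT so the internet PAT below never rewrites it.
nat (INSIDE,OUTSIDE) source static INSIDE-NET INSIDE-NET destination static REMOTE REMOTE no-proxy-arp route-lookup
! 2. Inside LAN <-> AnyConnect clients: identity NAT (the rule from the reply above).
nat (INSIDE,OUTSIDE) source static INSIDE-NET INSIDE-NET destination static RAVPN RAVPN no-proxy-arp route-lookup
! 3. AnyConnect clients -> remote VPC: rewrite 192.168.70.x to 192.168.60.x so the packet
!    matches S2S-AWS. Net-to-net static NAT keeps the last octet, so client 192.168.70.61
!    appears as 192.168.60.61, the same address a real inside host could have.
nat (OUTSIDE,OUTSIDE) source static RAVPN TRANSLATED-SRC destination static REMOTE REMOTE no-proxy-arp

! Alternative to rule 3 (use one or the other): PAT every client behind a single inside
! address reserved for this purpose (192.168.60.254 assumed unused). Avoids the per-host
! overlap, at the cost that VPC hosts cannot initiate connections to individual clients.
! no-proxy-arp and route-lookup do not apply to dynamic rules.
object network RAVPN-PAT-ADDR
 host 192.168.60.254
! nat (OUTSIDE,OUTSIDE) source dynamic RAVPN RAVPN-PAT-ADDR destination static REMOTE REMOTE

! Internet PAT as object NAT: evaluated after the manual rules above.
object network INSIDE-NET
 nat (INSIDE,OUTSIDE) dynamic interface

! If the AnyConnect group-policy uses split tunnelling, the VPC prefix must be in the
! split list, otherwise the client sends that traffic to its local gateway, not the ASA.
access-list SPLIT-TUNNEL standard permit 192.168.60.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.50.0.0 255.255.255.0
group-policy RAVPN-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

Traffic from the AnyConnect tunnel is permitted through the ASA by the default sysopt connection permit-vpn, so no interface ACL entry is needed for rule 2 or 3 unless that default has been turned off.
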

 

Rob, 

Perfect, thanks so much. One final question. As I'm looking at the customer's NAT configuration, they are doing the following NAT on the VPN pool:

nat (Inside, any) source static obj-LocalLan obj-LocalLan destination static RAVPN Pool RAVPN pool no-proxy-arp route-lookup

followed by what appears to be the NAT to the Amazon VPC in order to pass the local LAN through the IPsec tunnel to Amazon's local VPC network:

nat (Inside,Outside) source static Network_OBJ_LocalLan Network_OBJ_LocalLan  destination static Obj-AmazonLocalVPCNetwork Obj-AmazonLocalVPCNetwork no-proxy-arp

 

What I don't understand is why they do not have any NAT rule like the one you posted above,

nat (OUTSIDE,OUTSIDE) source static ORIGINAL-SRC TRANSLATED-SRC destination static REMOTE REMOTE no-proxy-arp

yet users are able to access the Amazon VPC local LAN that sits behind the IPsec tunnel.

 

Thank You

 

@kajumblies15 

This is doing pretty much the same as my last NAT rule I provided, except the destination (outbound) interface is specified as "any" instead of outside. It achieves the same thing; Cisco recommends not using "any" if possible.

nat (Inside, any) source static obj-LocalLan obj-LocalLan destination static RAVPN Pool RAVPN pool no-proxy-arp route-lookup

The source interface is "inside", so this NAT rule applies to traffic from inside local networks to outside AWS networks. The NAT rule I provided applies to RAVPN users, where the source will be "outside" with the destination of "outside", so a slightly different source interface.

nat (Inside,Outside) source static Network_OBJ_LocalLan Network_OBJ_LocalLan  destination static Obj-AmazonLocalVPCNetwork Obj-AmazonLocalVPCNetwork no-proxy-arp

 

OK that makes sense. 

So I double-checked their NAT rule on the device that supposedly is not working, and I do see that NAT rule. When I run a packet-tracer on that ASA it tells me "WEBVPN-SVC Action-DROP" and that the flow is denied by a configured rule.

All I am trying to do is ping from my PC that is connected to the RA VPN to try to reach a box that sits on the AWS VPC, and the ping is failing. If I ping from a box that's on the local LAN to the box on the AWS VPC it works just fine.

Is there something I'm overlooking?

 

Thank You

 

I thought you said it worked fine?

If you run packet-tracer specifying the source IP address of a connected client it will error; make sure you run packet-tracer using a free IP address from the pool.

Provide the output of packet-tracer, show nat detail, and show run.

Rob, 

Thank you for the reply! The information you provided above works exactly as expected in my test environment. On the customer device these are the NAT rules I'm seeing, and they could be the issue based on what I have gathered from you:

 

2.  nat (Inside,any) source static  LocalLan LocalLan destination static RAVPN RAVPN no-proxy-arp route-lookup
3. nat (inside, outside) source static LocalLan LocalLan destination static RemoteLan RemoteLan no-proxy-arp

There are a bunch of crossed-out rules, and the last two are

 

13. nat (inside, outside) source static any any destination static RemoteLan RemoteLan no-proxy-arp route-lookup
14. nat (outside,outside) source static RAVPN RAVPN destination static RemoteLan RemoteLan

What is the purpose of the #2 NAT statement? Why would they translate the local LAN to the RAVPN pool?

#3 seems like it belongs because it allows the local LAN to get to the remote LAN. I believe you helped me write a similar rule.

What is the purpose of the #13 rule? Does it actually do anything?

Lastly, the #14 statement to me seems like it would not work because the RAVPN is a different subnet than the LocalNet. I would think that to accomplish passing traffic from RAVPN through the IPsec tunnel to the RemoteLan would require the rule you wrote for me previously that worked, which is below:

nat (OUTSIDE,OUTSIDE) source static ORIGINAL-SRC TRANSLATED-SRC destination static REMOTE REMOTE no-proxy-arp

Please let me know your thoughts, and whether changing #14 to the above rule will allow traffic to pass or whether one of those other rules I listed above needs to be remediated.

 

Thank you so much!

@kajumblies15 

NAT rule #2 - this is a NAT exemption rule and ensures that traffic between the LocalLan networks (inside) and the RAVPN network (outside, but defined as "any" in your config) is not unintentionally translated, usually by your dynamic NAT rule used for internet access.

 

NAT rule #13 - this is a NAT exemption rule and ensures that traffic between the "any" networks (inside) and the RemoteLan (outside) network is not unintentionally translated, usually by your dynamic NAT rule used for internet access.

 

NAT rule #14 - would ensure the traffic between the RAVPN network (outside) and the RemoteLan (outside) network is not unintentionally translated, usually by your dynamic NAT rule used for internet access.

 

The last NAT rule translates the original network to another translated source network when communicating with the remote network. You wanted this so you didn't have to amend the crypto ACL for the VPN. You won't need #14 if you use this NAT rule and it works.

 

packet-tracer will tell you which nat rule you are matching against, amongst other things.

The output of "show nat detail" will have a hit counter, which will confirm whether those rules are being matched or not.
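
The checks described in the reply above, written out as an added example for this thread (not commands posted by either participant). The addresses are assumed: 192.168.70.79 as a pool address that is not currently assigned to a client, 10.50.0.10 as a host in the remote VPC, and 203.0.113.10 as the site-to-site peer.

```cisco
! --- Added example, not from the thread. Addresses assumed. ---

! 1. Pick a pool address that is NOT in use. packet-tracer with the address of a
!    connected client is dropped in the WEBVPN-SVC phase, which is the symptom
!    reported earlier in the thread, not a NAT problem.
show vpn-sessiondb anyconnect

! 2. Trace an echo request from the free pool address, entering on OUTSIDE.
!    In the output, look for: a NAT phase whose Config line quotes the
!    (OUTSIDE,OUTSIDE) twice-NAT rule; a VPN phase with Subtype: encrypt; and
!    Action: allow at the end. A drop in an ACCESS-LIST or NAT phase names the
!    rule that was hit instead.
packet-tracer input OUTSIDE icmp 192.168.70.79 8 0 10.50.0.10 detailed

! 3. Confirm the rule is being matched. Each rule carries translate_hits and
!    untranslate_hits counters; send a few pings from a client and re-run.
show nat detail

! 4. Confirm the tunnel is carrying the translated addresses. The local/remote
!    identities for the SA should be 192.168.60.0/24 <-> 10.50.0.0/24 (the
!    unchanged crypto ACL), and #pkts encaps should increase with client traffic.
show crypto ipsec sa peer 203.0.113.10

! 5. Confirm hairpinning on OUTSIDE is permitted; without it the (OUTSIDE,OUTSIDE)
!    rule is never reached.
show running-config | include same-security
```
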

Rob, 

Sorry for the late reply. The NAT rule worked perfectly once tested. No issues from the customer post-application.

Thank You so much.