Thank you, I tried that earlier - had all kinds of problems with inside to outside nat using an extended acl.

However I still tried it and these are the changes made:

Extended IP access list nat

    10 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

    20 permit ip 10.10.10.0 0.0.0.255 any

ip nat inside source list nat interface Vlan9 overload

and a debug of icmp replies gives the following:

*Nov 30 19:48:35.633: IP: s=10.10.20.10 (Virtual-Access2), d=10.10.10.1, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 19:48:35.637: IP: tableid=0, s=10.10.20.10 (Virtual-Access2), d=10.10.10.1 (BVI1), routed via RIB

*Nov 30 19:48:35.637: IP: s=10.10.20.10 (Virtual-Access2), d=10.10.10.1 (BVI1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 19:48:35.637: IP: s=10.10.20.10 (Virtual-Acces

, d=10.10.10.1 (BVI1), len 60, output feature, Stateful Inspection(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 19:48:35.637: IP: s=10.10.20.10 (Virtual-Access2), d=10.10.10.1, len 60, rcvd 4

*Nov 30 19:48:35.637: IP: s=10.10.20.10 (Virtual-Access2), d=10.10.10.1, len 60, stop process pak for forus packet

*Nov 30 19:48:35.637: IP: s=10.10.10.1 (local), d=10.10.20.10, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 19:48:35.637: IP: s=10.10.10.1 (local), d=10.10.20.10 (Virtual-Access2), len 60, sending

It's still natting?

Hello Joe,

Try these changes if it helps.

ip access-list extend nat

no 10

10 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255

no access-list 100 permit ip 10.10.10.0 0.0.0.255 any

access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255

Best Regards

Please rate all helpful posts and close solved questions

Still no joy but I do get an encapsulation failed now.

*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 21:58:04.727: IP: tableid=0, s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), routed via RIB

*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, Stateful Inspection(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, IPSec output classification(25), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, Firewall (NAT)(33), rtype 1, forus FALSE, sendself FALSE,

mtu 0, fwdchk FALSE

*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, Firewall (inspect)(38), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, IPSec: to crypto engine(54), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, Pos

t-encryption output features(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), g=10.10.10.1, len 60, forward

*Nov 30 21:58:04.731: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, post-encap feature, (1), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 21:58:04.731: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, post-encap feature, FastEther Channel(2), rt

cliniccisco(config-ext-nacl)#ype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Nov 30 21:58:04.731: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, encapsulation failed

I just realised i'm missing the ip classless command, since I'm using 10.10.10.0 that should give routing issues.  I'll try later.

ip classless is there by default so I'm back to square one.

I don't understand why this wouldn't work, I scoured google for info and it seems a pretty basic configuration.

Still can't get this to work.  Anyone has any more ideas?

Solved it by putting the vpn pool on the same subnet 10.10.10.0 - very weird issue though...