IPSec VPN Routing

freeyorself
Level 1

I have an IPSEC tunnel established between a Cisco ASA 8.2 and an AWS VPG.

I cannot get traffic to route across the tunnel. I do have all the ACLs in place, but what is required to route traffic across this tunnel is my question here.

I don't see a route for the remote private IP address.


10 Replies

Hello,

post the config of the ASA, or check the sample below:

http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html

I'm trying to use static routes.  I followed the guide you mentioned but see no configs for static routes.  I tried entering several but none seemed to work.  I'm guessing my NATing is an issue and I have no route to the private IP of remote site.  Local site is 192.168.0.0/16 and remote is 10.7.0.0/16


ASA Version 8.2(2)
!

names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address <*Public IP*> 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 11.11.11.11 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
access-list ACL_IN extended permit ip any any
access-list ACL_OUTSIDE extended permit icmp any any
access-list ACL_OUTSIDE extended permit ip host <*AWS Public IP IPSEC ENDPOINT IP*> host <*ASA OUTSIDE INTERFACE PUBLIC IP*>
access-list ACL_OUTSIDE extended permit ip host <*AWS secondary Public IP IPSEC ENDPOINT IP*> host <*ASA OUTSIDE INTERFACE PUBLIC IP*>
access-list acl-amzn extended permit ip any 10.7.0.0 255.255.0.0
access-list amzn-filter extended permit ip 10.7.0.0 255.255.0.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl-amzn
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACL_OUTSIDE in interface outside
access-group ACL_IN in interface inside
route outside 0.0.0.0 0.0.0.0 <DFGW IP> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 11.11.11.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1379
sla monitor 1
type echo protocol ipIcmpEcho 10.7.10.18 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map outside 1 match address acl-amzn
crypto map outside 1 set pfs
crypto map outside 1 set peer <*AWS Public IP IPSEC ENDPOINT IP*> <*AWS Public secondary IP IPSEC ENDPOINT IP*>
crypto map outside 1 set transform-set transform-amzn
crypto map outside 1 set security-association lifetime seconds 3600
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 11.11.11.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
tunnel-group <*AWS Public IP IPSEC ENDPOINT IP*> type ipsec-l2l
tunnel-group <*AWS Public IP IPSEC ENDPOINT IP*> general-attributes
default-group-policy filter
tunnel-group <*AWS Public IP IPSEC ENDPOINT IP*> ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group <*AWS Public secondary IP IPSEC ENDPOINT IP*> type ipsec-l2l
tunnel-group <*AWS Public secondary IP IPSEC ENDPOINT IP*> general-attributes
default-group-policy filter
tunnel-group <*AWS Public secondary IP IPSEC ENDPOINT IP*> ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 10
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

Hello,

Is there an access list defining your interesting traffic? Add the below to your configuration.

access-list AWS_NAT extended permit ip 192.168.1.0 255.255.255.0 any
nat (outside) 1 access-list AWS_NAT

Tried that. Below is the config. To confirm, there is no route statement for the remote private IP address, correct? The ACLs take care of that?

names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address <*Public IP*> 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 11.11.11.11 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
access-list ACL_IN extended permit ip any any
access-list ACL_OUTSIDE extended permit icmp any any
access-list ACL_OUTSIDE extended permit ip host <* Remote AWS Public IP*> host <*Outside interface public IP*>
access-list ACL_OUTSIDE extended permit ip host <* Remote AWS secondary Public IP*> host <*Outside interface public IP*>
access-list acl-amzn extended permit ip any 10.7.0.0 255.255.0.0
access-list amzn-filter extended permit ip any any
access-list amzn-filter extended permit ip 10.7.0.0 255.255.0.0 any
access-list AWS_NAT extended permit ip 192.168.0.0 255.255.0.0 any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (outside) 1 access-list AWS_NAT
nat (inside) 1 0.0.0.0 0.0.0.0
access-group ACL_OUTSIDE in interface outside
access-group ACL_IN in interface inside
route outside 0.0.0.0 0.0.0.0 <*DFGW IP*> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1379
sla monitor 1
type echo protocol ipIcmpEcho 10.7.10.18 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map outside 1 match address acl-amzn
crypto map outside 1 set pfs
crypto map outside 1 set peer <* Remote AWS Public IP*> <* Remote AWS secondary Public IP*>
crypto map outside 1 set transform-set transform-amzn
crypto map outside 1 set security-association lifetime seconds 3600
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 11.11.11.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
tunnel-group <* Remote AWS Public IP*> type ipsec-l2l
tunnel-group <* Remote AWS Public IP*> general-attributes
default-group-policy filter
tunnel-group <* Remote AWS Public IP*> ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group <* Remote AWS secondary Public IP*> type ipsec-l2l
tunnel-group <* Remote AWS secondary Public IP*> general-attributes
default-group-policy filter
tunnel-group <* Remote AWS secondary Public IP*> ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 10
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily

In my experience with site to site VPN (and especially with VPN to AWS) you typically do not want to translate addresses for traffic going through the tunnel. So I am puzzled by this

nat (outside) 1 access-list AWS_NAT

Also you seem to be concerned about a route statement for traffic to AWS. Your default route should be sufficient to forward the traffic to AWS.

Could you post the output of the command show crypto ipsec sa

HTH

Rick

Hello,

I suggested the AWS_NAT access list. Not a good idea...

Either way, I have made some changes to the configuration (in bold). Regarding the routing, as far as I recall, AWS uses addresses such as 169.254.254.1/30, so that is where your route should go to.

names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address <*Public IP*> 255.255.255.248
!
interface Ethernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
nameif management
security-level 100
ip address 11.11.11.11 255.255.255.0
management-only
!
boot system disk0:/asa822-k8.bin
ftp mode passive
access-list ACL_IN extended permit ip any any
access-list ACL_OUTSIDE extended permit icmp any any
access-list ACL_OUTSIDE extended permit ip host <* Remote AWS Public IP*> host <*Outside interface public IP*>
access-list ACL_OUTSIDE extended permit ip host <* Remote AWS secondary Public IP*> host <*Outside interface public IP*>
access-list acl-amzn extended permit ip any 10.7.0.0 255.255.0.0
access-list amzn-filter extended permit ip 10.7.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list amzn-filter extended deny ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list acl-amzn
access-group ACL_OUTSIDE in interface outside
access-group ACL_IN in interface inside
route outside 0.0.0.0 0.0.0.0 <*DFGW IP*> 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1379
sla monitor 1
type echo protocol ipIcmpEcho 10.7.10.18 interface outside
frequency 5
sla monitor schedule 1 life forever start-time now
crypto ipsec transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto ipsec security-association replay window-size 128
crypto ipsec df-bit clear-df outside
crypto map outside 1 match address acl-amzn
crypto map outside 1 set pfs
crypto map outside 1 set peer <* Remote AWS Public IP*> <* Remote AWS secondary Public IP*>
crypto map outside 1 set transform-set transform-amzn
crypto map outside 1 set security-association lifetime seconds 3600
crypto map outside interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 201
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh 11.11.11.0 255.255.255.0 management
ssh timeout 5
console timeout 0
dhcpd dns 8.8.8.8 8.8.4.4
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy filter internal
group-policy filter attributes
vpn-filter value amzn-filter
tunnel-group <* Remote AWS Public IP*> type ipsec-l2l
tunnel-group <* Remote AWS Public IP*> general-attributes
default-group-policy filter
tunnel-group <* Remote AWS Public IP*> ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 10
tunnel-group <* Remote AWS secondary Public IP*> type ipsec-l2l
tunnel-group <* Remote AWS secondary Public IP*> general-attributes
default-group-policy filter
tunnel-group <* Remote AWS secondary Public IP*> ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 10 retry 10
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
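The accepted config above, and Rick's two points (no translation inside the tunnel; the default route is enough), come down to a handful of statements that have to agree on an ASA 8.2 crypto-map VPN. The checker below is an added example, not code from the thread or from Cisco: it parses the relevant lines of a running-config and reports where the interesting-traffic ACL, the `nat (inside) 0` exemption, the vpn-filter and the routing table disagree. The sample config is a constructed, trimmed version of the one posted, with 203.0.113.9 standing in for the redacted default gateway; the acl-amzn, amzn-filter and AWS_NAT names are the thread's own.

```python
"""Cross-check the ASA 8.2 crypto-map (policy-based) L2L VPN statements that must agree:
interesting-traffic ACL, NAT exemption, vpn-filter, and a route sending the remote prefix
out of the crypto map's interface.  Added example, not from the thread; the sample config
is a constructed, trimmed version of the thread's.  Object-groups and ports are not parsed."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def _net(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'A.B.C.D M.M.M.M'."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def parse_asa(cfg):
    """Extract the VPN-relevant statements from an ASA 8.2 running-config."""
    d = {"acls": {}, "crypto": {}, "map_iface": {}, "nat_exempt": None,
         "nat_outside": [], "vpn_filter": None, "routes": [], "inside_net": None}
    iface = None
    for raw in cfg.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "access-list" and tok[2] == "extended":
            rest = tok[5:]  # tok[3] is permit/deny, tok[4] the protocol, then SRC and DST
            d["acls"].setdefault(tok[1], []).append((tok[3], tok[4], _net(rest), _net(rest)))
        elif tok[0] == "nameif":
            iface = tok[1]
        elif tok[:2] == ["ip", "address"] and iface == "inside":
            d["inside_net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:2] == ["crypto", "map"] and tok[3] == "interface":
            d["map_iface"][tok[2]] = tok[4]  # crypto map NAME interface IFACE
        elif tok[:2] == ["crypto", "map"] and tok[4:6] == ["match", "address"]:
            d["crypto"][(tok[2], tok[3])] = tok[6]  # (map name, seq) -> interesting-traffic ACL
        elif tok[0] == "nat" and tok[2] == "0" and tok[3] == "access-list":
            d["nat_exempt"] = tok[4]  # identity NAT: matching traffic is not translated
        elif tok[0] == "nat" and tok[1] == "(outside)" and tok[3] == "access-list":
            d["nat_outside"].append(tok[4])
        elif tok[0] == "vpn-filter":
            d["vpn_filter"] = tok[2]
        elif tok[0] == "route":  # route IFACE NET MASK GATEWAY [metric]
            d["routes"].append((tok[1], ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)))
    return d


def check_vpn(cfg):
    """Return a list of findings; an empty list means the statements line up."""
    d, out = parse_asa(cfg), []
    for (name, seq), acl_name in d["crypto"].items():
        acl = d["acls"].get(acl_name, [])
        if not acl:
            out.append(f"crypto map {name} {seq}: 'match address' ACL {acl_name} is undefined")
        iface = d["map_iface"].get(name)
        exempt = [e[3] for e in d["acls"].get(d["nat_exempt"], []) if e[0] == "permit"]
        flt = [e for e in d["acls"].get(d["vpn_filter"], []) if e[0] == "permit"]
        for dst in (e[3] for e in acl if e[0] == "permit"):  # each remote network
            # A policy-based tunnel only needs the remote prefix to leave via the interface
            # the crypto map is bound to, so the default route satisfies this check.
            if not any(dst.subnet_of(n) for i, n in d["routes"] if i == iface):
                out.append(f"{dst}: no route out of '{iface}' (a default route is enough)")
            if not any(dst.subnet_of(n) for n in exempt):  # must hit the crypto map untranslated
                out.append(f"{dst}: not covered by a 'nat (inside) 0 access-list' exemption")
            # vpn-filter ACEs are written remote -> local; the inside subnet must be permitted
            if d["vpn_filter"] and d["inside_net"] and not any(
                    dst.subnet_of(s) and d["inside_net"].subnet_of(l) for _, _, s, l in flt):
                out.append(f"vpn-filter {d['vpn_filter']}: no permit for {dst} -> {d['inside_net']}")
        for n in d["nat_outside"]:
            out.append(f"nat (outside) access-list {n}: translating tunnel traffic is rarely wanted")
    return out


# Constructed sample in the accepted answer's shape, plus the original dynamic PAT;
# 203.0.113.9 stands in for the redacted default gateway.
GOOD = """\
interface Ethernet0/3
 nameif inside
 ip address 192.168.1.1 255.255.255.0
access-list acl-amzn extended permit ip any 10.7.0.0 255.255.0.0
access-list amzn-filter extended permit ip 10.7.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list amzn-filter extended deny ip any any
nat (inside) 0 access-list acl-amzn
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
crypto map outside 1 match address acl-amzn
crypto map outside interface outside
 vpn-filter value amzn-filter
"""
# The thread's intermediate attempt: policy NAT on the outside and no exemption.
BAD = GOOD.replace("nat (inside) 0 access-list acl-amzn", "nat (outside) 1 access-list AWS_NAT")

if __name__ == "__main__":
    print("accepted:", check_vpn(GOOD) or "OK", "\nintermediate:", check_vpn(BAD))
```

Feed it the output of `show running-config` from a real box. The route check is the answer to the original question: with a crypto map, nothing about the remote 10.7.0.0/16 needs its own route, only a route that pushes it out the interface the map is bound to, which the default route already does. The 169.254.x.x/30 addresses mentioned above are the inside-tunnel addresses AWS uses for BGP; a static-routing tunnel like this one never needs a route to them. The vpn-filter check also shows why the accepted ACL is written as 10.7.0.0/16 to 192.168.1.0/24 rather than the other way round: the ASA evaluates vpn-filter ACEs with the remote side as source.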

Thanks for your reply Georg.  This is now what I have in place.  Still I am unable to ping remote host.

Figured it out!! Literally "just a check box". On the AWS side I needed to check the option to propagate routes for the route table to include routes set for the VPN.

Hello,

glad to hear that you got it sorted. For future reference, which of the configs is the one that works ?

The last one... my original config :) The issue was the routing setting on the AWS end. I needed to enable route propagation for the route table set for that VPN.
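The fix on the AWS side can be verified from the CLI rather than by clicking through the console. The script below is an added example, not from the thread or from AWS: it reads the JSON that `aws ec2 describe-route-tables --output json` returns, reports any route table that neither propagates routes from the virtual private gateway nor holds an active route to 192.168.0.0/16 via it, and prints the `aws ec2 enable-vgw-route-propagation` command for each one. The response it parses is constructed in the API's shape; the vgw-, rtb-, vpc-, subnet- and igw- IDs are made up.

```python
"""Audit 'aws ec2 describe-route-tables --output json' output for the setting the thread
ended on: VGW route propagation into the VPC route tables, which is what gives AWS a
return route to the ASA's 192.168.0.0/16.  Added example, not from the thread; the
response below is constructed in the API's shape with made-up resource IDs."""
import json

VGW = "vgw-0a1b2c3d4e5f67890"  # assumed ID of the virtual private gateway the ASA peers with
ONPREM = "192.168.0.0/16"      # the ASA side's address space, as stated in the thread

# Constructed response: the first table propagates from the VGW and has learned the
# on-prem prefix; the second (the thread's starting state) does neither.
DESCRIBE_ROUTE_TABLES = json.dumps({"RouteTables": [
    {"RouteTableId": "rtb-0123456789abcdef0", "VpcId": "vpc-0f00ba400000000aa",
     "Associations": [{"SubnetId": "subnet-0aaa0000000000001", "Main": False}],
     "PropagatingVgws": [{"GatewayId": VGW}],
     "Routes": [
         {"DestinationCidrBlock": "10.7.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"},
         {"DestinationCidrBlock": ONPREM, "GatewayId": VGW,
          "Origin": "EnableVgwRoutePropagation", "State": "active"}]},
    {"RouteTableId": "rtb-0fedcba987654321f", "VpcId": "vpc-0f00ba400000000aa",
     "Associations": [{"SubnetId": "subnet-0aaa0000000000002", "Main": False}],
     "PropagatingVgws": [],
     "Routes": [
         {"DestinationCidrBlock": "10.7.0.0/16", "GatewayId": "local",
          "Origin": "CreateRouteTable", "State": "active"},
         {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb0000000000001",
          "Origin": "CreateRoute", "State": "active"}]}]})


def audit_route_tables(describe_json, vgw_id, onprem_cidr):
    """Map each route table ID to its list of problems (an empty list means it is fine)."""
    report = {}
    for rt in json.loads(describe_json)["RouteTables"]:
        problems = []
        if not any(v["GatewayId"] == vgw_id for v in rt.get("PropagatingVgws", [])):
            problems.append(f"route propagation from {vgw_id} is disabled")
        # Either a propagated or a hand-made route to the VGW sends return traffic into the
        # tunnel; a 'blackhole' state means the target is gone, so insist on 'active'.
        if not any(r.get("DestinationCidrBlock") == onprem_cidr and r.get("GatewayId") == vgw_id
                   and r.get("State") == "active" for r in rt["Routes"]):
            problems.append(f"no active route to {onprem_cidr} via {vgw_id}")
        report[rt["RouteTableId"]] = problems
    return report


def fix_commands(report, vgw_id):
    """AWS CLI commands (real syntax) that turn propagation on where the audit found it off."""
    return [f"aws ec2 enable-vgw-route-propagation --route-table-id {rtid} --gateway-id {vgw_id}"
            for rtid, problems in report.items() if any("propagation" in p for p in problems)]


if __name__ == "__main__":
    result = audit_route_tables(DESCRIBE_ROUTE_TABLES, VGW, ONPREM)
    for rtid, problems in result.items():
        print(rtid, "->", problems or "OK")
    print("\n".join(fix_commands(result, VGW)))
```

Check the table that is actually associated with the subnet of the host being pinged (10.7.10.18 in the thread); a subnet's explicit route table and the VPC's main table can differ, which is how a tunnel can be up with no return path. Propagation only carries a prefix that the VPN connection already knows, so 192.168.0.0/16 must also be one of the connection's static routes (or be advertised over BGP). Routing is not the last hop either: the instance's security group and the subnet's network ACL still have to permit traffic from 192.168.0.0/16.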