Is there a button for a partially correct answer? Appending those denies to the end of the NAT list (do they need to go before the permits?) means that replies to pings at the inside int now come from it. So progress certainly, however the rest of the LAN is still not accessible. Could I be missing some corresponding allows?

Thanks for your help!

Sorry - I should have mentioned they should go before the permits.

Access-list entries are processed in order from top to bottom. First match ends the ACL logic step and moves on to the next phase in the router's order of operations.

Thanks, that rang a vague bell. I'm offsite at the moment and am worried about loosing access if I try that now remotely. Although I expect there is a safe method, as I'm due back tomorrow, I think I'll try then. I'll let you know.

Thanks

Changing ACLs remotely is always a bit tricky.

Doing it wrong is a mistake we seldom make more than once. :)

With an extended ACL you can edit it interactively vs. remove and replace method.

I also sometime (if it's permitted) temporarily open up remote access so that I can ssh directly into the unit vs. coming in via the VPN I'm trying to modify.

And then there's always the trick of starting with the command "reload in 5". In case you lock yourself out, that will reboot the system and revert to the startup-config in case all goes south during your changes.

OK my NAT access-list now looks like this:

deny ip 192.192.192.0 0.0.0.255 192.168.254.0 0.0.0.255
deny ip 192.168.192.0 0.0.0.255 192.168.254.0 0.0.0.255
deny ip 192.192.192.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 192.168.192.0 0.0.0.255 10.0.0.0 0.0.0.255
permit ip 192.192.192.0 0.0.0.255 any
permit ip 192.168.192.0 0.0.0.255 any

However the problem remains. I can currently access the inside int of the router, but not the rest of the LAN. I've tested to hosts on both internal ranges, with the same result.

Because I'm back onsite, I've been able play with Wireshark. Although I'm inexperienced with it, I can see that the ping requests hit the test host and replies are sent back. 

It feels like we are close to the solution. What next?

Hello?

I've spent a few more hours trying to figure this out and I'm still struggling. Anyone?

Try something other than ping. Unless you're inspecting icmp, that won't work by default.

I usually check with a tcp-based protocol like telnet, ssh or opening an RDP session (the latter only for Windows hosts of course).

Now I should have mentioned that also tried telnet to our mail server and RDP to multiple hosts (just not with WireShark). I've just tried again to be sure. Something still seems to be preventing traffic entering the tunnel at the router end. If it isn't an access list what else could it be?

Going back to your original posting you mentioned the VPN seems to be terminating on your loopback interface.

That would be very unusual especially considering that interface Lo1 is a private IP address and should not be routable to the distant end. What is showing you that?

Can you check:

show crypto isakmp sa
show crypto ipsec sa

...while the tunnel is up?

The reason I thought the loopback int was related (I could be wrong) is that removing the next-hop meant that I could get responses to pings but not other traffic. I figured the next-hop must be there to send traffic to the loopback, that route-map is related, no?  I later restored the config to a point before I started trying to fix it, before posting here.

Test results attached.

Has anyone got any last ideas before I go any buy a SMARTnet and file a TAC request?