04-08-2024 10:57 PM
Dear Everyone,
Cisco Firepower Extensible Operating System (FX-OS) v2.12.0 (build 499)
Cisco Firepower 2130 Threat Defense v7.2.4 (build 165)
Model : Cisco Firepower 2130 Threat Defense (77) Version 7.2.4 (Build 165)
I need help configuring an IPsec VPN between my network and the AWS site-to-site VPN. As shown in the attached photo, the connection protocol IKEv2 IPsecOverNatT is enabled, and both ends agree on this protocol. Initially, there are no problems with the connection, and I can ping and access the EC2 instances at the AWS remote site.
However, the problem arises when I notice that the connection to this remote site becomes intermittent, with ping requests timing out every 30 seconds. This is unacceptable. I also have other VPN connections set up as site-to-site, using a different protocol, IKEv1.
I suspect that this could be due to a NATting issue, since my protocol is using IPsecOverNatT, which shouldn't have NAT enabled.
My question is, how do I configure NAT exemption for this? It's worth noting that I have other VPN connections set up as site-to-site using a different protocol, IKEv1, and they are also using the same ISP line. Additionally, I have several existing NAT rules. I've attached a screenshot of the NAT rules, with the highlighted rule being the one for AWS NATting.
It's important to mention that the AWS documentation states that the MAIN SA Selector should be CIDR 0.0.0.0; otherwise it will encounter a TS_UNACCEPTABLE problem during Phase 2 rekeying. I have managed to solve this issue, but I am now facing problems with NAT exemption.
Again, how do I configure NAT exemption for this? The CIDR is too broad, and the existing rule might cause conflicts. Also, how do I add an exemption? Should I specify only the remote side address (EC2 Private IP) in another group object?
Options: A. Should I create another group object and specify only the remote side address (EC2 Private IP)?
Let me know if you need more information. Your help is greatly appreciated.
11-11-2024 06:48 PM
Hi Everyone,
The issue has been solved by matching the Child SA on both sides.
Thank you for the support.
04-08-2024 11:44 PM
Can you share the packet-tracer for traffic from LAN to LAN? Share it here.
MHM
04-09-2024 12:11 AM
Hi @MHM Cisco World, thank you for the reply. Here is the packet-tracer from an internal IP to the remote site.
> packet-tracer input vlan20-fwmgt tcp 172.21.11.26 1024 10.17.0.159 www detailed
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 29855 ns
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x559c8dc2d0, priority=1, domain=permit, deny=false
hits=14255095, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=vlan20-fwmgt, output_ifc=any
Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 20472 ns
Config:
nat (TM_DOME1,any) source static gnet_aws gnet_aws destination static gnet_lmt_to_aws gnet_lmt_to_aws no-proxy-arp
Additional Information:
NAT divert to egress interface TM_DOME1(vrfid:0)
Untranslate 10.17.0.159/80 to 10.17.0.159/80
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 9894 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 268444685
access-list CSM_FW_ACL_ remark rule-id 268444685: PREFILTER POLICY: No Prefilter
access-list CSM_FW_ACL_ remark rule-id 268444685: RULE: DEFAULT TUNNEL ACTION RULE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x55a4d7ee10, priority=12, domain=permit, deny=false
hits=179600, user_data=0x5579de1800, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=vlan20-fwmgt(vrfid:0)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=TM_DOME1(vrfid:0), vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 9894 ns
Config:
class-map class_map_traceroute
match access-list traceroute
policy-map global_policy
class class_map_traceroute
set connection decrement-ttl
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x559e9524d0, priority=7, domain=conn-set, deny=false
hits=952432, user_data=0x55a39812f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=vlan20-fwmgt(vrfid:0), output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Elapsed time: 9894 ns
Config:
nat (TM_DOME1,any) source static gnet_aws gnet_aws destination static gnet_lmt_to_aws gnet_lmt_to_aws no-proxy-arp
Additional Information:
Static translate 172.21.11.26/1024 to 172.21.11.26/1024
Forward Flow based lookup yields rule:
in id=0x559c4775b0, priority=6, domain=nat, deny=false
hits=141945, user_data=0x559e915e40, cs_id=0x0, flags=0x0, protocol=0
src ip/id=172.21.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.16.0.0, mask=255.248.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=TM_DOME1(vrfid:0)
Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 9894 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x558ff99220, priority=0, domain=nat-per-session, deny=false
hits=37992418, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 9894 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x559c3cb100, priority=0, domain=inspect-ip-options, deny=true
hits=1361909, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=vlan20-fwmgt(vrfid:0), output_ifc=any
Phase: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Elapsed time: 43503 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a3cdf6e0, priority=20, domain=lu, deny=false
hits=291315, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=vlan20-fwmgt(vrfid:0), output_ifc=any
Phase: 9
Type: VPN
Subtype: encrypt
Result: ALLOW
Elapsed time: 13648 ns
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x559c153c30, priority=70, domain=encrypt, deny=false
hits=3787, user_data=0x123ff7d4, cs_id=0x559bff4ef0, reverse, flags=0x0, protocol=0
src ip/id=172.21.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.16.0.0, mask=255.248.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any(vrfid:65535), output_ifc=TM_DOME1
Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 5118 ns
Config:
nat (TM_DOME1,any) source static gnet_aws gnet_aws destination static gnet_lmt_to_aws gnet_lmt_to_aws no-proxy-arp
Additional Information:
Forward Flow based lookup yields rule:
out id=0x559ecce310, priority=6, domain=nat-reverse, deny=false
hits=124788, user_data=0x559ef51bc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=172.21.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.16.0.0, mask=255.248.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any(vrfid:65535), output_ifc=TM_DOME1
Phase: 11
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 49474 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x55a59e01e0, priority=70, domain=ipsec-tunnel-flow, deny=false
hits=3787, user_data=0x12401e2c, cs_id=0x559bff4ef0, reverse, flags=0x0, protocol=0
src ip/id=10.16.0.0, mask=255.248.0.0, port=0, tag=any
dst ip/id=172.21.0.0, mask=255.255.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TM_DOME1(vrfid:0), output_ifc=any
Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 4265 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x558ff99220, priority=0, domain=nat-per-session, deny=false
hits=37992420, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 1706 ns
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x559617b120, priority=0, domain=inspect-ip-options, deny=true
hits=824938, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=TM_DOME1(vrfid:0), output_ifc=any
Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 93830 ns
Config:
Additional Information:
New flow created with id 47385277, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_encrypt
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_ipsec_tunnel_flow
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 15
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 26443 ns
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 16
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 14824 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)
Phase: 17
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 180260 ns
Config:
Network 0, Inspection 0, Detection 2, Rule ID 268459029
Additional Information:
Starting rule matching, zone 1 -> 11, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999999, no url or host, no xff
Matched rule ids 268459029 - Allow
Result:
input-interface: vlan20-fwmgt(vrfid:0)
input-status: up
input-line-status: up
output-interface: TM_DOME1(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 532868 ns
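As an added illustration (not from the thread or from Cisco), a small Python checker that reads packet-tracer output like the one above: it confirms the NAT phase is an identity translation (i.e. the flow hit a NAT exemption rather than being translated) and pulls out the networks the VPN encrypt phase matched, so they can be compared with the peer's child SA selectors. The excerpt embedded in it is constructed from the phases above, not a verbatim capture.

```python
import ipaddress
import re

# Constructed excerpt modelled on the thread's packet-tracer output (not a verbatim capture).
TRACE = """\
Phase: 5
Type: NAT
Subtype:
Additional Information:
Static translate 172.21.11.26/1024 to 172.21.11.26/1024
Phase: 9
Type: VPN
Subtype: encrypt
Additional Information:
src ip/id=172.21.0.0, mask=255.255.0.0, port=0, tag=any
dst ip/id=10.16.0.0, mask=255.248.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
"""

def phases(trace):
    """Split packet-tracer output into (type, subtype, body) tuples, one per Phase block."""
    out = []
    for chunk in re.split(r"^Phase: \d+\n", trace, flags=re.M)[1:]:
        typ = re.search(r"^Type: (\S+)", chunk, re.M).group(1)
        sub = re.search(r"^Subtype: ?(\S*)", chunk, re.M).group(1)
        out.append((typ, sub, chunk))
    return out

def nat_is_identity(trace):
    """True when the forward NAT phase translates the real address to itself (a NAT exemption)."""
    for typ, _, body in phases(trace):
        m = re.search(r"Static translate (\S+) to (\S+)", body)
        if typ == "NAT" and m:
            return m.group(1) == m.group(2)
    return False  # no static translation in the trace: the flow is not covered by the exemption

def encrypt_selectors(trace):
    """Return (src_net, dst_net) matched by the VPN encrypt phase: the local crypto selectors."""
    for typ, sub, body in phases(trace):
        if typ == "VPN" and sub == "encrypt":
            nets = re.findall(r"ip/id=([\d.]+), mask=([\d.]+)", body)
            return tuple(ipaddress.ip_network(f"{ip}/{mask}") for ip, mask in nets)
    return None

def selectors_match_peer(trace, peer_local, peer_remote):
    """Peer selectors (strings like '0.0.0.0/0') must cover ours, mirrored, or the child SA fails."""
    src, dst = encrypt_selectors(trace)
    return src.subnet_of(ipaddress.ip_network(peer_remote)) and dst.subnet_of(ipaddress.ip_network(peer_local))
```

A peer whose local selector is narrower than our destination network (for example 10.17.0.0/16 against our 10.16.0.0/13) fails the last check, which is the selector mismatch behind the TS_UNACCEPTABLE error mentioned in the question.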
04-11-2024 12:14 AM
Hi friend,
Sorry for the late reply. I searched for your post in Security VPN until I found it here in Routing.
Anyway,
this NAT with "any" as the egress interface is suboptimal; change it and specify the correct interface.
Also, I don't see a lookup. Did you configure routing for the remote LAN (AWS prefix)?
nat (TM_DOME1,any) source static gnet_aws gnet_aws destination static gnet_lmt_to_aws gnet_lmt_to_aws no-proxy-arp
Additional Information:
NAT divert to egress interface TM_DOME1(vrfid:0)
Untranslate 10.17.0.159/80 to 10.17.0.159/80
04-14-2024 05:49 PM
Hi,
You're right that the 'ANY' route should be specified. Yes, I've added the AWS prefix 10.16.0.0/13. There are two possible changes I need to make: following AWS's recommendation to use the CIDR 0.0.0.0/0, and removing the manually added static route for the AWS VPN.
04-14-2024 11:27 PM
Hello,
Stupid question maybe, but other than the ping timeouts, does the VPN actually experience user traffic problems as well?
Either way, on the Cisco, I think the command:
no crypto ikev2 ipsec-over-nat-t
disables NAT-T.