I have some questions though. How do I know which ACL defines interesting traffic for my VPN?
The ACLs of interest for your issue are the following:
split-tunnel-network-list value RDGVPN_splitTunnelAcl, which is:
access-list RDGVPN_splitTunnelAcl standard permit xx.yy.zz.0 255.255.255.0
access-list RDGVPN_splitTunnelAcl standard permit 10.HH.GG.SS 255.255.255.0
access-list RDGVPN_splitTunnelAcl standard permit xx.yy.zz.0 255.255.255.0
access-list RDGVPN_splitTunnelAcl standard permit 10.AA.JJ.XX 255.255.255.0
And the identity NAT:
nat (inside) 0 access-list inside_nat0_outbound_V4, which is:
access-list inside_nat0_outbound_V4 extended permit ip xx.yy.zz.192 255.255.255.248 host 172.FF.GG.13
access-list inside_nat0_outbound_V4 extended permit ip any 10.RR.dd.EE 255.255.255.128
access-list inside_nat0_outbound_V4 extended permit ip xx.yy.zz.0 255.255.255.0 10.RR.dd.EE 255.255.255.128
access-list inside_nat0_outbound_V4 extended permit ip 10.HH.GG.SS 255.255.255.0 10.RR.dd.EE 255.255.255.128
For this to work, you have to have something in the identity NAT that says traffic from the networks in the split tunnel is allowed to go to the range 10.0.14.0/24,
like:
access-list inside_nat0_outbound_V4 extended permit ip xx.yy.zz.0 255.255.255.0 10.0.14.0 255.255.255.0
This makes it so that traffic is not translated on the outside interface and is routed over the tunnel.
How do the nat (inside) statements get processed?
This has no bearing on the VPN because the hosts are considered an extension of the network.
Hope this helps,
-t
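
An added example, not part of the original reply: a Python check that every network in the split-tunnel ACL has a NAT-exemption entry covering traffic to the VPN pool 10.0.14.0/24. The function names and sample addresses are constructed for illustration; only the ACL names and the pool range come from the post.

```python
import ipaddress

# Constructed sample config: the post's ACL names with made-up RFC 1918 addresses.
SAMPLE = """\
access-list RDGVPN_splitTunnelAcl standard permit 192.168.10.0 255.255.255.0
access-list RDGVPN_splitTunnelAcl standard permit 10.20.30.0 255.255.255.0
access-list inside_nat0_outbound_V4 extended permit ip 192.168.10.192 255.255.255.248 host 172.16.5.13
access-list inside_nat0_outbound_V4 extended permit ip 192.168.10.0 255.255.255.0 10.0.14.0 255.255.255.0
access-list inside_nat0_outbound_V4 extended permit ip 10.20.30.0 255.255.255.0 10.50.60.0 255.255.255.128
"""

def _take(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{head}/{tokens.pop(0)}")

def parse_acl(config, name):
    """Permit entries of ACL `name`: networks (standard) or (src, dst) pairs (extended ip)."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", name] or t[3] != "permit":
            continue
        if t[2] == "standard":
            entries.append(_take(t[4:]))
        elif t[2] == "extended" and t[4] == "ip":
            rest = t[5:]
            entries.append((_take(rest), _take(rest)))
    return entries

def missing_exemptions(config, split_acl, nat0_acl, pool):
    """Split-tunnel networks with no NAT-exemption entry covering traffic to the pool."""
    pool = ipaddress.ip_network(pool)
    nat0 = parse_acl(config, nat0_acl)
    return [net for net in parse_acl(config, split_acl)
            if not any(net.subnet_of(src) and pool.subnet_of(dst) for src, dst in nat0)]

if __name__ == "__main__":
    for net in missing_exemptions(SAMPLE, "RDGVPN_splitTunnelAcl",
                                  "inside_nat0_outbound_V4", "10.0.14.0/24"):
        print(f"no NAT exemption from {net} to the VPN pool")
```

The check is conservative: a network counts as covered only when a single exemption entry contains both the whole split-tunnel network and the whole pool.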