Spoke to spoke communication has always been super easy in ASA Site to Site VPNs. As long as your CRYPTO ACL has the remote subnets in it, and NO-NAT Statements are there everything pretty much works.
The other day I had an issue getting it to work. After some research I was still struggling. All of my remote sites were in my Crypto ACL, my VPN was up and working to the hub, and any subnet behind the hub would work, but access to other IPSEC tunnels connected behind were not working. See rough sketch of the network below.
I checked Nat statements, looked great, but my traffic was not flowing. I decided to debug via ASDM this is the error I received.
Routing failed to locate next hop for ICMP then my outside (Louisville), and inside (Italy) address.
Other examples are:
Routing failed to locate next hop for TCP then my outside (Louisville), and inside (Italy) address.
Routing failed to locate next hop for UDP then my outside (Louisville), and inside (Italy) address.
Well, 192.168.17.0/24 does not live inside my firewall – it should be connected to the outside (US-Signal) VIA the VPN. Boom, that’s when it clicked. My nat statement is wrong, well not wrong, just missing. Since these connections are connecting to my outside network, and then going to my outside network – I need to create the nat statement with the source interface and destination interface being US-Signal.
A few things to note about the below statement – I put it at the top of my manual nat entries, and notice the interface – both are US-Signal my outside interface.