Cisco ASA: Exempt VPN Traffic from Translation
If your ASA also performs address translation, you need to exempt your site-to-site VPN traffic from those translation rules. This is called Identity NAT.
Define an ACL whose permit statements match the site-to-site traffic, specifying both the source and destination addresses/networks, then apply that ACL with a nat 0 rule on the inside interface:
ASA(config)# access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
ASA(config)# nat (inside) 0 access-list nonat
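To audit an exemption like the one above, the following added example (not part of the original page and not Cisco tooling) parses only the two command forms shown here and reports whether a given flow bypasses translation, and whether any exemption uses "any". The function names and sample configuration are constructed for illustration, and deny entries and ACL ordering are deliberately ignored.

```python
import ipaddress

# Constructed sample: the two commands from this page (prompt removed)
# plus an unrelated ACL that is not bound to a nat 0 rule.
SAMPLE_CONFIG = """\
access-list nonat permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list outside_in permit ip any host 192.168.2.10
nat (inside) 0 access-list nonat
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def take_net(tokens):
    """Consume one address spec from tokens: 'any', 'host A' or 'A MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return ANY
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def exemption_rules(config):
    """Return (src_net, dst_net) for 'permit ip' entries of ACLs bound by nat 0."""
    lines = [line.split() for line in config.splitlines()]
    # ACL names referenced by: nat (<interface>) 0 access-list <name>
    bound = {t[4] for t in lines
             if len(t) == 5 and t[0] == "nat" and t[2:4] == ["0", "access-list"]}
    rules = []
    for t in lines:
        if len(t) < 6 or t[0] != "access-list" or t[1] not in bound:
            continue
        rest = t[2:]
        if rest[0] == "extended":   # keyword is optional in this syntax
            rest.pop(0)
        if rest[:2] != ["permit", "ip"]:
            continue                # simplification: other entries are skipped
        rest = rest[2:]
        src = take_net(rest)
        dst = take_net(rest)
        rules.append((src, dst))
    return rules

def is_exempt(config, src, dst):
    """True if traffic from src to dst matches a NAT exemption entry."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in sn and d in dn for sn, dn in exemption_rules(config))

def broad_rules(config):
    """Exemptions with 'any' as source or destination bypass NAT for far more than the tunnel."""
    return [r for r in exemption_rules(config) if ANY in r]
```
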