We have several ASA5505s at remote offices with IPsec 3DES L2L VPN tunnels to our hub ASA5540s. Pings work fine from devices behind both endpoints of the VPN tunnels, but pings sourced from the ASA5505s to devices behind the hub ASA5540 fail. In running a debug icmp trace on the ASA5505, I see the source IP being the outside, public IP address.
Other services like AAA TACACS do not work either because the AAA server, defined with a private IP and located behind the ASA5540, cannot be reached (show aaa-server shows the TACACS server as failed, even though the config on the ASA5505 points to the AAA server on the outside interface).
Any thoughts on this?