I am setting up 4 tunnels between my ASA and 4 Checkpoint remote sites. They just need access to 2 hosts. They will only accept public IP addresses, so I am trying to NAT the internal hosts to public addresses and force the traffic down the tunnel. When my site initiates the tunnel everything works fine (I see encryption/decryption), but when they initiate the tunnel, traffic only comes from them (I only see decryption but never see encryption). If anyone has any ideas I would be grateful. Below is the config example. I do not believe it is the external ACL because I tried the connection with the sysopt connection permit-vpn and still no dice. I ran debugs (debug crypto ipsec 127 and debug crypto isakmp 127) but I did not see anything out of the ordinary. Attached is an example of part of the config.