I have an ASA5510 at a main site that provides Internet access for remote-site VPN users (no split tunneling), and everything works fine. Now I need to send all the VPN traffic to an L3 switch connected to the inside interface of the ASA (for NAC purposes), and this switch has the ASA as its default route. When, from a remote site, I ping an address on the Internet, I see the echo go through the VPN, then the L3 switch, back to the ASA and then out to the Internet (the wanted behavior). The problem is with the echo-reply: it seems to die on the ASA and never reaches the PC that initiated the ping.
Is it the stateful inspection of the ASA that kills the echo-reply? Is there a way to avoid this behavior? With a tunneled default route on the ASA, is the echo-reply supposed to be sent back to the tunneled default route (in this case, the L3 switch), or is it supposed to be routed directly to the remote site via the VPN?
Thanks for your help...
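Added example, not part of the original post and not an answer from the thread: a minimal ASA configuration for the topology the poster describes (remote-access VPN with no split tunneling, a tunneled default route handing decrypted traffic to an L3 switch on the inside interface), followed by the packet-tracer and capture commands that show on which pass through the ASA, and in which phase, the echo-reply is dropped. All interface addresses, pool, object names and the NAT lines are assumptions; the poster's actual configuration is not on the page.

```cisco
! Added example (not the poster's configuration). Assumed addressing:
!   outside interface 203.0.113.2/24, ISP next hop 203.0.113.1
!   inside  interface 10.0.0.1/24,   L3/NAC switch   10.0.0.2
!   VPN client pool   192.168.100.0/24
!   Internet host pinged by the VPN client: 198.51.100.10

! Remote-access clients get a pool address and no split tunneling,
! so every packet they send, Internet-bound included, enters the tunnel.
ip local pool VPN_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
group-policy VPN_GP internal
group-policy VPN_GP attributes
 split-tunnel-policy tunnelall
 address-pools value VPN_POOL

! Normal default route toward the ISP for non-VPN traffic.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Tunneled default route: decrypted VPN traffic with no more specific
! route is handed to the L3 switch on the inside interface (NAC).
! Only traffic that arrived through a tunnel uses this route.
route inside 0.0.0.0 0.0.0.0 10.0.0.2 tunneled

! The switch routes the traffic back to the ASA (its default route),
! which then translates it out the outside interface. Pre-8.3 NAT
! syntax is shown; adapt to object NAT on 8.3+ (assumed, not from the post).
nat (inside) 1 192.168.100.0 255.255.255.0
global (outside) 1 interface

! --- Diagnostics for the missing echo-reply ---
! Is ICMP being tracked statefully at all? (inspect icmp in the policy)
show service-policy inspect icmp
show conn | include ICMP

! 1. Simulate the echo-reply (ICMP type 0, code 0) from the Internet host
!    arriving on the outside interface, addressed to the VPN client, and
!    see which phase handles it and which egress interface it would take.
packet-tracer input outside icmp 198.51.100.10 0 0 192.168.100.5 detailed

! 2. Simulate the same reply arriving from the L3 switch on the inside
!    interface (the second pass through the ASA) for comparison.
packet-tracer input inside icmp 198.51.100.10 0 0 192.168.100.5 detailed

! 3. Capture the real packets on both interfaces with a per-packet trace,
!    and collect every ASP drop, while the VPN client runs the ping.
capture CAP_OUT interface outside trace match icmp any host 192.168.100.5
capture CAP_IN interface inside trace match icmp any host 192.168.100.5
capture ASPDROP type asp-drop all
show capture CAP_OUT trace detail
show capture CAP_IN trace detail
show capture ASPDROP
show asp drop
```

Read the two packet-tracer results side by side: the one that ends in DROP names the phase (for example a flow lookup or a route lookup) and the drop reason, and `show asp drop` counts the same reason against live traffic, so the combination tells you whether the reply dies on its first arrival on outside or only after the L3 switch has handed it back to the inside interface.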