We have an IPSec tunnel to the head office. Our local address pool is 10.0.0.0/24. In the router, when I ping a remote server (ping 192.168.1.1) it doesn't work. But when I ping with the source interface (bvi1 = 10.0.0.1/24), it works: ping 192.168.1.1 source bvi1.
Could you please tell me the difference between the two commands? And why can't I ping in the normal way? If a computer is in the 10.0.0.0/24 subnet, can it ping the remote server?
It all depends what is in your crypto access-list. So if your crypto access-list reads something like
access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255 (router version)
access-list vpntraffic permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0 (PIX version)
then you need to generate the ping with a source IP address in the 10.0.0.x range. When you ping from the router without specifying the source interface, the router will use its outside interface. If the IP address of this outside interface is not in your crypto map access-list, then it will not work.
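As an added illustration (not part of the original answer), the following Python models the crypto ACL check described above: it parses both ACL forms quoted in the answer (IOS wildcard mask and PIX netmask) and tests which ping source addresses fall inside the permit entry. The outside interface address is an assumed placeholder, since the post does not give it.

```python
import ipaddress
from typing import List, Optional, Tuple

# ACE = (action, source network, destination network)
ACE = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

# The two crypto ACL lines quoted in the answer, without the annotations.
IOS_LINE = "access-list 101 permit ip 10.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255"
PIX_LINE = "access-list vpntraffic permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0"

# Addresses from the question; the outside interface IP is an assumed
# placeholder (TEST-NET-3), as the post never states it.
OUTSIDE_IF_IP = "203.0.113.2"
BVI1_IP = "10.0.0.1"
REMOTE_SERVER = "192.168.1.1"


def parse_ace(line: str, pix: bool) -> ACE:
    """Parse 'access-list <id> permit|deny ip <src> <mask> <dst> <mask>'.
    IOS uses wildcard masks (1 bit = don't care); PIX uses plain netmasks."""
    p = line.split()
    action, src, smask, dst, dmask = p[2], p[4], p[5], p[6], p[7]

    def net(addr: str, mask: str) -> ipaddress.IPv4Network:
        if not pix:  # invert the wildcard to obtain an ordinary netmask
            mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

    return action, net(src, smask), net(dst, dmask)


def acl_permits(acl: List[ACE], src: str, dst: str) -> bool:
    """First matching entry decides; no match means the implicit deny,
    i.e. the packet is not selected for the IPsec tunnel at all."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action == "permit"
    return False


ROUTER_ACL = [parse_ace(IOS_LINE, pix=False)]
PIX_ACL = [parse_ace(PIX_LINE, pix=True)]


def ping_selected_for_tunnel(source_ip: Optional[str] = None) -> bool:
    """'ping 192.168.1.1' sources from the outside interface; 'ping ... source bvi1'
    sources from the bvi1 address. Only the latter matches the crypto ACL."""
    return acl_permits(ROUTER_ACL, source_ip or OUTSIDE_IF_IP, REMOTE_SERVER)


if __name__ == "__main__":
    print("plain ping        :", ping_selected_for_tunnel())          # False
    print("ping source bvi1  :", ping_selected_for_tunnel(BVI1_IP))   # True
    print("host 10.0.0.50    :", ping_selected_for_tunnel("10.0.0.50"))  # True
```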