I have a weird issue. Earlier today I created a tunnel to a vendor that uses "public" addresses (138.x.x.x) as a private address for me to tunnel to. All of this works except for a remote site that has a 5505 configured as a vpnclient. The tunnel-group that they connect to has a group-policy that forces all traffic over the tunnel. The vpnacl that's applied shows that it's allowing everything over the tunnel. NAT is disabled only by not having the global line in the config.
The problem is that the user tries to go to this address, but it doesn't seem to go over the tunnel. I created a capture file on my side (headend) and I don't see anything. Then I created a capture file on their side and I see it try to connect, but no success. Any ideas on how I can force this address through the tunnel so it can go out of my device like it should? I have hundreds of users that work fine, but it's the satellite offices that have these ASAs that don't. I've got same-security-traffic permit intra-interface configured on my headend 5520.