Remote site VPN (192.168.1.0/24) could terminate tunnel on ASA outside interface - and was then allowed to access network 172.31.1.0/24 across DMZ (DMZ port was reallocated to another Internet connection). Internal network (*see attachment) 10.0.0.0/12 could also connect to 172.31/24 via this route.
Moved 172.31/24 into the network (on 10.0.0.0/24 network). Now 10.0/12 can access 172.31/24 - but remote VPN (192.168.1.0/24) cannot.
Changes made on ASA for this move:
Changed static route from pointing to DMZ for 172.31/24 network.
Added NAT exempt for 172.31/24 to remote VPN network.
From 192.168.1.0/24 - I can ping any host on the 172.16.0.0/16 and 10.0.0.0/12 networks - but not 172.31/24.
Can ping 172.31/24 from "allowed" host (this is a vendor connection) from 172.16.0.0/16 and from any host on 10.0.0.0/12.
Cannot ping 172.31/24 from the ASA.
Can't seem to get my hands around this or know of any tool on the ASA to use to diagnose. Any ideas?