I have multiple sites, all with dynamic IP addresses.
At HO I have a Cisco router with a dynamic IP address, on which internet port forwarding is configured, and the VPN terminates on an ASA.
I have 40 branches, all with dynamic IPs. All L2L tunnels are up and running.
My issue is that communication from branch to HO is perfect, but from HO I am not able to access any of the branch resources.
Could somebody help me to resolve this issue? Config is attached.
I understand the setup a little bit better.
It seems that your routers are doing destination NAT, so all tunnels appear to be coming from the "172.16.40.0/23" subnet.
And indeed your assumption is correct: the problem appears to be related to a lack of correct routes pointing to the outside (at least it seems so for now).
However reverse route injection should take care of it.
Speaking of which, I noticed your tunnels land on crypto dynamic-map alfa and not the system default.
Please add "crypto dynamic-map alfa 1 set reverse" and restart one of the tunnels (do not reload the spoke, just clear isakmp or ipsec session for it).
We'll see from there.
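To make the suggested change concrete, here is a constructed ASA configuration excerpt with the verification commands a practitioner would run afterwards. It is added as an illustration and is not taken from the attached config; the crypto map name outside_map, the sequence numbers, the transform-set name, and the branch LAN and peer addresses are all assumptions.

```cisco
! Hub ASA (constructed example, not the poster's config).
! "alfa" is the dynamic crypto map the reply refers to; the other names
! and numbers below are assumed for illustration.
crypto dynamic-map alfa 1 set transform-set ESP-AES-256-SHA
! Reverse Route Injection: when a branch tunnel comes up, the ASA installs a
! static route for the branch LAN (learned from the remote proxy identity)
! pointing out the outside interface, so HO-initiated traffic is steered into
! the tunnel instead of following the default route unencrypted.
crypto dynamic-map alfa 1 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic alfa
crypto map outside_map interface outside

! --- verification (assumed branch values) ---
! 1. Tear down one branch SA so it is rebuilt with RRI active; do not reload the spoke.
!    clear crypto ipsec sa peer 203.0.113.10
! 2. After the spoke re-establishes the tunnel, the injected route should appear:
!    show route | include 192.168.10.0
!      S    192.168.10.0 255.255.255.0 [1/0] via 203.0.113.10, outside
! 3. Confirm encaps/decaps counters move in both directions when HO pings the branch:
!    show crypto ipsec sa peer 203.0.113.10
```

Two caveats worth checking if the route still does not appear: RRI only installs the route once the SA is up, so a branch whose tunnel was idle will show nothing until traffic or a clear forces renegotiation; and the injected prefix is taken from the branch's crypto ACL, so each spoke's ACL must name its actual LAN as the source, or the hub will learn the wrong destination.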