show ipsec sa interface: Internet Crypto map tag: Client, seq num: 40, local addr: UPC_IP access-list Site-to-Site-v permit ip host 172.28.14.1 192.168.16.0 255.255.255.0 local ident (addr/mask/prot/port): (172.28.14.1/255.255.255.255/0/0) remote ident (addr/mask/prot/port): (192.168.16.0/255.255.255.0/0/0) current_peer: 80.120.67.33 #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 14246, #pkts decrypt: 14246, #pkts verify: 14246 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts comp failed: 0, #pkts decomp failed: 0 #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0 #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0 #send errors: 0, #recv errors: 0 local crypto endpt.: UPC_IP, remote crypto endpt.: 80.120.67.33 path mtu 1500, ipsec overhead 74, media mtu 1500 current outbound spi: 6BA9F061 inbound esp sas: spi: 0x87BDD844 (2277365828) transform: esp-aes-256 esp-sha-hmac no compression in use settings ={L2L, Tunnel, } slot: 0, conn_id: 2449408, crypto-map: Client sa timing: remaining key lifetime (sec): 3013 IV size: 16 bytes replay detection support: Y Anti replay bitmap: 0x000000FF 0xFFFFFFFF outbound esp sas: spi: 0x6BA9F061 (1806299233) transform: esp-aes-256 esp-sha-hmac no compression in use settings ={L2L, Tunnel, } slot: 0, conn_id: 2449408, crypto-map: Client sa timing: remaining key lifetime (sec): 3013 IV size: 16 bytes replay detection support: Y It seems your packets reach ASA, but they find no way back through the tunnel. Below is the VPN configuration, do you see any flaws? interface Ethernet0/0 nameif Internet security-level 0 ip address UPC_IP 255.255.255.192 ! interface Ethernet0/1 nameif Lan security-level 100 ip address 192.168.10.1 255.255.255.0 ! access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0 access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0 access-list VPN extended permit ip 192.168.10.0 255.255.255.0 192.168.0.0 255.255.255.0 access-list VPN extended deny ip any any access-list Site-to-Site-v extended permit ip host 172.28.14.1 192.168.16.0 255.255.255.0 access-list Site-to-Site-v-NAT extended permit ip 192.168.10.0 255.255.255.0 192.168.16.0 255.255.255.0 global (Internet) 100 interface nat (Lan) 0 access-list VPN nat (Lan) 100 0.0.0.0 0.0.0.0 static (Lan,Internet) 172.28.14.0 access-list Site-to-Site-v-NAT crypto ipsec transform-set SETS esp-aes-256 esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map DynClient 65000 set transform-set SET crypto dynamic-map DynClient 65000 set reverse-route crypto map Client 40 match address Site-to-Site-v crypto map Client 40 set peer Checkpoint_IP crypto map Client 40 set transform-set SETS crypto map Client 40 set security-association lifetime seconds 3600 crypto map Client 65535 ipsec-isakmp dynamic DynClient crypto map Client interface Internet crypto isakmp identity address crypto isakmp enable Internet crypto isakmp policy 30 authentication pre-share encryption aes-256 hash sha group 2 lifetime 86400 tunnel-group Checkpoint_IP type ipsec-l2l tunnel-group Checkpoint_IP ipsec-attributes pre-shared-key * !