I can't ping any host on the other side of the tunnel but I can ping any interface on the router.  I believe routing is configured ok.

Regards,

Eric

Here's my config:

version 15.1

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname CISCO1941

!

boot-start-marker

warm-reboot uptime 2

boot-end-marker

!

!

security authentication failure rate 3 log

security passwords min-length 8

logging buffered 2097152

logging console critical

enable secret 5 ####

!

aaa new-model

!

!

aaa authentication login local_authen local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authorization exec local_author local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

!

!

!

aaa session-id common

!

no process cpu autoprofile hog

!

ipv6 unicast-routing

ipv6 cef

no ip source-route

ip cef

!

!

ip nbar port-map custom-03 udp 10000 10001 10002 10003 10004 10005 10006 10007 10008 10009 10010 10011 10012 10013 10014 10015

!

ip dhcp excluded-address 10.0.1.1 10.0.1.99

ip dhcp excluded-address 10.0.1.200 10.0.1.254

!

ip dhcp pool dhcp-pool-10-0-1-0

   import all

   network 10.0.1.0 255.255.255.0

   domain-name ####

   dns-server 10.0.1.5 194.72.0.98

   default-router 10.0.1.1

   netbios-name-server 10.0.1.5

   lease 7

!

!

no ip bootp server

ip domain name ####

ip name-server 194.72.0.98

ip name-server 194.72.9.38

ip port-map user-ctcp-ezvpnsvr port tcp 11000

ip port-map user-voip-rtp port udp from 10000 to 10015

ip ips config location flash0:/IPS retries 1

ip ips notify SDEE

ip ips name sdm_ips_rule

!

ip ips signature-category

  category all

   retired true

  category ios_ips advanced

   retired false

!

ip ddns update method sdm_ddns1

HTTP

  add ####

  remove ####

interval minimum 24 0 0 0

!

!

multilink bundle-name authenticated

!

parameter-map type urlfpolicy local urlf-parameter_map

allow-mode on

parameter-map type urlf-glob cpaddbnwlocparadeny0

!

energywise domain #### security shared-secret 7 #### protocol udp port 43440 interface GigabitEthernet0/0

energywise neighbor 10.0.1.3 43440

crypto pki token default removal timeout 0

!

crypto pki trustpoint trps1_server

revocation-check none

!

!

crypto pki trustpoint TP-self-signed-238871991

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-238871991

revocation-check none

!

!

crypto pki certificate chain trps1_server

certificate ca 00 nvram:wtsuiciscoco#0CA.cer

crypto pki certificate chain TP-self-signed-238871991

certificate self-signed 01 nvram:IOS-Self-Sig#3.cer

license udi pid CISCO1941/K9 sn ####

license accept end user agreement

license boot module c1900 technology-package securityk9

license boot module c1900 technology-package datak9

!

!

archive

log config

  hidekeys

username admin privilege 15 secret 5 ####

!

redundancy

!

crypto key pubkey-chain rsa

named-key realm-cisco.pub

  key-string

   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

   00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16

   17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128

   B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E

   5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35

   FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85

   50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36

   006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE

   2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3

   F3020301 0001

  quit

!

!

!

!

ip tcp synwait-time 10

!

class-map match-any VOIP

match protocol skinny

match protocol sip

match protocol skype

match protocol custom-03

class-map match-any shape_outgoing_class

match any

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-all CCP_SSLVPN

match access-group name SDM_IP

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any SDM_WEBVPN

match access-group name SDM_WEBVPN

class-map type inspect match-all SDM_WEBVPN_TRAFFIC

match class-map SDM_WEBVPN

match access-group 102

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match protocol user-ctcp-ezvpnsvr

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type urlfilter match-any cpaddbnwlocclassdeny0

match  server-domain urlf-glob cpaddbnwlocparadeny0

class-map type inspect match-any sip-traffic

match protocol sip

class-map type inspect match-any -sdminspectclassmap-2

match protocol http

class-map type inspect match-any -sdminspectclassmap-1

match protocol http

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map match-any Management

match protocol ssh

match protocol telnet

match protocol dns

match protocol ntp

match protocol icmp

class-map type inspect match-any cpinspectclass0

match protocol http

class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1

match class-map sip-traffic

match access-group name sip-out-in

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect urlfilter urlf-policy

description urlf-policy

parameter type urlfpolicy local urlf-parameter_map

class type urlfilter cpaddbnwlocclassdeny0

  reset

  log

policy-map type inspect ccp-sslvpn-pol

class type inspect cpinspectclass0

  inspect

  service-policy urlfilter urlf-policy

class type inspect CCP_SSLVPN

  pass

class class-default

  drop log

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

  service-policy urlfilter urlf-policy

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class class-default

  pass

policy-map qos-outbound

class VOIP

  set dscp ef

  priority percent 70

class Management

  bandwidth remaining percent 10

class class-default

  bandwidth remaining percent 20

policy-map shape_outgoing

class shape_outgoing_class

  shape average 377480

  service-policy qos-outbound

policy-map type inspect ccp-permit

class type inspect SDM_WEBVPN_TRAFFIC

  inspect

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class class-default

  drop log

policy-map type inspect ccp-pol-outToIn

  class type inspect -sdminspectclassmap-2

  inspect

  service-policy urlfilter urlf-policy

class type inspect CCP_PPTP

  pass

class type inspect ccp-cls-ccp-pol-outToIn-1

  inspect

class class-default

  drop log

policy-map type inspect sdm-permit-ip

class type inspect -sdminspectclassmap-1

  inspect

  service-policy urlfilter urlf-policy

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone security sslvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone

service-policy type inspect ccp-pol-outToIn

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-sslvpn-zone-ezvpn-zone source sslvpn-zone destination ezvpn-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-ezvpn-zone-sslvpn-zone source ezvpn-zone destination sslvpn-zone

service-policy type inspect ccp-sslvpn-pol

!

crypto ctcp port 11000

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 2

encr aes

authentication pre-share

group 2

!

crypto isakmp policy 3

encr aes 256

authentication pre-share

group 2

!

crypto isakmp client configuration group vpnusers

key ####

dns 10.0.1.5 194.72.0.98

wins 10.0.1.5

domain ####

pool ezvpn_pool

acl 101

include-local-lan

max-users 100

max-logins 2

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group vpnusers

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   keepalive 10 retry 2

   virtual-template 1

!

crypto ipsec security-association idle-time 3600

!

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 7200

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

!

interface Loopback0

ip address 10.0.11.1 255.255.255.0

!

interface Loopback1

ip address 10.0.10.1 255.255.255.0

!

interface Null0

no ip unreachables

!

interface GigabitEthernet0/0

description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$FW_INSIDE$$ETH-LAN$

ip address 10.0.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

duplex auto

speed auto

ipv6 enable

no mop enabled

!

interface GigabitEthernet0/1

description $FW_INSIDE$$ES_LAN$$ETH-LAN$

ip address 10.0.2.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

duplex auto

speed auto

ipv6 enable

no mop enabled

!

interface ATM0/0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no atm ilmi-keepalive

!

interface ATM0/0/0.1 point-to-point

bandwidth 370

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

pvc 0/38

  cbr 370

  tx-ring-limit 3

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

  service-policy out shape_outgoing

!

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback1

no ip redirects

no ip unreachables

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip virtual-reassembly in

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Virtual-Template2

ip unnumbered Loopback0

no ip redirects

no ip unreachables

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip virtual-reassembly in

zone-member security sslvpn-zone

!

interface Dialer0

description $FW_OUTSIDE$

ip ddns update hostname ####

ip ddns update sdm_ddns1

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip nbar protocol-discovery

ip flow ingress

ip flow egress

ip nat outside

ip ips sdm_ips_rule in

ip virtual-reassembly in

zone-member security out-zone

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname ####

ppp chap password 7 ####

ppp pap sent-username #### password 7 ####

!

ip local pool ezvpn_pool 10.0.10.100 10.0.10.199

ip local pool sslvpn_pool 10.0.11.100 10.0.11.199

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip flow-cache timeout active 1

ip flow-export version 5

ip flow-export destination 10.0.2.7 9996

ip flow-top-talkers

top 50

sort-by bytes

cache-timeout 500

!

ip dns server

ip nat inside source list NAT_ACCESS interface Dialer0 overload

ip nat inside source static tcp 10.0.1.8 5060 interface Dialer0 5060

ip nat inside source static udp 10.0.1.8 5060 interface Dialer0 5060

ip nat inside source static tcp 10.0.11.1 443 interface Dialer0 443

ip route 0.0.0.0 0.0.0.0 Dialer0

ip route 10.0.1.0 255.255.255.0 GigabitEthernet0/0

ip route 10.0.2.0 255.255.255.0 GigabitEthernet0/1

!

ip access-list standard NAT_ACCESS

remark CCP_ACL Category=2

permit 10.0.1.0 0.0.0.255

permit 10.0.2.0 0.0.0.255

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

ip access-list extended SDM_WEBVPN

remark CCP_ACL Category=1

permit tcp any any eq 443

ip access-list extended sip-out-in

remark CCP_ACL Category=128

permit ip any host 10.0.1.8

!

ip sla 1

tcp-connect 10.0.1.3 9001

tos 184

tag tcp-connect

frequency 300

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 10.0.1.8

tag asterisk

frequency 300

ip sla schedule 2 life forever start-time now

ip sla 3

icmp-echo 10.0.1.5

tag data

frequency 300

ip sla schedule 3 life forever start-time now

ip sla 4

icmp-echo 10.0.1.2

tag wireless

frequency 300

ip sla schedule 4 life forever start-time now

ip sla 5

icmp-echo 10.0.1.9

tag cctv

ip sla schedule 5 life forever start-time now

ip sla 6

icmp-echo 10.0.1.4

tag voip-gateway

frequency 300

ip sla schedule 6 life forever start-time now

ip sla logging traps

logging esm config

logging trap debugging

logging host 10.0.2.7 transport tcp

logging 10.0.2.7

access-list 23 permit 10.0.1.0 0.0.0.255

access-list 23 permit 10.0.10.0 0.0.0.255

access-list 23 permit 10.0.2.0 0.0.0.255

access-list 23 permit 10.0.11.0 0.0.0.255

access-list 23 permit 10.0.3.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip 10.0.1.0 0.0.0.255 any

access-list 101 permit ip 10.0.2.0 0.0.0.255 any

access-list 101 permit ip 10.0.3.0 0.0.0.255 any

access-list 101 permit ip 10.0.10.0 0.0.0.255 any

access-list 101 permit ip 10.0.11.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=128

access-list 102 permit ip any host 10.0.11.1

dialer-list 1 protocol ip permit

!

!

!

!

!

snmp-server community #### RW

snmp-server community #### RO

snmp-server ifindex persist

snmp-server location ####

snmp-server contact ####

!

!

control-plane

!

!

line con 0

line aux 0

line vty 0 4

access-class 23 in

authorization exec local_author

login authentication local_authen

transport input telnet ssh

line vty 5 15

access-class 23 in

authorization exec local_author

login authentication local_authen

transport input telnet ssh

!

scheduler allocate 20000 1000

!

webvpn gateway gateway_1

ip address 10.0.11.1 port 443

http-redirect port 80

ssl trustpoint TP-self-signed-238871991

inservice

!

webvpn install svc flash0:/webvpn/anyconnect-dart-win-2.5.2001-k9.pkg sequence 1

!

webvpn install svc flash0:/webvpn/anyconnect-macosx-i386-2.5.2001-k9.pkg sequence 2

!

webvpn install svc flash0:/webvpn/anyconnect-linux-2.5.2001-k9.pkg sequence 3

!

webvpn context sslvpn

secondary-color white

title-color #669999

text-color black

ssl authenticate verify all

!

!

policy group policy_1

   functions svc-enabled

   svc address-pool "sslvpn_pool"

   svc default-domain "####"

   svc keep-client-installed

   svc split include 10.0.11.0 255.255.255.0

   svc split include 10.0.10.0 255.255.255.0

   svc split include 10.0.3.0 255.255.255.0

   svc split include 10.0.2.0 255.255.255.0

   svc split include 10.0.1.0 255.255.255.0

   svc dns-server primary 10.0.1.5

   svc dns-server secondary 194.72.0.98

   svc wins-server primary 10.0.1.5

default-group-policy policy_1

aaa authentication list ciscocp_vpn_xauth_ml_2

gateway gateway_1

max-users 10

inservice

!

end