DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

VPN Routing

09 Apr 2019 20:28 #1 by balchana
Hi everyone, I hope you're all well.

I'm having a few issues with an IPSec tunnel between a Draytek router and a Cisco ASA. The site has two LANs that run alongside each other:

LAN 1 - Main Office LAN 192.168.4.0 /24
LAN 2 - Production LAN 10.20.21.0 /24

At the moment, each network has its own individual IPSec VPN running to HQ (10.99.0.0 /16). The plan is to remove the tunnel from LAN 2 and push all traffic through the LAN 1 VPN. Both networks can talk to each other internally, so I know the routing is in place already onsite.

The problem is that I cannot seem to get LAN 2 traffic through the main tunnel. LAN 1 uses a Draytek Vigor router. I can see the tunnel is up and can see the traffic on the other end (ASA), but nothing for the LAN 2 traffic. The key snippets from the ASA are below:

object-group network marcus-remote
 object-group network 192.168.4.0/24
 object-group network 192.168.254.0/24
 object-group network 10.20.21.0/24
object-group network marcus-local
 object-group network 10.99.0.0/16
access-list marcus extended permit ip object-group marcus-local 192.168.254.0 255.255.255.0
nat (inside,outside) source static marcus-local marcus-local destination static marcus-remote marcus-remote

Currently, the local network on the Draytek VPN tunnel is set to 192.168.4.0 /24, which NATs to 192.168.254.0 /24 on the ASA. That side of things is working fine. The problem I can see is that it doesn't let me add a second local subnet.

Is there anything I can do to add a second local subnet? I've tried setting the local network as 0.0.0.0 but it won't take it. Below is the bit of the config where I think the problem is.

Remote Network IP - 10.99.0.0
Remote Network Mask - 255.255.0.0
Translated Local Network to 192.168.254.0

Assistance would be greatly appreciated.

Thanks
B
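The following is an added example, not code from the post above and not DrayTek or Cisco software. It models the two traffic selectors the post describes (the ASA's crypto ACL `marcus` with its object-groups, and the Draytek's single translated local network against the 10.99.0.0/16 remote network) and evaluates which HQ-to-site flows each side would treat as tunnel traffic. It assumes Cisco first-match ACL semantics with an implicit deny at the end, and the host addresses 10.99.1.10, 192.168.254.5 and 10.20.21.5 are constructed test values. The consistency check at the end lists networks that are in the NAT exemption (`marcus-remote`) but not permitted as a destination by any crypto ACL line, which is the kind of mismatch to look for when one subnet is reachable over a tunnel and another is not.

```python
"""Evaluate IPsec traffic selectors on both ends of the tunnel from the post.

Added example (not from the forum post, DrayTek or Cisco). It represents the
quoted ASA definitions as Python data; the Python form is this example's own,
not ASA configuration syntax.
"""
import ipaddress

# ASA object-groups transcribed from the post (group names are the post's own).
OBJECT_GROUPS = {
    "marcus-remote": ["192.168.4.0/24", "192.168.254.0/24", "10.20.21.0/24"],
    "marcus-local": ["10.99.0.0/16"],
}

# access-list marcus extended permit ip object-group marcus-local 192.168.254.0 255.255.255.0
# Each entry: (action, source term, destination term). A term is either an
# object-group name or a network in CIDR form.
CRYPTO_ACL = [("permit", "marcus-local", "192.168.254.0/24")]

# Draytek-side selector as described in the post: one local network (the
# translated 192.168.254.0/24, since the ASA sees post-NAT addresses) and one
# remote network.
DRAYTEK_LOCAL = ["192.168.254.0/24"]
DRAYTEK_REMOTE = ["10.99.0.0/16"]


def expand(term):
    """Resolve an ACL term (object-group name or CIDR) to ip_network objects."""
    names = OBJECT_GROUPS.get(term, [term])
    return [ipaddress.ip_network(n, strict=False) for n in names]


def in_any(addr, networks):
    """True if the address falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def asa_acl_match(src, dst, acl=CRYPTO_ACL):
    """First-match evaluation of an extended ACL; unmatched flows are implicitly denied."""
    for action, s_term, d_term in acl:
        if in_any(src, expand(s_term)) and in_any(dst, expand(d_term)):
            return action == "permit"
    return False


def draytek_selector_match(src, dst):
    """Does a site-to-HQ flow fit the Draytek's local/remote network pair?"""
    local = [ipaddress.ip_network(n) for n in DRAYTEK_LOCAL]
    remote = [ipaddress.ip_network(n) for n in DRAYTEK_REMOTE]
    return in_any(src, local) and in_any(dst, remote)


def flow_status(hq_host, site_host):
    """Check one HQ<->site flow against both peers' selectors, one per direction."""
    return {
        "asa_hq_to_site": asa_acl_match(hq_host, site_host),
        "draytek_site_to_hq": draytek_selector_match(site_host, hq_host),
    }


def nat_exempt_but_not_encrypted():
    """Networks in marcus-remote that no crypto ACL line permits as a destination."""
    permitted = [net for action, _, d in CRYPTO_ACL if action == "permit"
                 for net in expand(d)]
    return [str(net) for net in expand("marcus-remote")
            if not any(net.subnet_of(p) for p in permitted)]


if __name__ == "__main__":
    # Constructed hosts: one in the translated LAN 1 range, one in LAN 2.
    for site_host in ("192.168.254.5", "10.20.21.5"):
        print(site_host, flow_status("10.99.1.10", site_host))
    print("in NAT exemption but outside crypto ACL:", nat_exempt_but_not_encrypted())
```

Run as-is to see that a flow to 192.168.254.5 is matched by both selectors while a flow to 10.20.21.5 is matched by neither; the consistency check reports 192.168.4.0/24 and 10.20.21.0/24 as exempt from NAT but absent from the crypto ACL. The same pattern (expand object-groups, evaluate first-match, then diff the NAT exemption against the crypto ACL) applies to any ASA site-to-site policy, not only the one quoted here.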
