VPN Connection Problem

Rohit Mangotra
Level 1

Hi,

The user can log in with their valid AD account. The remote laptop receives a correct IP address from the ASA IP DHCP pool (192.168.210.231-192.168.210.250). However, the remote laptop CANNOT communicate with other internal networks (e.g. by PING). The remote laptop CAN PING the VPN interface (outside) of the ASA. There is a VPN remote connection established (IKEv1) when logging into the ASA (see the configuration below).

Note: The ASA configuration is attached (most of the configuration was done with ASDM). I would really appreciate it if anyone could have a look at it and let me know what I am doing wrong.

interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 200.190.70.66 255.255.255.248
!
object network NETWORK_OBJ_192.168.210.224_27
 subnet 192.168.210.224 255.255.255.224

access-list splittunnel standard permit 172.16.0.0 255.255.0.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0

access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip any object NETWORK_OBJ_192.168.210.224_27

nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup

route outside 192.168.210.224 255.255.255.224 200.190.70.65 1

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map ASA-VPN-SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ASA-VPN-SITE interface outside

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 172.16.5.31 172.16.5.32
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value zzzzzz

username user1 password zzzzzz encrypted
username user1 attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol ikev1

tunnel-group DefaultRAGroup general-attributes
 address-pool remote-vpn-pool
 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

Thanks & Regards

Rohit.

9 Replies

Rudy Sanjoko
Level 4

Hi, is ping the only thing that is not working? If you can, post/attach the whole config here.

If it's only ping that is not working, then a couple of things to check are:

- if you have enabled inspect icmp command

- if you have configured management-access inside command

Hi Rudy,

Thanks for your reply, but I already have these commands in my ASA and it is still the same. I cannot ping the inside interface of the ASA 5525 while connected to the VPN, and cannot ping from the inside network to the connected VPN. Any suggestion would be really appreciated.

Thanks & Regards

Rohit.

Hi, so is ping the only thing that is not working? Do other protocols work fine? Try checking the ACL; make sure that the VPN pool IP addresses are allowed to access the inside network. If you can, post/attach the whole config here.

Hi Rudy,

Thanks for your reply. I cannot access the internal network at all. Please see the attached configuration below.

 

interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 200.190.70.66 255.255.255.248
!
object network NETWORK_OBJ_192.168.210.224_27
 subnet 192.168.210.224 255.255.255.224

access-list splittunnel standard permit 172.16.0.0 255.255.0.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0

access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip any object NETWORK_OBJ_192.168.210.224_27

nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup

route outside 192.168.210.224 255.255.255.224 200.190.70.65 1

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map ASA-VPN-SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map ASA-VPN-SITE interface outside

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 172.16.5.31 172.16.5.32
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value zzzzzz

username user1 password zzzzzz encrypted
username user1 attributes
 vpn-group-policy DefaultRAGroup
 vpn-tunnel-protocol ikev1

tunnel-group DefaultRAGroup general-attributes
 address-pool remote-vpn-pool
 default-group-policy DefaultRAGroup

tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****

tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2

Thanks & Regards

Rohit

What's your LAN network address? Is it one of these: 172.16.0.0 255.255.0.0 / 192.168.1.0 255.255.255.0? If it is not one of those, you will need to modify your split tunnel ACL.

 

Hi Rudy,

The LAN network address is 172.16.0.0 255.255.0.0

192.168.1.0/24 -- DMZ

192.168.210.224/27 -- VPN client addresses

 

Thanks & Regards

Rohit

Post your config.

Hi Rudy,

Please see the complete configuration of ASA.

ASA Version 8.6(1)2
!
hostname ciscoasa
names
!
interface GigabitEthernet0/0
 speed 1000
 duplex full
 nameif outside
 security-level 0
 ip address 200.190.70.66 255.255.255.248
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
 nameif inside
 security-level 100
 ip address 172.16.3.254 255.255.255.0
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 nameif dmz
 security-level 50
 ip address 192.168.1.254 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 0
 ip address 10.1.95.11 255.255.255.0
 management-only
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
ftp mode passive
dns server-group DefaultDNS
 domain-name zzzzzz
object network obj-172.16.0.0-nonat
 subnet 172.16.0.0 255.255.0.0
object network obj-192.168.1.0-nonat
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.0.0-nonat
 subnet 192.168.0.0 255.255.0.0
object network obj-192.168.1.0-nonatdmz
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.201.0-nonatdmz
 subnet 192.168.1.0 255.255.255.0
object network obj-172.16.0.0-nonatdmz
 subnet 172.16.0.0 255.255.0.0
object network obj-192.168.1.0-dmz-vpn_private
 subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_192.168.210.224_27
 subnet 192.168.210.224 255.255.255.224
object network internal-radius
 host 172.16.5.67
object-group network inside-subnet-source
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.2.0 255.255.255.252
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.5.0 255.255.255.0
 network-object 172.16.10.0 255.255.255.0
 network-object 172.16.11.0 255.255.255.0
 network-object 172.16.13.0 255.255.255.0
 network-object 172.16.20.0 255.255.255.0
 network-object 172.16.21.0 255.255.255.0
 network-object 172.16.23.0 255.255.255.0
 network-object 172.16.30.0 255.255.255.0
 network-object 172.16.31.0 255.255.255.0
 network-object 172.16.35.0 255.255.255.0
 network-object 172.16.40.0 255.255.255.0
 network-object 172.16.109.0 255.255.255.0
 network-object 172.16.118.0 255.255.255.0
 network-object 172.16.128.0 255.255.255.0
 network-object 172.16.129.0 255.255.255.0
 network-object 172.16.130.0 255.255.255.0
 network-object 172.16.131.0 255.255.255.0
 network-object 172.16.132.0 255.255.255.0
 network-object 172.16.192.0 255.255.255.0
 network-object 172.16.193.0 255.255.255.0
 network-object 172.16.194.0 255.255.255.0
 network-object 172.16.195.0 255.255.255.0
 network-object 172.16.196.0 255.255.255.0
object-group network dmz-subnet-source
 network-object 192.168.1.0 255.255.255.0

access-list o_inside extended permit ah any any
access-list o_inside extended permit esp any any
access-list o_inside extended permit icmp any any
access-list o_inside extended permit icmp any any echo
access-list o_inside extended permit tcp any any eq imap4
access-list o_inside extended permit udp any any eq 143

***access-list o_inside extended permit tcp/udp SPECIFIC inside network/pc device to access host in DMZ network (none related to VPN)

access-list outside extended permit icmp any any echo-reply
access-list outside extended permit icmp any any

***access-list outside extended permit tcp/udp SPECIFIC from outside network/pc device to access host in DMZ/inside network (none related to VPN)


access-list o_dmz extended permit icmp any any echo-reply

***access-list o_dmz extended permit tcp/udp SPECIFIC from dmz network/pc device to access host in inside network (none related to VPN)

access-list splittunnel standard permit 172.16.0.0 255.255.0.0
access-list splittunnel standard permit 192.168.1.0 255.255.255.0

access-list SYSTEM_DEFAULT_CRYPTO_MAP extended permit ip any object NETWORK_OBJ_192.168.210.224_27
 
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu dmz 1500
mtu management 1500
ip local pool remote-vpn-pool 192.168.210.231-192.168.210.250 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any dmz
icmp permit any vpn_private
icmp permit any vpn_public
icmp permit any optusapn_temp
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.1.0-nonat obj-192.168.1.0-nonat no-proxy-arp
nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
nat (inside,any) source static obj-192.168.0.0-nonat obj-192.168.0.0-nonat destination static obj-192.168.1.0-nonat obj-192.168.1.0-nonat no-proxy-arp
nat (dmz,any) source static obj-192.168.1.0-nonatdmz obj-192.168.1.0-nonatdmz destination static obj-172.16.0.0-nonatdmz obj-172.16.0.0-nonatdmz no-proxy-arp

nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup

!
nat (inside,outside) after-auto source dynamic inside-subnet-source outside-host-global
nat (inside,dmz) after-auto source dynamic inside-subnet-source dmz-host-global
nat (dmz,outside) after-auto source dynamic dmz-subnet-source outside-host-global
access-group outside in interface outside
access-group o_inside in interface inside
access-group o_dmz in interface dmz
route outside 0.0.0.0 0.0.0.0 200.190.70.65 1
route inside 172.16.0.0 255.255.0.0 172.16.3.1 1
route inside 172.20.1.0 255.255.255.0 172.16.3.1 1
route inside 172.30.1.0 255.255.255.0 172.16.3.1 1
route inside 192.168.0.0 255.255.0.0 172.16.3.1 1
route outside 192.168.210.0 255.255.255.224 200.190.70.65 1
route outside 192.168.210.32 255.255.255.224 200.190.70.65 1
route outside 192.168.210.64 255.255.255.224 200.190.70.65 1
route outside 192.168.210.96 255.255.255.224 200.190.70.65 1
route outside 192.168.210.128 255.255.255.224 200.190.70.65 1
route outside 192.168.210.224 255.255.255.224 200.190.70.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server internal-radius protocol radius
aaa-server internal-radius (inside) host 172.16.5.67
 key zzzzzz
 radius-common-pw zzzzzz
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
http server enable
http 172.16.0.0 255.255.0.0 inside
http 172.16.0.0 255.255.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5

crypto map ASA-VPN-SITE 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map ASA-VPN-SITE interface outside

crypto ikev2 policy 10
 encryption aes-256 aes-192 aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400

crypto ikev2 enable outside
crypto ikev1 enable outside

crypto ikev1 policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.1.0 255.255.255.0 inside
telnet 172.16.3.0 255.255.255.0 inside
telnet 172.16.0.0 255.255.0.0 management
telnet timeout 20
ssh 172.16.0.0 255.255.0.0 inside
ssh 172.16.3.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 30
ssh version 2
console timeout 30
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 172.16.3.1
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable

group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 172.16.5.31 172.16.5.32
 vpn-tunnel-protocol ikev1 l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnel
 default-domain value ZZZZZZ

username user1 password zzzzzz encrypted
username user1 attributes
vpn-group-policy DefaultRAGroup
vpn-tunnel-protocol ikev1

tunnel-group DefaultRAGroup general-attributes
 address-pool remote-vpn-pool
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key ZZZZZZ
tunnel-group DefaultRAGroup ppp-attributes
 no authentication chap
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
  inspect h323 h225
  inspect h323 ras
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 7
  subscribe-to-alert-group configuration periodic monthly 7
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:a225df4d313cd95bb3662bd3d70733fe
: end


Thanks & Regards

Rohit.

 

Your NAT statements overlap with each other.

nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp

nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup

Change "any" on your NAT statements to a more specific interface (in this case it should be outside) and add route-lookup to it. Then remove the bottom NAT statement, as you don't need it: the top NAT statement is already doing the same thing.

Please post the output of the show run nat, show nat, show access-list and show ipsec sa commands if the above steps haven't solved your issue.
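The overlap this reply points at is a rule-ordering problem: ASA section-1 (manual) NAT rules are evaluated top down and the first match wins, so the broad 172.16.0.0/16 -> 192.168.0.0/16 identity rule catches traffic to the VPN pool (192.168.210.224/27 is inside 192.168.0.0/16) before the VPN-specific rule below it is ever consulted. The following Python model is an added example, not code from the thread or from Cisco. It parses a constructed excerpt of the posted configuration (the object definitions, the object-group trimmed to two members, and the section-1 NAT lines in their original order), finds the first matching rule for a flow from an inside host to a VPN client, reports later rules that an earlier rule fully shadows, and then applies the reply's suggestion to the one rule it quotes. Function names are hypothetical; the model checks rule order and address overlap only and does not reproduce how the ASA selects the egress interface.

```python
"""ASA manual-NAT (section 1) first-match model.  Added example, not Cisco code:
it checks rule order and address overlap only and does not model how the ASA
picks the egress interface."""
import ipaddress
import re
from collections import namedtuple

# Constructed excerpt of the configuration posted in the thread: the object,
# object-group (trimmed to two members) and section-1 NAT lines, in original order.
CONFIG = """\
object network obj-172.16.0.0-nonat
 subnet 172.16.0.0 255.255.0.0
object network obj-192.168.1.0-nonat
 subnet 192.168.1.0 255.255.255.0
object network obj-192.168.0.0-nonat
 subnet 192.168.0.0 255.255.0.0
object network NETWORK_OBJ_192.168.210.224_27
 subnet 192.168.210.224 255.255.255.224
object-group network inside-subnet-source
 network-object 172.16.3.0 255.255.255.0
 network-object 172.16.5.0 255.255.255.0
nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.1.0-nonat obj-192.168.1.0-nonat no-proxy-arp
nat (inside,any) source static obj-172.16.0.0-nonat obj-172.16.0.0-nonat destination static obj-192.168.0.0-nonat obj-192.168.0.0-nonat no-proxy-arp
nat (inside,outside) source static inside-subnet-source inside-subnet-source destination static NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27 no-proxy-arp route-lookup
"""

NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) source static (\S+) \S+ "
                    r"destination static (\S+) \S+(.*)$")

# src/dst hold the *real* (untranslated) networks of an identity rule.
NatRule = namedtuple("NatRule", "real_if mapped_if src dst route_lookup text")

def parse_objects(config):
    """Map object / object-group names to the ip_network list they contain."""
    objects, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^object(?:-group)? network (\S+)", line)
        if head:
            current = head.group(1)
            objects[current] = []
        elif line.startswith(" ") and current:
            m = re.match(r"^\s+(?:subnet|network-object) (\S+) (\S+)", line)
            if m:
                objects[current].append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        else:
            current = None  # any other top-level line ends the object block
    return objects

def parse_nat(config):
    """Section-1 (manual, static) NAT rules in configuration order."""
    objects = parse_objects(config)
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            real_if, mapped_if, src, dst, tail = m.groups()
            rules.append(NatRule(real_if, mapped_if, objects[src], objects[dst],
                                 "route-lookup" in tail, line))
    return rules

def first_match(rules, src_ip, dst_ip):
    """Index of the first rule whose real source and destination contain the flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for i, r in enumerate(rules):
        if any(s in n for n in r.src) and any(d in n for n in r.dst):
            return i
    return None

def shadowed_pairs(rules):
    """(i, j) pairs where an earlier rule i matches every flow a later rule j would."""
    def covered(nets, by):
        return all(any(n.subnet_of(b) for b in by) for n in nets)
    pairs = []
    for i, a in enumerate(rules):
        for j in range(i + 1, len(rules)):
            b = rules[j]
            if (a.real_if == b.real_if and a.mapped_if in ("any", b.mapped_if)
                    and covered(b.src, a.src) and covered(b.dst, a.dst)):
                pairs.append((i, j))
    return pairs

def with_suggested_change(config):
    """The reply's suggestion, applied to the rule it quotes: make the 172.16/16 ->
    192.168/16 rule interface-specific with route-lookup, drop the VPN-pool rule."""
    out = []
    for line in config.splitlines():
        if "NETWORK_OBJ_192.168.210.224_27 NETWORK_OBJ_192.168.210.224_27" in line:
            continue
        if line.startswith("nat (inside,any) source static obj-172.16.0.0-nonat") \
                and "destination static obj-192.168.0.0-nonat" in line:
            line = line.replace("(inside,any)", "(inside,outside)") + " route-lookup"
        out.append(line)
    return "\n".join(out)

if __name__ == "__main__":
    rules = parse_nat(CONFIG)
    hit = first_match(rules, "172.16.5.31", "192.168.210.240")  # inside DNS -> VPN client
    print("first matching rule:", hit, rules[hit].text)
    print("shadowed (earlier, later):", shadowed_pairs(rules))
```

Run as a script it reports that the inside-to-VPN-client flow hits rule 1 (the (inside,any) rule without route-lookup) and that rule 2, the VPN-pool rule, is fully shadowed by it; after `with_suggested_change` the same flow still matches the broad rule, but that rule now carries route-lookup and a specific interface, and no shadowed rule remains.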
