
anyconnect vpn, can't get internet

Neetu Bhushan
Level 1

Hi all,

Need help again... my AnyConnect VPN can't route to the internet, but my inside interface can...

Here's my show run below,

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ciscoasa# sh run

: Saved

:

ASA Version 8.6(1)2

!

hostname ciscoasa

domain-name test1.com

enable password NuLKvvWGg.x9HEKO encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.0.50 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.64.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

dns server-group DefaultDNS

domain-name test1.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network NETWORK_OBJ_192.168.64.64_27

subnet 192.168.64.64 255.255.255.224

no pager

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

ip local pool inside-pool-vpn 192.168.64.70-192.168.64.90 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static NETWORK_OBJ_192.168.64.64_27 NETWORK_OBJ_192.168.64.64_27 no-proxy-arp route-lookup

!

nat (inside,outside) after-auto source dynamic any interface

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

route inside 192.168.64.0 255.255.255.0 192.168.64.1 10

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server LDAPSERVERS protocol ldap

aaa-server LDAPSERVERS (inside) host 192.168.64.100

ldap-base-dn dc=test1,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password *****

ldap-login-dn cn=administrator,cn=Users,dc=test1,dc=com

server-type auto-detect

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa.test1.com

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate e0a96d51

    3082025c 308201c5 a0030201 020204e0 a96d5130 0d06092a 864886f7 0d010105

    05003040 311b3019 06035504 03131263 6973636f 6173612e 74657374 312e636f

    6d312130 1f06092a 864886f7 0d010902 16126369 73636f61 73612e74 65737431

    2e636f6d 301e170d 31333034 31363139 34343139 5a170d32 33303431 34313934

    3431395a 3040311b 30190603 55040313 12636973 636f6173 612e7465 7374312e

    636f6d31 21301f06 092a8648 86f70d01 09021612 63697363 6f617361 2e746573

    74312e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902

    818100e1 1fc4496f 3f5a18f6 2809edf7 a83b4a72 f04f0a9b c38a49f4 010055c1

    5b433440 b942f442 1816b281 3e4489ee 8e96bc85 8549ae99 613a02af 5f3c963f

    dca6c79a 568eaf4c 25cd92f4 6700cfdb 794f9d8a 26a805bf 7136f75d 9346bc8c

    7d18e40e 954d626a 9cf4882d 573f9552 e70bb2f8 04933034 50d93bd4 1de2ed32

    71ea5302 03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06

    03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 80148a71 8795f669

    0435b43b 9290bfab a586025a a00a301d 0603551d 0e041604 148a7187 95f66904

    35b43b92 90bfaba5 86025aa0 0a300d06 092a8648 86f70d01 01050500 03818100

    bbba25e1 cf3926e6 682f5c42 08531f63 8d9f309a bad12c1e 2f610131 25a3e052

    3f81d48a 924bd871 dd041600 85f68816 5faa4210 5f5f75e9 c98f182f 873cf014

    1963122d e2fa9d35 b68e19a6 c47a6bd1 0d861234 2e1a8b01 cfc96ca7 de96ef59

    3dd6cbf4 1651386b 25b2240d 097c8b83 5720367b 86d38de2 229eddf8 9ebf0864

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

dhcpd address 192.168.64.40-192.168.64.60 inside

dhcpd dns 192.168.0.1 192.168.64.100 interface inside

dhcpd lease 200000 interface inside

dhcpd domain test1.com interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect profiles anyconnect-vpn_client_profile disk0:/anyconnect-vpn_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_anyconnect-vpn internal

group-policy GroupPolicy_anyconnect-vpn attributes

wins-server none

dns-server value 192.168.0.1 192.168.64.100

vpn-tunnel-protocol ikev2 ssl-client

default-domain value test1.com

webvpn

  anyconnect profiles value anyconnect-vpn_client_profile type user

username rickyv password gw5iJZK0zpRVc1Ur encrypted

tunnel-group anyconnect-vpn type remote-access

tunnel-group anyconnect-vpn general-attributes

address-pool inside-pool-vpn

authentication-server-group LDAPSERVERS LOCAL

default-group-policy GroupPolicy_anyconnect-vpn

tunnel-group anyconnect-vpn webvpn-attributes

group-alias anyconnect-vpn enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:ee1ad0b35257ed2f09d75ebae6c4926c

: end

ciscoasa#

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The digital cert is self-signed and the VPN can connect easily, and the user will have the shared path, meaning the VPN is working properly, but the user has no internet routing; also I can't ping the GW 192.168.64.1 from the VPN client. My ASDM is 6.6.

thanks for any comment you may add.

neetu
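Editor's note, added to the thread and not part of Neetu's post or of Cisco's documentation: the wizard-generated IKEv2 settings in the show run above still offer DES, 3DES, MD5 and DH groups 2 and 5, and the LDAP bind runs as the domain Administrator over clear-text LDAP; the second show run later in this thread also prints that bind password in the clear, so that credential should be treated as exposed and rotated. The fragment below shows the weak settings next to a hardened replacement. It keeps the thread's object, trustpoint and server-group names, assumes an ASA release that supports SHA-256 integrity and DH group 14 for IKEv2 (9.x; confirm with `integrity ?` and `group ?` on 8.6 before pasting), and uses a hypothetical low-privilege bind account `asa-ldap-bind` and a placeholder password.

```cisco
! Weak settings as generated by the ASDM wizard (copied from the thread)
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5

! Hardened replacement (added example; assumes an ASA release with
! SHA-256 and DH group 14 support for IKEv2)
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

! Point the dynamic map at the strong proposal first, then retire the rest;
! the ASA refuses to delete a proposal that a crypto map still references
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256-SHA256
no crypto ikev2 policy 10
no crypto ikev2 policy 20
no crypto ikev2 policy 30
no crypto ikev2 policy 40
no crypto ipsec ikev2 ipsec-proposal DES
no crypto ipsec ikev2 ipsec-proposal 3DES
no crypto ipsec ikev2 ipsec-proposal AES
no crypto ipsec ikev2 ipsec-proposal AES192
no crypto ipsec ikev2 ipsec-proposal AES256

! LDAP bind: dedicated read-only service account over LDAPS instead of the
! domain Administrator over clear-text LDAP (account name is hypothetical,
! password is a placeholder to be replaced)
aaa-server LDAPSERVERS (inside) host 192.168.64.100
 ldap-over-ssl enable
 server-port 636
 ldap-login-dn cn=asa-ldap-bind,ou=ServiceAccounts,dc=test1,dc=com
 ldap-login-password REPLACE_ME
```

After the change, `show crypto ikev2 sa` on a freshly connected client should show only the AES-256/SHA-256/group 14 combination; a client that still negotiates DES or MD5 means an old policy survived.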

1 Accepted Solution


Hello Neetu,

Yes, do that,

I mean the configuration looks good; the packet tracer will always show a drop, as the traffic is supposed to come encrypted.

The split tunnel should not be needed if we are doing a tunnel-all.

Anyway, keep us posted.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC



Julio Carvajal
VIP Alumni

nat (outside,outside) source dynamic  NETWORK_OBJ_192.168.64.64_27  interface


Let me know how it goes.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I'll try this later... I'm at work...

thanks a lot and more power.

Hello,

Sure Neetu,

Remember to rate all of the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry, the IP changed now, since I'm testing in the office; I have another 5515-X in the office and another at home...

Here's my show run with a filter on nat...

sh run | i nat

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.80.32_27 NETWORK_OBJ_10.0.80.32_27 no-proxy-arp route-lookup

nat (inside,outside) after-auto source dynamic any interface

Now I changed it per your instruction:

sh run |  i nat

nat (outside,outside) source dynamic NETWORK_OBJ_10.0.80.32_27 interface

nat (inside,outside) after-auto source dynamic any interface

It can't route to the internet, so I tried

sh run |  i nat

nat (outside,outside) source dynamic NETWORK_OBJ_10.0.80.32_27 interface

nat (outside,outside) after-auto source dynamic any interface

It still can't route my VPN user to the internet...

Hello Neetu,

I mean the nat you had before should still be there,

I just wanted to add one more:

nat (outside,outside) source dynamic  NETWORK_OBJ_192.168.64.64_27  interface

Can you share the complete show run NAT?

Is there a way that we could use another subnet range (different from the inside network)?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I also tried this...

ciscoasa# sh run | i nat

nat (inside,outside) source static any any destination static NETWORK_OBJ_10.0.80.32_27 NETWORK_OBJ_10.0.80.32_27 no-proxy-arp route-lookup

nat (outside,outside) source dynamic NETWORK_OBJ_10.0.80.32_27 interface

nat (inside,outside) after-auto source dynamic any interface

ciscoasa#

It didn't work...

Yeah, I could create another subnet... How can I modify the current pool for the VPN? The wizard has no edit for the VPN...

Okay, let's do the following:

ip local pool Anyconnect-test 192.168.100.1-192.168.100.100 mask 255.255.255.0

tunnel-group anyconnect-vpn general-attributes

no address-pool inside-pool-vpn

address-pool Anyconnect-test

object network Anyconnect_Pool_Julio

subnet 192.168.100.0 255.255.255.0

no nat (outside,outside) source dynamic NETWORK_OBJ_10.0.80.32_27 interface

no nat (outside,outside) after-auto source dynamic any interface

nat (inside,outside)  1 source static any any destination static  Anyconnect_Pool_Julio  Anyconnect_Pool_Julio

nat (outside,outside) source dynamic Anyconnect_Pool_Julio  interface

Let me know

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
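Editor's note on the recipe Julio lays out above: the block below is an added, generalized example of a tunnel-all AnyConnect NAT configuration and is not text from any post in the thread. It uses Julio's pool prefix 192.168.100.0/24 and the thread's tunnel-group and group-policy names, and narrows his `any any` identity rule to an INSIDE_LAN object (my choice; `any` works as well). Two things have to hold for this to work: the pool is not carved out of a connected subnet (the original pool sat inside 192.168.64.0/24, which is what forced the pool change), and the identity (no-NAT) rule sits above the hairpin rule in section 1, because manual NAT is first-match and a pool-to-LAN flow that hit the dynamic (outside,outside) rule first would be PAT'd back out of the outside interface instead of reaching the LAN.

```cisco
! --- Tunnel-all AnyConnect with clients PAT'd to the outside address (added example) ---
! Pool on its own subnet, not carved out of the inside LAN
ip local pool ANYCONNECT_POOL 192.168.100.1-192.168.100.100 mask 255.255.255.0
object network ANYCONNECT_POOL
 subnet 192.168.100.0 255.255.255.0
object network INSIDE_LAN
 subnet 192.168.64.0 255.255.255.0

! Decrypted client traffic enters and leaves the same (outside) interface
same-security-traffic permit intra-interface

! Section 1, line 1: identity (no-NAT) between the LAN and the pool, both directions.
! Must precede the hairpin rule: manual NAT is first-match.
nat (inside,outside) 1 source static INSIDE_LAN INSIDE_LAN destination static ANYCONNECT_POOL ANYCONNECT_POOL no-proxy-arp route-lookup
! Section 1, line 2: hairpin PAT for pool -> Internet, source rewritten to the outside IP
nat (outside,outside) 2 source dynamic ANYCONNECT_POOL interface
! Section 3: the existing LAN -> Internet PAT, evaluated after the rules above
nat (inside,outside) after-auto source dynamic any interface

! Hand the new pool to the tunnel group (replacing inside-pool-vpn)
tunnel-group anyconnect-vpn general-attributes
 no address-pool inside-pool-vpn
 address-pool ANYCONNECT_POOL

! Alternative to the hairpin rule: split tunnelling, so only the LAN prefix
! enters the tunnel and the client's Internet traffic never touches the ASA
access-list SPLIT_TUNNEL standard permit 192.168.64.0 255.255.255.0
group-policy GroupPolicy_anyconnect-vpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
```

With a client connected, `show nat` should show translate_hits and untranslate_hits climbing on the identity rule while the client talks to the LAN, and on the hairpin rule while it browses. Split tunnelling trades the hairpin for a weaker posture: the client's Internet traffic bypasses whatever inspection sits behind the ASA, which is why the tunnel-all design in the thread is usually preferred for managed endpoints.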

I really appreciate your help...

Something is not right in my test environment in the office... At home I can ping my AD host, but here in my office it can't, so I have to test this at home.

Thanks and more power... I will let you know later when I'm testing at home...

Hello,

Sure, keep me updated.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here's my testing at home...

: Saved

: Written by enable_15 at 19:31:06.189 UTC Wed Apr 17 2013

!

ASA Version 8.6(1)2

!

hostname ciscoasa

domain-name test1.com

enable password NuLKvvWGg.x9HEKO encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.0.50 255.255.255.0

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 192.168.64.1 255.255.255.0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/4

shutdown

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/5

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

ftp mode passive

dns server-group DefaultDNS

domain-name test1.com

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network NETWORK_OBJ_192.168.64.64_27

subnet 192.168.64.64 255.255.255.224

object network anyconnect-pool

subnet 192.168.100.0 255.255.255.0

pager lines 24

logging asdm informational

mtu management 1500

mtu inside 1500

mtu outside 1500

ip local pool inside-pool-vpn 192.168.64.70-192.168.64.90 mask 255.255.255.0

ip local pool anyconnect-test 192.168.100.1-192.168.100.20 mask 255.255.255.0

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat (inside,outside) source static any any destination static anyconnect-pool anyconnect-pool

nat (outside,outside) source dynamic anyconnect-pool interface

route outside 0.0.0.0 0.0.0.0 192.168.0.1 1

route inside 192.168.64.0 255.255.255.0 192.168.64.1 10

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server LDAPSERVERS protocol ldap

aaa-server LDAPSERVERS (inside) host 192.168.64.100

ldap-base-dn dc=test1,dc=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password Test123

ldap-login-dn cn=administrator,cn=Users,dc=test1,dc=com

server-type auto-detect

user-identity default-domain LOCAL

http server enable

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0

enrollment self

subject-name CN=ciscoasa.test1.com

proxy-ldc-issuer

crl configure

crypto ca certificate chain ASDM_TrustPoint0

certificate d1ec6e51

    3082025c 308201c5 a0030201 020204d1 ec6e5130 0d06092a 864886f7 0d010105

    05003040 311b3019 06035504 03131263 6973636f 6173612e 74657374 312e636f

    6d312130 1f06092a 864886f7 0d010902 16126369 73636f61 73612e74 65737431

    2e636f6d 301e170d 31333034 31373138 34353433 5a170d32 33303431 35313834

    3534335a 3040311b 30190603 55040313 12636973 636f6173 612e7465 7374312e

    636f6d31 21301f06 092a8648 86f70d01 09021612 63697363 6f617361 2e746573

    74312e63 6f6d3081 9f300d06 092a8648 86f70d01 01010500 03818d00 30818902

    818100e1 1fc4496f 3f5a18f6 2809edf7 a83b4a72 f04f0a9b c38a49f4 010055c1

    5b433440 b942f442 1816b281 3e4489ee 8e96bc85 8549ae99 613a02af 5f3c963f

    dca6c79a 568eaf4c 25cd92f4 6700cfdb 794f9d8a 26a805bf 7136f75d 9346bc8c

    7d18e40e 954d626a 9cf4882d 573f9552 e70bb2f8 04933034 50d93bd4 1de2ed32

    71ea5302 03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06

    03551d0f 0101ff04 04030201 86301f06 03551d23 04183016 80148a71 8795f669

    0435b43b 9290bfab a586025a a00a301d 0603551d 0e041604 148a7187 95f66904

    35b43b92 90bfaba5 86025aa0 0a300d06 092a8648 86f70d01 01050500 03818100

    3202994e d191cafc 1cc071f0 8539dc37 63583a74 e7437d34 d34fe975 6b1879a7

    8515c574 b03c4b95 d65b750f a389e989 dc3228dd 2ffeceb9 61e369a8 7c520bc2

    ea0a9044 a454924d 4afcff95 5732d904 1ea4a313 2a75d2bb d16674d5 625f4a22

    b622ab13 7d590e7d ea09e03c affc9744 3dbc234d 8241bf4b d1bcb0bd 3ab9534d

  quit

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable outside client-services port 443

crypto ikev2 remote-access trustpoint ASDM_TrustPoint0

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd enable management

!

dhcpd address 192.168.64.40-192.168.64.60 inside

dhcpd dns 192.168.0.1 192.168.64.100 interface inside

dhcpd lease 200000 interface inside

dhcpd domain test1.com interface inside

dhcpd enable inside

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1

anyconnect profiles anyconnect-vpn_client_profile disk0:/anyconnect-vpn_client_profile.xml

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_anyconnect-vpn internal

group-policy GroupPolicy_anyconnect-vpn attributes

wins-server none

dns-server value 192.168.0.1 192.168.64.100

vpn-tunnel-protocol ikev2 ssl-client

default-domain value test1.com

webvpn

  anyconnect profiles value anyconnect-vpn_client_profile type user

username rickyv password gw5iJZK0zpRVc1Ur encrypted

tunnel-group anyconnect-vpn type remote-access

tunnel-group anyconnect-vpn general-attributes

address-pool anyconnect-test

authentication-server-group LDAPSERVERS LOCAL

default-group-policy GroupPolicy_anyconnect-vpn

tunnel-group anyconnect-vpn webvpn-attributes

group-alias anyconnect-vpn enable

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:158ae89723342648e472577f2fe7498c

: end

No luck on the internet route... but it still allowed me to ping host 192.168.64.100, the AD host.

From the original config above, at home it doesn't allow me to ping the GW 192.168.64.1, but as I said, it allows me to ping the AD host, with both the configuration above and this new configuration.

Hello Neetu,

Okay, do the following:

packet-tracer input outside tcp 192.168.100.15 1025 4.2.2.2 80

Provide me the results.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Here you go...

ciscoasa# packet-tracer input outside tcp 192.168.100.15 1025 4.2.2.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   10.0.100.1       255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop             
Drop-reason: (acl-drop) Flow is denied by configured rule

thanks...

Hello Neetu,

I see you do not have any ACL; let's create one JUST FOR the PACKET-TRACER test, okay?

access-list TEST permit ip 192.168.100.0 255.255.255.0 any

access-group TEST in interface outside

Then the packet tracer again.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ciscoasa# packet-tracer input outside tcp 192.168.100.15 1025 4.2.2.2 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         outside

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed

ciscoasa#
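Editor's note on the packet-tracer exchange above, added here and not part of any post: the `sp-security-failed` drop is the expected outcome for a simulated packet that arrives on the outside interface in the clear from a VPN pool address, because the ASA insists that traffic from that source arrive inside the tunnel; this is the point the accepted answer makes. The earlier `acl-drop` went away only because of the TEST ACL, which real AnyConnect traffic never hits, since the default `sysopt connection permit-vpn` exempts decrypted VPN traffic from the interface ACL, so that ACL should come back out. The checks below are the ones worth running from the CLI while a client is connected and generating traffic; they use the pool and the test address from the thread. Later releases (9.9 and newer, to my recollection; confirm with `packet-tracer ?` on your version, as 8.6 predates it) accept a trailing `decrypted` keyword so the trace is evaluated as post-decryption traffic.

```cisco
! Remove the ACL that was only ever meant for the packet-tracer test
no access-group TEST in interface outside
clear configure access-list TEST

! 1. Is the client actually up, and did it get a pool address? Look for the
!    Assigned IP, the protocol (IKEv2 / SSL-Tunnel / DTLS) and non-zero Bytes Tx/Rx.
show vpn-sessiondb anyconnect

! 2. Which NAT rules exist, in which section, and are they getting hits?
show nat detail
show xlate | include 192.168.100.

! 3. Are connections being built for the client, and out of which interface?
show conn address 192.168.100.15

! 4. If nothing appears above, find out why the ASA is dropping the decrypted packets
clear asp drop
show asp drop

! 5. Capture the decrypted client traffic and any ASP drops while the client browses
capture VPN_CLIENT interface outside match ip 192.168.100.0 255.255.255.0 any
capture ASP_DROP type asp-drop all
show capture VPN_CLIENT
show capture ASP_DROP
no capture VPN_CLIENT
no capture ASP_DROP

! 6. On releases that support it, re-run the trace as already-decrypted traffic
packet-tracer input outside tcp 192.168.100.15 1025 4.2.2.2 80 decrypted
```

Read the output in that order: a session with Bytes Rx but no Bytes Tx and no xlate for the pool address points at NAT (the hairpin rule is missing or sits below a rule that already matched); a session with xlates but no conn entries out of `outside` points at routing or at a missing `same-security-traffic permit intra-interface`; and a counter climbing in `show asp drop` names the exact reason.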
