01-25-2008 08:12 AM - edited 03-11-2019 04:53 AM
I am having trouble getting to host(s) on my inside network via remote vpn. I can successfully connect to the ASA using cisco client, but I cannot ping or connect to any devices on my inside network. When I ssh to the ASA I can ping the hosts on the inside network and the hosts on the outside (VPN) network. I've setup remote vpn via ASDM wizard before, but have not encountered this problem. Any help would be appreciated. I have attached my config.
Thanks
01-25-2008 08:14 AM
You need to apply NAT 0 to bypass NAT for the VPN Client pool of IP addresses. I see an ACL configured but not applied. What you need is:
nat (inside) 0 access-list inside_nat0_outbound
Please configure this and let me know how it goes.
Regards,
Arul
** Please rate all helpful posts **
01-25-2008 08:23 AM
Thank you for your reply. That did not fix it. I'm not even seeing any hit counts on my ACLs.
I did the following command
MehASA(config)# nat (inside) 0 access-list inside_nat0_outbound
MehASA(config)# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
alert-interval 300
access-list Test_VPN_splitTunnelAcl; 1 elements
access-list Test_VPN_splitTunnelAcl line 1 standard permit 192.168.1.0 255.255.255.0 (hitcnt=0) 0x85f9e2ff
access-list inside_nat0_outbound; 1 elements
access-list inside_nat0_outbound line 1 extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0 (hitcnt=0) 0x94bd01e3
01-25-2008 08:35 AM
So, you are getting connected but not able to access the LAN. What is the IP address that you are trying to ping from the VPN Client?
Also, can you post the output of "show cry is sa" and "show cry ipsec sa" when you are VPNed in and trying to access the LAN?
Also, did you get a chance to do a "clear xlate" after you configured the NAT 0 statement?
Regards,
Arul
01-25-2008 09:05 AM
I did a clear xlate and it didn't change anything. I'm trying to connect to 192.168.1.111. Here is the output from the commands:
MehASA(config)# sho cry is sa
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 170.163.152.43
Type : user Role : responder
Rekey : no State : AM_ACTIVE
MehASA(config)# sho cry ipsec sa
interface: outside
Crypto map tag: SYSTEM_DEFAULT_CRYPTO_MAP, seq num: 65535, local addr: 67.87.102.24
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.1/255.255.255.255/0/0)
current_peer: 170.163.152.43, username: test_user
dynamic allocated peer ip: 192.168.100.1
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 67.87.102.24, remote crypto endpt.: 170.163.152.43
path mtu 1500, ipsec overhead 74, media mtu 1500
current outbound spi: 9F034A2E
inbound esp sas:
spi: 0xF2FE6308 (4076757768)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 28672, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28758
IV size: 16 bytes
replay detection support: Y
outbound esp sas:
spi: 0x9F034A2E (2667792942)
transform: esp-aes esp-sha-hmac none
in use settings ={RA, Tunnel, }
slot: 0, conn_id: 28672, crypto-map: SYSTEM_DEFAULT_CRYPTO_MAP
sa timing: remaining key lifetime (sec): 28758
IV size: 16 bytes
replay detection support: Y
thanks again for your help
01-25-2008 09:35 AM
Thanks for the outputs! Based on the show commands, the ASA is encrypting and decrypting traffic. So, chances are that the ASA is sending the traffic back to the VPN Client and is getting dropped somewhere in between.
On the VPN Client, under statistics, do you see packets encrypted and decrypted, or only encrypted? How is the VPN Client connected to the internet? Can you use a dial-up connection and test this, just to make sure that we rule out the configuration on the ASA?
Regards,
Arul
** Please rate all helpful posts **
01-25-2008 09:41 AM
I did a ping -t to a host on my LAN that I know is up (pinged from the ASA) for 30 seconds, and this is what my stats look like:
Encrypted 13
Decrypted 0
Discarded 3
Bypassed 820
01-25-2008 09:45 AM
Kevin,
This confirms that there is nothing wrong with the configuration on the ASA. Are you using IPsec over UDP? Can you make sure that NAT-T is enabled?
crypto isakmp nat-traversal
Also, can you provide some information on how the Client is getting connected to the internet? Is there a firewall that is blocking any traffic?
Regards,
Arul
** Please rate all helpful posts **
01-25-2008 09:49 AM
That did it!!
Thank you.
Any idea why that was disabled?
01-25-2008 10:05 AM
Great! Thanks for the rating :-) Appreciate that.
"isakmp nat-traversal" is disabled by default, and that is the reason we did not see it in the configuration. Please refer to the documentation below for details:
http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/gl.html#wp1645570
Regards,
Arul
** Please rate all helpful posts **
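The two fixes proposed in this thread (the NAT 0 exemption in the first reply and the NAT-T command in the accepted answer) pulled together as one pre-8.3 ASA configuration fragment, shown as an added example rather than the poster's attached config. The ACL names and the 192.168.100.0/24 client pool are taken from the outputs posted above; the pool name VPN_POOL, the tunnel-group and group-policy name Test_VPN, the pre-shared key placeholder and the 20-second keepalive value are assumptions. The symptom that points at NAT-T is the one the client statistics showed: encrypted counters climbing, decrypted stuck at zero, because the ESP packets the ASA sends back cannot pass the NAT device in front of the client. A related check is the `in use settings` line of `show crypto ipsec sa`: the output posted above reads `{RA, Tunnel, }`, whereas a tunnel that has negotiated NAT-T encapsulation also lists `NAT-T-Encaps` there. Whether NAT-T is on by default varies by ASA release, so verify it with `show running-config crypto isakmp` rather than assuming either way.

```cisco
! ---- 1. NAT exemption for the remote-access pool (pre-8.3 NAT syntax) ----
! Defining the ACL alone does nothing (the thread's ACL showed hitcnt=0
! because it was never bound); it must be referenced by "nat (inside) 0".
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!
! ---- 2. Client address pool, split tunnel and tunnel group (names assumed) ----
ip local pool VPN_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
access-list Test_VPN_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
group-policy Test_VPN internal
group-policy Test_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Test_VPN_splitTunnelAcl
tunnel-group Test_VPN type remote-access
tunnel-group Test_VPN general-attributes
 address-pool VPN_POOL
 default-group-policy Test_VPN
tunnel-group Test_VPN ipsec-attributes
 pre-shared-key <REPLACE_WITH_STRONG_PSK>
!
! ---- 3. NAT traversal ----
! Weak state (what the thread's ASA had): no nat-traversal line at all, so ESP
! from the ASA is dropped by the NAT device in front of the client and the
! client reports "Decrypted 0". Enable NAT-T with UDP 4500 keepalives
! (assumed interval: 20 s). On ASA 7.0 the keyword is "isakmp nat-traversal 20".
crypto isakmp nat-traversal 20
!
! ---- 4. Verification after a client reconnects ----
! show running-config crypto isakmp   -> must list "crypto isakmp nat-traversal 20"
! show crypto ipsec sa                -> "in use settings" should include NAT-T-Encaps
!                                        and #pkts decaps should now grow alongside #pkts encaps
! show access-list inside_nat0_outbound -> hitcnt increments as inside hosts reply to the pool
! clear xlate                          -> after changing NAT, so stale translations do not linger
```

The fragment is ordered the way a reviewer would read it: NAT exemption first, because without it replies from 192.168.1.0/24 are translated before they reach the crypto map; then the tunnel definition; then NAT-T, which only matters when the client sits behind a NAT device, and which no amount of ACL or xlate debugging on the ASA will reveal, since the ASA itself encrypts and counts the packets it sends. On 8.3 and later the `nat (inside) 0 access-list` form is gone and the exemption is written as an identity `nat (inside,outside) source static` rule instead.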