01-15-2021 11:43 AM
Hi Guys,
I recently configured our ASA 5515X firewall with anyconnect vpn.
The VPN client can log in and connect to the internet due to tunnel all traffic.
However, the VPN clients (192.168.150.0/24) cannot see the internal network on 192.168.0.0/24 (inside).
See attached for running-config
Can anyone please assist?
01-16-2021 08:54 AM
Am I right in thinking that you have 2 ISPs? One via ASA and the second via the Gateway.
The issue you are having is due to the return traffic from the servers going to the gateway and getting dropped there because it doesn't have the route to 192.168.150.0/24.
192.168.150.15 >>> ASA >>> Server >>> Gateway >>> Dropped
Option 1
If the ASA Inside interface is on the same VLAN as 192.168.0.0/24, you change the gateway on one of the servers from 192.168.0.1 to 192.168.0.10 for testing. After the change, you should be able to reach the internal network via the VPN.
Example - 192.168.150.15 >> ASA >> Server >>>>> ASA >>>192.168.150.15
Option 2
Add a static route on the Gateway assuming Gateway, ASA Inside Interface and the servers are on the same VLAN.
route 192.168.150.0 255.255.255.0 192.168.0.10
Please let me know how it goes.
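The asymmetric return path described in this answer, and both fixes, simulated in Python as an added example (not code from the thread). The node names, routing tables and the server address 192.168.0.79 are constructed assumptions; the addresses 192.168.0.1, 192.168.0.10 and 192.168.150.15 are the ones used above.

```python
import ipaddress

# Constructed model of the topology in the thread (assumptions, not the poster's config):
# the ASA terminates the AnyConnect pool 192.168.150.0/24 and its inside address is
# 192.168.0.10; the servers on 192.168.0.0/24 use the ISP gateway 192.168.0.1 by default.
OWNER = {                                   # address -> node that answers for it
    "192.168.0.10": "asa", "192.168.150.15": "asa",   # VPN client sits behind the ASA tunnel
    "192.168.0.1": "gateway", "192.168.0.79": "server",
}

def base_tables():
    """node -> [(prefix, next_hop)]; 'connected' = deliver on the LAN, 'isp' = uplink."""
    return {
        "asa":     [("192.168.150.0/24", "connected"), ("192.168.0.0/24", "connected")],
        "server":  [("192.168.0.0/24", "connected"), ("0.0.0.0/0", "192.168.0.1")],
        "gateway": [("192.168.0.0/24", "connected"), ("0.0.0.0/0", "isp")],
    }

def lookup(table, dst):
    """Longest-prefix match: returns (prefix, next_hop) or None."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in table if ip in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, nh = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), nh

def trace(start, dst, tables, max_hops=8):
    """Follow a packet hop by hop from node 'start'; returns (path, verdict)."""
    path, node = [start], start
    for _ in range(max_hops):
        if OWNER.get(dst) == node:
            return path, "delivered"
        route = lookup(tables[node], dst)
        if route is None:
            return path, f"dropped at {node}: no route to {dst}"
        if route[1] == "isp":
            # Assumption: the ISP uplink will not carry RFC 1918 destinations, so a default
            # route is as good as no route for the VPN pool (this is the thread's failure).
            return path, f"dropped at {node}: no route to {dst}, only a default toward the ISP"
        nxt = OWNER.get(dst) if route[1] == "connected" else OWNER.get(route[1])
        if nxt is None:
            return path, f"dropped at {node}: next hop unreachable"
        path.append(nxt)
        node = nxt
    return path, "dropped: hop limit exceeded"

def return_path_default():      # server -> gateway -> dropped
    return trace("server", "192.168.150.15", base_tables())

def return_path_option1():      # server's default gateway changed to the ASA
    t = base_tables()
    t["server"] = [("192.168.0.0/24", "connected"), ("0.0.0.0/0", "192.168.0.10")]
    return trace("server", "192.168.150.15", t)

def return_path_option2():      # static route for the VPN pool added on the gateway
    t = base_tables()
    t["gateway"].insert(0, ("192.168.150.0/24", "192.168.0.10"))
    return trace("server", "192.168.150.15", t)
```

Calling `trace("asa", "192.168.0.79", base_tables())` shows the forward direction succeeding, while `return_path_default()` stops at the gateway and the two `return_path_option*()` functions reach the ASA.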
01-15-2021 11:50 AM
Why do you have a static route for the VPN network via the inside interface? Remove it.
no route inside 192.168.150.0 255.255.255.0 192.168.0.1 1
You'll need a NAT exemption rule to ensure that traffic is not unintentionally NATted by the other NAT rules.
nat (INSIDE,OUTSIDE) source static inside-host inside-host destination static VPN VPN no-proxy-arp
01-15-2021 11:58 AM
Hi Thanks,
But I am still unable to see the inside network.
01-15-2021 12:02 PM
How are you testing?
Provide the output of "show nat detail" and run packet-tracer from the CLI to simulate the packet.
01-15-2021 12:55 PM
Result of the command: "show nat detail"
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside_192.168.0.10 inside_192.168.0.10 inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.0.10/32, Translated: 192.168.0.10/32
2 (outside) to (inside) source static VPN VPN
translate_hits = 187, untranslate_hits = 0
Source - Origin: 192.168.150.0/24, Translated: 192.168.150.0/24
3 (inside) to (outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.0.0/24, Translated: 192.168.0.0/24
Destination - Origin: 192.168.150.0/24, Translated: 192.168.150.0/24
Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic inside_nat interface
translate_hits = 234, untranslate_hits = 8
Source - Origin: 192.168.0.0/24, Translated: 74.10.177.111/24
2 (outside) to (outside) source dynamic VPN interface
translate_hits = 10391, untranslate_hits = 5345
Source - Origin: 192.168.150.0/24, Translated: 74.10.177.111/24
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 74.10.177.111/24
Packet Tracer Information:
Result of the command: "packet-tracer input inside rawip 192.168.150.100 0 192.168.0.79"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
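A small parser for ASA packet-tracer output, added here as an example (not from the thread): it pulls out the phase that dropped the packet, the final drop reason, and the NAT rules the flow matched, which is what the replies below ask about. SAMPLE_DROP is the failing trace posted above, abridged to the lines that matter.

```python
# SAMPLE_DROP: the "packet-tracer input inside rawip" result from the post above (abridged).
SAMPLE_DROP = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
output-interface: inside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return {'phases': [...], 'summary': {...}} from packet-tracer output."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):             # a new phase block
            cur = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                    # the final verdict block
            cur, section = None, "summary"
        elif section == "summary":
            key, _, val = line.partition(":")
            summary[key.strip().lower()] = val.strip()
        elif cur is None:
            continue                               # banner text before the first phase
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section in ("config", "info"):
            cur[section].append(line)
        else:                                      # Type:, Subtype:, Result: ALLOW/DROP
            key, _, val = line.partition(":")
            cur[key.strip().lower()] = val.strip()
    return {"phases": phases, "summary": summary}

def first_drop(parsed):
    """First phase whose Result is DROP, or None if the packet was allowed end to end."""
    return next((p for p in parsed["phases"] if p.get("result") == "DROP"), None)

def nat_rules_hit(parsed):
    """Config lines of NAT / UN-NAT phases: the NAT rules this flow actually matched."""
    return [c for p in parsed["phases"] if p.get("type") in ("NAT", "UN-NAT") for c in p["config"]]
```

For the trace above, `first_drop()` points at phase 2 (ACCESS-LIST, "Implicit Rule") and `nat_rules_hit()` is empty, which is the same thing Rob observes later in the thread: a trace that enters on inside with a VPN-pool source never reaches a NAT phase.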
01-15-2021 01:04 PM
Hi,
I just replicated your config on my lab and was able to reach Inside hosts (192.168.0.0/24) while connected to the VPN. (Please see the screenshot)
I made the changes suggested by Rob:
Can you please run a packet-tracer once you have connected to the VPN? Let's say the IP you have received while connected to the VPN is 192.168.150.110 and the inside host IP is 192.168.0.15.
# packet-tracer input outside tcp 192.168.150.110 25000 192.168.0.15 80
Thanks
Suresh
01-15-2021 01:27 PM
Hi Vsurresh,
See below.
Result of the command: "packet-tracer input outside tcp 192.168.150.110 25000 192.168.0.15 80"
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 192.168.0.0 255.255.255.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group traffic_out in interface outside
access-list traffic_out extended permit ip object VPN object inside-host
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Static translate 192.168.150.110/25000 to 192.168.150.110/25000
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 16890, packet dispatched to next module
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
01-15-2021 01:46 PM - edited 01-15-2021 01:50 PM
Could you also please run packet-tracer in the opposite direction? (Please make sure the ACL permits the traffic for testing; if not, add a test ACL.)
#packet-tracer input inside tcp 192.168.0.15 15000 192.168.150.110 22
Thanks
Suresh
01-15-2021 02:29 PM
Hi Suresh,
Result of the command: "packet-tracer input inside tcp 192.168.0.15 15000 192.168.150.110 22"
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.150.110/22 to 192.168.150.110/22
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
Additional Information:
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Static translate 192.168.0.15/15000 to 192.168.0.15/15000
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 19482, packet dispatched to next module
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
01-15-2021 01:39 PM - edited 01-15-2021 01:46 PM
The packet-tracer confirms "allow", so how are you testing with real traffic?
Are you pinging a device on the inside network?
Does that device have a local firewall enabled?
Is this ASA the default gateway for all traffic?
The output above confirms that you aren't matching the NAT exemption rule #3 (in either direction), but from outside to inside you are matching manual NAT rule #2. It looks like the inside traffic is not replying; I'd expect it to match rule #3.
01-15-2021 01:46 PM
Hi Rob,
Yes, I tried to ping several machines on the internal network and attempted to visit a few internal web servers.
Unfortunately, I got no response. I brought down the firewall for some of the machines too.
Yes, the ASA is the default gateway for internet traffic.
01-15-2021 01:48 PM
Disable rule #2 and re-test; traffic should match NAT rule #3.
Enable "debug icmp trace" and then run a ping from an anyconnect client to inside device, provide debug output.
Provide the output of "show nat detail".
01-15-2021 02:21 PM - edited 01-15-2021 02:24 PM
Hi Rob,
I am unable to run debug icmp trace on the CLI since I am having issues connecting to the ASA serial console.
I am currently using ASDM. The machines are still not responding. I notice I cannot ping 192.168.0.10 (inside interface) anymore as a VPN client after removing NAT #2. This is the best log detail I can get for the ICMP request.
6 Jan 15 2021 18:30:56 302020 192.168.150.100 49117 192.168.0.111 0 Built inbound ICMP connection for faddr 192.168.150.100/49117(LOCAL\dummyuser) gaddr 192.168.0.111/0 laddr 192.168.0.111/0 (dummyuser)
Result of the command: "show nat detai"
Manual NAT Policies (Section 1)
1 (inside) to (outside) source dynamic inside_192.168.0.10 inside_192.168.0.10 inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.0.10/32, Translated: 192.168.0.10/32
2 (outside) to (inside) source static VPN VPN inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 192.168.150.0/24, Translated: 192.168.150.0/24
3 (inside) to (outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
translate_hits = 6, untranslate_hits = 23
Source - Origin: 192.168.0.0/24, Translated: 192.168.0.0/24
Destination - Origin: 192.168.150.0/24, Translated: 192.168.150.0/24
Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic inside_nat interface
translate_hits = 234, untranslate_hits = 8
Source - Origin: 192.168.0.0/24, Translated: 74.10.177.111/24
2 (outside) to (outside) source dynamic VPN interface
translate_hits = 12445, untranslate_hits = 6722
Source - Origin: 192.168.150.0/24, Translated: 74.10.177.111/24
Manual NAT Policies (Section 3)
1 (inside) to (outside) source dynamic any interface inactive
translate_hits = 0, untranslate_hits = 0
Source - Origin: 0.0.0.0/0, Translated: 74.10.177.111/24
01-15-2021 03:27 PM
As all suggest, this is a NAT issue.
When using packet-tracer, use it with the detail keyword; it will let us know which NAT the traffic uses.
Please share it here.
01-15-2021 04:05 PM
See below. This is with NAT #2 enabled.
Result of the command: "packet-tracer input inside tcp 192.168.0.15 15000 192.168.150.110 22 detail"
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.150.110/22 to 192.168.150.110/22
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b0cd330, priority=13, domain=permit, deny=false
hits=4, user_data=0x7fff2376db00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Static translate 192.168.0.15/15000 to 192.168.0.15/15000
Forward Flow based lookup yields rule:
in id=0x7fff2a6d7290, priority=6, domain=nat, deny=false
hits=4, user_data=0x7fff217f7f20, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.150.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a26d2c0, priority=1, domain=nat-per-session, deny=true
hits=23787, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a65c130, priority=0, domain=inspect-ip-options, deny=true
hits=930, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a675a80, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=669, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (outside,inside) source static VPN VPN
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff29387950, priority=6, domain=nat-reverse, deny=false
hits=5, user_data=0x7fff29385c70, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=192.168.150.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a26d2c0, priority=1, domain=nat-per-session, deny=true
hits=23789, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a604480, priority=0, domain=inspect-ip-options, deny=true
hits=33970, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23463, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
This is without NAT rule #2.
Result of the command: "packet-tracer input inside tcp 192.168.0.15 15000 192.168.150.110 22 detail"
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
NAT divert to egress interface outside
Untranslate 192.168.150.110/22 to 192.168.150.110/22
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group inside_access_in in interface inside
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2b0cd330, priority=13, domain=permit, deny=false
hits=5, user_data=0x7fff2376db00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
Static translate 192.168.0.15/15000 to 192.168.0.15/15000
Forward Flow based lookup yields rule:
in id=0x7fff29b90e50, priority=6, domain=nat, deny=false
hits=0, user_data=0x7fff217de0e0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.150.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a26d2c0, priority=1, domain=nat-per-session, deny=true
hits=23940, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a65c130, priority=0, domain=inspect-ip-options, deny=true
hits=931, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 6
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fff2a675a80, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=670, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=any
Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (inside,outside) source static inside-host inside-host destination static VPN VPN no-proxy-arp description prevent self nat
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fff29d4ef70, priority=6, domain=nat-reverse, deny=false
hits=1, user_data=0x7fff2cbcafa0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.0.0, mask=255.255.255.0, port=0, tag=0
dst ip/id=192.168.150.0, mask=255.255.255.0, port=0, tag=0, dscp=0x0
input_ifc=inside, output_ifc=outside
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a26d2c0, priority=1, domain=nat-per-session, deny=true
hits=23942, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fff2a604480, priority=0, domain=inspect-ip-options, deny=true
hits=34142, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23612, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow