I'm trying to be able to reach the inside IP of the firewall while logged into the VPN.   I can reach everything behind the inside network except the firewall (.1), ping, nor SSH works.

As a workaround, I currently ssh into another box on the inside network and than ssh to .1 which works.

The logs show this during the connection attempt:

%ASA-6-302013: Built inbound TCP connection 211656 for outside:10.0.17.11/59835 (10.0.17.11/59835) to identity:10.0.18.1/22 (10.0.18.1/22) (xx)

%ASA-6-302014: Teardown TCP connection 211656 for outside:10.0.17.11/59835 to identity:10.0.18.1/22 duration 0:00:00 bytes 0 TCP Reset by appliance (xx)

If it matters, we also use the same VPN for external access so some of our "public internet traffic" goes through it which is why we have the nat outbound on the VPN IP block.

VPN Block: 10.0.17.0/24

Inside Block: 10.0.18.0/24

Config:

hostname vpn

domain-name x.x

enable password x.x encrypted

passwd x.x encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

!

interface Ethernet0/2

switchport access vlan 2

!

interface Ethernet0/3

!

interface Ethernet0/4

!

interface Ethernet0/5

!

interface Ethernet0/6

!            

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 10.0.18.1 255.255.255.0

!

interface Vlan2

nameif outside

security-level 0

ip address 64.38.x.x 255.255.255.192

!

ftp mode passive

dns domain-lookup outside

dns server-group DefaultDNS

name-server 8.8.8.8

name-server 8.8.4.4

domain-name x.x

same-security-traffic permit intra-interface

access-list OUTBOUND extended deny ip any any log

access-list INBOUND extended deny ip any any log

access-list VPN-ACCESS standard permit host 216.86.x.x

access-list VPN-ACCESS standard permit 10.0.18.0 255.255.255.0

access-list NONAT extended permit ip 10.0.18.0 255.255.255.0 10.0.17.0 255.255.255.0

pager lines 24

logging enable

logging buffered debugging

mtu inside 1500

mtu outside 1500

ip local pool THEPOOL 10.0.17.10-10.0.17.250

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

nat-control

global (outside) 1 interface

nat (inside) 0 access-list NONAT

nat (inside) 1 10.0.18.0 255.255.255.0

nat (outside) 1 10.0.17.0 255.255.255.0

route outside 0.0.0.0 0.0.0.0 64.38.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set THESET esp-aes-256 esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map DYNAMAP 10 set transform-set THESET

crypto map THEMAP 10 ipsec-isakmp dynamic DYNAMAP

crypto map THEMAP interface outside

crypto isakmp identity address

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes-256

hash sha

group 2

lifetime 86400

crypto isakmp policy 65535

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

telnet timeout 5

ssh 10.0.0.0 255.0.0.0 inside

ssh 173.255.x.x255.255.255.255 outside

ssh timeout 5

ssh version 2

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

group-policy VPN2_GROUP internal

group-policy VPN2_GROUP attributes

dns-server value 8.8.8.8

vpn-simultaneous-logins 2

vpn-idle-timeout 180

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

split-tunnel-network-list value VPN-ACCESS

default-domain value x.x

tunnel-group VPN2 type remote-access

tunnel-group VPN2 general-attributes

address-pool THEPOOL

default-group-policy VPN2_GROUP

tunnel-group VPN2 ipsec-attributes

pre-shared-key *****

!

class-map inspection_default

match default-inspection-traffic

!

!            

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect ip-options

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny 

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip 

  inspect xdmcp

  inspect icmp

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

call-home

profile CiscoTAC-1

  no active

  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:4fde47bb39dfdcc58894bbd55559209d