Thank you for your example it was very helpful. This issue I had was it will only accept a network under: IPv4 Split Tunneling Networks. I tried to make a range but it would only allow me to add a network not a range. I was hoping that would work since my VPN range is just a couple of IP’s.

VPN Pool range object: 192.168.1.250-.254

VPN Pool to: 192.168.1.250 - 192.168.1.254

Created NAT Exception Rule for VPN Pool according to your example.

I can ping the inside PC when connected to VPN but not RDP to that PC. I can RDP internally just not through VPN.

I ran packet tracer and it looks like everything it is allowed?? Output is attached.

packet-tracer input inside icmp 192.168.1.250 8 0 192.168.1.5

192.168.1.250 (VPN Pool)

192.168.1.5 (PC on Eth1/2 VLAN 1)

Anything else I can try or is there something I am not doing correctly?

Thank you for your insight,

JJ

@jjevans1 if you notice the packet-tracer output confirms the input and output interfaces are both "inside", which is technically accurate (because they overlap) but not what you want. Don't use the same network for the VPN pool, use another separate network that isn't the inside network, i.e. 192.168.2.0/24. You can then create a network object as 192.168.1.0/24 that represents the inside network and reference this in the split-tunnel configuration. Use these 2 unique networks in the NAT exemption rules.

192.168.1.250 (VPN Pool)

192.168.1.5 (PC on Eth1/2 VLAN 1)
this not work at all, 
the VPN pool must have different subnet than Inside hosts, 
the VPN Pool IP will add to route table as connect direct via OUT not IN interface. 

this is your issue I think 

@jjevans1 the AnyConnect VPN network is on the OUTSIDE, not inside. So your packet-tracer is incorrect, the source interface would be OUTSIDE if the source is 192.168.2.0/24

Your split-tunnel is incorrect, you need to allow the internal network (192.168.1.0/24)

Thank you all,

Changed the Split Tunneling to Allow. Nice catch! Different then on the PeteNetLive example.

Ran new packet trace which is attached.

It looks like the packet is dropped by the default rule on Phase 4. So I think I have to create an Access Control Rule for the VPN Traffic allowing ICMP and RDP???

I really appreciate your patience and insight.

JJ

No need any ACL, 
now use anyconnect user and ping inside and access RDP, all I see is OK now. 
try and share result.

@jjevans1 your Access Control Policy is also incorrect, you don't have a rule from outside to inside.

You need to permit from outside (192.168.2.0/24) to inside (192.168.1.0/24) aswell as the rule from inside (192.168.1.0/24 to outside (192.168.2.0/24).

@MHM Cisco World you do need Access Control rules on FTD, VPN traffic is not permitted as default unlike the ASA.

thanks 

@jjevans1 are you actually connected to the VPN on 192.168.2.1? If so use an IP address in the VPN pool that is not in use and try packet-tracer again - "packet-tracer input outside icmp 192.168.2.22 8 0 192.168.1.5" or just generate real traffic.