06-23-2019 12:37 PM
Hi. I have the following situation.
ASA 5512-X running ASA software 9.8.4 (tried also with 9.10) and on that ASA the following configuration:
- 1 WAN connection - public IP address - direct connection RJ45
- 1 WAN connection - public IP address - via PPPoE
- 1 INSIDE interface
- 1 interface link to a Cisco 6500
- AnyConnect remote VPN access and also IPsec VPN tunnels, both normal IPsec and VTI interfaces over IPsec.
Out of this whole setup I cannot get the hosts on the INSIDE interface to get out on the internet.
AnyConnect is working: you can log in and it also does NAT for the VPN subnet.
The VTI interfaces and the other IPsec tunnels work fine.
Routing to and from the 6500 is perfect as well.
Running packet tracer, it shows the connection being dropped by the implicit rule, but I do have an allow any any rule.
I have checked the inter-interface and intra-interface settings and they are fine. All routing also looks fine, yet no internet access.
I'll add the config below; maybe somebody can give me an idea of what it could be and how to fix it.
Thanks
hostname Asa-VPN
enable password encrypted
passwd encrypted
names
ddns update method http
ddns both
interval maximum 0 0 5 0
!
no mac-address auto
ip local pool VPN-DHCP-Pool 192.168.245.10-192.168.245.25 mask 255.255.255.0
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.x.x.x 255.255.255.224
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/2
nameif cisco6500
security-level 100
ip address 10.254.2.2 255.255.255.252
!
interface GigabitEthernet0/3
description rds
nameif rdspppoe
security-level 0
pppoe client vpdn group rds
pppoe client route distance 10
ip address pppoe setroute
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Tunnel1
nameif Benny-VTI
ip address 10.20.0.1 255.255.255.252
tunnel source interface outside
tunnel destination y.y.y.y
tunnel mode ipsec ipv4
tunnel protection ipsec profile Benny-Profile
!
interface Tunnel2
nameif Alex-VTI
ip address 192.168.60.2 255.255.255.252
tunnel source interface outside
tunnel destination z.z.z.z
tunnel mode ipsec ipv4
tunnel protection ipsec profile alex-proposal
!
boot system disk0:/asa984-smp-k8.bin
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Fri Apr 0:00 last Fri Sep 0:00
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_192.168.245.0_27
subnet 192.168.245.0 255.255.255.224
object network inside-subnet-outside
subnet 10.10.1.0 255.255.255.0
object network vpn-out-main
subnet 192.168.245.0 255.255.255.224
object network xxxxx
subnet 192.168.88.0 255.255.255.0
object network inside-subnet
subnet 10.10.1.0 255.255.255.0
object network inside-subnet-rdspppoe
subnet 10.10.1.0 255.255.255.0
object network vpn-out-rds
subnet 192.168.245.0 255.255.255.224
object network vpn-subnet
subnet 192.168.245.0 255.255.255.224
object network mineri
subnet 10.254.1.0 255.255.255.0
object network xxxxx
subnet 192.168.0.0 255.255.255.0
object network xxxxx
host 79.97.165.193
object network storage
subnet 10.40.255.0 255.255.255.0
object network xxxx
subnet 10.254.5.0 255.255.255.0
object network vps-docker-01
host 10.10.1.5
object network inter-cisco
subnet 10.254.2.0 255.255.255.252
object network docker-01-ccx
host 10.10.1.5
object network outside-ip
host x.x.x.x
object network obj_any
subnet 0.0.0.0 0.0.0.0
object-group network DM_INLINE_NETWORK_3
network-object object gabi
network-object object mineri
object-group network DM_INLINE_NETWORK_1
network-object object xxxx
network-object object mineri
object-group service DM_INLINE_TCP_2 tcp
port-object range 10001 10002
port-object eq 10070
port-object eq 11070
port-object range 13280 13281
port-object eq 15000
port-object eq 16000
port-object eq 1811
port-object eq 2222
port-object eq 26942
port-object eq 26943
port-object eq 61208
port-object eq 8070
port-object eq 8071
access-list outside_access extended permit tcp any4 object vps-docker-01 eq 16000 log debugging
access-list vpn extended permit ip object vpn-subnet any
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list global_access extended permit ip any any log debugging
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object dubai
access-list inside_access_in extended permit ip any any log debugging
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
logging class webvpn console debugging
mtu outside 1500
mtu inside 1500
mtu cisco6500 1500
mtu rdspppoe 1492
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
icmp permit any cisco6500
icmp permit any rdspppoe
asdm image disk0:/asdm-7101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
nat (any,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static dubai dubai no-proxy-arp route-lookup
!
object network inside-subnet-outside
nat (any,outside) dynamic interface
object network vpn-out-main
nat (any,outside) dynamic interface
object network inside-subnet-rdspppoe
nat (inside,rdspppoe) dynamic interface
object network vpn-out-rds
nat (any,rdspppoe) dynamic interface
access-group outside_access in interface outside
access-group inside_access_in in interface inside
access-group global_access global
router bgp 65343
bgp log-neighbor-changes
bgp graceful-restart
timers bgp 10 32 0
address-family ipv4 unicast
neighbor 192.168.60.1 remote-as 34555
neighbor 192.168.60.1 activate
neighbor 192.168.88.1 remote-as 65500
neighbor 192.168.88.1 ebgp-multihop 255
neighbor 192.168.88.1 activate
neighbor 10.20.0.2 remote-as 65000
neighbor 10.20.0.2 ebgp-multihop 10
neighbor 10.20.0.2 timers 10 30 30
neighbor 10.20.0.2 activate
network 10.10.1.0 mask 255.255.255.0
network 10.254.1.0 mask 255.255.255.0
network 10.254.5.0 mask 255.255.255.0
network 10.40.255.0 mask 255.255.255.0
bgp suppress-inactive
no auto-summary
no synchronization
exit-address-family
!
route outside 0.0.0.0 0.0.0.0 x.x.x.129 1 track 1
route cisco6500 10.40.255.0 255.255.255.0 10.254.2.1 1
route cisco6500 10.254.1.0 255.255.255.0 10.254.2.1 1
route cisco6500 10.254.5.0 255.255.255.0 10.254.2.1 1
route Null0 192.168.245.0 255.255.255.224 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication login-history
http server enable 4443
http server idle-timeout 180
http server session-timeout 180
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 outside
sysopt connection tcpmss 1460
sysopt noproxyarp rdspppoe
sla monitor 1
type echo protocol ipIcmpEcho 8.8.8.8 interface outside
sla monitor schedule 1 life forever start-time now
sla monitor 2
type echo protocol ipIcmpEcho 192.168.88.1 interface outside
timeout 1000
frequency 3
sla monitor schedule 2 life forever start-time now
crypto ipsec ikev1 transform-set aes esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set benny esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set alex-transform esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set toxx esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set test-alex esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set test-alex mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec profile alex-test-prop
set ikev1 transform-set test-alex
set pfs group2
set security-association lifetime seconds 1800
crypto ipsec profile Benny-Profile
set ikev1 transform-set benny
set pfs group5
set security-association lifetime kilobytes 10000
set security-association lifetime seconds 3600
crypto ipsec profile alex-proposal
set ikev1 transform-set alex-transform
set pfs group5
set security-association lifetime seconds 3600
crypto ipsec profile toxx-transform
set ikev1 transform-set toxx
set pfs group2
set security-association lifetime seconds 3600
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 94.203.254.169
crypto map outside_map 1 set ikev1 transform-set toxx
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map rdspppoe_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map rdspppoe_map0 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map rdspppoe_map0 interface rdspppoe
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
proxy-ldc-issuer
crl configure
crypto ca trustpoint ASDM_TrustPoint1
keypair ASDM_TrustPoint1
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha256
group 19
prf sha256
lifetime seconds 86400
crypto ikev2 policy 3
encryption aes-256
integrity sha256
group 19
prf sha
lifetime seconds 86400
crypto ikev2 policy 4
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 5
encryption aes-256
integrity sha256
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 6
encryption aes-256 aes-192 aes 3des des
integrity sha md5
group 5 2 1
prf sha
lifetime seconds 86400
crypto ikev2 policy 7
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 86400
crypto ikev2 policy 8
encryption aes-256
integrity sha256
group 14
prf sha256
lifetime seconds 28800
crypto ikev2 policy 9
encryption aes-gcm-256 aes-gcm-192 aes-gcm
integrity null
group 2
prf sha256
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 50
encryption aes
integrity sha256
group 19
prf sha256
lifetime seconds 14400
crypto ikev2 policy 60
encryption aes-256
integrity sha384
group 5
prf sha384
lifetime seconds 3600
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable rdspppoe client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint1
crypto ikev1 enable outside
crypto ikev1 enable rdspppoe
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 160
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
crypto ikev1 policy 200
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto ikev1 policy 202
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto ikev1 policy 210
authentication pre-share
encryption aes
hash sha
group 5
lifetime 28800
!
track 1 rtr 1 reachability
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 50
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0
management-access inside
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcp-client client-id interface outside
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd option 3 ip 192.168.1.1 interface management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint1 outside
ssl trust-point ASDM_TrustPoint1 inside
ssl trust-point ASDM_TrustPoint1 cisco6500
ssl trust-point ASDM_TrustPoint1 rdspppoe
webvpn
enable outside
enable rdspppoe
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-macos-4.7.01076-webdeploy-k9.pkg 3
anyconnect image disk0:/anyconnect-win-4.7.01076-webdeploy-k9.pkg 4
anyconnect profiles vpc_city_client_profile disk0:/vpc_city_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_94.203.254.169 internal
group-policy GroupPolicy_94.203.254.169 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy_vps-city1 internal
group-policy GroupPolicy_vps-city1 attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
default-domain none
split-tunnel-all-dns enable
webvpn
anyconnect mtu 1354
anyconnect profiles value vpc_city_client_profile type user
group-policy toxx-l2tp internal
group-policy toxx-l2tp attributes
vpn-tunnel-protocol l2tp-ipsec
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask enable default webvpn
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect esmtp esmtp_pmap
parameters
no mask-banner
allow-tls
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect netbios
inspect tftp
inspect ip-options
inspect esmtp esmtp_pmap
inspect sip
inspect icmp
inspect ipsec-pass-thru
inspect icmp error
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c58401d194d0d29ecc77f853c8e4eaa0
: end
06-23-2019 01:18 PM
Hello,
I don't see a split tunnel access list anywhere for your inside network. You need to add the below and apply it to your respective group policies:
Asa-VPN(config)# access-list Split-Tunnel standard permit 10.10.1.0 255.255.255.0
Asa-VPN(config)# group-policy toxx-l2tp attributes
Asa-VPN(config-group-policy)# split-tunnel-policy tunnelspecified
Asa-VPN(config-group-policy)# split-tunnel-network-list value Split-Tunnel
Asa-VPN(config)# group-policy GroupPolicy_vps-city1 attributes
Asa-VPN(config-group-policy)# split-tunnel-policy tunnelspecified
Asa-VPN(config-group-policy)# split-tunnel-network-list value Split-Tunnel
06-23-2019 02:41 PM
Please correct me if I am wrong, but the split tunnel I would use to allow remote VPN users access to their respective local networks,
so that will not help with the hosts on my inside network.
Regards,
Alex
06-23-2019 03:26 PM
Hello,
My bad, I misread your post. What do you have in your routing table? Try and disable the NAT entry below. You basically NAT your inside network to both interfaces; try to use just one at a time:
object network inside-subnet-rdspppoe
nat (inside,rdspppoe) dynamic interface
06-24-2019 01:44 AM
Hello,
Or use after-auto NAT for one of the NAT entries:
object network inside-subnet-outside
nat (any,outside) dynamic interface
object network inside-subnet-rdspppoe
nat (inside,rdspppoe) after-auto source dynamic any interface
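The two replies above point at the same thing: the real subnet 10.10.1.0/24 is defined under two object names and each one carries its own dynamic object (auto) NAT rule, and the fix offered is to move one of them into an after-auto (Section 3) rule. As an added example, not code from the thread or from Cisco, the following Python script audits a running-config for exactly that pattern: it parses `object network` blocks and `nat` lines, files each rule into the ASA NAT table section it belongs to (Section 1 manual, Section 2 object/auto, Section 3 after-auto manual), lists the Section 2 evaluation order using Cisco's documented ordering (static before dynamic, fewer real addresses first, then lowest address, then object name), and reports any real block that is translated by more than one dynamic auto NAT rule. The sample configs embedded in the script are constructed from the NAT lines posted above; the parser accepts both indented `show run` output and the unindented form the forum produced.

```python
"""Audit a Cisco ASA running-config for a real subnet that is translated by more
than one object (auto) NAT rule, and show the order in which the ASA would
evaluate Section 2. Added example for this thread; not Cisco code."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in "show run" style, modelled on the object NAT section of
# the configuration posted above.
SAMPLE_CONFIG = """\
object network inside-subnet-outside
 subnet 10.10.1.0 255.255.255.0
object network inside-subnet-rdspppoe
 subnet 10.10.1.0 255.255.255.0
object network vpn-out-main
 subnet 192.168.245.0 255.255.255.224
object network vpn-out-rds
 subnet 192.168.245.0 255.255.255.224
object network vps-docker-01
 host 10.10.1.5
nat (any,outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static dubai dubai no-proxy-arp route-lookup
!
object network inside-subnet-outside
 nat (any,outside) dynamic interface
object network vpn-out-main
 nat (any,outside) dynamic interface
object network inside-subnet-rdspppoe
 nat (inside,rdspppoe) dynamic interface
object network vpn-out-rds
 nat (any,rdspppoe) dynamic interface
"""

# Constructed variant following the last reply: the rdspppoe translation is an
# after-auto (Section 3) manual rule, so 10.10.1.0/24 keeps a single auto NAT rule.
AFTER_AUTO_CONFIG = """\
object network inside-subnet-outside
 subnet 10.10.1.0 255.255.255.0
object network inside-subnet-outside
 nat (any,outside) dynamic interface
nat (inside,rdspppoe) after-auto source dynamic any interface
"""

NAT_RE = re.compile(r"^nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\)\s*(?P<rest>.*)$")
# Lines that may appear inside an "object network" block.
OBJECT_BODY = ("subnet ", "host ", "range ", "fqdn ", "description ", "nat (")


def parse_config(text):
    """Return (objects, rules): object name -> IPv4Network, and NAT rules tagged
    with their NAT table section (1 manual, 2 object/auto, 3 after-auto manual)."""
    objects, rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("object network "):
            current = line.split()[2]
            continue
        m = NAT_RE.match(line)
        if m:
            rest = m["rest"]
            if rest.startswith(("source ", "after-auto ")):   # manual (twice) NAT
                rules.append({"section": 3 if rest.startswith("after-auto ") else 1,
                              "object": None, "real_if": m["real"],
                              "mapped_if": m["mapped"], "kind": "manual"})
                current = None
            elif current:                                     # object (auto) NAT
                rules.append({"section": 2, "object": current, "real_if": m["real"],
                              "mapped_if": m["mapped"], "kind": rest.split()[0]})
            continue
        if current and line.startswith("subnet "):
            _, net, mask = line.split()
            objects[current] = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        elif current and line.startswith("host "):
            objects[current] = ipaddress.ip_network(f"{line.split()[1]}/32")
        elif not line.startswith(OBJECT_BODY):
            current = None                                    # left the object block
    return objects, rules


def section2_order(objects, rules):
    """Section 2 rules in ASA evaluation order: static before dynamic, fewer real
    addresses first, then lowest real address, then object name (Cisco's
    documented ordering)."""
    sec2 = [r for r in rules if r["section"] == 2 and r["object"] in objects]
    return sorted(sec2, key=lambda r: (r["kind"] != "static",
                                       objects[r["object"]].num_addresses,
                                       int(objects[r["object"]].network_address),
                                       r["object"]))


def duplicate_auto_nat(objects, rules):
    """Real blocks carrying more than one dynamic auto NAT rule, keyed by prefix."""
    by_prefix = defaultdict(list)
    for r in rules:
        if r["section"] == 2 and r["kind"] == "dynamic" and r["object"] in objects:
            by_prefix[str(objects[r["object"]])].append(
                f"{r['object']} ({r['real_if']},{r['mapped_if']})")
    return {p: v for p, v in by_prefix.items() if len(v) > 1}


def audit(text):
    """Human-readable findings for the duplicate-auto-NAT check."""
    objects, rules = parse_config(text)
    return [f"{p} translated by {len(v)} auto NAT rules: {', '.join(v)}"
            for p, v in duplicate_auto_nat(objects, rules).items()]


if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, AFTER_AUTO_CONFIG):
        objs, rules = parse_config(cfg)
        print("Section 2 order:", [r["object"] for r in section2_order(objs, rules)])
        for finding in audit(cfg) or ["no real block has more than one auto NAT rule"]:
            print(" ", finding)
```

Run against the first sample it flags both 10.10.1.0/24 and 192.168.245.0/27 (the VPN pool is also translated twice, once per WAN interface); against the after-auto variant it reports nothing, because the rdspppoe rule has moved out of Section 2. The script is a review aid only: it tells you which auto NAT rules compete for the same real addresses, not which one the ASA picks for a given flow, since that also depends on the egress interface found by the route lookup, which is what `packet-tracer` shows.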