
Problem with PAT ASA 5510 IOS 9.1.(3)

zero_cool83
Level 1

Hello guys.

I have a strange problem with ASA 5510 NAT settings.

We have one local network:

object network Local_Office_Network
subnet 172.16.0.0 255.255.248.0
description Local Network

and one ISP: 134.17.5.142

The main problem is when I try to set up PAT to a specific server inside the local network from outside:

object network RocketPAT
nat (inside,mts-out) static interface no-proxy-arp service tcp https 8443

It doesn't work; I always see this in the debug logging:

7 | Nov 29 2019 | 19:45:33 | 710005 | 178.127.193.130 | 56795 | 134.17.5.142 | 8443 | TCP request discarded from 178.127.193.130/56795 to mts-out:134.17.5.142/8443

I will give the main parts of the configuration below:

object network RocketPAT
host 172.16.0.100

...

access-list Beltelecom_access_in extended permit tcp any object Rocket_Server eq https log debugging

...

nat (Wifi,mts-out) source dynamic any interface
nat (any,any) source static VPN VPN destination static Local_Office_Network Local_Office_Network
nat (CORP,inside) source static any any dns no-proxy-arp route-lookup
nat (inside,mts-out) source dynamic any interface
!
object network RocketPAT
nat (inside,mts-out) static interface no-proxy-arp service tcp https 8443

Could you tell me what is wrong? Thanks in advance!

32 Replies

Hello,

Sorry for asking: when you say it doesn't work from home, I guess you are not connected to the ASA through the WebVPN from home?

Hello

Can you try and move the default NAT rule to the end of the NAT config and test again please, keeping your static PAT applied:

no nat (inside,mts-out) source dynamic any interface
nat (inside,mts-out) after-auto source dynamic any interface


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Same behavior:

7 | Dec 01 2019 | 02:10:49 | 710005 | 178.127.181.1 | 56141 | 134.17.5.142 | 8443 | TCP request discarded from 178.127.181.1/56141 to mts-out:134.17.5.142/8443

AnyConnect Portal works fine: https://134.17.5.142/+CSCOE+/logon.html

The following is a complete ASA configuration. Thus, the inside is connected directly to the Catalyst router, where there is a vlan with this IP address. The outside interface receives the address and the static route automatically.

+ NO static routes at all

Gateway of last resort is 134.17.4.1 to network 0.0.0.0

C    172.16.8.0 255.255.255.0 is directly connected, Wifi
C    172.16.0.0 255.255.255.0 is directly connected, inside
S    172.16.100.10 255.255.255.255 [1/0] via 134.17.4.1, mts-out
C    134.17.4.0 255.255.252.0 is directly connected, mts-out
d*   0.0.0.0 0.0.0.0 [1/0] via 134.17.4.1, mts-out

Judging by the packet tracer, any request that comes in on the outside interface does not match the NAT rules.

[screenshot: pt.png]

Result of the command: "sh run"

: Saved
:
ASA Version 9.1(3) 
!
hostname
domain-name 
enable 
names
ip local pool Office_VPN 172.16.100.10-172.16.100.200 mask 255.255.255.0
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0 
!
interface Ethernet0/1
 speed 1000
 nameif mts-out
 security-level 0
 ip address dhcp setroute 
 ipv6 enable
!
interface Ethernet0/2
 nameif Wifi
 security-level 0
 ip address 172.16.8.1 255.255.255.0 
!
interface Ethernet0/3
 shutdown
 nameif CORP
 security-level 0
 ip address 10.0.0.1 255.255.255.0 
!
interface Management0/0
 shutdown
 nameif management
 security-level 100
 ip address dhcp setroute 
!
ftp mode passive
clock timezone EEST 2
clock summer-time EEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns domain-lookup mts-out
dns server-group DefaultDNS
 name-server 172.16.0.254
 domain-name 
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Local_Office_Network
 subnet 172.16.0.0 255.255.255.0
 description Local Network
object network VPN_Minsk
 subnet 172.16.100.0 255.255.255.0
 description VPN_Minsk
object network VPN
 subnet 172.16.100.0 255.255.255.0
object network VPN1
 subnet 172.16.100.0 255.255.255.0
object network SVN-EXT
 host 172.16.0.250
object network obj_172.16.0.250
 host 172.16.0.250
object network SVN-NAT
 host 172.16.0.250
object network SVN_NAT
 host 172.16.0.250
object network RocketChat
 host 172.16.0.100
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_SERVICE_2
 service-object icmp echo
 service-object icmp echo-reply
 service-object icmp6 echo
 service-object icmp6 echo-reply
 service-object icmp6 unreachable
access-list inside_access_in extended permit ip object Local_Office_Network any 
access-list inside_access_in extended permit ip object VPN_Minsk any 
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip any interface CORP 
access-list Beltelecom_access_in extended permit ip any any 
access-list Beltelecom_access_in extended permit tcp any any eq www 
access-list Beltelecom_access_in extended permit object-group DM_INLINE_SERVICE_2 any any 
access-list Beltelecom_access_in extended permit tcp any interface mts-out eq 8443 
access-list Beltelecom_access_in extended permit tcp any interface mts-out eq 8081 
access-list Beltelecom_access_in extended permit tcp any any eq 9000 
access-list Office_Allowed remark Jira/Bamboo/BitBucket
access-list Office_Allowed standard permit 172.16.0.0 255.255.255.0 
access-list Wifi_access_in extended permit ip any any 
access-list nonat_rule extended permit ip 172.16.100.0 255.255.255.0 172.16.0.0 255.255.255.0 
access-list nonat_rule extended permit ip any object VPN_Minsk 
access-list mts-out_access_in extended permit ip any any 
access-list mts-out_access_in extended permit ip any interface mts-out 
access-list mts-out_access_in extended permit object-group TCPUDP any object SVN-EXT eq www 
access-list Sound extended permit ip any object SVN-EXT 
access-list outside-access-inside extended permit tcp any host 172.16.0.250 eq 8080 
access-list sound standard permit host 172.16.0.250 
access-list global_mpc extended permit ip any any 
pager lines 24
logging enable
logging list auth level debugging
logging asdm auth
logging debug-trace
logging class auth asdm informational 
logging class vpn asdm informational 
logging class ssl asdm informational 
flow-export destination inside 172.16.0.115 2055
mtu inside 1500
mtu mts-out 1480
mtu Wifi 1500
mtu CORP 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Wifi,mts-out) source dynamic any interface
nat (CORP,inside) source static any any dns no-proxy-arp route-lookup
!
object network RocketChat
 nat (inside,mts-out) static interface service tcp https 8443 
!
nat (inside,mts-out) after-auto source dynamic any interface
access-group inside_access_in in interface inside
access-group Beltelecom_access_in in interface mts-out
access-group Wifi_access_in in interface Wifi
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map Group_Check
  map-name  memberOf IETF-Radius-Class
dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL 
aaa authentication serial console LOCAL 
aaa authentication ssh console LOCAL 
aaa authentication telnet console LOCAL 
aaa authorization command LOCAL 
http server enable
http 172.16.0.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 mts-out
http 0.0.0.0 0.0.0.0 inside
http redirect mts-out 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt noproxyarp inside
sysopt noproxyarp mts-out
sysopt noproxyarp management
telnet timeout 5
ssh 172.16.0.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
no vpn-addr-assign dhcp
no ipv6-vpn-addr-assign aaa
no ipv6-vpn-addr-assign local
dhcp-client client-id interface management
dhcpd address 172.16.8.10-172.16.8.254 Wifi
dhcpd dns 8.8.8.8 8.8.4.4 interface Wifi
dhcpd enable Wifi
!
dhcpd address 10.0.0.10-10.0.0.100 CORP
dhcpd dns 172.16.0.254 8.8.8.8 interface CORP
dhcpd enable CORP
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 82.209.245.153
ssl encryption aes256-sha1 aes128-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1
ssl trust-point Global_External mts-out
webvpn
 enable mts-out
 anyconnect-essentials
 anyconnect profiles New disk0:/new.xml
 anyconnect enable
 tunnel-group-list enable
 tunnel-group-preference group-url
group-policy SSL_VPN internal
group-policy SSL_VPN attributes
 dns-server value 172.16.0.254
 vpn-simultaneous-logins 10
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Office_Allowed
 default-domain value strikerz-inc.com
 split-tunnel-all-dns disable
 address-pools value Office_VPN
 smartcard-removal-disconnect enable
 webvpn
  anyconnect ssl rekey time none
  anyconnect profiles value New type user
  anyconnect ask none default anyconnect
  customization value DfltCustomization
  always-on-vpn profile-setting
group-policy DfltGrpPolicy attributes
 dns-server value 172.16.0.254
 vpn-tunnel-protocol ikev1 l2tp-ipsec 
 default-domain value strikerz-inc.com
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ssl-clientless
group-policy SOUND internal
group-policy SOUND attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value sound
 webvpn
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information.
username vpnm password Mu2HvbX9xenLqIVHN2gY1A== nt-encrypted
username enerotov password U1oi5DrUcrFD.sS8 encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool (inside) Office_VPN
 address-pool Office_VPN
 default-group-policy SSL_VPN
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool Office_VPN
tunnel-group SSL_VPN type remote-access
tunnel-group SSL_VPN general-attributes
 address-pool (inside) Office_VPN
 address-pool Office_VPN
 authentication-server-group AD LOCAL
 default-group-policy SSL_VPN
tunnel-group SSL_VPN webvpn-attributes
 group-alias strikerz-office enable
tunnel-group SOUND type remote-access
tunnel-group SOUND general-attributes
 address-pool Office_VPN
 authentication-server-group AD
 default-group-policy SOUND
tunnel-group SOUND webvpn-attributes
 group-alias sound enable
!
class-map global-class
 match access-list global_mpc
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
policy-map global-policy
 class global-class
  flow-export event-type all destination 172.16.0.115
!
service-policy global_policy global

: end

Hello


@zero_cool83 wrote:

 (172.16.0.2 is the LAN IP address of the Catalyst master router). Thus, the inside is connected directly to the Catalyst router, where there is a vlan with this IP address.

object network RocketChat
 host 172.16.0.100

Post the config of that Catalyst router (I assume it's an L3 switch).


Kind Regards
Paul

cisco WS-C3750G-24TS-1U config:

sw01-main#sh run
Building configuration...

Current configuration : 3882 bytes
!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname sw01-main
!
boot-start-marker
boot-end-marker
!
enable secret 5 ********************
enable password ********************
!
username ************** privilege 15 password 0 ***************
!
!
no aaa new-model
switch 2 provision ws-c3750g-24ts-1u
system mtu routing 1546
vtp domain Cisco
vtp mode transparent
ip routing
no ip icmp rate-limit unreachable
ip name-server 172.16.0.254
ip dhcp excluded-address 172.16.0.1 172.16.0.159
ip dhcp excluded-address 172.16.0.181 172.16.0.254
!
ip dhcp pool vl105
   import all
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1
   dns-server 172.16.0.254
!
!
!
!
crypto pki trustpoint TP-self-signed-3421512064
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3421512064
 revocation-check none
 rsakeypair TP-self-signed-3421512064
!
!
crypto pki certificate chain TP-self-signed-3421512064
 ........
!
!
!
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
ip ssh source-interface Vlan1
!
!
!
interface GigabitEthernet2/0/1
!
interface GigabitEthernet2/0/2
!
interface GigabitEthernet2/0/3
!
interface GigabitEthernet2/0/4
!
interface GigabitEthernet2/0/5
!
interface GigabitEthernet2/0/6
!
interface GigabitEthernet2/0/7
!
interface GigabitEthernet2/0/8
!
interface GigabitEthernet2/0/9
!
interface GigabitEthernet2/0/10
!
interface GigabitEthernet2/0/11
!
interface GigabitEthernet2/0/12
!
interface GigabitEthernet2/0/13
!
interface GigabitEthernet2/0/14
!
interface GigabitEthernet2/0/15
!
interface GigabitEthernet2/0/16
!
interface GigabitEthernet2/0/17
!
interface GigabitEthernet2/0/18
!
interface GigabitEthernet2/0/19
!
interface GigabitEthernet2/0/20
!
interface GigabitEthernet2/0/21
!
interface GigabitEthernet2/0/22
!
interface GigabitEthernet2/0/23
!
interface GigabitEthernet2/0/24
!
interface GigabitEthernet2/0/25
!
interface GigabitEthernet2/0/26
!
interface GigabitEthernet2/0/27
!
interface GigabitEthernet2/0/28
!
interface Vlan1
 ip address 172.16.0.2 255.255.248.0
!
ip classless
ip route 172.16.0.0 255.255.248.0 172.16.0.1
ip http server
ip http secure-server
!
!
access-list 1 permit any
!
!
!
line con 0
line vty 0 4
 access-class 1 in
 exec-timeout 30 0
 privilege level 15
 password 123456
 login local
 transport preferred ssh
 transport input ssh
line vty 5 15
 password
 login
!
end

Hello

Suggest you make this switch a host switch by disabling ip routing and putting the DHCP scope for this subnet on the ASA, but in the meantime:

no ip route 172.16.0.0 255.255.248.0 172.16.0.1
ip route 0.0.0.0 0.0.0.0 Vlan1 172.16.0.1



Kind Regards
Paul

After adding this (in that order):

object network Rocket
nat (any,mts-out) static interface service tcp 3000 8443
!
nat (inside,mts-out) after-auto source dynamic Local_Office_Network interface
nat (inside,mts-out) after-auto source static any any

Now I can see normal traffic between outside/inside (!!!):

[screenshot: pt4.png]

But I still can't reach it from outside (from my home): http://134.17.5.142:8443/

Interesting picture: I just replaced the outside IP in the packet tracer with my public ("white") IP:

[screenshot: rt_2.png]

Hello

As I have stated, from your OP the static NAT statement for that host was okay, and with that original any any in your NAT ACL it was looking like your static NAT wasn't the problem, even though it wasn't a secure way of doing NAT.

Since then you have added/removed various configuration, so it's hard to understand the current status.

Lastly, you have now shown an L3 device attached on the LAN interface of the ASA which has incorrect routing for a LAN host that resides on the L3 switch.

What needs to be accomplished is that you establish basic connectivity from your LAN through the ASA before anything else.

So to start, change the default of the L3 switch and test the connection to the ASA, and then next to the internet via that dynamic NAT statement I asked you to add. Remove all other additional NAT statements if not required; then we can work through your issue in a defined manner.



Kind Regards
Paul

Hello,

Something is misconfigured in your network. Have a look at the output below:

SW01

ip dhcp pool vl105
   import all
   network 172.16.0.0 255.255.255.0
   default-router 172.16.0.1
   dns-server 172.16.0.254
!
interface Vlan1
 ip address 172.16.0.2 255.255.248.0
!
ip route 172.16.0.0 255.255.248.0 172.16.0.1

ASA

interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
 ospf cost 10
 ospf authentication null

--> There is no IP address 172.16.0.1 on your layer 3 switch. Also, the subnet masks on the firewall and the Vlan 1 interface do not match. The DHCP pool is named vl105; does that mean it is supposed to serve Vlan 105?

I don't know what your topology looks like, but what is the purpose of the layer 3 switch when you only have one Vlan, Vlan 1, configured?

Also, on the ASA, the inside interface has a partial OSPF configuration; what is that for?
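An added example, not code from the thread: a Python cross-check of the addressing the reply above compares by hand (the ASA inside interface, the switch Vlan1 SVI, the vl105 DHCP pool and the switch's static route), generalized into one function that reports each inconsistency. The second, "host switch" case is an assumption modelled on Paul's earlier suggestion (a /24 on Vlan1, ip routing disabled, ASA as gateway).

```python
from ipaddress import ip_address, ip_interface, ip_network


def check_lan_addressing(asa_inside, switch_svi, dhcp_pool, dhcp_gateway,
                         static_routes, ip_routing):
    """Cross-check the ASA inside interface against the L3 switch's SVI, its DHCP pool
    and its static routes. Returns a list of (code, detail); an empty list is consistent."""
    findings = []
    if asa_inside.network != switch_svi.network:
        findings.append(("MASK_MISMATCH",
                         f"ASA inside {asa_inside.network} vs switch SVI {switch_svi.network}"))
    if dhcp_pool != switch_svi.network:
        findings.append(("DHCP_POOL_MISMATCH",
                         f"pool {dhcp_pool} vs switch SVI {switch_svi.network}"))
    if ip_routing and dhcp_gateway != switch_svi.ip:
        # Clients send everything to the gateway they were handed; if that is not the
        # routing switch, none of the switch's routes ever apply to LAN hosts.
        findings.append(("GATEWAY_NOT_ON_SWITCH",
                         f"default-router {dhcp_gateway} is not the switch SVI {switch_svi.ip}"))
    for prefix, nexthop in static_routes:
        if prefix == switch_svi.network:
            # A connected route (AD 0) always beats a static route (AD 1) for the same prefix.
            findings.append(("STATIC_ROUTE_SHADOWED",
                             f"{prefix} via {nexthop} duplicates the connected SVI network"))
        elif nexthop not in switch_svi.network:
            findings.append(("NEXTHOP_NOT_ON_SVI",
                             f"{prefix} via {nexthop}: next hop is outside {switch_svi.network}"))
    return findings


# Values exactly as posted in the thread: ASA "ip address 172.16.0.1 255.255.255.0",
# switch "interface Vlan1 / ip address 172.16.0.2 255.255.248.0", pool vl105 and
# "ip route 172.16.0.0 255.255.248.0 172.16.0.1" with "ip routing" enabled.
THREAD_FINDINGS = check_lan_addressing(
    asa_inside=ip_interface("172.16.0.1/24"),
    switch_svi=ip_interface("172.16.0.2/21"),
    dhcp_pool=ip_network("172.16.0.0/24"),
    dhcp_gateway=ip_address("172.16.0.1"),
    static_routes=[(ip_network("172.16.0.0/21"), ip_address("172.16.0.1"))],
    ip_routing=True,
)

# Assumed host-switch layout (Paul's suggestion): no ip routing, a /24 on Vlan1, ASA as gateway.
HOST_SWITCH_FINDINGS = check_lan_addressing(
    asa_inside=ip_interface("172.16.0.1/24"),
    switch_svi=ip_interface("172.16.0.2/24"),
    dhcp_pool=ip_network("172.16.0.0/24"),
    dhcp_gateway=ip_address("172.16.0.1"),
    static_routes=[],
    ip_routing=False,
)

if __name__ == "__main__":
    for code, detail in THREAD_FINDINGS:
        print(f"{code}: {detail}")
    print("host-switch layout:", HOST_SWITCH_FINDINGS or "consistent")
```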

So, I deleted all the unused NAT rules. Now I see the following picture, where 178.127.181.1 is my home external IP and 172.16.0.100 the internal server:

"packet-tracer input mts-out tcp 178.127.181.1 8888 172.16.0.100 3000"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.16.0.0      255.255.255.0   inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Beltelecom_access_in in interface mts-out
access-list Beltelecom_access_in extended permit tcp any any object-group DM_INLINE_TCP_1 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 8888
 port-object eq 3000
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network RC
 nat (any,mts-out) static interface service tcp 3000 8888 
Additional Information:

Result:
input-interface: mts-out
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Catch it!!!

5 | Dec 01 2019 | 17:47:46 | 305013 | 178.127.181.1 | 8888 | 172.16.0.100 | 3000 | Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src mts-out:178.127.181.1/8888 dst inside:172.16.0.100/3000 denied due to NAT reverse path failure
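As an added example (not code from the thread), a small Python parser for the ASDM log-viewer rows quoted in the original post and in the post above: it takes the nine ASDM columns (severity, date, time, syslog ID, source IP/port, destination IP/port, description) joined with "|", and flags the two NAT-related drop IDs seen here, 710005 and 305013, together with the interface endpoints named in the description. The sample rows are constructed to mirror the thread's lines, plus one ordinary 302013 connection row for contrast.

```python
import re
from dataclasses import dataclass

# ASA syslog message IDs that appear in this thread, with their standard meaning.
NAT_DROP_IDS = {
    710005: "packet addressed to the ASA's own interface IP matched no NAT/xlate and "
            "no service enabled on that interface (to-the-box traffic), so it was discarded",
    305013: "NAT reverse path failure: the forward and reverse flows matched different "
            "(asymmetric) NAT rules",
}

# "<ifname>:<ip>/<port>" tokens inside the description, e.g. "mts-out:134.17.5.142/8443".
IFACE_ENDPOINT_RE = re.compile(r"\b([A-Za-z][\w-]*):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")


@dataclass
class AsaEvent:
    severity: int
    timestamp: str
    msg_id: int
    src: str
    sport: int
    dst: str
    dport: int
    text: str


def parse_asdm_row(line: str) -> AsaEvent:
    """Parse one ASDM log-viewer row whose nine columns are joined with '|'."""
    fields = [f.strip() for f in line.split("|", 8)]
    if len(fields) != 9:
        raise ValueError(f"expected 9 ASDM columns, got {len(fields)}: {line!r}")
    sev, date, time, msg_id, src, sport, dst, dport, text = fields
    return AsaEvent(int(sev), f"{date} {time}", int(msg_id),
                    src, int(sport), dst, int(dport), text)


def interface_endpoints(ev: AsaEvent):
    """Return [(interface, ip, port), ...] named in the description text."""
    return [(i, ip, int(p)) for i, ip, p in IFACE_ENDPOINT_RE.findall(ev.text)]


def nat_drops(lines):
    """Return (event, explanation) for every row whose syslog ID is a NAT-related drop."""
    found = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_asdm_row(line)
        if ev.msg_id in NAT_DROP_IDS:
            found.append((ev, NAT_DROP_IDS[ev.msg_id]))
    return found


# Constructed sample rows mirroring the thread's log lines (plus one normal connection).
SAMPLE_ROWS = """\
7|Nov 29 2019|19:45:33|710005|178.127.193.130|56795|134.17.5.142|8443|TCP request discarded from 178.127.193.130/56795 to mts-out:134.17.5.142/8443
6|Dec 01 2019|02:10:49|302013|172.16.0.100|51234|8.8.8.8|443|Built outbound TCP connection 4711 for mts-out:8.8.8.8/443 (8.8.8.8/443) to inside:172.16.0.100/51234 (134.17.5.142/51234)
5|Dec 01 2019|17:47:46|305013|178.127.181.1|8888|172.16.0.100|3000|Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src mts-out:178.127.181.1/8888 dst inside:172.16.0.100/3000 denied due to NAT reverse path failure
"""

if __name__ == "__main__":
    for ev, why in nat_drops(SAMPLE_ROWS.splitlines()):
        print(f"{ev.timestamp} %ASA-{ev.severity}-{ev.msg_id} "
              f"{ev.src}:{ev.sport} -> {ev.dst}:{ev.dport}")
        print(f"  interfaces: {interface_endpoints(ev)}")
        print(f"  why: {why}")
```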

On the switch:

no ip routing
!
interface Vlan1
 ip address 172.16.0.2 255.255.255.0
!
ip default-gateway 172.16.0.1

On the PC: static IP address



Kind Regards
Paul

Did it. It didn't help.

interface Vlan1
ip address 172.16.0.2 255.255.248.0
no ip route-cache
!
ip default-gateway 172.16.0.1

I added a rule as recommended:

nat (any,any) after-auto source static any Local_Office_Network destination static Local_Office_Network Local_Office_Network no-proxy-arp

and visually everything is OK:

[screenshot: prt6.png]

But I still get this from my home PC:

[screenshot: Screenshot_2.png]

I have no options left)
