AnyConnect Client not able to access inside network

I have created a new AnyConnect Profile using the Wizard and I am unable to access any of the networks once connected. The VPN Profile is SSL and the IP pool is called remotessl. What is wrong with my setup please? When I connect I am assigned IP address 10.11.1.2. I have enabled split tunneling and listed the networks that can be tunneled. I need to access all the networks starting with 172.

Result of the command: "show config"

: Saved

!
ASA Version 8.4(2) 
!

no names
name 172.26.0.32 DEMO.ILYNQ.COM_InternalIP description Used in NAT rule for port redir of pts 81 and 3389
name 172.26.0.33 DEMO2.ILYNQ.COM_InternalIP description Used in NAT rule pt 82 redirection
name 172.26.0.28 RDP_Destination1_InternalIP description Used in NAT rule to port redirect pt 3389
name 172.26.0.31 RDP_Destination2_InternalIP description RDP_Destination2_InternalIP
name 172.26.0.26 UKFS_InternalIP description Used in NAT rule to port redirect FTP pt 21
name 172.26.0.29 UKSUPP1_InternalIP description Used in NAT rule for PT80 web support
name 92.237.118.233 VIRGIN_ISP_Gateway
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 32
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
!
interface Vlan12
 nameif inside
 security-level 100
 ip address 172.26.0.1 255.255.255.0 
!
interface Vlan32
 nameif outside_Arena
 security-level 0
 ip address 95.130.99.137 255.255.255.240 
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name lynq.co.uk
same-security-traffic permit intra-interface
object network obj-172.26.0.0
 subnet 172.26.0.0 255.255.255.0
object network obj-172.29.0.0
 subnet 172.29.0.0 255.255.255.0
object network obj-172.27.0.0
 subnet 172.27.0.0 255.255.255.0
object network obj-172.23.0.0
 subnet 172.23.0.0 255.255.255.0
object network obj-172.25.0.0
 subnet 172.25.0.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.252.0
object network obj-10.100.100.0
 subnet 10.100.100.0 255.255.255.0
object network obj-172.22.0.0
 subnet 172.22.0.0 255.255.255.0
object network obj-192.168.40.0
 subnet 192.168.40.0 255.255.255.0
object network obj-172.20.0.0
 subnet 172.20.0.0 255.255.255.0
object network DEMO2.ILYNQ.COM_InternalIP
 host 172.26.0.33
object network obj-92.237.118.236
 host 92.237.118.236
object service obj-tcp-source-eq-80
 service tcp source eq www 
object service obj-tcp-source-eq-21
 service tcp source eq ftp 
object network obj-172.26.0.132
 host 172.26.0.132
object network obj-92.237.118.237
 host 92.237.118.237
object service obj-tcp-source-eq-3389
 service tcp source eq 3389 
object network obj-172.26.0.107
 host 172.26.0.107
object network obj-92.237.118.238
 host 92.237.118.238
object network DEMO.ILYNQ.COM_InternalIP
 host 172.26.0.32
object network obj-92.237.118.235
 host 92.237.118.235
object network BT_ISP_Gateway
 host 81.138.134.30
 description BT ISP Router
object network obj-172.26.0.26
 host 172.26.0.26
 description FTP server
object service ftp
 service tcp source eq ftp destination range 1 65535 
object network BT_NatHidingStaticIP
 host 81.138.134.25
object network 172.26.0.152
 host 172.26.0.152
 description PH Fendi Demo laptop
object network ukfs
 host 172.26.0.26
 description Used in NAT rule to port redirect FTP pt 21
object network NETWORK_OBJ_172.26.0.0_24
 subnet 172.26.0.0 255.255.255.0
object network NETWORK_OBJ_172.30.0.0_24
 subnet 172.30.0.0 255.255.255.0
object network NETWORK_OBJ_172.31.0.0_25
 subnet 172.31.0.0 255.255.255.128
object network obj-172.30.0.0
 subnet 172.30.0.0 255.255.255.0
object network NETWORK_OBJ_172.31.0.192_26
 subnet 172.31.0.192 255.255.255.192
object network NETWORK_OBJ_192.168.50.0_26
 subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_10.0.0.0_28
 subnet 10.0.0.0 255.255.255.240
object network NETWORK_OBJ_10.11.1.0_27
 subnet 10.11.1.0 255.255.255.224
object service FendiRDP
 service tcp source eq 3389 
object network Obj_FendiRDP
 host 172.26.0.19
object network UKBK
 host 172.26.0.15
object network 172.26.0.19
 host 172.26.0.19
object service 8080
 service tcp source eq 8080 destination eq 8080 
object network Clarke-Aruba
 subnet 172.31.0.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 3390
 port-object eq 81
 port-object eq 82
 port-object eq ftp
 port-object eq www
object-group network DM_INLINE_NETWORK_2
 network-object host 92.237.118.235
 network-object host 92.237.118.236
 network-object host 92.237.118.237
 network-object host 92.237.118.238
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 3389
 port-object eq 81
 port-object eq 82
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 3389
 port-object eq www
object-group network DM_INLINE_NETWORK_3
 network-object object obj-172.20.0.0
 network-object object obj-172.29.0.0
 network-object object obj-192.168.40.0
 network-object object obj-172.23.0.0
 network-object object obj-172.25.0.0
 network-object object obj-10.100.100.0
 network-object object obj-172.22.0.0
 network-object object obj-192.168.0.0
 network-object object obj-172.27.0.0
 network-object object obj-172.30.0.0
 network-object object Clarke-Aruba
object-group icmp-type DM_INLINE_ICMP_5
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_3
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_4
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_1
 network-object 172.27.0.0 255.255.255.0
 network-object object obj-172.20.0.0
 network-object object obj-172.29.0.0
 network-object object obj-192.168.40.0
object-group network DM_INLINE_NETWORK_4
 network-object 172.30.0.0 255.255.255.0
 network-object object Clarke-Aruba
object-group network DM_INLINE_NETWORK_5
 network-object object Clarke-Aruba
 network-object object NETWORK_OBJ_172.30.0.0_24
object-group network DM_INLINE_NETWORK_6
 network-object object obj-172.20.0.0
 network-object object obj-172.22.0.0
 network-object object obj-172.23.0.0
 network-object object obj-172.25.0.0
 network-object object obj-172.26.0.0
 network-object object obj-172.27.0.0
 network-object object obj-172.30.0.0
access-list inside_nat_outbound extended permit ip 172.26.0.0 255.255.255.0 any 
access-list inside_access_in extended permit ip 172.26.0.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list inside_access_in extended permit tcp any any 
access-list dmz_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 172.23.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 172.25.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 192.168.0.0 255.255.252.0 
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 10.100.100.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 172.22.0.0 255.255.255.0 
access-list outside_Arena_cryptomap extended permit ip 172.26.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list outside_virgin_isp_access_in extended permit icmp any any object-group DM_INLINE_ICMP_3 
access-list outside_virgin_isp_cryptomap_1 extended permit ip 172.26.0.0 255.255.255.0 172.23.0.0 255.255.255.0 
access-list outside_bt_isp_access_in extended permit icmp any any object-group DM_INLINE_ICMP_5 
access-list outside_bt_isp_access_in extended permit tcp any any eq ftp 
access-list outside_virgin_isp_access_in_1 extended permit icmp any any object-group DM_INLINE_ICMP_4 
access-list outside_virgin_isp_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any 192.168.0.0 255.255.252.0 
access-list outside_virgin_isp_access_in_1 extended permit ip host 80.88.92.106 any 
access-list outside_virgin_isp_access_in_1 extended permit icmp any any 
access-list outside_virgin_isp_access_in_1 extended permit object obj-tcp-source-eq-3389 any interface outside_Arena 
access-list outside_virgin_isp_access_in_1 extended permit object obj-tcp-source-eq-3389 object 172.26.0.19 any 
access-list outside_virgin_isp_cryptomap_2 extended permit ip 172.26.0.0 255.255.255.0 object obj-10.100.100.0 
access-list outside_Arena_cryptomap_1 extended permit ip 172.26.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 
access-list NAT-EXEMPT extended permit ip 172.26.0.0 255.255.255.0 10.11.1.0 255.255.255.0 
access-list NONAT extended permit ip 172.26.0.0 255.255.255.0 10.11.1.0 255.255.255.0 inactive 
access-list local_lan_access standard permit 172.27.0.0 255.255.255.0 
access-list local_lan_access standard permit 172.26.0.0 255.255.255.0 
access-list local_lan_access standard permit 172.30.0.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside_Arena 1500
ip local pool UKSSLUsers 172.31.0.200-172.31.0.240 mask 255.255.255.0
ip local pool AnyConnect 192.168.50.20-192.168.50.40 mask 255.255.255.0
ip local pool net-10 10.0.0.1-10.0.0.10 mask 255.255.255.0
ip local pool remotessl 10.11.1.2-10.11.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
nat (inside,outside_Arena) source static obj-172.26.0.0 obj-172.26.0.0 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp
nat (inside,outside_Arena) source dynamic obj-172.26.0.0 interface
nat (inside,outside_Arena) source static NETWORK_OBJ_172.26.0.0_24 NETWORK_OBJ_172.26.0.0_24 destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp route-lookup
nat (inside,outside_Arena) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static NETWORK_OBJ_10.11.1.0_27 NETWORK_OBJ_10.11.1.0_27 no-proxy-arp route-lookup
!
object network Obj_FendiRDP
 nat (inside,outside_Arena) static interface service tcp 3389 3389 
access-group inside_access_in in interface inside
access-group outside_virgin_isp_access_in_1 in interface outside_Arena
route outside_Arena 0.0.0.0 0.0.0.0 95.130.99.129 180
route outside_Arena 172.20.0.0 255.255.255.0 95.130.99.129 1
route outside_Arena 172.23.0.0 255.255.255.0 95.130.99.129 1
route outside_Arena 172.26.0.19 255.255.255.255 95.130.99.129 1
route outside_Arena 172.27.0.0 255.255.255.0 95.130.99.129 1
route outside_Arena 172.30.0.0 255.255.255.0 95.130.99.129 1
route outside_Arena 192.168.0.0 255.255.252.0 95.130.99.129 1
route outside_Arena 193.120.165.154 255.255.255.255 95.130.99.129 1
route outside_Arena 194.44.55.5 255.255.255.255 95.130.99.129 1
route outside_Arena 194.44.136.114 255.255.255.255 95.130.99.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable 8443
http 172.26.0.0 255.255.255.0 inside
http 194.44.136.114 255.255.255.255 outside_Arena
http 193.120.165.154 255.255.255.255 outside_Arena
http 194.44.55.0 255.255.255.0 outside_Arena
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1350
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_virgin_isp_map 1 match address outside_Arena_cryptomap
crypto map outside_virgin_isp_map 1 set peer 193.120.165.154 
crypto map outside_virgin_isp_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_virgin_isp_map 2 match address outside_Arena_cryptomap_1
crypto map outside_virgin_isp_map 2 set pfs 
crypto map outside_virgin_isp_map 2 set peer 80.88.92.105 
crypto map outside_virgin_isp_map 2 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto map outside_virgin_isp_map 5 match address outside_virgin_isp_cryptomap_1
crypto map outside_virgin_isp_map 5 set peer 194.44.136.114 
crypto map outside_virgin_isp_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_virgin_isp_map 6 match address outside_virgin_isp_cryptomap_2
crypto map outside_virgin_isp_map 6 set peer 212.87.74.171 
crypto map outside_virgin_isp_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_virgin_isp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_virgin_isp_map interface outside_Arena
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn vpnuk.lynq.co.uk
 subject-name CN=LYNQUKASA
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 5b0ba155
    308201e1 3082014a a0030201 0202045b 0ba15530 0d06092a 864886f7 0d010105 
    05003035 31123010 06035504 0313094c 594e5155 4b415341 311f301d 06092a86 
    4886f70d 01090216 1076706e 756b2e6c 796e712e 636f2e75 6b301e17 0d313530 
    37323231 30323635 395a170d 32353037 31393130 32363539 5a303531 12301006 
    03550403 13094c59 4e51554b 41534131 1f301d06 092a8648 86f70d01 09021610 
    76706e75 6b2e6c79 6e712e63 6f2e756b 30819f30 0d06092a 864886f7 0d010101 
    05000381 8d003081 89028181 00b34b55 c66162ec f3fb376f 9f24491e a71b931e 
    3332434d f826ed42 ea1620fb 4cfa0ee1 6080fb0c e1b3470e 1a6b8bc2 8f7234c6 
    e65616e3 362bea14 9f45f49d 5f919c14 1f98986b a579b466 21149480 3b75ebe9 
    826116a0 92811587 1cffb55a 895a4a52 e2b5243c 1dccfe5d 3347a8f6 55235e2f 
    990a4f09 0cb3af08 34f538fa 21020301 0001300d 06092a86 4886f70d 01010505 
    00038181 0055e50c def67359 c835c88a 69527106 1272ca5f c1834613 4bbe4d9c 
    4fb0c526 b79b7836 257a38ff 11550295 ef0c54ad 71fcd7ed d030d150 6a4ddc80 
    6068b088 de6c656f 0591223d e03d93de 04191ab6 3280332a 5cb2e489 e0aabf4c 
    b92c609a 87d5d784 7119f96b f004005c 717877fc 66bd8abc fd6d8a5d 11f2ff23 
    3a9059ed be
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside_Arena client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside_Arena
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
!
track 1 rtr 123 reachability
!
track 100 rtr 1 reachability
telnet 172.26.0.0 255.255.255.0 inside
telnet 172.26.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.26.0.0 255.255.255.0 inside
ssh 194.44.136.114 255.255.255.255 outside_Arena
ssh 193.120.165.154 255.255.255.255 outside_Arena
ssh 194.44.55.0 255.255.255.0 outside_Arena
ssh timeout 30
console timeout 0
vpdn group BTFibre request dialout pppoe
vpdn group BTFibre localname D203277@hg52.btclick.com
vpdn group BTFibre ppp authentication chap
vpdn group btpppoe request dialout pppoe
vpdn group btpppoe localname D203277@hg52.btclick.com
vpdn group btpppoe ppp authentication pap
vpdn group bt_pppoe request dialout pppoe
vpdn group bt_pppoe localname D203277@hg52.btclick.com
vpdn group bt_pppoe ppp authentication pap
vpdn group PPPOE_BT request dialout pppoe
vpdn group PPPOE_BT localname D203277@hg52.btclick.com
vpdn group PPPOE_BT ppp authentication pap
vpdn group BTDSL request dialout pppoe
vpdn group BTDSL localname D203277@hg52.btclick.com
vpdn group BTDSL ppp authentication pap
vpdn group D203277@hg52.btclick.com request dialout pppoe
vpdn group D203277@hg52.btclick.com localname D203277@hg52.btclick.com
vpdn group D203277@hg52.btclick.com ppp authentication chap
vpdn username D203277@hg52.btclick.com password password1 store-local
vpdn username 01329221836@talktalkbusiness.net password J7R5K6F2J6 store-local

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 65.55.56.206
tftp-server inside 172.26.0.26 \
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside_Arena
webvpn
 enable inside
 enable outside_Arena
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 wins-server none
 dns-server value 172.26.0.25
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value local_lan_access
 default-domain value lynq.co.uk
 vlan none
group-policy GroupPolicy_80.88.92.105 internal
group-policy GroupPolicy_80.88.92.105 attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_194.44.136.114 internal
group-policy GroupPolicy_194.44.136.114 attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_193.120.165.154 internal
group-policy GroupPolicy_193.120.165.154 attributes
 vpn-tunnel-protocol ikev1 
username tdb.admin password 66rOScYvr6BoMfol encrypted privilege 15
username paul.synnott password 3UDjotP6R7/M6C0B encrypted privilege 15
username sarah.kingswell password 5XyGsYkEdLoWOQiY encrypted privilege 15
username pete.hayes password aKXo6uAmPQjnwJ6q encrypted
username taras.chuhay password Yxj1fcjQ/tmX15oH encrypted privilege 15
username sean.timmins password ChKbOC6xl/qpg0kj encrypted privilege 15
username ciaran.raftery password 7IlPp0OBHDtzh4gY encrypted privilege 15
username colm.admin password 2MIbxjKQswsLMY/w encrypted privilege 15
tunnel-group 193.120.165.154 type ipsec-l2l
tunnel-group 193.120.165.154 general-attributes
 default-group-policy GroupPolicy_193.120.165.154
tunnel-group 193.120.165.154 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 194.44.136.114 type ipsec-l2l
tunnel-group 194.44.136.114 general-attributes
 default-group-policy GroupPolicy_194.44.136.114
tunnel-group 194.44.136.114 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 212.87.74.171 type ipsec-l2l
tunnel-group 212.87.74.171 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 80.88.92.105 type ipsec-l2l
tunnel-group 80.88.92.105 general-attributes
 default-group-policy GroupPolicy_80.88.92.105
tunnel-group 80.88.92.105 ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool remotessl
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 group-alias SSL enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:c6d2a78f6e09c4fb2e323bff5fe6a32b

Marvin Rhoads
Hall of Fame

Your VPN clients are being assigned addresses in the range 10.11.1.2-20 per the following:

ip local pool remotessl 10.11.1.2-10.11.1.20 mask 255.255.255.0 

tunnel-group SSL general-attributes
 address-pool remotessl

You are exempting from NAT networks per the following line:

nat (inside,outside_Arena) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static NETWORK_OBJ_10.11.1.0_27 NETWORK_OBJ_10.11.1.0_27 no-proxy-arp route-lookup

"DM_INLINE_NETWORK_6" includes the following:

object-group network DM_INLINE_NETWORK_6
 network-object object obj-172.20.0.0
 network-object object obj-172.22.0.0
 network-object object obj-172.23.0.0
 network-object object obj-172.25.0.0
 network-object object obj-172.26.0.0
 network-object object obj-172.27.0.0
 network-object object obj-172.30.0.0

So that all looks OK.

Unless I'm missing something, I don't see a route statement for anything inside and you're not running a dynamic routing protocol. So, from that, the ASA would only know about the connected inside subnet, 172.16.26.0/24. 

Marvin, thanks for your detailed reply. I am not sure I understand what you mean by this subnet 172.16.26.0/24? How do I fix the issue with the dynamic routing protocol and the route statement?

Your ASA needs a route defined to know to use the inside interface for the 172.x.x.x subnets. Or do you mean for your remote clients to reach the ones that are connected via the outside_Arena interface?

It knows that 172.16.26.0 is connected to the inside interface, but any other inside ones are not included in any route statements, so the default route via outside_Arena will be used.

Where are the subnets you want to reach - behind inside interface or behind outside_Arena interface?

Okay thanks, I understand what you are saying now.

Subnet 172.26.0.0 is connected to the inside interface. All other subnets are behind the outside_Arena interface. I have a site-to-site VPN to another ASA 5505 in site B to reach subnets

 network-object object obj-172.20.0.0
 network-object object obj-172.22.0.0
 network-object object obj-172.23.0.0
 network-object object obj-172.25.0.0
 network-object object obj-172.27.0.0

and another site-to-site VPN to a vShield Edge Gateway for subnet

 network-object object obj-172.30.0.0

When connected to subnet 172.26.0.0 internally I have access to all these subnets. 

All the subnets which are accessible via the 2nd ASA 5505 in site B are being migrated to where 172.30.0.0 is situated, but temporarily I need to give users access whilst the migration work is being completed. Once migration has finished I only care about 172.30.0.0 and a new subnet 172.31.0.0.

Ah OK. I think I understand. You have remote access VPN clients whose traffic needs to "hairpin" and reach networks that are connected via site-to-site VPN.

In this use case you need to have "nat(outside_Arena,outside_Arena)" statements as the remote access VPN clients are considered as being on the outside interface for NAT purposes of outbound traffic. See this TAC document for a more detailed explanation.

Modify your final NAT statement as follows:

nat (outside_Arena,outside_Arena) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static NETWORK_OBJ_10.11.1.0_27 NETWORK_OBJ_10.11.1.0_27 no-proxy-arp route-lookup

Thank you, I will give that a go.

Can I just issue that command in the CLI to modify the existing statement?

Sure, cli works fine.

First a "no..." on the existing statement and then add the replacement.

We also recommend "clear xlate" whenever we make a NAT change.

Sorry to sound a bit daft, but what do you mean by "First a "no..." on existing"? This is my first time configuring this type of device and I bet I will break it ;-/

No worries, it can be daunting at first.

The existing line you have is:

nat (inside,outside_Arena) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static NETWORK_OBJ_10.11.1.0_27 NETWORK_OBJ_10.11.1.0_27 no-proxy-arp route-lookup

That's incorrect since both the source and destination are on the outside_Arena interface.

That needs to be removed, the new command entered, and the translation table cleared (to remove any stale entries that might have been using the old rule).

So enter the following (in configure mode):

no nat (inside,outside_Arena) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static NETWORK_OBJ_10.11.1.0_27 NETWORK_OBJ_10.11.1.0_27 no-proxy-arp route-lookup

nat (outside_Arena,outside_Arena) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static NETWORK_OBJ_10.11.1.0_27 NETWORK_OBJ_10.11.1.0_27 no-proxy-arp route-lookup

clear xlate
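The checks below are an example added by the editor; they are not code from the thread, from Marvin's reply or from Cisco, and they stand in for the packet-tracer you would otherwise run on the box. The script embeds a trimmed copy of the objects, ACLs and NAT lines posted in the first message (the FIXED_NAT string is the replacement line from the reply above, kept separate so the before and after states can be compared) and a constructed hairpin flow from AnyConnect client 10.11.1.2 towards 172.30.0.5, which the posted route statements send back out outside_Arena. The NAT matching is a deliberate simplification of the ASA's: interface pair, source and destination, rules tried in listed order, and a static twice-NAT rule matched in both directions. For the flow it reports which manual NAT rule is hit before and after the change, whether the destination is in the local_lan_access split-tunnel list the first post relies on, and whether the flow matches outside_Arena_cryptomap_1, the crypto ACL that defines interesting traffic for the 172.30.0.0/24 tunnel and which, as posted, names only 172.26.0.0/24 as the local side.

```python
"""Editor-added model (not from the thread, Marvin or Cisco) of how ASA 8.4 picks
a manual NAT rule for a hairpinned AnyConnect flow. CONFIG is a trimmed copy of the
objects, ACLs and NAT lines posted above; the flow 10.11.1.2 -> 172.30.0.5 is a
constructed sample. Matching is simplified to interface pair, addresses, listed order
and static twice-NAT applying in both directions (no sections, 'any' or proxy-arp)."""
import ipaddress
import re

CONFIG = """\
object network obj-172.26.0.0
 subnet 172.26.0.0 255.255.255.0
object network obj-172.20.0.0
 subnet 172.20.0.0 255.255.255.0
object network obj-172.30.0.0
 subnet 172.30.0.0 255.255.255.0
object network NETWORK_OBJ_10.11.1.0_27
 subnet 10.11.1.0 255.255.255.224
object-group network DM_INLINE_NETWORK_4
 network-object 172.30.0.0 255.255.255.0
object-group network DM_INLINE_NETWORK_6
 network-object object obj-172.20.0.0
 network-object object obj-172.26.0.0
 network-object object obj-172.30.0.0
access-list outside_Arena_cryptomap_1 extended permit ip 172.26.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_4
access-list local_lan_access standard permit 172.27.0.0 255.255.255.0
access-list local_lan_access standard permit 172.26.0.0 255.255.255.0
access-list local_lan_access standard permit 172.30.0.0 255.255.255.0
nat (inside,outside_Arena) source dynamic obj-172.26.0.0 interface
nat (inside,outside_Arena) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static NETWORK_OBJ_10.11.1.0_27 NETWORK_OBJ_10.11.1.0_27 no-proxy-arp route-lookup
"""
FIXED_NAT = ("nat (outside_Arena,outside_Arena) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 "
             "destination static NETWORK_OBJ_10.11.1.0_27 NETWORK_OBJ_10.11.1.0_27 no-proxy-arp route-lookup\n")
NAT_RE = re.compile(r"nat \((\S+),(\S+)\) source (static|dynamic) (\S+) \S+"
                    r"(?: destination static (\S+) \S+)?")

def ipn(addr, mask="255.255.255.255"):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def endpoint(tok):
    """Consume one ACL endpoint: any | object X | object-group X | ADDR MASK."""
    if tok[0] == "any":
        return ["any"], tok[1:]
    if tok[0] in ("object", "object-group"):
        return [tok[1]], tok[2:]
    return [ipn(tok[0], tok[1])], tok[2:]

def parse(text):
    """names: object/group -> [network | nested name]; nats: (real_ifc, mapped_ifc,
    is_static, real_src, real_dst) in listed order; acls: name -> [(src, dst)]."""
    names, nats, acls, cur = {}, [], {}, None
    for line in text.splitlines():
        w = line.split()
        if line.startswith(" "):                             # body of an object/group
            if cur and w and w[0] in ("subnet", "host", "network-object"):
                a = [t for t in w[1:] if t != "host"]       # 'host A' -> [A]
                names[cur].append(a[1] if a[0] == "object" else ipn(*a))
            continue
        cur = w[2] if w[:2] in (["object", "network"], ["object-group", "network"]) else None
        if cur:
            names[cur] = []
        elif line.startswith("nat "):
            m = NAT_RE.match(line)
            nats.append((m[1], m[2], m[3] == "static", m[4], m[5]))
        elif line.startswith("access-list ") and w[2] == "standard":   # split-tunnel list
            acls.setdefault(w[1], []).append((["any"], [ipn(w[4], w[5])]))
        elif line.startswith("access-list ") and w[4] == "ip":         # permit ip SRC DST
            src, rest = endpoint(w[5:])
            acls.setdefault(w[1], []).append((src, endpoint(rest)[0]))
    return names, nats, acls

def contains(names, spec, addr):
    """True if addr is covered by spec, resolving object/group names recursively."""
    return any(item == "any" or contains(names, names[item], addr) if isinstance(item, str)
               else addr in item for item in spec)

def nat_match(names, nats, ingress, egress, src, dst):
    """First rule fitting the flow; static rules are also tried in the mirrored direction."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rin, rout, static, rsrc, rdst in nats:
        fwd = (rin, rout) == (ingress, egress) and contains(names, [rsrc], src) \
            and (rdst is None or contains(names, [rdst], dst))
        rev = static and rdst is not None and (rout, rin) == (ingress, egress) \
            and contains(names, [rdst], src) and contains(names, [rsrc], dst)
        if fwd or rev:
            return f"nat ({rin},{rout}) {rsrc} <-> {rdst or 'any'}"
    return None

def acl_match(names, acls, acl, src, dst):
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(contains(names, s, src) and contains(names, d, dst) for s, d in acls[acl])

def audit(config, src="10.11.1.2", dst="172.30.0.5"):
    """Client traffic is decapsulated on outside_Arena and the posted route for
    172.30.0.0/24 points back out outside_Arena, so ingress == egress for the hairpin."""
    names, nats, acls = parse(config)
    return {
        "nat_rule": nat_match(names, nats, "outside_Arena", "outside_Arena", src, dst),
        "in_split_tunnel_list": acl_match(names, acls, "local_lan_access", src, dst),
        "matches_crypto_acl": acl_match(names, acls, "outside_Arena_cryptomap_1", src, dst),
    }
```

Calling audit(CONFIG) and then audit(CONFIG + FIXED_NAT) shows the exemption going from no match to a match on the (outside_Arena,outside_Arena) rule, which is the change the reply above describes. Two other results are worth a look if the rewrite alone does not help: matches_crypto_acl stays False in both states, because the posted crypto ACL only covers 172.26.0.0/24 as the local side, so traffic from the 10.11.1.0 pool is not interesting traffic for the 172.30.0.0/24 tunnel as configured; and audit(CONFIG + FIXED_NAT, dst="172.20.0.5") reports the destination missing from the split-tunnel list, which currently names only 172.26, 172.27 and 172.30. Because rules are tried in listed order, the model also shows an inside-initiated flow towards the pool landing on the source dynamic ... interface PAT line, which sits above the exemption in the posted config.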

Thanks Marvin

You have been most helpful and patient. I will try this tonight.

Unfortunately this hasn't worked. I am not sure if I have done something wrong. I did not run all the commands in one go but individually?? See, told you I could break it! Does it look right?

Result of the command: "show config"

: Saved
: Written by sarah.kingswell at 20:42:08.718 GMT/BDT Mon Aug 10 2015
!
ASA Version 8.4(2) 
!

no names
name 172.26.0.32 DEMO.ILYNQ.COM_InternalIP description Used in NAT rule for port redir of pts 81 and 3389
name 172.26.0.33 DEMO2.ILYNQ.COM_InternalIP description Used in NAT rule pt 82 redirection
name 172.26.0.28 RDP_Destination1_InternalIP description Used in NAT rule to port redirect pt 3389
name 172.26.0.31 RDP_Destination2_InternalIP description RDP_Destination2_InternalIP
name 172.26.0.26 UKFS_InternalIP description Used in NAT rule to port redirect FTP pt 21
name 172.26.0.29 UKSUPP1_InternalIP description Used in NAT rule for PT80 web support
name 92.237.118.233 VIRGIN_ISP_Gateway
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 32
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
 switchport access vlan 12
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
!
interface Vlan12
 nameif inside
 security-level 100
 ip address 172.26.0.1 255.255.255.0 
!
interface Vlan32
 nameif outside_Arena
 security-level 0
 ip address 95.130.99.137 255.255.255.240 
!
boot system disk0:/asa842-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name lynq.co.uk
same-security-traffic permit intra-interface
object network obj-172.26.0.0
 subnet 172.26.0.0 255.255.255.0
object network obj-172.29.0.0
 subnet 172.29.0.0 255.255.255.0
object network obj-172.27.0.0
 subnet 172.27.0.0 255.255.255.0
object network obj-172.23.0.0
 subnet 172.23.0.0 255.255.255.0
object network obj-172.25.0.0
 subnet 172.25.0.0 255.255.255.0
object network obj-192.168.0.0
 subnet 192.168.0.0 255.255.252.0
object network obj-10.100.100.0
 subnet 10.100.100.0 255.255.255.0
object network obj-172.22.0.0
 subnet 172.22.0.0 255.255.255.0
object network obj-192.168.40.0
 subnet 192.168.40.0 255.255.255.0
object network obj-172.20.0.0
 subnet 172.20.0.0 255.255.255.0
object network DEMO2.ILYNQ.COM_InternalIP
 host 172.26.0.33
object network obj-92.237.118.236
 host 92.237.118.236
object service obj-tcp-source-eq-80
 service tcp source eq www 
object service obj-tcp-source-eq-21
 service tcp source eq ftp 
object network obj-172.26.0.132
 host 172.26.0.132
object network obj-92.237.118.237
 host 92.237.118.237
object service obj-tcp-source-eq-3389
 service tcp source eq 3389 
object network obj-172.26.0.107
 host 172.26.0.107
object network obj-92.237.118.238
 host 92.237.118.238
object network DEMO.ILYNQ.COM_InternalIP
 host 172.26.0.32
object network obj-92.237.118.235
 host 92.237.118.235
object network BT_ISP_Gateway
 host 81.138.134.30
 description BT ISP Router
object network obj-172.26.0.26
 host 172.26.0.26
 description FTP server
object service ftp
 service tcp source eq ftp destination range 1 65535 
object network BT_NatHidingStaticIP
 host 81.138.134.25
object network 172.26.0.152
 host 172.26.0.152
 description PH Fendi Demo laptop
object network ukfs
 host 172.26.0.26
 description Used in NAT rule to port redirect FTP pt 21
object network NETWORK_OBJ_172.26.0.0_24
 subnet 172.26.0.0 255.255.255.0
object network NETWORK_OBJ_172.30.0.0_24
 subnet 172.30.0.0 255.255.255.0
object network NETWORK_OBJ_172.31.0.0_25
 subnet 172.31.0.0 255.255.255.128
object network obj-172.30.0.0
 subnet 172.30.0.0 255.255.255.0
object network NETWORK_OBJ_172.31.0.192_26
 subnet 172.31.0.192 255.255.255.192
object network NETWORK_OBJ_192.168.50.0_26
 subnet 192.168.50.0 255.255.255.192
object network NETWORK_OBJ_10.0.0.0_28
 subnet 10.0.0.0 255.255.255.240
object network NETWORK_OBJ_10.11.1.0_27
 subnet 10.11.1.0 255.255.255.224
object service FendiRDP
 service tcp source eq 3389 
object network Obj_FendiRDP
 host 172.26.0.19
object network UKBK
 host 172.26.0.15
object network 172.26.0.19
 host 172.26.0.19
object service 8080
 service tcp source eq 8080 destination eq 8080 
object network Clarke-Aruba
 subnet 172.31.0.0 255.255.255.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_2
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group service DM_INLINE_TCP_1 tcp
 port-object eq 3389
 port-object eq 3390
 port-object eq 81
 port-object eq 82
 port-object eq ftp
 port-object eq www
object-group network DM_INLINE_NETWORK_2
 network-object host 92.237.118.235
 network-object host 92.237.118.236
 network-object host 92.237.118.237
 network-object host 92.237.118.238
object-group service DM_INLINE_TCP_2 tcp
 port-object eq 3389
 port-object eq 81
 port-object eq 82
 port-object eq ftp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq 3389
 port-object eq www
object-group network DM_INLINE_NETWORK_3
 network-object object obj-172.20.0.0
 network-object object obj-172.29.0.0
 network-object object obj-192.168.40.0
 network-object object obj-172.23.0.0
 network-object object obj-172.25.0.0
 network-object object obj-10.100.100.0
 network-object object obj-172.22.0.0
 network-object object obj-192.168.0.0
 network-object object obj-172.27.0.0
 network-object object obj-172.30.0.0
 network-object object Clarke-Aruba
object-group icmp-type DM_INLINE_ICMP_5
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_3
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group icmp-type DM_INLINE_ICMP_4
 icmp-object echo
 icmp-object echo-reply
 icmp-object source-quench
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group network DM_INLINE_NETWORK_1
 network-object 172.27.0.0 255.255.255.0
 network-object object obj-172.20.0.0
 network-object object obj-172.29.0.0
 network-object object obj-192.168.40.0
object-group network DM_INLINE_NETWORK_4
 network-object 172.30.0.0 255.255.255.0
 network-object object Clarke-Aruba
object-group network DM_INLINE_NETWORK_5
 network-object object Clarke-Aruba
 network-object object NETWORK_OBJ_172.30.0.0_24
object-group network DM_INLINE_NETWORK_6
 network-object object obj-172.20.0.0
 network-object object obj-172.22.0.0
 network-object object obj-172.23.0.0
 network-object object obj-172.25.0.0
 network-object object obj-172.26.0.0
 network-object object obj-172.27.0.0
 network-object object obj-172.30.0.0
access-list inside_nat_outbound extended permit ip 172.26.0.0 255.255.255.0 any 
access-list inside_access_in extended permit ip 172.26.0.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list inside_access_in extended permit tcp any any 
access-list dmz_access_in extended permit icmp any any object-group DM_INLINE_ICMP_2 
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 172.23.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 172.25.0.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 192.168.0.0 255.255.252.0 
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 10.100.100.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.26.0.0 255.255.255.0 172.22.0.0 255.255.255.0 
access-list outside_Arena_cryptomap extended permit ip 172.26.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list outside_virgin_isp_access_in extended permit icmp any any object-group DM_INLINE_ICMP_3 
access-list outside_virgin_isp_cryptomap_1 extended permit ip 172.26.0.0 255.255.255.0 172.23.0.0 255.255.255.0 
access-list outside_bt_isp_access_in extended permit icmp any any object-group DM_INLINE_ICMP_5 
access-list outside_bt_isp_access_in extended permit tcp any any eq ftp 
access-list outside_virgin_isp_access_in_1 extended permit icmp any any object-group DM_INLINE_ICMP_4 
access-list outside_virgin_isp_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any 192.168.0.0 255.255.252.0 
access-list outside_virgin_isp_access_in_1 extended permit ip host 80.88.92.106 any 
access-list outside_virgin_isp_access_in_1 extended permit icmp any any 
access-list outside_virgin_isp_access_in_1 extended permit object obj-tcp-source-eq-3389 any interface outside_Arena 
access-list outside_virgin_isp_access_in_1 extended permit object obj-tcp-source-eq-3389 object 172.26.0.19 any 
access-list outside_virgin_isp_cryptomap_2 extended permit ip 172.26.0.0 255.255.255.0 object obj-10.100.100.0 
access-list outside_Arena_cryptomap_1 extended permit ip 172.26.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_4 
access-list NAT-EXEMPT extended permit ip 172.26.0.0 255.255.255.0 10.11.1.0 255.255.255.0 
access-list NONAT extended permit ip 172.26.0.0 255.255.255.0 10.11.1.0 255.255.255.0 inactive 
access-list local_lan_access standard permit 172.27.0.0 255.255.255.0 
access-list local_lan_access standard permit 172.26.0.0 255.255.255.0 
access-list local_lan_access standard permit 172.30.0.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside_Arena 1500
ip local pool UKSSLUsers 172.31.0.200-172.31.0.240 mask 255.255.255.0
ip local pool AnyConnect 192.168.50.20-192.168.50.40 mask 255.255.255.0
ip local pool net-10 10.0.0.1-10.0.0.10 mask 255.255.255.0
ip local pool remotessl 10.11.1.2-10.11.1.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-711.bin
no asdm history enable
arp timeout 14400
nat (inside,outside_Arena) source static obj-172.26.0.0 obj-172.26.0.0 destination static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 no-proxy-arp
nat (inside,outside_Arena) source dynamic obj-172.26.0.0 interface
nat (inside,outside_Arena) source static NETWORK_OBJ_172.26.0.0_24 NETWORK_OBJ_172.26.0.0_24 destination static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 no-proxy-arp route-lookup
nat (outside_Arena,outside_Arena) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static NETWORK_OBJ_10.11.1.0_27 NETWORK_OBJ_10.11.1.0_27 no-proxy-arp route-lookup
!
object network Obj_FendiRDP
 nat (inside,outside_Arena) static interface service tcp 3389 3389 
access-group inside_access_in in interface inside
access-group outside_virgin_isp_access_in_1 in interface outside_Arena
route outside_Arena 0.0.0.0 0.0.0.0 95.130.99.129 180
route outside_Arena 172.20.0.0 255.255.255.0 95.130.99.129 1
route outside_Arena 172.23.0.0 255.255.255.0 95.130.99.129 1
route outside_Arena 172.26.0.19 255.255.255.255 95.130.99.129 1
route outside_Arena 172.27.0.0 255.255.255.0 95.130.99.129 1
route outside_Arena 172.30.0.0 255.255.255.0 95.130.99.129 1
route outside_Arena 192.168.0.0 255.255.252.0 95.130.99.129 1
route outside_Arena 193.120.165.154 255.255.255.255 95.130.99.129 1
route outside_Arena 194.44.55.5 255.255.255.255 95.130.99.129 1
route outside_Arena 194.44.136.114 255.255.255.255 95.130.99.129 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable 8443
http 172.26.0.0 255.255.255.0 inside
http 194.44.136.114 255.255.255.255 outside_Arena
http 193.120.165.154 255.255.255.255 outside_Arena
http 194.44.55.0 255.255.255.0 outside_Arena
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sysopt connection tcpmss 1350
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac 
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac 
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_virgin_isp_map 1 match address outside_Arena_cryptomap
crypto map outside_virgin_isp_map 1 set peer 193.120.165.154 
crypto map outside_virgin_isp_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_virgin_isp_map 2 match address outside_Arena_cryptomap_1
crypto map outside_virgin_isp_map 2 set pfs 
crypto map outside_virgin_isp_map 2 set peer 80.88.92.105 
crypto map outside_virgin_isp_map 2 set ikev1 transform-set ESP-3DES-SHA ESP-AES-256-SHA
crypto map outside_virgin_isp_map 5 match address outside_virgin_isp_cryptomap_1
crypto map outside_virgin_isp_map 5 set peer 194.44.136.114 
crypto map outside_virgin_isp_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_virgin_isp_map 6 match address outside_virgin_isp_cryptomap_2
crypto map outside_virgin_isp_map 6 set peer 212.87.74.171 
crypto map outside_virgin_isp_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_virgin_isp_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_virgin_isp_map interface outside_Arena
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn vpnuk.lynq.co.uk
 subject-name CN=LYNQUKASA
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate 5b0ba155
    308201e1 3082014a a0030201 0202045b 0ba15530 0d06092a 864886f7 0d010105 
    05003035 31123010 06035504 0313094c 594e5155 4b415341 311f301d 06092a86 
    4886f70d 01090216 1076706e 756b2e6c 796e712e 636f2e75 6b301e17 0d313530 
    37323231 30323635 395a170d 32353037 31393130 32363539 5a303531 12301006 
    03550403 13094c59 4e51554b 41534131 1f301d06 092a8648 86f70d01 09021610 
    76706e75 6b2e6c79 6e712e63 6f2e756b 30819f30 0d06092a 864886f7 0d010101 
    05000381 8d003081 89028181 00b34b55 c66162ec f3fb376f 9f24491e a71b931e 
    3332434d f826ed42 ea1620fb 4cfa0ee1 6080fb0c e1b3470e 1a6b8bc2 8f7234c6 
    e65616e3 362bea14 9f45f49d 5f919c14 1f98986b a579b466 21149480 3b75ebe9 
    826116a0 92811587 1cffb55a 895a4a52 e2b5243c 1dccfe5d 3347a8f6 55235e2f 
    990a4f09 0cb3af08 34f538fa 21020301 0001300d 06092a86 4886f70d 01010505 
    00038181 0055e50c def67359 c835c88a 69527106 1272ca5f c1834613 4bbe4d9c 
    4fb0c526 b79b7836 257a38ff 11550295 ef0c54ad 71fcd7ed d030d150 6a4ddc80 
    6068b088 de6c656f 0591223d e03d93de 04191ab6 3280332a 5cb2e489 e0aabf4c 
    b92c609a 87d5d784 7119f96b f004005c 717877fc 66bd8abc fd6d8a5d 11f2ff23 
    3a9059ed be
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside_Arena client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
crypto ikev1 enable outside_Arena
crypto ikev1 policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
!
track 1 rtr 123 reachability
!
track 100 rtr 1 reachability
telnet 172.26.0.0 255.255.255.0 inside
telnet 172.26.0.0 255.255.0.0 inside
telnet timeout 5
ssh 172.26.0.0 255.255.255.0 inside
ssh 194.44.136.114 255.255.255.255 outside_Arena
ssh 193.120.165.154 255.255.255.255 outside_Arena
ssh 194.44.55.0 255.255.255.0 outside_Arena
ssh timeout 30
console timeout 0
vpdn group BTFibre request dialout pppoe
vpdn group BTFibre localname D203277@hg52.btclick.com
vpdn group BTFibre ppp authentication chap
vpdn group btpppoe request dialout pppoe
vpdn group btpppoe localname D203277@hg52.btclick.com
vpdn group btpppoe ppp authentication pap
vpdn group bt_pppoe request dialout pppoe
vpdn group bt_pppoe localname D203277@hg52.btclick.com
vpdn group bt_pppoe ppp authentication pap
vpdn group PPPOE_BT request dialout pppoe
vpdn group PPPOE_BT localname D203277@hg52.btclick.com
vpdn group PPPOE_BT ppp authentication pap
vpdn group BTDSL request dialout pppoe
vpdn group BTDSL localname D203277@hg52.btclick.com
vpdn group BTDSL ppp authentication pap
vpdn group D203277@hg52.btclick.com request dialout pppoe
vpdn group D203277@hg52.btclick.com localname D203277@hg52.btclick.com
vpdn group D203277@hg52.btclick.com ppp authentication chap
vpdn username D203277@hg52.btclick.com password password1 store-local
vpdn username 01329221836@talktalkbusiness.net password J7R5K6F2J6 store-local

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 65.55.56.206
tftp-server inside 172.26.0.26 \
ssl trust-point ASDM_TrustPoint0 inside
ssl trust-point ASDM_TrustPoint0 outside_Arena
webvpn
 enable inside
 enable outside_Arena
 anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-clientless
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 wins-server none
 dns-server value 172.26.0.25
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value local_lan_access
 default-domain value lynq.co.uk
 vlan none
group-policy GroupPolicy_80.88.92.105 internal
group-policy GroupPolicy_80.88.92.105 attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_194.44.136.114 internal
group-policy GroupPolicy_194.44.136.114 attributes
 vpn-tunnel-protocol ikev1 
group-policy GroupPolicy_193.120.165.154 internal
group-policy GroupPolicy_193.120.165.154 attributes
 vpn-tunnel-protocol ikev1 
username tdb.admin password 66rOScYvr6BoMfol encrypted privilege 15
username paul.synnott password 3UDjotP6R7/M6C0B encrypted privilege 15
username sarah.kingswell password 5XyGsYkEdLoWOQiY encrypted privilege 15
username pete.hayes password aKXo6uAmPQjnwJ6q encrypted
username taras.chuhay password Yxj1fcjQ/tmX15oH encrypted privilege 15
username sean.timmins password ChKbOC6xl/qpg0kj encrypted privilege 15
username ciaran.raftery password 7IlPp0OBHDtzh4gY encrypted privilege 15
username colm.admin password 2MIbxjKQswsLMY/w encrypted privilege 15
tunnel-group 193.120.165.154 type ipsec-l2l
tunnel-group 193.120.165.154 general-attributes
 default-group-policy GroupPolicy_193.120.165.154
tunnel-group 193.120.165.154 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 194.44.136.114 type ipsec-l2l
tunnel-group 194.44.136.114 general-attributes
 default-group-policy GroupPolicy_194.44.136.114
tunnel-group 194.44.136.114 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 212.87.74.171 type ipsec-l2l
tunnel-group 212.87.74.171 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 80.88.92.105 type ipsec-l2l
tunnel-group 80.88.92.105 general-attributes
 default-group-policy GroupPolicy_80.88.92.105
tunnel-group 80.88.92.105 ipsec-attributes
 ikev1 pre-shared-key *****
 peer-id-validate nocheck
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool remotessl
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 group-alias SSL enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect pptp 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4318256166533820f8c74da6c6abe0ce

Sorry - I was focusing only on the NAT since earlier I hadn't realized it's also a remote access VPN to site-site VPN configuration.

For the site-site VPN we also need to account for the VPN users in the crypto map access-list. Right now you have:

access-list outside_Arena_cryptomap extended permit ip 172.26.0.0 255.255.255.0 object-group DM_INLINE_NETWORK_1

Add a line (access list entry) to it to include the VPN address pool:

access-list outside_Arena_cryptomap extended permit ip NETWORK_OBJ_10.11.1.0_27 object-group DM_INLINE_NETWORK_1

That will tell the site-site VPN to treat traffic coming from the remote access VPN clients as "interesting" for purposes of putting it into the tunnel.

It will not accept the command?


Result of the command: "configure terminal"

The command has been sent to the device


Result of the command: "access-list outside_Arena_cryptomap extended permit ip NETWORK_OBJ_10.11.1.0_27 object-group DM_INLINE_NETWORK_1"

access-list outside_Arena_cryptomap extended permit ip NETWORK_OBJ_10.11.1.0_27 object-group DM_INLINE_NETWORK_1
                                                       ^

ERROR: % Invalid input detected at '^' marker.

Sorry - missed a keyword there. Try:

access-list outside_Arena_cryptomap extended permit ip object-group NETWORK_OBJ_10.11.1.0_27 object-group DM_INLINE_NETWORK_1
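Pulling the pieces together, here is an added worked example (mine, not a command set anyone posted in this thread) of the full set of changes this ASA needs for clients in the remotessl pool to reach the networks behind the 193.120.165.154 peer, using only the object, ACL and interface names already in the posted configuration. Two things to check before pasting it: NETWORK_OBJ_10.11.1.0_27 is defined with "object network", so an ACL references it with the "object" keyword rather than "object-group" (the posted config itself uses "object" for such references, e.g. "permit object obj-tcp-source-eq-3389"); and the position number on the NAT statement, the extra split-tunnel networks and the peer-side ACL are illustrative assumptions, since the thread does not show which remote subnets are wanted or how the peer is configured. The example goes beyond the single crypto ACL line because each of the other pieces can independently stop the traffic.

```cisco
! Added example, not from the original thread. Assumes ASA 8.4(2) and the
! object/ACL names shown in the posted configuration.

! --- 1. Site-to-site crypto ACL: make the AnyConnect pool "interesting" ---
! NETWORK_OBJ_10.11.1.0_27 is an "object network", so the keyword is "object";
! "object-group" is only valid for object-group definitions.
! Equivalent plain form:
!   access-list outside_Arena_cryptomap extended permit ip 10.11.1.0 255.255.255.224 object-group DM_INLINE_NETWORK_1
access-list outside_Arena_cryptomap extended permit ip object NETWORK_OBJ_10.11.1.0_27 object-group DM_INLINE_NETWORK_1

! --- 2. Hairpin: decrypted client traffic must be allowed to leave the same
!        interface (outside_Arena) it arrived on. Already present in the posted
!        config; repeated here so the dependency is visible. ---
same-security-traffic permit intra-interface

! --- 3. Identity NAT so nothing between the pool and the protected networks
!        is translated. ---
! Remote sites <-> pool is already covered by the posted rule
!   nat (outside_Arena,outside_Arena) source static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 destination static NETWORK_OBJ_10.11.1.0_27 ...
! but DM_INLINE_NETWORK_6 only holds 172.20/22/23/25/26/27/30. The peer-side
! networks in DM_INLINE_NETWORK_1 that it lacks (172.29.0.0/24, 192.168.40.0/24)
! would still be PATed; add them if clients should reach them:
object-group network DM_INLINE_NETWORK_6
 network-object object obj-172.29.0.0
 network-object object obj-192.168.40.0
! Inside LAN <-> pool: the identity rule the ASDM wizard's "exempt VPN traffic
! from NAT" option normally creates; it is absent from the posted config.
! Position 1 (assumed) puts it ahead of the dynamic PAT rule
!   nat (inside,outside_Arena) source dynamic obj-172.26.0.0 interface
! because section-1 manual NAT rules are matched in order, first match wins.
nat (inside,outside_Arena) 1 source static obj-172.26.0.0 obj-172.26.0.0 destination static NETWORK_OBJ_10.11.1.0_27 NETWORK_OBJ_10.11.1.0_27 no-proxy-arp route-lookup

! --- 4. Split tunnel: the client only sends traffic for prefixes in this list
!        into the tunnel, so a peer-side network missing here never reaches
!        the ASA at all. 172.27.0.0/24 is already listed; the two below are an
!        assumption about which peer-side networks are wanted. ---
access-list local_lan_access standard permit 172.20.0.0 255.255.255.0
access-list local_lan_access standard permit 172.29.0.0 255.255.255.0

! --- 5. Peer side (193.120.165.154): the mirror-image entry, otherwise phase 2
!        fails with a proxy-ID mismatch. ACL name and peer LAN are placeholders
!        because the thread does not show the peer's configuration. ---
!   access-list <peer-crypto-acl> extended permit ip <peer-lan> <mask> 10.11.1.0 255.255.255.224

! --- 6. Tear down the existing SA so the new proxy IDs are negotiated on the
!        next packet, then verify. ---
clear crypto ipsec sa peer 193.120.165.154
show crypto ipsec sa peer 193.120.165.154
show nat
show vpn-sessiondb detail anyconnect
```

After a client sends traffic to a peer-side host, "show crypto ipsec sa peer 193.120.165.154" should list an SA whose local ident is 10.11.1.0/255.255.255.224; if only the 172.26.0.0/24 SA appears, the traffic is either not in the split-tunnel list (step 4) or is being translated before it reaches the crypto map ("show nat" hit counts on step 3 tell you which). Note that the pre-8.3 style lists NAT-EXEMPT and NONAT in the posted config are not referenced by any nat statement and do nothing on 8.4.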