Hello mibricen

You were correct in your assumption that the SSL_VPN_NONAT is the object that identifies the internal networks. 

I was unable to get my object NAT to work so I created a regular NAT rule, so it now looks like this:

nat (Perham-LAN,Outside) source static any any destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
nat (Outside,Perham-LAN) source static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic SSL_VPN_POOL interface

Now:

• I can ping outside my network (e.g. google DNS)
• I cannot resolve DNS using servers outside my network (e.g. google DNS)
• I can NOT ping my default gateway
• I can NOT ping hosts in my NONAT network object group

Hello Evan,

Just to clarify, the first and second line on the nat configuration you shared are defining the traffic the same way.

This line is bi-directional:

nat (Perham-LAN,Outside) source static any any destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup

So traffic from Any via Perham-LAN interface and going to SSL_VPN_POOL via outside interface will hit this nat rule, as well as traffic comming from  SSL_VPN_POOL via outside going to Any via Perham-LAN will hit this same rule

Hence this second line is not really necessary, and it may cause Reverse Path Failure drops if the ASA detects that one nat is used for outbound traffic and another for inbound traffic on the same connection:

nat (Outside,Perham-LAN) source static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup

Now the third nat seems correctly configured, however you will need to be careful to configure a dynamic nat as policy nat, this because if new nat rules are added they will show below the currrent nat on the nat table and the dynamic rule may absorb traffic not meant to the rule.

So instead of using this:

nat (Outside,Outside) source dynamic SSL_VPN_POOL interface

I personally prefer to use:

object network SSL_VPN_POOL
 nat (Outside,Outside) dynamic interface

Which on the very first post of this forum you mentioned that you already had configured if I understood correctly.

By running the command show run nat it should show like:

nat (Perham-LAN,Outside) source static any any destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
nat (Outside,Outside) source dynamic SSL_VPN_POOL interface

Making sure that the dynamic nat is always the last, to avoid it to take precedence.

And as a personal opinion, I will rather configure it like this, with the no nat on the policy nat (Section 1) and the dynamic nat on the object nat (Section 2):

nat (Perham-LAN,Outside) source static SSL_VPN_NONAT SSL_VPN_NONAT destination static SSL_VPN_POOL SSL_VPN_POOL no-proxy-arp route-lookup
!
object network SSL_VPN_POOL
 nat (Outside,Outside) dynamic interface

I will prefer to use a previously defined object or object-group instead of the "any" on the policy nat, since it may absorb traffic not meant to it.

For troubleshooting your current issue.

Please run a packet tracer command from one of the hosts on the internal lan to one host on the VPN pool:

packet-tracer input Perham-LAN icmp 192.168.2.43 8 0 172.20.253.43 detailed

Note: Replace  <192.168.2.43> for a real host ip on your local lan and <172.20.253.43> for the ip assigned on the Remote user.

Check if it shows any drop on some phase.

You may also want to run the same command backwards to check for any difference.

packet-tracer input Outside icmp 172.20.253.43  8 0 192.168.2.43 detailed

And also:

packet-tracer input Outside icmp 172.20.253.43  8 0 192.168.2.43 detailed

To make sure they are following the correct path and hitting the correct nat rules.

Very important: For the packet tracer to work on an outside>inside scenario. The traffic need to be permitted on an access-group applied to the outside interface.

If you find anything unusual on the packet tracer responses let me know. Or once collected attach them on the forum for analysis.

Regards,

Miguel