I created the new ACL and tied it to the interface, but was still unable to ping from 172.168.129.1 to 172.168.128.1, or vice versa.

I didn't remove "access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 172.16.129.0 255.255.255.0" yet because I'm using that as a test just to make sure some vpn traffic is actually passing.

Please add this command

nat  (HVAC) 0 access-list acl-nonat-HVAC

sorry you do not need this ACL be applied on this interface, so remove this command below.

access-group acl-nonat-HVAC in interface HVAC

I have removed the access-group command and added the nat command but still unable to ping either direction.

Thanks!

Jason

Here is my current config

!
interface Ethernet0/0
switchport access vlan 4
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
switchport access vlan 2
!
interface Ethernet0/7
switchport access vlan 2
!
interface Vlan1
nameif inside
security-level 100
ip address 10.240.0.1 255.255.0.0
!
interface Vlan2
no forward interface Vlan1
nameif HVAC
security-level 100
ip address 172.16.128.1 255.255.255.0
!
interface Vlan4
nameif outside
security-level 0
ip address 12.x.x.x 255.255.255.0
!
ftp mode passive
access-list CDEO extended permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 10.0.0.0 255.0.0.0
access-list NoNAT extended permit ip 10.240.0.0 255.255.0.0 172.16.129.0 255.255.255.0
access-list NoNAT extended permit ip 10.102.229.0 255.255.255.0 172.16.129.0 255.255.255.0
access-list NoNAT extended permit ip 172.16.129.0 255.255.255.0 10.102.229.0 255.255.255.0
access-list NoNAT extended permit ip 172.16.128.0 255.255.255.0 172.16.129.0 255.255.255.0
access-list NoNAT extended permit ip 172.16.129.0 255.255.255.0 172.16.128.0 255.255.255.0
access-list inbound extended permit icmp any any echo-reply
access-list inbound extended permit icmp any any source-quench
access-list inbound extended permit icmp any any unreachable
access-list inbound extended permit icmp any any time-exceeded
access-list outbound extended permit ip any any
access-list vpn standard permit 10.240.0.0 255.255.0.0
access-list vpn standard permit 10.102.229.0 255.255.255.0
access-list vpn standard permit 172.16.128.0 255.255.255.0
access-list acl-nonat-HVAC extended permit ip 172.16.128.0 255.255.255.0 172.16.129.0 255.255.255.0
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu HVAC 1500
ip local pool shhfvpnpool 172.16.129.1-172.16.129.5 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NoNAT
nat (inside) 1 0.0.0.0 0.0.0.0
nat (HVAC) 0 access-list acl-nonat-HVAC
access-group outbound out interface inside
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 12.x.x.x 1

dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set Main esp-des esp-sha-hmac
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set transform-set myset
crypto dynamic-map dynmap 10 set security-association lifetime seconds 28800
crypto dynamic-map dynmap 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map dynmap 10 set reverse-route
crypto map CDEOVPN 35 match address CDEO
crypto map CDEOVPN 35 set peer 64.x.x.x
crypto map CDEOVPN 35 set transform-set Main
crypto map CDEOVPN 100 ipsec-isakmp dynamic dynmap
crypto map CDEOVPN interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 20
authentication pre-share
encryption des
hash sha
group 1
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400

console timeout 0
management-access inside

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy DfltGrpPolicy attributes
vpn-idle-timeout none
group-policy shhf internal
group-policy shhf attributes
vpn-idle-timeout 30
vpn-session-timeout 1440
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn

tunnel-group 64.x.x.x type ipsec-l2l
tunnel-group 64.x.x.x ipsec-attributes
pre-shared-key *****
tunnel-group shhf type remote-access
tunnel-group shhf general-attributes
address-pool shhfvpnpool
default-group-policy shhf
tunnel-group shhf ipsec-attributes
pre-shared-key *****
tunnel-group vpnclient type remote-access
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global

add this under the existing class.

class inspection_default

inspect icmp

Try to ping a host inside the HVAC network segment or ping a connected switch inside HVAC network segment instead of ping to phycial interface of the firewall.

Inspect icmp has been added.  I'm not able to ping a workstation in the HVAC vlan when VPN'd in.

Please be sure to disconnected from current vpn session on vpn-client and reconnect again for testing.

Are you able to ping inside interface at least on vlan1, when vpn in ?

Please post the output from below command.

packet-tracer input HVAC icmp 172.16.129.1 8 0 172.16.128.1

In order return traffic to come back to firewall, there has to be a static route and it must exist on switch as follows.

ip route 172.16.129.0 255.255.255.0 172.16.128.1

The workstation in the HVAC vlan is plugged directly into eth0/7 on the ASA.  The ASA doesn't recognize

ip route 172.16.129.0 255.255.255.0 172.16.128.1

Thanks so much for your help!

Jason

The workstation is configured as follows:

IP: 172.16.128.5

Subnet: 255.255.255.0

GW: Blank (This computer has 2 nics)

Should I be able to enter 172.16.128.1 as the Gateway?

Yes the gateway must be pointing to 172.16.128.1.

Try with the gateway applied on the PC to make sure, the ASA is funtional as intented.

When ASA is funtional as intented, then you may add a static route permanent on the PC to push VPN bound traffic to NIC connected to ASA.

add this route on the PC, if you choice remove its gateway address.

route add -p 172.16.129.0 MASK 255.255.255.0 172.16.128.5

Now that I think about it, the second nic in that machine (the one not connected to the ASA) definitely doesn't need a gateway because it is connected to a HVAC controller.

Will it work to put 172.16.128.1 as the Gateway on the nic connected to the ASA, or am I definitely going to need a switch to perform layer 3 routing?

Ok, I added the Gateway on the workstation as 172.16.128.1 and I'm NOW able to ping it from my vpn connection!  Thanks so much for your help!