thanks for the information, can you check the Logs and packet tracer where it was blocked and what is not allowing, as per the policy you made some arrangements, but it was not clear how that was tagged in the rules.

so can we get more information, please

Hello Rob,

Here is the packet-tracer output

---------------------------------------------------------------------------------------

NLSL-ASA01/act/sec# packet-tracer input WAN tcp 10.100.146.5 4152 142.250.184.$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 217.166.205.97 using egress ifc WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip object-group DM_INLINE_NETWORK_101 any
object-group network DM_INLINE_NETWORK_101
network-object object VPN_POOL
network-object object VPN_POOL_2
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e61647b0, priority=13, domain=permit, deny=false
hits=0, user_data=0x7fb9d8cbf240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.146.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (WAN,WAN) source dynamic DM_INLINE_NETWORK_102 interface
Additional Information:
Dynamic translate 10.100.146.5/4152 to 217.166.205.100/4152
Forward Flow based lookup yields rule:
in id=0x7fb9e7277780, priority=6, domain=nat, deny=false
hits=16544, user_data=0x7fb9ebb77750, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.100.146.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=WAN

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=471721639, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=695869193, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 6
Type: CP-PUNT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9fa4f3c90, priority=89, domain=punt, deny=true
hits=9073, user_data=0x7fb9e26591a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.100.146.5, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 7
Type: WEBVPN-SVC
Subtype: in
Result: DROP
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9f3e0b730, priority=71, domain=svc-ib-tunnel-flow, deny=false
hits=10162, user_data=0xab9a000, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=10.100.146.5, mask=255.255.255.255, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

---------------------------------------------------------------------------------------

Looks like the traffic is been dropped because a missing ACL to alow it, but I have below ACL configured 

access-list WAN_access_in extended permit ip object-group DM_INLINE_NETWORK_101 any

object-group network DM_INLINE_NETWORK_101
network-object object VPN_POOL
network-object object VPN_POOL_2

Basically, I'm allowing everything coming from WAN to any. 

Do you think the ACL is wrong configured? 

Best regards, 

@Unit4_cognizant 

I believe you see that WEBVPN-SVC drop when the IP address is already allocated to a RAVPN user. Was the IP address - 10.100.146.5 in use when you run packet-tracer? Can you run it again from a source IP address that is not in use please.

You are right, sorry about it, by the time  ran the packet-tracer that Ip was already in use by a user. 

Here you can see the new packet-tracer result with a free source IP 

----------------------------------------------------------------------------------------

NLSL-ASA01/act/sec# packet-tracer input WAN tcp 10.100.146.10 4152 142.250.184$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 217.166.205.97 using egress ifc WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip object-group DM_INLINE_NETWORK_101 any
object-group network DM_INLINE_NETWORK_101
network-object object VPN_POOL
network-object object VPN_POOL_2
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e61647b0, priority=13, domain=permit, deny=false
hits=2, user_data=0x7fb9d8cbf240, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.146.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (WAN,WAN) source dynamic DM_INLINE_NETWORK_102 interface
Additional Information:
Dynamic translate 10.100.146.10/4152 to 217.166.205.100/4152
Forward Flow based lookup yields rule:
in id=0x7fb9e7277780, priority=6, domain=nat, deny=false
hits=17074, user_data=0x7fb9ebb77750, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.100.146.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=WAN

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472047265, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=696480564, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4174570, priority=20, domain=lu, deny=false
hits=134420672, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e62e67d0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=464027652, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (WAN,WAN) source dynamic DM_INLINE_NETWORK_102 interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fb9e6b61570, priority=6, domain=nat-reverse, deny=false
hits=2, user_data=0x7fb9ea5a39f0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.146.0, mask=255.255.254.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=WAN

Phase: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472047267, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 10
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=696480566, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 11
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 911066388, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 12
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 217.166.205.97 using egress ifc WAN

Phase: 13
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 2c4f.525f.9bd0 hits 348 reference 4407

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow

----------------------------------------------------------------------------------------

Everything is looking fine, however, while connected that VPN profile Internet access gets completely lost 

Bets Regards, 

Can you take 2 packet captures (inbound and outbound) and provide the pcaps for review.

I've never previously configured hairpin nat for RAVPN using the syntax you've used. Here is an example that I know works (NAT is configured under the object, not global) perhaps try this and see if it makes a difference.

object network VPN_POOL
 subnet 10.100.146.0 255.255.254.0
 nat (WAN,WAN) dynamic interface

object network VPN_POOL_2
 subnet 10.100.148.0 255.255.255.0
 nat (WAN,WAN) dynamic interface

Also remove your existing rule whilst testing to ensure the above rules are matched.

no nat (WAN,WAN) source dynamic DM_INLINE_NETWORK_103 interface

Hello Rob, 

Thanks so much for your support, i have modify this VPN profile as per below 

-------------------------------------------------------------------------------------- 

group-policy GroupPolicy_NSPT internal
group-policy GroupPolicy_NSPT attributes
wins-server none
dns-server value 10.100.2.5 10.100.2.2
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
webvpn
anyconnect profiles value NSPT type user

tunnel-group NSPT type remote-access
tunnel-group NSPT general-attributes
address-pool DHCP_VPN_NSPT_POOL
authentication-server-group EESGR_LDAP
default-group-policy GroupPolicy_NSPT
tunnel-group NSPT webvpn-attributes
group-alias nspt enable
group-url https://anyconnectnlsl.unit4.com/nspt enable

ip local pool DHCP_VPN_NSPT_POOL 10.100.150.10-10.100.150.254 mask 255.255.255.0

object network VPN_NSPT_POOL
subnet 10.100.150.0 255.255.255.0
nat (WAN,WAN) dynamic interface

access-list WAN_access_in extended permit ip object 10.100.150.0 any

--------------------------------------------------------------------------------------

However while connected I'm still losing Internet connection and now internal connection is lost 

-------------------------------------------------------------------------------------- 

Packet-tracer to public IP

NLSL-ASA01/act/sec# packet-tracer input WAN icmp 10.100.150.15 8 0 10.100.6.50$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.6.50 using egress ifc LAN

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface LAN
Untranslate 10.100.6.50/0 to 10.100.6.50/0

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip object 10.100.150.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e98a0890, priority=13, domain=permit, deny=false
hits=4, user_data=0x7fb9d8cbf3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.150.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
Static translate 10.100.150.15/0 to 10.100.150.15/0
Forward Flow based lookup yields rule:
in id=0x7fb9e42d9d50, priority=6, domain=nat, deny=false
hits=383413920, user_data=0x7fb9ea4319a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=LAN

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e2a68980, priority=0, domain=nat-per-session, deny=true
hits=740534783, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=697423279, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 7
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e9a56a20, priority=70, domain=inspect-icmp, deny=false
hits=18416580, user_data=0x7fb9e9a56e10, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e7ebca70, priority=70, domain=inspect-icmp-error, deny=false
hits=18416580, user_data=0x7fb9ea5ca6a0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e62e67d0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=464585761, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 10
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fb9e42d9900, priority=6, domain=nat-reverse, deny=false
hits=380684215, user_data=0x7fb9ea431e20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=LAN

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e2a68980, priority=0, domain=nat-per-session, deny=true
hits=740534785, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e4138f30, priority=0, domain=inspect-ip-options, deny=true
hits=615856513, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 13
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 912005386, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 14
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.6.50 using egress ifc LAN

Phase: 15
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 842b.2be4.5ae1 hits 22 reference 1

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: allow

NLSL-ASA01/act/sec#
NLSL-ASA01/act/sec#
NLSL-ASA01/act/sec# packet-tracer input WAN tcp 10.100.150.15 4356 142.250.184$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 217.166.205.97 using egress ifc WAN

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip object 10.100.150.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e98a0890, priority=13, domain=permit, deny=false
hits=5, user_data=0x7fb9d8cbf3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.150.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 3
Type: NAT
Subtype:
Result: ALLOW
Config:
object network VPN_NSPT_POOL
nat (WAN,WAN) dynamic interface
Additional Information:
Dynamic translate 10.100.150.15/4356 to 217.166.205.100/4356
Forward Flow based lookup yields rule:
in id=0x7fb9e6ee7250, priority=6, domain=nat, deny=false
hits=195, user_data=0x7fb9e67edbc0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.100.150.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=WAN

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472511885, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 5
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=697470400, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 6
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4174570, priority=20, domain=lu, deny=false
hits=134537774, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e62e67d0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=464615711, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472511887, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=697470402, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 912052468, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 11
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 217.166.205.97 using egress ifc WAN

Phase: 12
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 2c4f.525f.9bd0 hits 14139 reference 4359

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: WAN
output-status: up
output-line-status: up
Action: allow

-------------------------------------------------------------------------------------- 

Packet-tracer to internal IP 

NLSL-ASA01/act/sec# packet-tracer input WAN tcp 10.100.150.15 4356 10.100.6.50$

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.6.50 using egress ifc LAN

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
NAT divert to egress interface LAN
Untranslate 10.100.6.50/22 to 10.100.6.50/22

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group WAN_access_in in interface WAN
access-list WAN_access_in extended permit ip object 10.100.150.0 any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e98a0890, priority=13, domain=permit, deny=false
hits=6, user_data=0x7fb9d8cbf3c0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.100.150.0, mask=255.255.255.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
Static translate 10.100.150.15/4356 to 10.100.150.15/4356
Forward Flow based lookup yields rule:
in id=0x7fb9e42d9d50, priority=6, domain=nat, deny=false
hits=383446162, user_data=0x7fb9ea4319a0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=LAN

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472514393, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4180780, priority=0, domain=inspect-ip-options, deny=true
hits=697478543, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e4174570, priority=20, domain=lu, deny=false
hits=134538632, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fb9e62e67d0, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=464620829, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (LAN,WAN) source static Corplan8 Corplan8 destination static Corplan8 Corplan8 no-proxy-arp route-lookup
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7fb9e42d9900, priority=6, domain=nat-reverse, deny=false
hits=380716155, user_data=0x7fb9ea431e20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any
dst ip/id=10.0.0.0, mask=255.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=WAN, output_ifc=LAN

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e410bc00, priority=1, domain=nat-per-session, deny=true
hits=472514395, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x7fb9e4138f30, priority=0, domain=inspect-ip-options, deny=true
hits=615900144, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=LAN, output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 912060583, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.100.6.50 using egress ifc LAN

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 842b.2be4.5ae1 hits 15 reference 1

Result:
input-interface: WAN
input-status: up
input-line-status: up
output-interface: LAN
output-status: up
output-line-status: up
Action: allow

-------------------------------------------------------------------------------------- 

Any idea what could be failing? I guess I'm missing something in the config, but packet-tracer is showing good  

Thanks, 

Well it looks you have a NAT exemption rules in place, so LAN to WAN traffic should not be natted.

When you say "still losing Internet connection" does that mean it sometimes works?

Do you have a hosted based firewall that could be blocking access to the internet?

Provide your configuration in a text file, provide the output of "show nat detail" and provide the pcaps asked for previously - this will help identify where the issue lies.