AnyConnect VPN Connected but no internet

philipvoceehs
Level 1

Hi Guys,

Managed to get our VPN connection to log in and work. I can access anything locally on the office network, such as file servers etc., but we have no internet access. We don't want to split tunnel, as all traffic needs to go through the office ASA for IP-restricted servers, websites etc.

What are we missing? Here is our config, albeit with some bits omitted, mainly objects and certificates:

Result of the command: "show running-config"

: Saved

:
: Serial Number: JAD27200585
: Hardware: FPR-1010, 7204 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
ASA Version 9.16(2)3
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
!
license smart
feature tier standard
names
no mac-address auto
ip local pool VPN-IP-Range 10.0.100.15-10.0.100.20 mask 255.255.255.0

!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.100.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
security-level 0
pppoe client vpdn group EHS
ip address pppoe setroute
!
interface Ethernet1/2
switchport
!
interface Ethernet1/3
switchport
!
interface Ethernet1/4
switchport
!
interface Ethernet1/5
switchport
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
switchport
power inline auto
!
interface Ethernet1/8
switchport
power inline auto
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
interface BVI1
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222 outside
name-server 208.67.220.220 outside
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
host EXTERNALIP
object service PPTP-srv
service tcp source eq pptp
object service https
service tcp source eq https
object service http
service tcp source eq www
object service ESET
service tcp source eq 2222
object service SVN
service tcp source eq 8443
object service MPWEB
service tcp source eq 8444
access-list outside_access_in remark EHS VPN Connection
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object EHS_VPN_SERVER
access-list outside_access_in extended permit tcp any object-group Development_Agent_Servers object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group SVN_Connection
access-list outside_access_in remark ESET Management Server incoming connections
access-list outside_access_in extended permit tcp any object EHS_ESET_SERVER object-group ESET_Server
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group Dev_MPWeb_External
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit tcp any eq pptp any
access-list outside_cryptomap extended permit ip 10.0.100.0 255.255.255.0 object UK_HOSTED_NETWORK
access-list VPN_Filter extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_3
access-list VPN_Filter extended permit ip object USA_HOSTED_DC_CONTROLLER object-group DM_INLINE_NETWORK_4
access-list VPN_Filter extended permit ip object CANADA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_5
access-list VPN_Filter extended permit ip object EA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_6
access-list outside_cryptomap_1 extended permit ip 10.0.100.0 255.255.255.0 object USA_Network
access-list outside_cryptomap_2 extended permit ip 10.0.100.0 255.255.255.0 object CANADA_INSIDE_NETWORK
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging timestamp
logging console debugging
logging trap warnings
logging asdm debugging
logging class auth console debugging asdm debugging
logging class session asdm debugging
logging class sys asdm debugging
logging class vpn console debugging asdm debugging
logging class vpnc console debugging asdm debugging
logging class webvpn console debugging asdm debugging
logging class svc console debugging asdm debugging
logging class dap console debugging asdm debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static UK_HOSTED_NETWORK UK_HOSTED_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static USA_Network USA_Network no-proxy-arp route-lookup
nat (any,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static CANADA_INSIDE_NETWORK CANADA_INSIDE_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static EHS_VPN_SERVER interface service PPTP-srv PPTP-srv
nat (inside,outside) source static DM_INLINE_NETWORK_1 interface service https https
nat (inside,outside) source static DM_INLINE_NETWORK_2 interface service http http
nat (inside,outside) source static EHS_ESET_SERVER interface service ESET ESET
nat (inside,outside) source static EHSDEVAPP01 interface service SVN SVN
nat (inside,outside) source static EHSDEVAPP01 interface service MPWEB MPWEB
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static NETWORK_OBJ_10.0.100.0_27 NETWORK_OBJ_10.0.100.0_27 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server EHSRADIUS protocol radius
aaa-server EHSRADIUS (inside) host 10.0.100.80
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 10.0.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES-256-SHA-512
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AZURE-PROPOSAL
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer X.X.X.X
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer X.X.X.X
crypto map outside_map 3 set ikev2 ipsec-proposal AES-256-SHA-512
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.0.100.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
auto-import

-- OMITTED CERTIFICATE DETAILS --

quit
crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha512
group 21
prf sha512
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 40
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
vpdn group EHS request dialout pppoe
vpdn group EHS localname m594672@X.X.X.X
vpdn group EHS ppp authentication chap
vpdn username X.X.X.X password *****
dhcpd auto_config outside
!
dhcpd address 192.168.45.10-192.168.45.12 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
port 4433
enable outside
dtls port 4433
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 1
anyconnect profiles EHS disk0:/ehs.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_EHSVPN internal
group-policy GroupPolicy_EHSVPN attributes
wins-server none
dns-server value 10.0.100.200 8.8.8.8
vpn-access-hours none
vpn-simultaneous-logins 15
vpn-idle-timeout 60
vpn-session-timeout none
vpn-filter value inside_access_in
vpn-tunnel-protocol ssl-client
group-lock value EHSVPN
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value EHS
split-tunnel-all-dns enable
vlan none
security-group-tag none
webvpn
anyconnect profiles value EHS type user
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask none default svc
username admin password ***** pbkdf2 privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
ikev2 remote-authentication eap query-identity
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group EHSVPN type remote-access
tunnel-group EHSVPN general-attributes
address-pool VPN-IP-Range
authentication-server-group EHSRADIUS
default-group-policy GroupPolicy_EHSVPN
tunnel-group EHSVPN webvpn-attributes
group-alias EHSVPN enable
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect pptp
inspect icmp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:ea62db802051e27e24b2f9a4d537a0e0
: end

Thanks,

Dave

1 Accepted Solution

If you return to my first comment, I mention that NAT (outside,outside) and NAT (any,outside) conflict; you need to remove NAT (any,outside) and, for traffic from inside, use NAT (inside,outside) <<- I assume you use the inside nameif interface

MHM

nat (any,outside) dynamic interface


31 Replies

@philipvoceehs create a NAT rule from outside to outside.

object network VPN-POOL
 subnet 10.0.100.0 255.255.255.0
 nat (OUTSIDE,OUTSIDE) dynamic interface

And permit hairpinning

same-security-traffic permit intra-interface


FYI, I would not recommend using a VPN pool from within the same network as your internal LAN; I suggest using a different network.
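
Added example, written for this thread and not taken from any poster's reply or from Cisco: a Python check that reads a running-config excerpt for the points Rob's reply and MHM's accepted answer turn on: the "same-security-traffic permit intra-interface" hairpin, an object covering the VPN pool with "nat (outside,outside) dynamic interface", a pool that does not sit inside the inside-interface subnet, and an object NAT whose source interface is "any", which the accepted answer says conflicts with the outside-to-outside rule. The two config excerpts are constructed from the before/after configs posted in the thread, and the check only recognises the plain "nat (X,Y) dynamic interface" object-NAT form.

```python
import ipaddress
import re

# Constructed running-config excerpts modelled on the before/after configs
# posted in this thread (object names and addresses as they appear there).
CONFIG_BEFORE = """\
ip local pool VPN-IP-Range 10.0.100.15-10.0.100.20 mask 255.255.255.0
interface Vlan1
nameif inside
ip address 10.0.100.1 255.255.255.0
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any
nat (any,outside) dynamic interface
"""

CONFIG_AFTER = """\
ip local pool VPN-IP-Range 10.0.101.100-10.0.101.200 mask 255.255.255.0
interface Vlan1
nameif inside
ip address 10.0.100.1 255.255.255.0
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network VPN-POOL
subnet 10.0.101.0 255.255.255.0
object network obj_any
nat (inside,outside) dynamic interface
object network VPN-POOL
nat (outside,outside) dynamic interface
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask \S+$")
OBJ_NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) dynamic interface$")


def parse_config(text):
    """Collect interface networks, network objects, object NAT rules and pools."""
    cfg = {"intra_interface": False, "pools": [], "interfaces": [],
           "objects": {}, "object_nat": []}
    cur_if = cur_obj = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "same-security-traffic permit intra-interface":
            cfg["intra_interface"] = True
        elif (m := POOL_RE.match(line)):
            name, first, last = m.groups()
            cfg["pools"].append((name, ipaddress.ip_address(first), ipaddress.ip_address(last)))
        elif line.startswith("interface "):
            cur_if, cur_obj = {"nameif": None, "network": None}, None
            cfg["interfaces"].append(cur_if)
        elif line.startswith("nameif ") and cur_if is not None:
            cur_if["nameif"] = line.split()[1]
        elif line.startswith("ip address ") and cur_if is not None:
            parts = line.split()
            try:  # "ip address pppoe setroute" carries no static address
                cur_if["network"] = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            except (IndexError, ValueError):
                pass
        elif line.startswith("object network "):
            cur_obj, cur_if = line.split()[2], None
            cfg["objects"].setdefault(cur_obj, None)
        elif line.startswith("subnet ") and cur_obj:
            addr, mask = line.split()[1:3]
            cfg["objects"][cur_obj] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif line.startswith("host ") and cur_obj:
            try:  # redacted hosts such as "host EXTERNALIP" are skipped
                cfg["objects"][cur_obj] = ipaddress.ip_network(line.split()[1])
            except ValueError:
                pass
        elif (m := OBJ_NAT_RE.match(line)) and cur_obj:
            cfg["object_nat"].append((cur_obj, m.group(1), m.group(2)))
    return cfg


def audit(text):
    """Return findings; an empty list means the thread's advice is all in place."""
    cfg = parse_config(text)
    findings = []
    if not cfg["intra_interface"]:
        findings.append("hairpin not permitted: add 'same-security-traffic permit intra-interface'")
    inside_nets = [i["network"] for i in cfg["interfaces"] if i["nameif"] == "inside" and i["network"]]
    for name, first, last in cfg["pools"]:
        for net in inside_nets:
            if first in net or last in net:
                findings.append(f"pool {name} ({first}-{last}) overlaps inside network {net}")
        # The pool needs a covering object that is PAT'd outside-to-outside.
        covering = {obj for obj, net in cfg["objects"].items() if net and first in net and last in net}
        if not any(obj in covering and src == dst == "outside" for obj, src, dst in cfg["object_nat"]):
            findings.append(f"pool {name}: no 'nat (outside,outside) dynamic interface' covers it")
    for obj, src, dst in cfg["object_nat"]:
        if src == "any":
            findings.append(f"object {obj}: 'nat ({src},{dst})' uses 'any'; name the real source interface")
    return findings
```

Running audit() over the first posted config reports all three problems; over the updated one it reports none.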

Hi Rob,

Thanks, tried that but no luck unfortunately.

I guess that you have NAT from any to outside; I think this breaks the new NAT outside to outside. Try specifying the interface instead of using ANY in the NAT.

MHM

@philipvoceehs run packet-tracer from the CLI to simulate the traffic, when you specify the source IP address do not use the IP address of an active VPN client. Provide the output for review.

@Rob Ingram can you provide me a CLI output to try? Sorry, I'm not proficient in the CLI; I primarily work in ASDM.

@philipvoceehs example; replace the source IP address if it is in use:

packet-tracer input outside tcp 10.0.100.15 3000 8.8.8.8 80

Hi @Rob Ingram 

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055bff6cfa416 flow (NA)/NA

Using command: packet-tracer input outside tcp 10.0.100.16 3000 8.8.8.8 80

@philipvoceehs can you append "detailed" to the end of that packet-tracer command and run it again? Provide the full output.

Hi @Rob Ingram 

Sure, no problem:

Result of the command: "packet-tracer input outside tcp 10.0.100.15 3000 8.8.8.8 80 detailed"
 
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 81.148.64.1 using egress ifc  outside
 
Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffaea442160, priority=11, domain=permit, deny=true
hits=58474, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=any
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055bff6cfa416 flow (NA)/NA
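
Added example (not part of the thread or any poster's reply): a Python parser for the packet-tracer output format shown above. It splits the output into phases, records each phase's Type and Result plus its Config and Additional Information lines, and reads the closing summary, so the first DROP phase and the attributes of the rule it hit (deny=true, input_ifc=outside above) can be pulled out without reading the whole dump. The sample input is the detailed output posted above, embedded as a constant.

```python
import re

# Sample input: the detailed packet-tracer output posted in this thread,
# embedded here so the parser runs offline.
SAMPLE = """\
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 81.148.64.1 using egress ifc  outside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffaea442160, priority=11, domain=permit, deny=true
hits=58474, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055bff6cfa416 flow (NA)/NA
"""

HEADER_KEYS = {"Type": "type", "Subtype": "subtype", "Result": "result"}
KV_RE = re.compile(r"([\w/]+)=([^,\s]+)")


def _blocks(text):
    """Split the output into blank-line-separated blocks of stripped lines."""
    blocks, cur = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line:
            cur.append(line)
        elif cur:
            blocks.append(cur)
            cur = []
    if cur:
        blocks.append(cur)
    return blocks


def parse_packet_tracer(text):
    """Return {"phases": [...], "summary": {...}}; each phase keeps its Config and
    Additional Information lines so the matching rule is available in detailed mode."""
    phases, summary = [], {}
    for block in _blocks(text):
        head = block[0]
        if head.startswith("Phase:"):
            phase = {"phase": int(head.partition(":")[2]), "type": "", "subtype": "",
                     "result": "", "config": [], "info": []}
            section = None
            for line in block[1:]:
                key, _, val = line.partition(":")
                if key == "Config":
                    section = "config"
                elif key == "Additional Information":
                    section = "info"
                elif section is None and key in HEADER_KEYS:
                    phase[HEADER_KEYS[key]] = val.strip()
                elif section is not None:
                    phase[section].append(line)
            phases.append(phase)
        elif head == "Result:":  # closing summary block, no Phase header
            for line in block[1:]:
                key, _, val = line.partition(":")
                summary[key.strip().lower()] = val.strip()
    return {"phases": phases, "summary": summary}


def first_drop(parsed):
    """(phase number, phase type, drop reason) of the first DROP phase, else None."""
    for p in parsed["phases"]:
        if p["result"] == "DROP":
            return p["phase"], p["type"], parsed["summary"].get("drop-reason", "")
    return None


def rule_attributes(phase):
    """key=value pairs from a phase's Additional Information (later duplicates win)."""
    return dict(KV_RE.findall(" ".join(phase["info"])))
```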

@philipvoceehs please recreate your VPN IP pool using a different network that is not the same as the internal network. Make sure you create the correct NAT rules etc and try again.

Hi @Rob Ingram 

I've changed it to 10.0.101.0 and set the range to 10.0.100.100-10.0.100.200. I amended your NAT rule's VPN_Pool object to 10.0.101.0 subnet 255.255.255.0.

No luck still.

@philipvoceehs what did you change? Those are in different networks: "I've changed it to 10.0.101.0 and set the range to 10.0.100.100-10.0.100.200."

Provide the updated configuration and run packet-tracer again.

@Rob Ingram updated config:

Result of the command: "show running-config"

: Saved

:
: Serial Number: JAD27200585
: Hardware: FPR-1010, 7204 MB RAM, CPU Atom C3000 series 2200 MHz, 1 CPU (4 cores)
:
ASA Version 9.16(2)3
!
hostname ciscoasa
enable password ***** pbkdf2
service-module 1 keepalive-timeout 4
service-module 1 keepalive-counter 6
!
license smart
feature tier standard
names
no mac-address auto
ip local pool VPN-IP-Range 10.0.101.100-10.0.101.200 mask 255.255.255.0

!
interface Vlan1
nameif inside
security-level 100
ip address 10.0.100.1 255.255.255.0
!
interface Ethernet1/1
no switchport
nameif outside
security-level 0
pppoe client vpdn group EHS
ip address pppoe setroute
!
interface Ethernet1/2
switchport
!
interface Ethernet1/3
switchport
!
interface Ethernet1/4
switchport
!
interface Ethernet1/5
switchport
!
interface Ethernet1/6
switchport
!
interface Ethernet1/7
switchport
power inline auto
!
interface Ethernet1/8
switchport
power inline auto
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.45.1 255.255.255.0
!
interface BVI1
no nameif
no security-level
no ip address
!
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 208.67.222.222 outside
name-server 208.67.220.220 outside
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network EHSDEVHWN01
host 10.0.100.207
object network EHS_BASELINE_VM
host 10.0.100.212
object network EHS_DEV_AUTOBUILD_VM
host 10.0.100.55
object network EHSDEVAPP01
host 10.0.100.208
object network EHSDEVAPP02
host 10.0.100.90
object network EHSDEVAPP03
host 10.0.100.96
object network EHSDEVSQL01
host 10.0.100.209
object network EHSDEVWEB01
host 10.0.100.210
object network STU_BUILD_VM
host 10.0.100.240
object network EHS_HYPERV_NODE
host 10.0.100.201
object network EHS_BACKUP_SERVER
host 10.0.100.203
object network EHS_PRIMARY_DC
host 10.0.100.200
object network EHS_SECONDARY_DC
host 10.0.100.219
object network EHS_VPN_SERVER
host 10.0.100.204
object network EHS_FILE_SERVER
host 10.0.100.205
object network EHS_ESET_SERVER
host 10.0.100.220
object network EHS_SQL_VM
host 10.0.100.66
object network DEVAGENT_01
host 10.0.100.47
object network DEVAGENT_02
host 10.0.100.64
object network DEVAGENT_03
host 10.0.100.65
object network DEVAGENT_04
host 10.0.100.43
object network ROUTER
host 10.0.100.1
object network EXTERNAL_IP
host EXTERNALIP
object service PPTP-srv
service tcp source eq pptp
object service https
service tcp source eq https
object service http
service tcp source eq www
object service ESET
service tcp source eq 2222
object service SVN
service tcp source eq 8443
object service MPWEB
service tcp source eq 8444
object network USA_CISCO_FIREWALL
host X.X.X.X
object network UK_CISCO_FIREWALL
host X.X.X.X
object network CANADA_CISCO_FIREWALL
host 162.252.169.71
object network USA_Network
subnet 192.168.1.0 255.255.255.0
object network NETWORK_OBJ_10.0.100.0_24
subnet 10.0.100.0 255.255.255.0
object network UK_HOSTED_NETWORK
subnet 10.0.1.0 255.255.255.0
object network UK_HOSTED_DC_CONTROLLER
host 10.0.1.19
object service RDP
service tcp source eq 3389
object network USA_HOSTED_DC_CONTROLLER
host 192.168.1.6
object network CANADA_INSIDE_NETWORK
subnet 10.0.101.0 255.255.255.0
object network CANADA_DOMAIN_CONTROLLER
host 10.0.101.10
object network EA_DOMAIN_CONTROLLER
host 10.0.1.5
object network UK_HOST_4
host 10.0.1.27
object network EHSUK_DATA_TRANSFER
host 10.0.1.31
object network NETWORK_OBJ_10.0.100.0_27
subnet 10.0.100.0 255.255.255.224
object network VPN-POOL
subnet 10.0.101.0 255.255.255.0
object-group network Development_Servers
network-object object EHSDEVAPP01
network-object object EHSDEVAPP02
network-object object EHSDEVAPP03
network-object object EHSDEVHWN01
network-object object EHSDEVSQL01
network-object object EHSDEVWEB01
network-object object EHS_BASELINE_VM
network-object object EHS_DEV_AUTOBUILD_VM
network-object object EHS_HYPERV_NODE
network-object object STU_BUILD_VM
network-object object DEVAGENT_01
network-object object DEVAGENT_02
network-object object DEVAGENT_03
network-object object DEVAGENT_04
object-group network Operational_Servers
network-object object EHS_BACKUP_SERVER
network-object object EHS_ESET_SERVER
network-object object EHS_HYPERV_NODE
network-object object EHS_PRIMARY_DC
network-object object EHS_SECONDARY_DC
network-object object EHS_VPN_SERVER
network-object object EHS_SQL_VM
object-group network Development_Agent_Servers
network-object object DEVAGENT_01
network-object object DEVAGENT_02
network-object object DEVAGENT_03
network-object object DEVAGENT_04
network-object object EHSDEVAPP01
network-object object EHSDEVAPP02
network-object object EHSDEVAPP03
network-object object EHSDEVWEB01
network-object object EHS_DEV_AUTOBUILD_VM
object-group service DM_INLINE_TCP_1 tcp
port-object eq www
port-object eq https
object-group service ESET_Server tcp
port-object eq 2222
object-group service SVN_Connection tcp
port-object eq 8443
object-group service Dev_MPWeb_External tcp
port-object eq 8444
object-group service DM_INLINE_SERVICE_3
service-object gre
service-object tcp
service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_1
group-object Development_Agent_Servers
group-object Development_Servers
object-group network All_Internal_Networks
network-object 10.0.100.0 255.255.255.0
object-group service DM_INLINE_SERVICE_2
service-object gre
service-object tcp destination eq https
service-object tcp destination eq pptp
object-group network DM_INLINE_NETWORK_2
group-object Development_Agent_Servers
group-object Development_Servers
object-group network DM_INLINE_NETWORK_3
network-object object EHS_PRIMARY_DC
network-object object EHS_SECONDARY_DC
object-group network DM_INLINE_NETWORK_4
network-object object EHS_PRIMARY_DC
network-object object EHS_SECONDARY_DC
object-group network DM_INLINE_NETWORK_5
network-object object EHS_PRIMARY_DC
network-object object EHS_SECONDARY_DC
object-group network DM_INLINE_NETWORK_6
network-object object EHS_PRIMARY_DC
network-object object EHS_SECONDARY_DC
object-group service RADIUS tcp
port-object eq 1812
port-object eq 1813
object-group network DM_INLINE_NETWORK_7
network-object object EHSUK_DATA_TRANSFER
network-object object UK_HOSTED_DC_CONTROLLER
access-list outside_access_in remark EHS VPN Connection
access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_2 any object EHS_VPN_SERVER
access-list outside_access_in extended permit tcp any object-group Development_Agent_Servers object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group SVN_Connection
access-list outside_access_in remark ESET Management Server incoming connections
access-list outside_access_in extended permit tcp any object EHS_ESET_SERVER object-group ESET_Server
access-list outside_access_in extended permit tcp any object EHSDEVAPP01 object-group Dev_MPWeb_External
access-list outside_access_in extended permit icmp any any
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit gre any any
access-list inside_access_in extended permit tcp any eq pptp any
access-list outside_cryptomap extended permit ip 10.0.100.0 255.255.255.0 object UK_HOSTED_NETWORK
access-list VPN_Filter extended permit ip object-group DM_INLINE_NETWORK_7 object-group DM_INLINE_NETWORK_3
access-list VPN_Filter extended permit ip object USA_HOSTED_DC_CONTROLLER object-group DM_INLINE_NETWORK_4
access-list VPN_Filter extended permit ip object CANADA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_5
access-list VPN_Filter extended permit ip object EA_DOMAIN_CONTROLLER object-group DM_INLINE_NETWORK_6
access-list outside_cryptomap_1 extended permit ip 10.0.100.0 255.255.255.0 object USA_Network
access-list outside_cryptomap_2 extended permit ip 10.0.100.0 255.255.255.0 object CANADA_INSIDE_NETWORK
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging timestamp
logging console debugging
logging trap warnings
logging asdm debugging
logging class auth console debugging asdm debugging
logging class session asdm debugging
logging class sys asdm debugging
logging class vpn console debugging asdm debugging
logging class vpnc console debugging asdm debugging
logging class webvpn console debugging asdm debugging
logging class svc console debugging asdm debugging
logging class dap console debugging asdm debugging
mtu inside 1500
mtu outside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static UK_HOSTED_NETWORK UK_HOSTED_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static USA_Network USA_Network no-proxy-arp route-lookup
nat (any,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static CANADA_INSIDE_NETWORK CANADA_INSIDE_NETWORK no-proxy-arp route-lookup
nat (inside,outside) source static EHS_VPN_SERVER interface service PPTP-srv PPTP-srv
nat (inside,outside) source static DM_INLINE_NETWORK_1 interface service https https
nat (inside,outside) source static DM_INLINE_NETWORK_2 interface service http http
nat (inside,outside) source static EHS_ESET_SERVER interface service ESET ESET
nat (inside,outside) source static EHSDEVAPP01 interface service SVN SVN
nat (inside,outside) source static EHSDEVAPP01 interface service MPWEB MPWEB
nat (inside,outside) source static NETWORK_OBJ_10.0.100.0_24 NETWORK_OBJ_10.0.100.0_24 destination static NETWORK_OBJ_10.0.100.0_27 NETWORK_OBJ_10.0.100.0_27 no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network VPN-POOL
nat (outside,outside) dynamic interface
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server EHSRADIUS protocol radius
aaa-server EHSRADIUS (inside) host 10.0.100.80
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 192.168.45.0 255.255.255.0 management
http 10.0.100.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AZURE-PROPOSAL
protocol esp encryption aes-256
protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal AES-256-SHA-512
protocol esp encryption aes-256
protocol esp integrity sha-512
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer X.X.X.X
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES AZURE-PROPOSAL
crypto map outside_map 2 match address outside_cryptomap
crypto map outside_map 2 set peer X.X.X.X
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-192-SHA ESP-AES-256-SHA ESP-DES-SHA
crypto map outside_map 2 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer EXTERNALIP
crypto map outside_map 3 set ikev2 ipsec-proposal AES-256-SHA-512
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA2
no validation-usage
crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.0.100.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpool policy
auto-import

-- OMITTED CERTS --

crypto ikev2 policy 1
encryption aes-256
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 2
encryption aes-256
integrity sha512
group 21
prf sha512
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 policy 40
encryption aes
integrity sha256
group 5
prf sha256
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 14
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 14
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 14
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 14
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha256
console timeout 0
vpdn group EHS request dialout pppoe
vpdn group EHS localname m594672@hg70.btclick.com
vpdn group EHS ppp authentication chap
vpdn username m594672@hg70.btclick.com password *****
dhcpd auto_config outside
!
dhcpd address 192.168.45.10-192.168.45.12 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside vpnlb-ip
webvpn
port 4433
enable outside
dtls port 4433
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/anyconnect-win-4.9.04043-webdeploy-k9.pkg 1
anyconnect profiles EHS disk0:/ehs.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
group-policy GroupPolicy_EHSVPN internal
group-policy GroupPolicy_EHSVPN attributes
wins-server none
dns-server value 10.0.100.200 8.8.8.8
vpn-access-hours none
vpn-simultaneous-logins 15
vpn-idle-timeout 60
vpn-session-timeout none
vpn-tunnel-protocol ssl-client ssl-clientless
group-lock value EHSVPN
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain value EHS
split-tunnel-all-dns enable
vlan none
security-group-tag none
webvpn
anyconnect profiles value EHS type user
group-policy GroupPolicy_EXTERNALIP internal
group-policy GroupPolicy_EXTERNALIP attributes
vpn-tunnel-protocol ikev2
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev1 ikev2
group-policy GroupPolicy_X.X.X.X internal
group-policy GroupPolicy_X.X.X.X attributes
vpn-filter value VPN_Filter
vpn-tunnel-protocol ikev2
dynamic-access-policy-record DfltAccessPolicy
webvpn
svc ask none default svc
username admin password ***** pbkdf2 privilege 15
tunnel-group DefaultRAGroup ipsec-attributes
ikev2 remote-authentication eap query-identity
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group X.X.X.X type ipsec-l2l
tunnel-group X.X.X.X general-attributes
default-group-policy GroupPolicy_X.X.X.X
tunnel-group X.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group EXTERNALIP type ipsec-l2l
tunnel-group EXTERNALIP general-attributes
default-group-policy GroupPolicy_EXTERNALIP
tunnel-group EXTERNALIP ipsec-attributes
ikev1 pre-shared-key *****
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
tunnel-group EHSVPN type remote-access
tunnel-group EHSVPN general-attributes
address-pool VPN-IP-Range
authentication-server-group EHSRADIUS
default-group-policy GroupPolicy_EHSVPN
tunnel-group EHSVPN webvpn-attributes
group-alias EHSVPN enable
!
class-map inspection_default
match default-inspection-traffic
class-map class_snmp
match port udp eq 4161
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect pptp
inspect icmp
class class_snmp
inspect snmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:9101bdcf396335572e766f20bde3a5c0
: end

Packet tracer output: 

Result of the command: "packet-tracer input outside tcp 10.0.100.15 3000 8.8.8.8 80 detailed"
 
Phase: 1
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 81.148.64.1 using egress ifc  outside
 
Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7ffaea442160, priority=11, domain=permit, deny=true
hits=58613, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=outside, output_ifc=any
 
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055bff6cfa416 flow (NA)/NA
 

@philipvoceehs you've changed the VPN ip pool but you've run the wrong packet-tracer.

Try this:-

packet-tracer input outside tcp 10.0.101.115 3000 8.8.8.8 80 detailed
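An added example, not code from either poster: a small Python checker that applies the reply's point before trusting a packet-tracer verdict. It confirms the trace's source address actually lies inside the `ip local pool` range a connected AnyConnect client would hold, and pulls out the first phase that dropped together with its Drop-reason code. The pool line and the abbreviated trace output are constructed samples in the ASA's own layout (the real pool range is not in this part of the thread).

```python
import ipaddress
import re

# Constructed sample input (not the thread's real pool): an "ip local pool" line as
# "show running-config" prints it, plus the wrong and the suggested packet-tracer.
POOL_LINE = "ip local pool VPN-IP-Range 10.0.101.100-10.0.101.120 mask 255.255.255.0"
WRONG_TRACE = "packet-tracer input outside tcp 10.0.100.15 3000 8.8.8.8 80 detailed"
RIGHT_TRACE = "packet-tracer input outside tcp 10.0.101.115 3000 8.8.8.8 80 detailed"

# Constructed, abbreviated trace output in the layout the ASA prints.
TRACE_OUTPUT = """Phase: 1
Type: INPUT-ROUTE-LOOKUP
Result: ALLOW

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP

Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0 flow (NA)/NA
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+)")
TRACE_RE = re.compile(r"^packet-tracer input (\S+) (\S+) (\S+) \d+ (\S+) \d+")

def pool_range(line):
    """Parse 'ip local pool NAME FIRST-LAST ...' into (name, first, last)."""
    m = POOL_RE.match(line)
    if not m:
        raise ValueError("not an ip local pool line: %r" % line)
    return m.group(1), ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))

def source_in_pool(trace_cmd, pool_line):
    """True only if the trace's source IP is one a connected VPN client could hold."""
    m = TRACE_RE.match(trace_cmd)
    if not m:
        raise ValueError("not a packet-tracer command: %r" % trace_cmd)
    _, first, last = pool_range(pool_line)
    return first <= ipaddress.ip_address(m.group(3)) <= last

def first_drop(output):
    """Return (phase, type, drop-reason code) of the first DROP phase, else None."""
    reason = re.search(r"^Drop-reason: \((\S+)\)", output, re.M)
    for block in re.split(r"\n\s*\n", output.strip()):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        if fields.get("Result") == "DROP":
            return fields["Phase"], fields.get("Type"), reason.group(1) if reason else None
    return None
```

A source outside the pool enters `outside` as an ordinary Internet host and meets the interface's implicit deny, so the trace says nothing about the VPN hairpin; only a trace with an in-pool source exercises the NAT and access-list path a client really takes.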