1. No split tunnel policy.

2. The routes are in place. The inside NIC of the ASA is directly connected to a L3 switch configured to point to the ASA inside IP as the next hop to 10.11.10.0/24.

I don't know if I need to specify an incoming ACL on the inside interface; I thought that by default the ASA should allow this coming from security level 100. I even removed any ACL but didn't make any difference. I also tried removing the "no proxy-arp" under the "nat" line but also didn't make any difference.

I feel that this has something to do with defining the internal subnets somewhere on the ASA because I already confirmed reachability towards 10.11.10.0/24 from the directly connected subnet. I just don't know if this is correct or where to add these subnets.

-MG

Do you have vpn filter define as well?

You do not have to define any internal subnets on the ASA, as long as you have a route towards those subnets, routing correctly via the inside interface, you already covered all the config on the ASA.

Where is these 2 internal subnets (177.1.10.0 & 177.1.11.0), is it directly connected to that L3 switch where the ASA inside interface is connected? Can you share topology diagram?

Yes, these are directly connected to the L3 switch as SVI's.

ASA-------Cat3560---SVI's: 177.1.10.0/24 & 177.1.10.11.0/24

If I do an extended ping sourcing these subnets, I cannot reach the 10.11.10.0/24. I can only reach up to the ASA's inside interface. The port the ASA is connected to on the switch is defined as a routed interface. On the ASA logs, I can see traffic FROM (as well as TO) these networks.

Packet captures on the VPN client show that these subnets don't reach the client at all.

MG

Sorry, I forgot to reply to your first question - no, I don't think I have any VPN filter defined. It's basically a clean ASA with only the Startup and VPN wizards producing the above configuration. I don't recall any part of the wizard where I was asked to define a filter, unless I missed it. This is all that's defined for the VPN portion:

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ssl trust-point ASDM_TrustPoint0 outside

webvpn

enable outside

anyconnect image disk0:/anyconnect-win-2.5.3055-k9.pkg 1

anyconnect enable

tunnel-group-list enable

group-policy GroupPolicy_usjabber internal

group-policy GroupPolicy_usjabber attributes

wins-server none

dns-server value 7.8.9.10

vpn-tunnel-protocol ssl-client

default-domain value test.local

username bill password JA36vKLZ8S2SqI2x encrypted
tunnel-group usjabber type remote-access
tunnel-group usjabber general-attributes

address-pool usjabber_pool

default-group-policy GroupPolicy_usjabber

tunnel-group usjabber webvpn-attributes

group-alias usjabber enable

!

If you change this line:

FROM:

nat (inside,outside) source static any any destination static  NETWORK_OBJ_10.11.10.0_24 NETWORK_OBJ_10.11.10.0_24 no-proxy-arp  route-lookup

TO:

nat (inside,outside) source static any any destination static  NETWORK_OBJ_10.11.10.0_24 NETWORK_OBJ_10.11.10.0_24

Then "clear xlate"

Does it work?

Sorry for the late reply. I finally proved that base config of SSLVPN Wizard by default allows me to access the remote clients from the LAN. The issue was a routing/switching config on the next-hop L3 switch. I wasn't sure at first if the cause of one-way VoIP audio between the VPN Clients and LAN was due to the ASA.

I did try removing the no-proxy-arp route-lookup without any difference in the traffic behaviour.

Thanks for the help.

MG