03-17-2018 06:51 PM - edited 03-12-2019 05:07 AM
Community,
I set up an ASA 5510 and when I connect to the VPN via AnyConnect, it connects, I get an IP (10.100.1.5 from the Mars_VPN pool) but then I cannot access other subnets. All of the subnets live on the firewall (all the ARP entries), so I know the FW has routes to each subnet because they're locally connected. I've tried everything I can think of to get it to work but am at a loss. I disabled the incoming ACL for the Group Policy I'm connected to and allowed the traffic in the firewall ACLs. I've configured the NAT so that any return traffic isn't getting NAT'ed to the outside IP (it remains as an internal IP). The downstream switch is not routing; it's only passing layer 2 traffic. I'll post the config. Can anyone see why I'm unable to connect to any other subnets when I'm connected to VPN? Thanks.
MarsASA# show run
: Saved
:
ASA Version 9.1(2)
!
hostname MarsASA
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
ip local pool Mgmt_Pool 10.100.0.10-10.100.0.20 mask 255.255.255.0
ip local pool Mars_Pool 10.100.1.5-10.100.1.10 mask 255.255.255.0
!
interface Ethernet0/0
description Outside
nameif Outside
security-level 0
ip address dhcp setroute
!
interface Ethernet0/1
speed 100
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/2
speed 100
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Ethernet0/3
speed 100
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Management0/0
nameif Management
security-level 50
ip address 10.0.0.1 255.255.255.0
!
interface Port-channel1
description Inside
speed 100
nameif Inside
security-level 100
ip address 10.1.0.1 255.255.255.248
!
interface Port-channel1.11
description Mars Mining Default Gateway
vlan 11
nameif MarsMining
security-level 50
ip address 10.10.1.1 255.255.255.0
!
interface Port-channel1.999
vlan 999
nameif Wireless
security-level 50
ip address 192.168.1.2 255.255.255.0
!
boot system disk0:/asa912-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
object network net_mars-mining
subnet 10.10.1.0 255.255.255.0
object network net_customer2
subnet 10.10.2.0 255.255.255.0
object network net_management
subnet 10.0.0.0 255.255.255.0
object network net_mars-vpn
subnet 10.100.1.0 255.255.255.0
object network 96.39.182.129
host 96.39.182.129
object network obj_outside
host 71.89.218.144
object network net_wireless
subnet 192.168.1.0 255.255.255.0
object network net_vpn-nets
subnet 10.100.0.0 255.255.0.0
object-group service DM_INLINE_UDP_1 udp
port-object eq bootpc
port-object eq bootps
access-list Inside_access_in extended permit ip any any
access-list Management_access_in extended permit ip object net_management object net_management
access-list MarsMining_access_in extended permit ip any any
access-list MarsMining_access_in extended permit icmp any any
access-list Outside_access_in extended permit icmp any any
access-list Outside_access_in extended permit udp any any object-group DM_INLINE_UDP_1
access-list DataNetworks standard permit 10.10.1.0 255.255.255.0
access-list DataNetworks standard permit 10.0.0.0 255.255.255.0
access-list MarsVPN_access_in extended permit ip any any
access-list MarsVPN_access_in extended permit icmp any any
access-list net_mgmt-vpn extended permit ip object net_management object net_management
access-list net_mgmt-vpn extended permit icmp any any
access-list Wireless_access_in extended deny ip object net_wireless object net_mars-mining
access-list Wireless_access_in extended deny ip object net_wireless object net_management
access-list Wireless_access_in extended permit ip any any
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
mtu Outside 1500
mtu Management 1500
mtu Inside 1500
mtu MarsMining 1500
mtu Wireless 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-762-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (any,Outside) source dynamic any interface
nat (any,Outside) source static any any destination static net_vpn-nets net_vpn-nets unidirectional
access-group Outside_access_in in interface Outside
access-group Management_access_in in interface Management
access-group Inside_access_in in interface Inside
access-group MarsMining_access_in in interface MarsMining
access-group Wireless_access_in in interface Wireless
route Outside 0.0.0.0 0.0.0.0 71.x.x.144 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Management
http 0.0.0.0 0.0.0.0 Inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Inside_map interface Inside
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
enrollment self
fqdn none
subject-name CN=10.0.0.1,CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=ciscoasa
keypair ASDM_LAUNCHER
crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
certificate ba24ac5a
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate bb24ac5a
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable Outside
crypto ikev2 remote-access trustpoint ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface Outside
dhcpd address 10.10.1.5-10.10.1.250 MarsMining
dhcpd dns 8.8.8.8 8.8.4.4 interface MarsMining
dhcpd lease 604800 interface MarsMining
dhcpd enable MarsMining
!
dhcpd address 192.168.1.10-192.168.1.20 Wireless
dhcpd dns 8.8.8.8 interface Wireless
dhcpd enable Wireless
!
threat-detection basic-threat
no threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management vpnlb-ip
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Management
webvpn
enable Outside
anyconnect image disk0:/anyconnect-win-4.4.02039-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.4.02039-webdeploy-k9.pkg 2
anyconnect enable
group-policy DfltGrpPolicy attributes
dns-server value 8.8.8.8 8.8.4.4
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client
group-policy MarsMiningGP internal
group-policy MarsMiningGP attributes
vpn-filter none
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value DataNetworks
address-pools value Mars_Pool
group-policy ManagementGP internal
group-policy ManagementGP attributes
vpn-filter value net_mgmt-vpn
vpn-tunnel-protocol ikev1 ikev2 ssl-client ssl-clientless
split-tunnel-policy excludespecified
split-tunnel-network-list value net_mgmt-vpn
address-pools value Mgmt_Pool
username admin password IidV0SWHsmTMyxaS encrypted privilege 15
username admin attributes
vpn-group-policy ManagementGP
username MarsAdmin password jlvAqDkai3L/3Zw0 encrypted
username MarsAdmin attributes
vpn-group-policy MarsMiningGP
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:71ae3ff739a9932f207acb9894f96a6c
: end
MarsASA#
03-18-2018 05:25 AM
Hi,
Try amending your identity nat rule to be bidirectional:
"nat (any,Outside) source static any any destination static net_vpn-nets net_vpn-nets unidirectional"
HTH
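The two NAT statements from the posted config, next to a corrected pair, as an added example that is not part of the thread. It assumes the interface, object and pool names from the posted configuration; the host 10.10.1.50 used in the packet-tracer check is a constructed address inside the MarsMining DHCP range.

```cisco
! Added example, not from the original post or reply. Interface and object
! names are taken from the posted config; 10.10.1.50 is a constructed host.
!
! --- As posted ---
! Manual NAT rules are matched top-down, first match wins. Rule 1 has no
! destination match, so every flow leaving Outside, including an inside host's
! reply to a VPN client (which is routed out Outside into the tunnel), is
! PAT'ed to the interface address before rule 2 is consulted. Rule 2 is also
! "unidirectional", so the VPN side (net_vpn-nets) cannot be the initiator.
nat (any,Outside) source dynamic any interface
nat (any,Outside) source static any any destination static net_vpn-nets net_vpn-nets unidirectional
!
! --- Corrected ---
! Remove both rules, then re-add the identity (NAT-exempt) rule at line 1 so it
! is evaluated before the dynamic PAT, and drop "unidirectional" so traffic in
! either direction between inside subnets and VPN clients bypasses PAT.
! no-proxy-arp and route-lookup are the usual options for an identity rule.
no nat (any,Outside) source static any any destination static net_vpn-nets net_vpn-nets unidirectional
no nat (any,Outside) source dynamic any interface
nat (any,Outside) 1 source static any any destination static net_vpn-nets net_vpn-nets no-proxy-arp route-lookup
nat (any,Outside) source dynamic any interface
!
! --- Check ---
! The reply path from a MarsMining host to the VPN address must show the
! identity rule in the NAT phase, not the dynamic PAT to the Outside address.
packet-tracer input MarsMining icmp 10.10.1.50 8 0 10.100.1.5 detailed
show nat detail
```

If the packet-tracer NAT phase still reports the dynamic rule, confirm with `show nat` that the identity rule is listed first.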