i added the management-access administration command. when i connect using anyconnect from outside, i am assigned 172.16.10.2 ip address. i need to connect to the 10.18 network when i am outside.

i am able to ping 10.18.1.120 from my remote machine. 

after adding the packet-tracer input command, this is my output

admin-firewall(config)# packet-tracer input administration icmp 10.18.1.121 8 $

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffec80d4f80, priority=1, domain=permit, deny=false
hits=23666, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=administration, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 172.16.10.1 255.255.255.255 outside

Phase: 3
Type: IP-OPTIONS
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffec80d9fc0, priority=0, domain=inspect-ip-options, deny=true
hits=139, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=administration, output_ifc=any

Phase: 4
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7ffec80d99e0, priority=66, domain=inspect-icmp-error, deny=false
hits=3, user_data=0x7ffec80d8f50, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0
dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, dscp=0x0
input_ifc=administration, output_ifc=any
Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (administration,outside) source static any any destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29 no-proxy-arp route-lookup
Additional Information:
Static translate 10.18.1.121/0 to 10.18.1.121/0
Forward Flow based lookup yields rule:
in id=0x7ffec829fde0, priority=6, domain=nat, deny=false
hits=2, user_data=0x7ffec829f2b0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=172.16.10.0, mask=255.255.255.248, port=0, dscp=0x0
input_ifc=administration, output_ifc=outside

Phase: 6
Type: WEBVPN-SVC
Subtype: out
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffec9c444d0, priority=71, domain=svc-ob-tunnel-flow, deny=false
hits=3, user_data=0x1000, cs_id=0x0, reverse, flags=0x0, protocol=0Phase: 7
Type: USER-STATISTICS
Subtype: user-statistics
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7ffec8e73a50, priority=0, domain=user-statistics, deny=false
hits=38, user_data=0x7ffec8e628c0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=any, output_ifc=outside

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 255, packet dispatched to next module
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 255, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_svc_ob_tunnel_flow
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: administration
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

i am now able to ping 10.18.1.121 which is my inside host. am i able to do the same for TCP and UDP so that i am able to access other services ?

Yes!! If you are able to ping any of the host behind the ASA then you should be able to access other hosts as well and as I do not see any filter applied in the group-policy, I believe you will be able to access any other port or services as well. 

I hope that this issue is resolved now. Let me know if it is not.

Thanks,
Vishnu

i do not know where i am going wrong here. i am only able to ping 10.18.1.120 (internal gateway) and 10.18.4.121 (inside host). im not able to ping other workstations. below is my current config

: Saved
: Written by enable_15 at 09:07:39.788 UTC Tue Oct 18 2016
!
ASA Version 8.6(1)2
!
hostname admin-firewall
names
!
interface GigabitEthernet0/0
nameif administration
security-level 100
ip address 10.18.1.120 255.255.0.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 10.17.13.120 255.255.0.0
!
interface GigabitEthernet0/2
nameif admin-out13
security-level 0
ip address 10.13.1.120 255.255.0.0
!
interface GigabitEthernet0/3
nameif ip_phones
security-level 0
ip address 10.90.100.120 255.255.0.0
!
interface Management0/0
nameif management
security-level 10
ip address 10.1.13.120 255.255.0.0
management-only
!
ftp mode passive
object network NETWORK_OBJ_172.16.10.0_29
subnet 172.16.10.0 255.255.255.248
object network Admin_Email_Server
host 10.18.4.120
description admin email server
object network Admin_Srv_Farm
subnet 10.18.4.0 255.255.255.0
description subenet where admin servers are hosted
object-group icmp-type ICMP_Group
icmp-object alternate-address
icmp-object conversion-error
icmp-object echo
icmp-object echo-reply
icmp-object information-reply
icmp-object information-request
icmp-object mask-reply
icmp-object mask-request
icmp-object mobile-redirect
icmp-object parameter-problem
icmp-object redirect
icmp-object router-advertisement
icmp-object router-solicitation
icmp-object source-quench
icmp-object time-exceeded
icmp-object timestamp-reply
icmp-object timestamp-request
icmp-object traceroute
icmp-object unreachable
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group protocol Admin_vpn_accepT
protocol-object ip
protocol-object icmp
protocol-object udp
protocol-object tcp
access-list Internal_LAN remark VPN address pool
access-list Internal_LAN standard permit 172.16.10.0 255.255.255.0
access-list Split_Tunnel standard permit any
pager lines 24
logging enable
logging asdm informational
mtu administration 1500
mtu outside 1500
mtu admin-out13 1500
mtu ip_phones 1500
mtu management 1500
ip local pool ADMIN_VPN_POOL 172.16.10.1-172.16.10.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-66114.bin
no asdm history enable
arp timeout 14400
nat (administration,outside) source static any any destination static NETWORK_OBJ_172.16.10.0_29 NETWORK_OBJ_172.16.10.0_29 no-proxy-arp route-lookup
route outside 172.16.10.0 255.255.255.0 10.18.1.120 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.18.0.0 255.255.0.0 administration
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=admin-firewall
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate ba34f657
308202ec 308201d4 a0030201 020204ba 34f65730 0d06092a 864886f7 0d010105
05003038 31173015 06035504 03130e61 646d696e 2d666972 6577616c 6c311d30
1b06092a 864886f7 0d010902 160e6164 6d696e2d 66697265 77616c6c 301e170d
31363130 31313132 34383031 5a170d32 36313030 39313234 3830315a 30383117
30150603 55040313 0e61646d 696e2d66 69726577 616c6c31 1d301b06 092a8648
86f70d01 0902160e 61646d69 6e2d6669 72657761 6c6c3082 0122300d 06092a86
4886f70d 01010105 00038201 0f003082 010a0282 010100b0 ca99c579 e8d9ebd8
a870fb07 183e42c6 2ddc7f6d f8a11577 a2c2ee38 34828e99 47f93715 79151ce3
3ae538f7 a5f3099d 33c7f986 1f8fb63f e7153a5f 4f8f6b7a f9bbd761 25ae685c
2b8171f6 2cbf12b4 b816733d f43a0ee4 9ed850b7 ad927697 7652901f a6e57d0f
3e7da2d0 966623a7 c77f2566 f7a46713 5444b5a1 189513ac fe94fc38 f66cdf73
462cf1f3 b9e3a470 cb37d33f 7b768f4f 7a9e8cf2 adc723ca a92aa1a0 80b9ac83
e92e3af6 97fb719d c9d38ec0 642cbd39 b435c34a 296bb884 a11066d9 c9f5b457
29e14723 71bc8b1d 4e3b1a3b 0901cea8 46447858 84b5e901 5e7ebccb 3261df11
b6c8f01c acfabfc8 4c0dae80 e5c7d278 aaef9ea9 362f4102 03010001 300d0609
2a864886 f70d0101 05050003 82010100 5de504ce ae4627e6 d3831c41 19ddae55
7b4aa183 67474ec6 7f7adc7f 87ab51f5 07762dc5 00bc095e a1c45b65 b3e3e620
695ca449 3bce1d42 fb682729 01888fc4 c77d271a 19742090 c23a0ac9 b7c41745
78ada8de 91eb2713 01473583 8ecddc83 c106af28 8946aab4 73d2110a a2f2d720
e9ad1a69 66e2e440 c7a641af d8a61f9f 00c2cd1a 6896e8f0 1e0e6c33 49b68b62
9bac6bf6 58d0c1df 9abe04da 6807a113 e65880c2 14a61e08 52674c56 e1f97ed7
73aec49d 8af6b7b1 81f11b4f bf397a67 7b2c0c59 fb02c439 2453f58d 3040070b
ec741cb4 b80e8092 bdfa84de 59576af8 0c01c80d 6b159c6c 769f4b0f b88a2ba1
c6a2eed2 46960107 de78b555 1a932d03
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet timeout 5
ssh timeout 5
console timeout 0
management-access administration
dhcpd address 10.90.100.1-10.90.100.100 ip_phones
dhcpd dns 4.2.2.2 8.8.8.8 interface ip_phones
dhcpd lease 1800 interface ip_phones
dhcpd domain uz.ac.zw interface ip_phones
dhcpd option 3 ip 10.90.1.254 interface ip_phones
dhcpd enable ip_phones
!
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 outside
webvpn
enable outside
anyconnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
anyconnect image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
anyconnect profiles ITADMIN_VPN_client_profile disk0:/ITADMIN_VPN_client_profile.xml
anyconnect enable
tunnel-group-list enable
group-policy GroupPolicy_ITADMIN_VPN internal
group-policy GroupPolicy_ITADMIN_VPN attributes
wins-server none
dns-server value 10.18.4.120 10.50.7.178
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Internal_LAN
default-domain value uz.ac.zw
webvpn
anyconnect profiles value ITADMIN_VPN_client_profile type user
username webster password xxxxxxxxxxxx encrypted
username webster attributes
service-type remote-access
username admin password xxxxxxxxxxxx encrypted privilege 15
username admin attributes
service-type remote-access
tunnel-group ITADMIN_VPN type remote-access
tunnel-group ITADMIN_VPN general-attributes
address-pool ADMIN_VPN_POOL
default-group-policy GroupPolicy_ITADMIN_VPN
tunnel-group ITADMIN_VPN webvpn-attributes
group-alias ITADMIN_VPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:469b2b3c02371ef54ce5cae174b6678c

Hi,

On your downstream switch that is connecting your inside network do you have a reverse route for the Anyconnect pool.

Try adding the following route on the switch/router:

ip route 172.16.10.0 255.255.255.0 10.18.1.120

Regards,

Aditya

Please rate helpful posts and mark correct answers.

so should i  do this on my ASA firewall since it is connecting to my 10.18 network ?

admin-firewall(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is not set

S 172.16.10.2 255.255.255.255 [1/0] via 10.17.13.121, outside
C 10.18.0.0 255.255.0.0 is directly connected, administration
C 10.17.0.0 255.255.0.0 is directly connected, outside
C 10.90.0.0 255.255.0.0 is directly connected, ip_phones
admin-firewall(config)#

so i need 172.16.10 to access 10.18.0.0 network.