Help with %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows

stownsend
Level 2
I'm getting a ton of these guys in my syslog:
%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.205.0.11(unresolved)/137 dst outside:10.205.0.255(unresolved)/137 denied due to NAT reverse path failure

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.183/<port> dst outside:10.11.3.8/<port> denied due to NAT reverse path failure
In looking for info on this, everyone seems to point to adding something like this:
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 10.205.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.205.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.205.0.0 255.255.0.0 10.11.0.0 255.255.0.0
access-list inside_nat0_outbound extended permit ip 10.205.0.0 255.255.0.0 10.205.0.0 255.255.0.0

nat (inside) 0 access-list inside_nat0_outbound
So when I do I get:
ERROR: This syntax of nat command has been deprecated.
Please refer to "help nat" command for more details.
I'm running: Cisco Adaptive Security Appliance Software Version 8.3(2)

I do have the Following:

object-group network REMOTE_NETWORK
 network-object object NETWORK-OLIVET
 network-object object NETWORK-SSLVPN-POOL
 network-object object NETWORK-SCOTT
object-group network LOCAL_NETWORK
 network-object object NETWORK-HEAD
 network-object object NETWORK-SALES
 network-object object NETWORK-TRAINING
nat (inside,any) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK

where OLIVET is 10.11, SSL is 10.205, HEAD is 10.1

What gives?
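As an added example, not part of the original post: a small Python triage script for exactly this situation, a syslog full of %ASA-5-305013 lines. It pulls the protocol, interfaces and addresses out of each message and counts them by path (protocol, ingress interface, egress interface) and by network pair, and flags hairpin (same-interface) flows and broadcast destinations, so you can see which interface pair and which subnets the asymmetric match involves before touching the NAT table. The sample lines are constructed from the two messages quoted above (the ports, the repeat, the unrelated fourth line and the timestamp/device-id prefix are made up), and grouping by /16 is an assumption based on the site networks in this thread.

```python
"""Triage %ASA-5-305013 syslog messages (added example, not from the post)."""
import ipaddress
import re
from collections import Counter

# Message body as shown in the post. The "(unresolved)" name suffix and the
# redacted "<port>" token both occur in the quoted lines, so the pattern
# tolerates an optional parenthesised name and any non-space port text.
MSG_RE = re.compile(
    r"%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; "
    r"Connection for (?P<proto>\w+) "
    r"src (?P<src_ifc>[\w-]+):(?P<src_ip>\d+\.\d+\.\d+\.\d+)(?:\([^)]*\))?/(?P<src_port>\S+) "
    r"dst (?P<dst_ifc>[\w-]+):(?P<dst_ip>\d+\.\d+\.\d+\.\d+)(?:\([^)]*\))?/(?P<dst_port>\S+) "
    r"denied due to NAT reverse path failure"
)

# Assumption: every site network in this thread is a /16, so that is the
# grouping key used for the "by network pair" summary.
SUMMARY_PREFIX = 16

# Constructed sample: the first two messages are the ones quoted in the post
# (with made-up ports), the third is a repeat, the fourth is an unrelated
# message. The timestamp / device-id prefix is an assumed syslog layout.
SAMPLE_LOG = """\
Jan 10 2011 08:12:01 corp : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for udp src outside:10.205.0.11(unresolved)/137 dst outside:10.205.0.255(unresolved)/137 denied due to NAT reverse path failure
Jan 10 2011 08:12:03 corp : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.183/51022 dst outside:10.11.3.8/445 denied due to NAT reverse path failure
Jan 10 2011 08:12:04 corp : %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside:10.1.0.183/51023 dst outside:10.11.3.8/445 denied due to NAT reverse path failure
Jan 10 2011 08:12:05 corp : %ASA-6-302013: Built outbound TCP connection 1234 for outside-100:198.51.100.7/80 (198.51.100.7/80) to inside:10.1.0.50/40001 (100.123.234.190/40001)
"""


def parse_305013(line):
    """Return the fields of one 305013 message, or None for any other line."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Same ingress and egress interface: the flow is being hairpinned.
    rec["hairpin"] = rec["src_ifc"] == rec["dst_ifc"]
    # Crude broadcast check, enough for the /24 VPN pool seen in the post.
    rec["broadcast_dst"] = rec["dst_ip"].endswith(".255")
    rec["src_net"] = str(ipaddress.ip_network(f"{rec['src_ip']}/{SUMMARY_PREFIX}", strict=False))
    rec["dst_net"] = str(ipaddress.ip_network(f"{rec['dst_ip']}/{SUMMARY_PREFIX}", strict=False))
    return rec


def summarize(log_text):
    """Count 305013 denials by path and by network pair; return (by_path, by_nets, flags)."""
    by_path, by_nets, flags = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_305013(line)
        if rec is None:
            continue
        by_path[(rec["proto"], rec["src_ifc"], rec["dst_ifc"])] += 1
        by_nets[(rec["src_net"], rec["dst_net"])] += 1
        if rec["hairpin"]:
            flags["hairpin"] += 1
        if rec["broadcast_dst"]:
            flags["broadcast_dst"] += 1
    return by_path, by_nets, flags


if __name__ == "__main__":
    by_path, by_nets, flags = summarize(SAMPLE_LOG)
    print("denials by (proto, src_ifc, dst_ifc):")
    for key, n in by_path.most_common():
        print(f"  {n:5d}  {key}")
    print("denials by (src_net, dst_net):")
    for key, n in by_nets.most_common():
        print(f"  {n:5d}  {key}")
    print("flags:", dict(flags))
```

Feed it the output of the syslog server (here `logging host inside 10.1.0.12`) and the largest bucket in the first table tells you which `nat (ingress,egress)` pair to look at; a hairpin bucket on the outside interface pointing at a .255 address, like the first quoted line, is VPN-client broadcast traffic rather than site-to-site traffic and deserves separate treatment.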

8 Replies

Jennifer Halim
Cisco Employee

Yes, "NAT 0 with access-list" is the old way of doing NAT and is only supported on version 8.2 and below.

The new version 8.3 and above supports the NAT object now.

Can I assume that the REMOTE_NETWORK object group is routed out the "outside" interface?

If it is, here is my recommendation, i.e. use a specific interface name instead of "any", as "any" can cause issues with the asymmetric NAT error:

nat (inside,outside) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK

no nat (inside,any) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK


Then "clear xlate".

Hope that helps.

Thank you for your reply!

Okay, I did notice that before, though I think this might add another wrinkle to the situation. We have two public Class C address spaces. I have them both terminated to the ASA: Outside-100 and Outside-101, same security level. Though I just now added the 'same-security-traffic permit inter-interface' command.

I did add in a nat (inside,outside-101) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK

though I did leave in the (inside, any)

I'll see what it looks like with:

same-security-traffic permit inter-interface

no nat (inside, any)  source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK

nat (inside, outside-100)  source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK

nat (inside, outside-101)  source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK

clear xlate

Thanks!

You don't really need the command: same-security-traffic permit inter-interface

That command is only required if you would like to communicate between interfaces that have the same security level, i.e. communicate between your 2 external interfaces.

Thank you again for your reply... This has been stressing me out for a while now and My head hurts from all of the banging!

I thought that the same-security command might help out in another situation.

I'm about to give up on our second public subnet terminated to the same ASA. So when in the lab I place a remote ASA/PIX on subnet Outside-100, though the VPN terminates on subnet Outside-101, outside-101 has a hard time talking to the static IP on Outside-100. I end up having to put a route in for the static.

Anyway. Adding the Specific NAT commands for Inside to Outside-100 and Outside-101 didn't seem to fix the issue.

Some other info.

%ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src inside: dst outside-101: denied due to NAT reverse path failure

They are always src inside: dst outside-101:

Any Originating Traffic from to seems to get denied.

So I cannot access the server at the Remote Office, though the Remote Office can access the Corp Office... So I fear that I don't have the VPN setup 100% either. )-:

I'll see if I can sanitize some configs.

I appreciate your help!
Scott

Here are my Configs.

Thank you....

Corp Office Config

ASA Version 8.3(2)
!
hostname Corp-Office
names
name 10.1.0.0 NETWORK-CORP
name 10.10.0.0 NETWORK-HA
name 10.11.0.0 NETWORK-OLIVET
name 10.12.0.0 NETWORK-235HBG
name 10.13.0.0 NETWORK-FITCH
name 10.2.0.0 NETWORK-SALES
name 10.100.0.0 NETWORK-IPSec-POOL description IPSec DHCP Pool
name 10.6.0.0 NETWORK-TRAINING
name 10.205.0.0 NETWORK-SSLVPN-POOL description SSL VPN Client DHCP Pool
dns-guard
!
interface Ethernet0/0
 description 100 Network Outside IP
 nameif outside-100
 security-level 0
 ip address 100.123.234.16 255.255.255.0
!
interface Ethernet0/1
 description 101 Network Outside IP
 nameif outside-101
 security-level 0
 ip address 101.123.234.3 255.255.255.0
!
interface Ethernet0/2
 description inside
 nameif inside
 security-level 100
 ip address 10.1.0.3 255.255.0.0
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.1.0.6
 name-server 10.1.0.8
 domain-name ADDCDOMAIN.com
object network NETWORK-235HBG
 subnet 10.12.0.0 255.255.0.0
object network NETWORK-FITCH
 subnet 10.13.0.0 255.255.0.0
object network NETWORK-HA
 subnet 10.10.0.0 255.255.0.0
object network NETWORK-CORP
 subnet 10.1.0.0 255.255.0.0
 description Healdsburg Network
object network NETWORK-OLIVET
 subnet 10.11.0.0 255.255.0.0
object network NETWORK-SALES
 subnet 10.2.0.0 255.255.0.0
object network NETWORK-TRAINING
 subnet 10.6.0.0 255.255.0.0
object network NETWORK-SSLVPN-POOL
 subnet 10.205.0.0 255.255.0.0
 description SSL VPN Client DHCP Pool
object network NETWORK-OLIVET2
 subnet 10.11.0.0 255.255.0.0
 description NETWORK-OLIVET2
object network NETWORK-ADMIN
 subnet 10.12.0.0 255.255.255.0
object network NETWORK-HA-SSLVPN-POOL
 subnet 10.210.0.0 255.255.0.0
 description HA SSL VPN Client DHCP Pool
object network NETWORK-OLIVET-SSLVPN-POOL
 subnet 10.211.0.0 255.255.0.0
 description Olivet SSL VPN Client DHCP Pool
object network NETWORK-FITCH-SSLVPN-POOL
 subnet 10.213.0.0 255.255.0.0
 description Fitch SSL VPN Client DHCP Pool
object network 100.123.234-NAT-POOL
 range 100.123.234.190 100.123.234.225
object network vsvr-www-eandm_o
 host 100.123.234.189
 description Intranet Webserver
object network OUR_o
 host 100.123.234.12
 description CA-Syslog Server
object network OUR_i
 host 10.1.0.12
 description CA-Syslog Server
object network vsvr-exch2010_o
 host 100.123.234.15
 description Exchange 2010 Mail Server
object network vsvr-exch2010_i
 host 10.1.1.15
object network secure.norcal.wonderware.com_o
 host 100.123.234.176
 description WWNC Secure Website IP Address
object network secure.norcal.wonderware.com_i
 host 10.1.1.161
object network 101.123.234-NAT-POOL
 range 101.123.234.50 101.123.234.254
object network DNS_SERVER_o
 host 100.123.234.14
 description Public DNS Server
object network DNS_SERVER_i
 host 10.1.0.14
object network NETWORK-MEINZ
 subnet 10.16.0.0 255.255.0.0
object-group network NETWORK-FITCH-ALL
 network-object object NETWORK-FITCH
object-group network NETWORK-OLIVET-ALL
 network-object object NETWORK-OLIVET
object-group network NETWORK-235ALL
 network-object object NETWORK-235HBG
object-group network NETWORK-HA-ALL
 network-object object NETWORK-HA
object-group network LOCAL_NETWORK_REMOTE_VPN
 network-object object NETWORK-CORP
 network-object object NETWORK-SALES
 network-object object NETWORK-TRAINING
 network-object object NETWORK-OLIVET
 network-object object NETWORK-HA
 network-object object NETWORK-FITCH
 network-object object NETWORK-235HBG
 network-object object NETWORK-FITCH-SSLVPN-POOL
 network-object object NETWORK-HA-SSLVPN-POOL
 network-object object NETWORK-OLIVET-SSLVPN-POOL
 network-object object NETWORK-OLIVET2
 network-object object NETWORK-MEINZ
object-group network REMOTE_NETWORK
 network-object object NETWORK-OLIVET
 network-object object NETWORK-SSLVPN-POOL
 network-object object NETWORK-OLIVET2
 network-object object NETWORK-MEINZ
object-group network LOCAL_NETWORK
 network-object object NETWORK-CORP
 network-object object NETWORK-SALES
 network-object object NETWORK-TRAINING
object-group network NETWORK-MEINZ-ALL
 network-object object NETWORK-MEINZ
access-list SSLVPN-SplitTunnel extended permit ip object-group LOCAL_NETWORK_REMOTE_VPN object NETWORK-SSLVPN-POOL
access-list SSLVPN-SplitTunnel extended permit ip object NETWORK-SSLVPN-POOL object-group LOCAL_NETWORK_REMOTE_VPN
access-list outside-100_access_in extended permit icmp 100.123.234.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside-100_access_in extended permit udp any object DNS_SERVER_o eq domain
access-list outside-100_access_in extended permit tcp any object DNS_SERVER_o eq domain
access-list outside-100_access_in extended permit tcp any object DNS_SERVER_i eq domain
access-list outside-100_access_in extended permit udp any object DNS_SERVER_i eq domain
access-list Meinz_cryptomap extended permit ip object-group LOCAL_NETWORK object NETWORK-MEINZ log debugging
access-list outside-101_access_in extended permit icmp 101.123.234.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list outside-101_access_in extended permit icmp any any
pager lines 54
logging enable
logging timestamp
logging list xlate-log message 202001
logging list xlate-log message 305009-305012
logging list SMTP-log message 108002
logging list startup-log message 199001-199005
logging list GRE-log message 302017-302018
logging list verifycertdn-log message 320001
logging list IDS-log message 400000-400050
logging list sa-log message 602201
logging list sa-log message 602301-602302
logging list VPNCLIENT-log message 611301-611323
logging list ISAKMP-log message 702201-702212
logging list IPSecConnect-log message 113019
logging list MISC-Log message 713900-713906
logging list NACPolicy level warnings class nacpolicy
logging list All-Notifications level notifications
logging console notifications
logging monitor informational
logging buffered debugging
logging trap informational
logging asdm warnings
logging mail warnings
logging device-id string corp
logging host outside-100 OUR_o
logging host inside 10.1.0.12
logging debug-trace
logging permit-hostdown
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
logging message 305012 level warnings
logging message 305011 level warnings
logging message 305010 level warnings
logging message 305009 level warnings
logging message 302013 level warnings
mtu outside-100 1500
mtu outside-101 1500
mtu inside 1500
mtu management 1500
ip local pool SSLVPN-IP-POOL NETWORK-SSLVPN-POOL-10.205.0.255 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside-100
icmp permit any inside
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (inside,any) source static NETWORK-CORP NETWORK-CORP destination static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (inside,outside-100) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK description Do Not NAT Traffic to-from Remtoe LANs
nat (inside,outside-101) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK description Do Not NAT Traffic to-from Remtoe LANs
nat (inside,outside-100) source dynamic any 100.123.234-NAT-POOL interface
nat (inside,outside-101) source dynamic any 101.123.234-NAT-POOL interface
nat (outside-100,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static REMOTE_NETWORK REMOTE_NETWORK
nat (outside-100,any) source static REMOTE_NETWORK REMOTE_NETWORK
!
object network DNS_SERVER_i
 nat (inside,outside-100) static DNS_SERVER_o
access-group outside-100_access_in in interface outside-100
access-group outside-101_access_in in interface outside-101
route outside-100 0.0.0.0 0.0.0.0 100.123.234.1 2
route inside NETWORK-SALES 255.255.0.0 10.1.0.11 1
route inside NETWORK-TRAINING 255.255.0.0 10.1.0.11 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ADDCDOMAIN-R protocol radius
aaa-server ADDCDOMAIN-R (inside) host 10.1.0.6
 key key
 radius-common-pw
aaa authentication ssh console LOCAL
http server enable
http NETWORK-CORP 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set nat-t-disable
crypto dynamic-map olivet.ADDCDOMAIN.com 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map meinz.home 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside-100_map 2 ipsec-isakmp dynamic olivet.ADDCDOMAIN.com
crypto map outside-100_map 3 ipsec-isakmp dynamic meinz.home
crypto map outside-100_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-100_map interface outside-100
crypto map outside-101_map 2 ipsec-isakmp dynamic olivet.ADDCDOMAIN.com
crypto map outside-101_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside-101_map interface outside-101
crypto ca trustpoint OUR-CA
 enrollment url http://10.1.0.222:80//certsrv/mscep/mscep.dll
 fqdn corp.ADDCDOMAIN.com
 crl configure
crypto ca certificate chain OUR-CA
 certificate ca 3a0dc5ed0429b8a942b7ef1bfd21ab59
  quit
 certificate 27bf22f600000000000a
  quit
crypto isakmp identity address
crypto isakmp enable outside-100
crypto isakmp enable outside-101
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet NETWORK-CORP 255.255.255.0 inside
telnet timeout 25
ssh timeout 5
console timeout 0
management-access management
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.1.0.6 source inside
ntp server 10.1.0.8 source inside prefer
ntp server 192.6.38.127 source outside-100 prefer
ssl trust-point OUR-CA outside-101
ssl trust-point OUR-CA outside-100
webvpn
 enable outside-100
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.5.2006-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-macosx-i386-2.5.2011-k9.pkg 2 regex "Intel Mac OS X"
 svc profiles SSLVPNProfile disk0:/sslvpnprofile.xml
 svc enable
group-policy SSLVPNGrpPolicy internal
group-policy SSLVPNGrpPolicy attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN-SplitTunnel
 split-dns value ADDCDOMAIN.com
 webvpn
  svc profiles value SSLVPNProfile type user
group-policy DfltGrpPolicy attributes
 wins-server value 10.1.0.6 10.1.0.8
 dns-server value 10.1.0.6 10.1.0.8
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value ADDCDOMAIN.com
 webvpn
  svc ask none default svc
group-policy RemoteASA5505 internal
group-policy RemoteASA5505 attributes
 vpn-tunnel-protocol IPSec
group-policy RemotePIX501 internal
group-policy RemotePIX501 attributes
 vpn-tunnel-protocol IPSec
 pfs enable
 ipsec-udp enable
service-type admin
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 address-pool SSLVPN-IP-POOL
 authentication-server-group ADDCDOMAIN-R
 default-group-policy SSLVPNGrpPolicy
tunnel-group SSL-VPN webvpn-attributes
 group-alias sslvpn enable
 group-url https://100.123.234.16/sslvpn enable
 group-url https://corp.ADDCDOMAIN.com/sslvpn enable
tunnel-group olivet.ADDCDOMAIN.com type ipsec-l2l
tunnel-group olivet.ADDCDOMAIN.com general-attributes
 default-group-policy RemoteASA5505
tunnel-group olivet.ADDCDOMAIN.com ipsec-attributes
 pre-shared-key ourkey
tunnel-group meinz.home.ADDCDOMAIN.com type ipsec-l2l
tunnel-group meinz.home.ADDCDOMAIN.com general-attributes
 default-group-policy RemoteASA5505
tunnel-group meinz.home.ADDCDOMAIN.com ipsec-attributes
 pre-shared-key ourotherkey
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
service call-home
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b0443758accc28d2695521d4feb41e07
: end


Remote Office Config (this is pretty close, though since I cannot grab a copy from Corp at the moment it might be a bit off):

ASA Version 8.3(2)
!
hostname OLIVET
names
name 10.1.0.0 NETWORK-CORP
name 10.10.0.0 NETWORK-HA
name 10.11.0.0 NETWORK-OLIVET
name 10.12.0.0 NETWORK-235HBG
name 10.13.0.0 NETWORK-FITCH
name 10.2.0.0 NETWORK-SALES
name 10.6.0.0 NETWORK-TRAINING
name 10.205.0.0 NETWORK-SSLVPN-POOL description SSL VPN Client DHCP Pool
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.11.0.1 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 no ip address
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.11.0.6
 name-server 10.1.0.6
 domain-name haydon-mill.com
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network NETWORK-235HBG
 subnet 10.12.0.0 255.255.0.0
object network NETWORK-FITCH
 subnet 10.13.0.0 255.255.0.0
object network NETWORK-HA
 subnet 10.10.0.0 255.255.0.0
object network NETWORK-CORP
 subnet 10.1.0.0 255.255.0.0
object network NETWORK-SALES
 subnet 10.2.0.0 255.255.0.0
object network NETWORK-TRAINING
 subnet 10.6.0.0 255.255.0.0
object network NETWORK-OLIVET
 subnet 10.11.0.0 255.255.0.0
object network NETWORK-OLIVET2
 subnet 10.11.0.0 255.255.0.0
object network NETWORK-LOCAL-SSLVPN-POOL
 subnet 10.211.0.0 255.255.0.0
 description OLIVET SSL VPN Client DHCP Pool
object network NETWORK-HA-SSLVPN-POOL
 subnet 10.210.0.0 255.255.0.0
 description HA SSL VPN Client DHCP Pool
object network NETWORK-OLIVET-SSLVPN-POOL
 subnet 10.211.0.0 255.255.0.0
 description OLIVET SSL VPN Client DHCP Pool
object network NETWORK-FITCH-SSLVPN-POOL
 subnet 10.213.0.0 255.255.0.0
 description Fitch SSL VPN Client DHCP Pool
object network NETWORK-CORP-SSLVPN-POOL
 subnet 10.205.0.0 255.255.0.0
 description Healdsburg SSL VPN Client DHCP Pool
object network NETWORK-LOCAL-ADMIN
 subnet 10.11.0.0 255.255.255.0
object-group network NETWORK_LOCAL
 description Local Networks
 network-object object NETWORK-OLIVET
 network-object object NETWORK-OLIVET2
object-group network NETWORK_REMOTE
 description Remote Networks
 network-object object NETWORK-HA
 network-object object NETWORK-FITCH
 network-object object NETWORK-235HBG
 network-object object NETWORK-LOCAL-SSLVPN-POOL
 network-object object NETWORK-OLIVET-SSLVPN-POOL
 network-object object NETWORK-CORP
 network-object object NETWORK-SALES
 network-object object NETWORK-TRAINING
access-list outside_cryptomap_1 extended permit ip object NETWORK-OLIVET object-group NETWORK_REMOTE
access-list outside_cryptomap_1 extended permit ip object NETWORK-OLIVET2 object-group NETWORK_REMOTE
access-list SSLVPN-SplitTunnel extended permit ip object NETWORK-OLIVET-SSLVPN-POOL object-group NETWORK_LOCAL
pager lines 54
logging enable
logging timestamp
logging list xlate-log message 202001
logging list xlate-log message 305009-305012
logging list SMTP-log message 108002
logging list startup-log message 199001-199005
logging list GRE-log message 302017-302018
logging list verifycertdn-log message 320001
logging list IDS-log message 400000-400050
logging list sa-log message 602201
logging list sa-log message 602301-602302
logging list VPNCLIENT-log message 611301-611323
logging list ISAKMP-log message 702201-702212
logging list IPSecConnect-log message 113019
logging list MISC-Log message 713900-713906
logging console notifications
logging monitor informational
logging buffered debugging
logging trap informational
logging asdm warnings
logging mail warnings
logging device-id hostname
logging debug-trace
logging permit-hostdown
no logging message 305012
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 304001
no logging message 609002
no logging message 609001
no logging message 302016
no logging message 302021
no logging message 302020
logging message 305012 level warnings
logging message 305011 level warnings
logging message 305010 level warnings
logging message 305009 level warnings
logging message 302013 level warnings
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool SSLVPN-IP-POOL NETWORK-OLIVET-SSLVPN-POOL-10.211.0.10 mask 255.255.0.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
nat (outside,any) source static NETWORK-LOCAL-SSLVPN-POOL NETWORK-LOCAL-SSLVPN-POOL
nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK-LOCAL-SSLVPN-POOL NETWORK-LOCAL-SSLVPN-POOL
nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE description No not NAT traffic to/from Remote Networks
nat (outside,any) source static NETWORK_REMOTE NETWORK_REMOTE
nat (inside,outside) source static NETWORK_LOCAL NETWORK_LOCAL
!
object network obj_any
 nat (inside,outside) dynamic interface
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ADDCDOMAIN-R protocol radius
aaa-server ADDCDOMAIN-R (inside) host 10.1.0.6
 key key
 radius-common-pw key
http server enable
http 10.11.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_cryptomap_1
crypto map outside_map1 1 set connection-type originate-only
crypto map outside_map1 1 set peer 101.123.234.3
crypto map outside_map1 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map1 1 set nat-t-disable
crypto map outside_map1 1 set phase1-mode aggressive
crypto map outside_map1 interface outside
crypto ca trustpoint OUR-CA
 enrollment url http://100.123.234.222:80//certsrv/mscep/mscep.dll
 ip-address 10.11.0.1
 password 3A1471D251A12FFF
 crl configure
crypto ca certificate chain OUR-CA
 certificate 6fde5f2800000000000b
  quit
 certificate ca 3a0dc5ed0429b8a942b7ef1bfd21ab59
  quit
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 25
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection scanning-threat shun duration 3600
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.6.38.127 source outside prefer
ssl trust-point OUR-CA outside
webvpn
 enable outside
 anyconnect-essentials
 svc image disk0:/anyconnect-win-2.5.2006-k9.pkg 1 regex "Windows NT"
 svc image disk0:/anyconnect-macosx-i386-2.5.2011-k9.pkg 2 regex "Intel Mac OS X"
 svc profiles SSLVPNProfile disk0:/sslvpnprofile.xml
 svc enable
group-policy SSLVPNGrpPolicy internal
group-policy SSLVPNGrpPolicy attributes
 vpn-tunnel-protocol svc
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SSLVPN-SplitTunnel
 webvpn
  svc profiles value SSLVPNProfile type user
group-policy DfltGrpPolicy attributes
 wins-server value 10.1.0.6 10.1.0.8
 dns-server value 10.1.0.6 10.1.0.8
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
 default-domain value vpn.haydon-mill.com
 webvpn
  svc ask none default svc
group-policy ASA5505GrpPolicy internal
group-policy ASA5505GrpPolicy attributes
 vpn-tunnel-protocol svc webvpn
 webvpn
  url-list none
  svc ask enable
vpn-group-policy ASA5505GrpPolicy
vpn-group-policy ASA5505GrpPolicy
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key key
tunnel-group 101.123.234.3 type ipsec-l2l
tunnel-group 101.123.234.3 ipsec-attributes
 pre-shared-key key
!
prompt hostname context
: end

I am still seeing lots of "any" in your NAT statement.

From the CORP side, the followings are all NOT required (pls be advised that static NAT is bidirectional, so you don't need to configure NAT on the other direction). It should always be from high security level to low security level - just 1 statement, and traffic from the other direction will use the same NAT statement.

You can remove all the followings:

nat (inside,any) source static NETWORK-CORP NETWORK-CORP destination static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL

nat (outside-100,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static REMOTE_NETWORK REMOTE_NETWORK
nat (outside-100,any) source static REMOTE_NETWORK REMOTE_NETWORK

Same goes for remote side, the followings need to be changed:

The (outside,any) statements can be removed:
nat (outside,any) source static NETWORK-LOCAL-SSLVPN-POOL NETWORK-LOCAL-SSLVPN-POOL

nat (outside,any) source static NETWORK_REMOTE NETWORK_REMOTE

The (inside,any) statements need to be changed to (inside,outside):

nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK-LOCAL-SSLVPN-POOL NETWORK-LOCAL-SSLVPN-POOL
nat (inside,any) source static NETWORK_LOCAL NETWORK_LOCAL destination static NETWORK_REMOTE NETWORK_REMOTE description No not NAT traffic to/from Remote Networks
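To make the points in this reply and the earlier one mechanical (name the egress interface instead of "any", write the rule from the high-security side, and don't add a reverse rule for a static rule that is already bidirectional), here is an added Python lint, not from the original post or from Cisco, that checks `nat (...) source ...` lines against the interface security levels found in the same config text. The sample input is the interface and NAT section of the Corp Office config posted above, plus one constructed rule that exercises the low-to-high check. The "reverse of an existing static rule" test is my own heuristic, not an ASA rule-engine check, and object NAT lines inside `object network` blocks are not parsed.

```python
"""Lint ASA 8.3+ twice-NAT rules for the problems raised in this thread.

Added example (not from the original post or from Cisco). Reports
  * rules that use "any" as an interface,
  * rules whose real interface has a lower security level than the mapped one,
  * identity static rules that only restate the reverse direction of another
    static rule (static NAT is already bidirectional) - a heuristic.
"""
import re

NAT_RE = re.compile(
    r"^\s*nat \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) "
    r"source (?P<kind>static|dynamic) (?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_mapped>\S+) (?P<dst_real>\S+))?"
)
NAMEIF_RE = re.compile(r"^\s*nameif ([\w-]+)")
SECLVL_RE = re.compile(r"^\s*security-level (\d+)")

# Interface and NAT lines taken from the Corp Office config in this thread,
# plus one constructed rule (the last one) that is not in the posted config.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside-100
 security-level 0
interface Ethernet0/1
 nameif outside-101
 security-level 0
interface Ethernet0/2
 nameif inside
 security-level 100
nat (inside,any) source static NETWORK-CORP NETWORK-CORP destination static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (inside,outside-100) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK description Do Not NAT Traffic to-from Remtoe LANs
nat (inside,outside-101) source static LOCAL_NETWORK LOCAL_NETWORK destination static REMOTE_NETWORK REMOTE_NETWORK description Do Not NAT Traffic to-from Remtoe LANs
nat (inside,outside-100) source dynamic any 100.123.234-NAT-POOL interface
nat (inside,outside-101) source dynamic any 101.123.234-NAT-POOL interface
nat (outside-100,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static NETWORK-SSLVPN-POOL NETWORK-SSLVPN-POOL
nat (outside-101,any) source static REMOTE_NETWORK REMOTE_NETWORK
nat (outside-100,any) source static REMOTE_NETWORK REMOTE_NETWORK
nat (outside-100,inside) source static REMOTE_NETWORK REMOTE_NETWORK
"""


def parse_security_levels(config):
    """Map interface nameif -> security-level from the interface blocks."""
    levels, current = {}, None
    for line in config.splitlines():
        m = NAMEIF_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = SECLVL_RE.match(line)
        if m and current is not None:
            levels[current] = int(m.group(1))
    return levels


def parse_nat_rules(config):
    """Return the twice-NAT rules as dicts, in configuration order."""
    rules = []
    for line in config.splitlines():
        m = NAT_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["text"] = line.strip()
            rules.append(rule)
    return rules


def is_reverse_of(rule, other):
    """Heuristic: `rule` is an identity static rule whose source object is
    `other`'s destination object, written from `other`'s mapped interface back
    towards its real interface. Static NAT already covers that direction."""
    if rule["kind"] != "static" or other["kind"] != "static":
        return False
    if rule["src_real"] != rule["src_mapped"]:
        return False
    if other["dst_real"] is None or rule["src_real"] != other["dst_real"]:
        return False
    return (other["mapped_ifc"] in (rule["real_ifc"], "any")
            and rule["mapped_ifc"] in (other["real_ifc"], "any"))


def lint_nat(config):
    """Return (rule_text, issue) pairs for every problem found."""
    levels = parse_security_levels(config)
    rules = parse_nat_rules(config)
    findings = []
    for i, rule in enumerate(rules):
        if "any" in (rule["real_ifc"], rule["mapped_ifc"]):
            findings.append((rule["text"], "any-interface"))
        real_lvl = levels.get(rule["real_ifc"])
        mapped_lvl = levels.get(rule["mapped_ifc"])
        if real_lvl is not None and mapped_lvl is not None and real_lvl < mapped_lvl:
            findings.append((rule["text"], "low-to-high"))
        for j, other in enumerate(rules):
            if j != i and is_reverse_of(rule, other):
                findings.append((rule["text"], f"redundant-reverse-of-rule-{j + 1}"))
                break
    return findings


if __name__ == "__main__":
    for text, issue in lint_nat(SAMPLE_CONFIG):
        print(f"{issue:28s} {text}")
```

Run against the posted config, the lint flags the five `any` rules and reports the four `(outside-10x,any)` identity rules as restating the reverse of the two `(inside,outside-10x)` twice-NAT rules, which is the set of lines this reply says can be removed; the `(inside,outside-100)` and `(inside,outside-101)` rules themselves come back clean.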

Hey Jennifer,

Sorry its been a bit since I've replied. We had a SQL Server Migration that was Occupying my time. )-:

So late lastnight I was able to make the changes to the remote ASA. Then at some point I lost Connection to the Office. Then one of the web developers called with SQL problems! so I tried to enter back in the NAT commands I did the no nat on and no luck. I reloaded. then was back online. By the time I got the SQL issue fixed I didn't have time to try it again.

Though here is an interesting thing.   I'm unable to connect to the remote site from HQ.   Remote can get to HQ no issues.

When I ping a server at the remote site I get

        Reply from 84.111.111.112: Destination net unreachable.

Where 84.111.111.112 is the IP address of the ISP's Interface off my Connection to them.

So it seems like once the VPN tunnel is connected tha HQ ASA knows how to get the packets back, but does not know to NAT the Packet going to the remote site and is sending it out the Gateway to the internet.

I'm thinking 21 years of this is enough... I'm thinking the Local ACE Hardware store or a Landscape Supply place...

Thanks!

Your remote site has ip address of the external interface which is dynamically assigned. That means, only the remote side can establish the VPN tunnel towards the HQ. HQ can't initiate the VPN connection.

If remote site can access HQ, that means the VPN tunnel is up and running. Are you able to access resources behind the remote side ?

and traffic between the 2 LANs should not be NATed, but gets encrypted since you have VPN tunnel between the 2 sites.

I would suggest that you open a TAC case, so the issue can be troubleshot live with access to both sides. It's a little hard troubleshooting this particular issue via forum.