VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

I am stuck on completing AnyConnect VPN Client configuration. We are using OpenLDAP and I have just completed integrating it with the ASA 5506. The user authentication test worked, so I moved on to setting up AnyConnect. I have successfully enabled connecting to the ASA 5506 and downloading the AnyConnect software. Using that, when a VPN Client uses AnyConnect and successfully logs in I have internet access and email, but I cannot access internal devices such as the NAS, nor can I ping internal networks.

Our VPN pool is 10.8.40.0/24 and is named VPN-Pool

Our internal network is
10.8.32.0/24 Servers
10.8.34.0/24 Users
10.8.36.0/24 VoIP
10.8.38.0/24 SecCam

Internally DNS, DHCP, OpenLDAP comes from 10.8.32.9

I have attempted several NAT Rules specifically for VPN Clients but have failed to create a solution and am not sure what I am not setting correctly.

Here's my config. Any suggestions on what I am not doing correctly?

Result of the command: "sho run"

: Saved

: 
: Serial Number: 
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1) 
!
hostname SCG-ASA-01
domain-name hq.scgconnect.com
enable password 0TAz8qRS9LuZZzJv encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd zJXfJytEpmEl08Wj encrypted
names
ip local pool VPN-Pool 10.8.40.200-10.8.40.220 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 24.213.128.10 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.8.31.2 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.8.30.9 255.255.255.0 
!
boot system disk0:/asa961-lfbff-k8.SPA
boot system disk0:/asa952-6-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.8.32.9 inside
 name-server 24.92.226.11 outside
 name-server 24.92.226.12 outside
 domain-name hq.scgconnect.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NET_10.8.32.0_24_Servers
 subnet 10.8.32.0 255.255.255.0
object network NET_10.8.34.0_24_Users
 subnet 10.8.34.0 255.255.255.0
object network NET_10.8.36.0_24_VOIP
 subnet 10.8.36.0 255.255.255.0
object network NET_10.8.38.0_24_SecCam
 subnet 10.8.38.0 255.255.255.0
object network NET_192.168.1.0_24_Dev
 subnet 192.168.1.0 255.255.255.0
object network NET_10.2.1.0_24_Dev2
 subnet 10.2.1.0 255.255.255.0
object network NET_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network HOST_10.8.32.9_tcp1723
 host 10.8.32.9
object network HOST_10.8.32.10_gre
 host 10.8.32.10
object network HOST_88.150.240.0
 subnet 88.150.240.0 255.255.255.0
object network NET_113.105.128.0_24
 subnet 113.105.128.0 255.255.255.0
object network NET_66.241.99.0_24
 subnet 66.241.99.0 255.255.255.0
object network HOST_10.8.32.10
 host 10.8.32.10
object network HOST_10.1.1.8
 host 10.1.1.8
object network HOST_10.8.32.12
 host 10.8.32.12
object network HOST_10.8.32.13
 host 10.8.32.13
object network HOST_10.8.38.81
 host 10.8.38.81
 description Axis Camera
object network HOST_10.8.38.82
 host 10.8.38.82
 description Axis Camera
object network HOST_10.8.38.83
 host 10.8.38.83
 description Axis Camera
object network HOST_10.8.38.84
 host 10.8.38.84
 description Axis Camera
object network HOST_10.8.38.85
 host 10.8.38.85
 description Axis Camera
object network HOST_10.8.32.13_tcp6180
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6181
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6182
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6183
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6185
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6188
 host 10.8.32.13
object network HOST_10.8.32.9_udp500
 host 10.8.32.9
object network HOST_10.8.32.9_udp4500
 host 10.8.32.9
object network HOST_10.8.32.10_tcp443
 host 10.8.32.10
object network HOST_10.8.32.10_443
object network HOST_10.1.1.8_tcp9000
 host 10.1.1.8
object network HOST_10.1.1.8_tcp8081
 host 10.1.1.8
object network HOST_10.8.32.9_tcp1701
 host 10.8.32.9
object network NET_172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network HOST_10.8.36.2_udp5060
 host 10.8.36.2
object network NETWORK_OBJ_10.8.40.0_24
 subnet 10.8.40.0 255.255.255.0
 description VPN users
object network HOST_172.16.1.2_udp5060
 host 172.16.1.2
object network HOST_10.8.32.12_tcp9101
 host 10.8.32.12
 description SCG AXIS ADMIN DEVELOPMENT
object network HOST_10.8.38.86
 host 10.8.38.86
 description Axis Camera
object network HOST_10.8.38.87
 host 10.8.38.87
 description Axis Camera
object network HOST_10.8.32.12_tcp9201
 host 10.8.32.12
 description Voter Viewer web interface
object network HOST_10.8.32.12_tcp9301
 host 10.8.32.12
 description PDS web interface
object network HOST_10.8.32.9_tcp5001
 host 10.8.32.9
 description Synology NAS
object network Host_10.8.32.9_tcp5005
 host 10.8.32.9
 description Synology NAS
object network VPN-Pool
 range 10.8.40.200 10.8.40.220
 description VPN Users
object network HOST_10.8.40.200_10.8.40.220
 range 10.8.40.200 10.8.40.220
 description VPN Users
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object eq 5061
 port-object eq sip
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.8.40.0_24 any 
access-list outside_access_in extended deny ip object HOST_88.150.240.0 any 
access-list outside_access_in extended deny ip object NET_113.105.128.0_24 any 
access-list outside_access_in extended permit object-group TCPUDP object NET_66.241.99.0_24 any object-group DM_INLINE_TCPUDP_1 log 
access-list outside_access_in extended deny udp any any eq sip log 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp any any eq 500 
access-list outside_access_in extended permit udp any any eq 1701 
access-list outside_access_in extended permit tcp any any eq pptp 
access-list outside_access_in extended permit tcp any any eq 3306 log 
access-list outside_access_in extended permit tcp any any eq 4500 
access-list outside_access_in extended permit tcp any any eq 5001 
access-list outside_access_in extended permit tcp any any eq 6180 
access-list outside_access_in extended permit tcp any any eq 6181 
access-list outside_access_in extended permit tcp any any eq 6182 
access-list outside_access_in extended permit tcp any any eq 6183 
access-list outside_access_in extended permit tcp any any eq 6185 
access-list outside_access_in extended permit tcp any any eq 6188 
access-list outside_access_in extended permit tcp any any eq 9000 
access-list outside_access_in extended permit tcp any any eq 8081 log 
access-list outside_access_in extended permit udp any any log 
access-list outside_access_in extended permit tcp any any log 
access-list outside_access_in extended permit gre any any 
access-list outside_access_in extended permit ipinip any any 
access-list outside_access_in extended permit esp any any 
access-list outside_access_in extended permit ip any any log 
access-list outside_access_in extended permit ip host 10.1.1.22 host 10.1.1.13 
access-list VPN-SCG2 standard permit 10.8.0.0 255.255.192.0 
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
!
object network HOST_10.8.32.9_tcp1723
 nat (inside,outside) static interface service tcp pptp pptp 
object network HOST_10.8.32.12
 nat (inside,outside) static interface service tcp 3306 3306 
object network HOST_10.8.32.13
 nat (inside,outside) static interface service tcp 6188 6188 
object network HOST_10.8.38.81
 nat (inside,outside) static interface service tcp 9111 9111 
object network HOST_10.8.38.82
 nat (inside,outside) static interface service tcp 9112 9112 
object network HOST_10.8.38.83
 nat (inside,outside) static interface service tcp 9113 9113 
object network HOST_10.8.38.84
 nat (inside,outside) static interface service tcp 9114 9114 
object network HOST_10.8.38.85
 nat (inside,outside) static interface service tcp 9115 9115 
object network HOST_10.8.32.13_tcp6180
 nat (inside,outside) static interface service tcp 6180 6180 
object network HOST_10.8.32.13_tcp6181
 nat (inside,outside) static interface service tcp 6181 6181 
object network HOST_10.8.32.13_tcp6182
 nat (inside,outside) static interface service tcp 6182 6182 
object network HOST_10.8.32.13_tcp6183
 nat (inside,outside) static interface service tcp 6183 6183 
object network HOST_10.8.32.13_tcp6185
 nat (inside,outside) static interface service tcp 6185 6185 
object network HOST_10.8.32.13_tcp6188
 nat (inside,outside) static interface service tcp 6188 6188 
object network HOST_10.8.32.9_udp500
 nat (inside,outside) static interface service udp isakmp isakmp 
object network HOST_10.8.32.9_udp4500
 nat (inside,outside) static interface service udp 4500 4500 
object network HOST_10.1.1.8_tcp9000
 nat (inside,outside) static interface service tcp 9000 9000 
object network HOST_10.1.1.8_tcp8081
 nat (inside,outside) static interface service tcp 8081 8081 
object network HOST_10.8.32.9_tcp1701
 nat (inside,outside) static interface service tcp 1701 1701 
object network HOST_172.16.1.2_udp5060
 nat (inside,outside) static interface service udp sip sip 
object network HOST_10.8.32.12_tcp9101
 nat (inside,outside) static interface service tcp 9101 9101 
object network HOST_10.8.38.86
 nat (inside,outside) static interface service tcp 9116 9116 
object network HOST_10.8.38.87
 nat (inside,outside) static interface service tcp 9117 9117 
object network HOST_10.8.32.12_tcp9201
 nat (inside,outside) static interface service tcp 9201 9201 
object network HOST_10.8.32.12_tcp9301
 nat (inside,outside) static interface net-to-net service tcp 9301 9301 
object network HOST_10.8.32.9_tcp5001
 nat (inside,outside) static interface service tcp 5001 5001 
object network Host_10.8.32.9_tcp5005
 nat (inside,outside) static interface service tcp 5005 5005 
!
nat (outside,outside) after-auto source dynamic NETWORK_OBJ_10.8.40.0_24 interface
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.213.128.9 1
route inside 10.0.0.0 255.0.0.0 10.8.31.1 1
route inside 172.16.1.0 255.255.255.0 10.8.31.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CiscoMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=workgroup,DC=hq,DC=scgconnect,DC=com UID
aaa-server SCG protocol ldap
aaa-server SCG (inside) host 10.8.32.9
 server-port 636
 ldap-base-dn cn=users,dc=hq,dc=scgconnect,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CiscoMAP
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable 5000
http 192.168.1.0 255.255.255.0 inside
http 10.8.32.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=remote.scgconnect.com
 no ca-check
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-001
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002
 enrollment terminal
 crl configure
crypto ca trustpoint CAPF
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint asdm_cuma_local
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_cuma_root_ca
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_cuma_local_proxy
 enrollment terminal
 validation-usage ssl-client
 crl configure
crypto ca trustpoint Cisco_Root_CA_2048
 enrollment terminal
 crl configure
crypto ca trustpoint CallManager
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ccm_proxy
 enrollment self
 fqdn none
 subject-name cn=Proxy
 serial-number
 crl configure
crypto ca trustpoint ldc_server
 enrollment self
 fqdn ldc.scgconnect.com
 subject-name cn=LDC_SIGNER
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment self
 subject-name CN=hq.scgconnect.com
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment self
 subject-name CN=SCG-ASA-01
 crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet 10.8.32.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.8.32.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 160
!
!
tls-proxy my_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_server
 client cipher-suite aes128-sha1 aes256-sha1
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 129.6.15.28 source inside
ntp server 10.8.32.20 source inside prefer
ssl trust-point ASDM_TrustPoint5 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.8.01090-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.8.01090-webdeploy-k9.pkg 3
 anyconnect profiles SCG2_anyconnect disk0:/scg2_anyconnect.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
!
ctl-provider my_ctl
 client interface inside address 10.8.32.20
 client username rubenc password IxJu2LI1uG0ssLO6 encrypted
 export certificate ccm_proxy
!
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 wins-server none
 dns-server value 10.8.32.9
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value hq.scgconnect.com
 split-tunnel-all-dns enable
group-policy GroupPolicy_SGC2 internal
group-policy GroupPolicy_SGC2 attributes
 wins-server none
 dns-server value 10.8.32.9
 vpn-filter value outside_access_in
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SCG2
 default-domain value hq.scgconnect.com
 split-dns value hq.scgconnect.com
 split-tunnel-all-dns disable
 client-bypass-protocol enable
 webvpn
  anyconnect profiles value SCG2_anyconnect type user
dynamic-access-policy-record DfltAccessPolicy
tunnel-group SGC2 type remote-access
tunnel-group SGC2 general-attributes
 address-pool VPN-Pool
 authentication-server-group SCG
 default-group-policy GroupPolicy_SGC2
tunnel-group SGC2 webvpn-attributes
 group-alias SGC2 enable
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool VPN-Pool
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 authentication certificate
 group-url https://hq.scgconnect.com/SSL enable
!
class-map sec_skinny
 match port tcp eq 2443
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect skinny skinny_inspect
 parameters
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect dns preset_dns_map 
  inspect skinny skinny_inspect 
 class sec_skinny
  inspect skinny skinny_inspect tls-proxy my_proxy 
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context 
service call-home
call-home reporting anonymous
call-home
 contact-email-addr cfitzsimmons@scgconnect.com
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b85da98bf45fe4104d7360a320a935e0
: end 

 

Accepted Solution

VIP Advisor

Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

Remove interface VLAN40 from your 3750; it thinks that /24 network is directly connected, so it won't route the traffic to the ASA. The 3750 will then rely on its default route to communicate with the RAVPN network, which will route the traffic to the ASA.
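Commands to confirm the two conditions this answer relies on, as an added example and not part of the original post: on the ASA, a packet-tracer from the NAS toward a VPN client address should hit the identity (exemption) NAT rule rather than the dynamic PAT rule, and on the 3750 the client address should resolve to the route toward the ASA rather than to a connected interface. The prompts, the client address 10.8.40.200 (the first address of the posted pool) and the assumption that the 3750 is the 10.8.31.1 next hop of the ASA's inside routes are mine.

```text
! --- ASA: is the NAS -> VPN client path exempt from NAT and permitted? ---
SCG-ASA-01# packet-tracer input inside icmp 10.8.32.9 8 0 10.8.40.200 detailed
! Phase NAT should show the "source static ... destination static ..." rule
! and the final result ALLOW. If the NAT phase reports
! "source dynamic any interface", the exemption is missing for that subnet.
SCG-ASA-01# show nat detail
SCG-ASA-01# show vpn-sessiondb anyconnect
! The connected client's address must appear as a /32 route on the ASA:
SCG-ASA-01# show route | include 10.8.40.

! --- 3750 (assumed to be 10.8.31.1): where does it send pool traffic? ---
3750# show ip route 10.8.40.200
! Wrong: "directly connected, via Vlan40"  -> the switch ARPs locally and the
!        reply never reaches the ASA.
! Right: the default (or a 10.8.40.0/24) route with next hop 10.8.31.2.
3750# configure terminal
3750(config)# no interface Vlan40
3750(config)# end
3750# show ip route 10.8.40.200
```

If a Vlan40 SVI is genuinely needed for some other purpose, the alternative is to move the VPN pool to a subnet the inside network does not use, so that the switch only ever learns it via the route to the ASA.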


10 Replies
VIP Advisor

Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

Hi,

You will need NAT exemption rules to ensure traffic between the internal LAN networks and the VPN Pool network is not natted.

 

Example:-

 

nat (inside,outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp

 

 HTH
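A static check of the two mistakes discussed in this reply and in the accepted answer, as an added example that is not part of the thread or of any Cisco tool. It parses a constructed excerpt of the ASA running-config posted above, reports every internal subnet inside the split-tunnel list that has no identity NAT (exemption) pairing it with the VPN pool, and flags any switch SVI whose subnet overlaps the pool. The SVI table is constructed (the 3750 configuration never appears in the thread); the pool, the object names and the ACL name VPN-SCG2 are taken from the posted config.

```python
"""Static check for the two AnyConnect-to-LAN breakages discussed in the thread:
a VPN pool with no NAT exemption toward an internal subnet, and a pool that the
inside L3 switch believes is directly connected."""
import ipaddress
import re

# Constructed excerpt of the ASA config posted above (only the lines this check
# reads), with the two exemptions from this reply already added.
ASA_CONFIG = """\
ip local pool VPN-Pool 10.8.40.200-10.8.40.220 mask 255.255.255.0
object network NET_10.8.32.0_24_Servers
 subnet 10.8.32.0 255.255.255.0
object network NET_10.8.34.0_24_Users
 subnet 10.8.34.0 255.255.255.0
object network NET_10.8.36.0_24_VOIP
 subnet 10.8.36.0 255.255.255.0
object network NET_10.8.38.0_24_SecCam
 subnet 10.8.38.0 255.255.255.0
object network NETWORK_OBJ_10.8.40.0_24
 subnet 10.8.40.0 255.255.255.0
access-list VPN-SCG2 standard permit 10.8.0.0 255.255.192.0
nat (inside,outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) after-auto source dynamic any interface
"""

# Constructed: SVIs on the inside Catalyst 3750. The thread never shows that
# config; Vlan40 on 10.8.40.0/24 is the situation the accepted answer describes.
SWITCH_SVIS = {"Vlan32": "10.8.32.0/24", "Vlan34": "10.8.34.0/24",
               "Vlan40": "10.8.40.0/24"}


def parse_objects(cfg):
    """Return {object-name: ip_network} for 'object network' subnet/host bodies."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"object network (\S+)$", line)
        if m:
            current = m.group(1)
        elif current and line.startswith(" "):
            parts = line.split()
            if parts[0] == "subnet":      # "subnet 10.8.32.0 255.255.255.0"
                objects[current] = ipaddress.ip_network(f"{parts[1]}/{parts[2]}")
            elif parts[0] == "host":      # "host 10.8.32.9" -> /32
                objects[current] = ipaddress.ip_network(parts[1])
        else:
            current = None                # any other top-level line ends the body
    return objects


def parse_pool(cfg):
    """Return the VPN pool as the list of networks that exactly cover its range."""
    m = re.search(r"ip local pool \S+ (\S+)-(\S+) mask", cfg)
    first, last = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
    return list(ipaddress.summarize_address_range(first, last))


def parse_split_tunnel(cfg, acl_name):
    """Networks a 'standard permit' split-tunnel ACL sends into the tunnel."""
    pat = rf"access-list {re.escape(acl_name)} standard permit (\S+) (\S+)"
    return [ipaddress.ip_network(f"{n}/{m}") for n, m in re.findall(pat, cfg)]


def parse_identity_nat(cfg, objects):
    """(real_src, real_dst) pairs of twice-NAT rules whose mapped objects equal
    the real ones, i.e. NAT exemptions (section 1 manual NAT only)."""
    pat = r"nat \(\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)"
    return [(objects[s], objects[d])
            for s, s_map, d, d_map in re.findall(pat, cfg)
            if s == s_map and d == d_map and s in objects and d in objects]


def covered(pool_nets, subnet, pairs):
    """True if some exemption carries subnet<->pool in either direction."""
    for a, b in pairs:
        fwd = subnet.subnet_of(a) and all(p.subnet_of(b) for p in pool_nets)
        rev = subnet.subnet_of(b) and all(p.subnet_of(a) for p in pool_nets)
        if fwd or rev:
            return True
    return False


def missing_nat_exemptions(cfg, acl_name):
    """Internal subnets (objects inside the split-tunnel networks, excluding the
    pool itself) that no exemption pairs with the VPN pool: their traffic falls
    through to the dynamic PAT rule and the return path never matches."""
    objects, pool = parse_objects(cfg), parse_pool(cfg)
    split, pairs = parse_split_tunnel(cfg, acl_name), parse_identity_nat(cfg, objects)
    internal = sorted({n for n in objects.values()
                       if any(n.subnet_of(s) for s in split)
                       and not any(n.overlaps(p) for p in pool)})
    return [str(n) for n in internal if not covered(pool, n, pairs)]


def pool_overlaps_switch_svi(cfg, svis):
    """SVIs whose connected subnet overlaps the pool: the switch ARPs locally for
    client addresses instead of routing them back to the ASA."""
    pool = parse_pool(cfg)
    return [name for name, net in svis.items()
            if any(ipaddress.ip_network(net).overlaps(p) for p in pool)]


if __name__ == "__main__":
    for net in missing_nat_exemptions(ASA_CONFIG, "VPN-SCG2"):
        print(f"no NAT exemption between the VPN pool and {net}")
    for svi in pool_overlaps_switch_svi(ASA_CONFIG, SWITCH_SVIS):
        print(f"{svi} overlaps the VPN pool; remove it or renumber the pool")
```

Run against the posted config, it reports 10.8.36.0/24 (VoIP) and 10.8.38.0/24 (SecCam) as still uncovered even after the two exemptions above, and Vlan40 as overlapping the pool. The check only reads section-1 manual NAT; object NAT and the after-auto PAT rules are ignored, which is safe here because manual NAT is evaluated before both.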


Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

Rob,

Thanks for your response. I just wrote that to the ASA and logged in using AnyConnect. I still cannot ping 10.8.32.0 or any other internal network.

Email and internet still work

I include the latest config

Carl

Result of the command: "sho run"

[... identical to the configuration in the original post up to the NAT section, which now reads ...]

nat (inside,outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
!
[... object NAT and after-auto rules unchanged from the original post ...]
nat (outside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.213.128.9 1
route inside 10.0.0.0 255.0.0.0 10.8.31.1 1
route inside 172.16.1.0 255.255.255.0 10.8.31.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CiscoMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=workgroup,DC=hq,DC=scgconnect,DC=com UID
aaa-server SCG protocol ldap
aaa-server SCG (inside) host 10.8.32.9
 server-port 636
 ldap-base-dn cn=users,dc=hq,dc=scgconnect,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CiscoMAP
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable 5000
http 192.168.1.0 255.255.255.0 inside
http 10.8.32.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=remote.scgconnect.com
 no ca-check
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-001
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002
 enrollment terminal
 crl configure
crypto ca trustpoint CAPF
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint asdm_cuma_local
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_cuma_root_ca
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_cuma_local_proxy
 enrollment terminal
 validation-usage ssl-client
 crl configure
crypto ca trustpoint Cisco_Root_CA_2048
 enrollment terminal
 crl configure
crypto ca trustpoint CallManager
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ccm_proxy
 enrollment self
 fqdn none
 subject-name cn=Proxy
 serial-number
 crl configure
crypto ca trustpoint ldc_server
 enrollment self
 fqdn ldc.scgconnect.com
 subject-name cn=LDC_SIGNER
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment self
 subject-name CN=hq.scgconnect.com
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment self
 subject-name CN=SCG-ASA-01
 crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet 10.8.32.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.8.32.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 160
!
!
tls-proxy my_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_server
 client cipher-suite aes128-sha1 aes256-sha1
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 129.6.15.28 source inside
ntp server 10.8.32.20 source inside prefer
ssl trust-point ASDM_TrustPoint5 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.8.01090-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.8.01090-webdeploy-k9.pkg 3
 anyconnect profiles SCG2_anyconnect disk0:/scg2_anyconnect.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
!
ctl-provider my_ctl
 client interface inside address 10.8.32.20
 client username rubenc password IxJu2LI1uG0ssLO6 encrypted
 export certificate ccm_proxy
!
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 wins-server none
 dns-server value 10.8.32.9
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value hq.scgconnect.com
 split-tunnel-all-dns enable
group-policy GroupPolicy_SGC2 internal
group-policy GroupPolicy_SGC2 attributes
 wins-server none
 dns-server value 10.8.32.9
 vpn-filter value outside_access_in
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SCG2
 default-domain value hq.scgconnect.com
 split-dns value hq.scgconnect.com
 split-tunnel-all-dns disable
 client-bypass-protocol enable
 webvpn
  anyconnect profiles value SCG2_anyconnect type user
dynamic-access-policy-record DfltAccessPolicy
tunnel-group SGC2 type remote-access
tunnel-group SGC2 general-attributes
 address-pool VPN-Pool
 authentication-server-group SCG
 default-group-policy GroupPolicy_SGC2
tunnel-group SGC2 webvpn-attributes
 group-alias SGC2 enable
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool VPN-Pool
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 authentication certificate
 group-url https://hq.scgconnect.com/SSL enable
!
class-map sec_skinny
 match port tcp eq 2443
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect skinny skinny_inspect
 parameters
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect dns preset_dns_map 
  inspect skinny skinny_inspect 
 class sec_skinny
  inspect skinny skinny_inspect tls-proxy my_proxy 
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context 
service call-home
call-home reporting anonymous
call-home
 contact-email-addr cfitzsimmons@scgconnect.com
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b85da98bf45fe4104d7360a320a935e0
: end
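Apart from the connectivity problem, the running config above carries settings a security reviewer would flag on sight: ASDM/HTTP management permitted from 0.0.0.0/0 on the outside interface, telnet permitted from any inside address, SSH key exchange pinned to dh-group1-sha1, and IKEv2 policies and IPsec proposals that still admit DES, 3DES, MD5 and DH groups 2 and 5. The checker below is an added example (not the poster's configuration and not a Cisco tool): it scans a constructed excerpt of exactly those config lines and reports each weak or over-broad statement with its line number. The rule names and what counts as "weak" are this example's own choices.

```python
"""Audit an ASA running-config excerpt for weak crypto and wide-open management access.

Added example for this thread, not code from the original post. SAMPLE_CONFIG is a
constructed excerpt of lines the poster shared; rule names are this script's own.
"""
from __future__ import annotations

from dataclasses import dataclass

SAMPLE_CONFIG = """\
http server enable 5000
http 10.8.32.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
telnet 10.8.32.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
ssh key-exchange group dh-group1-sha1
"""

WEAK_CIPHERS = {"des", "3des"}     # 56-bit DES and 112-bit-effective 3DES
WEAK_DH_GROUPS = {"1", "2", "5"}   # 768/1024/1536-bit MODP


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    text: str


def audit_asa_config(config: str) -> list[Finding]:
    """Line-oriented scan. ASA configs are flat: an unindented line opens a section and the
    indented lines that follow belong to it, so the last unindented line is the context."""
    findings: list[Finding] = []
    context = ""
    for n, raw in enumerate(config.splitlines(), start=1):
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith(" "):
            context = line
        words = line.split()
        # --- management plane: http/telnet/ssh <addr> <mask> <ifname> ---
        if words[0] in ("http", "telnet", "ssh") and len(words) == 4 \
                and words[1] == "0.0.0.0" and words[2] == "0.0.0.0":
            findings.append(Finding(n, f"{words[0]}-any-{words[3]}", line.strip()))
        elif words[0] == "telnet" and len(words) == 4:
            findings.append(Finding(n, "telnet-enabled", line.strip()))   # cleartext management
        elif line.strip() == "ssh key-exchange group dh-group1-sha1":
            findings.append(Finding(n, "ssh-kex-dh-group1", line.strip()))
        # --- IPsec proposals: ESP cipher and integrity ---
        elif context.startswith("crypto ipsec ikev2 ipsec-proposal"):
            if words[:3] == ["protocol", "esp", "encryption"] and words[3] in WEAK_CIPHERS:
                findings.append(Finding(n, "esp-weak-cipher", line.strip()))
            if words[:3] == ["protocol", "esp", "integrity"] and "md5" in words[3:]:
                findings.append(Finding(n, "esp-md5-integrity", line.strip()))
        # --- IKEv2 policies: cipher and DH group ---
        elif context.startswith("crypto ikev2 policy"):
            if words[0] == "encryption" and words[1] in WEAK_CIPHERS:
                findings.append(Finding(n, "ikev2-weak-cipher", line.strip()))
            if words[0] == "group" and set(words[1:]) & WEAK_DH_GROUPS:
                findings.append(Finding(n, "ikev2-weak-dh", line.strip()))
    return findings


if __name__ == "__main__":
    for f in audit_asa_config(SAMPLE_CONFIG):
        print(f"line {f.line_no:>3}  {f.rule:<22} {f.text}")
```

Run against the excerpt it reports twelve findings. The two that matter most for an internet-facing box are `http-any-outside` (the ASDM listener on port 5000 reachable from any source address) and the `telnet` statements; the crypto findings can be fixed by deleting the DES/3DES proposals and the `des`/`3des` IKEv2 policies, dropping `md5` from the integrity lists, and removing the `dh-group1-sha1` key-exchange line so the ASA negotiates its stronger defaults.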
VIP Advisor

Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

Can you provide the output of "show nat detail" and "show vpn-sessiondb detail anyconnect"? (Log in as a user before you do this.)

Which tunnel-group are you connecting to?

Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

tunnel-group SCG2

show nat detail

Result of the command: "show nat detail"

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24  destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
2 (inside) to (outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers  destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 231, untranslate_hits = 231
    Source - Origin: 10.8.32.0/24, Translated: 10.8.32.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
3 (inside) to (outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users  destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.34.0/24, Translated: 10.8.34.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
4 (inside) to (outside) source static NET_10.8.36.0_24_VOIP NET_10.8.36.0_24_VOIP  destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.36.0/24, Translated: 10.8.36.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
5 (inside) to (outside) source static NET_10.8.38.0_24_SecCam NET_10.8.38.0_24_SecCam  destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 1, untranslate_hits = 1
    Source - Origin: 10.8.38.0/24, Translated: 10.8.38.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static HOST_10.1.1.8_tcp8081 interface  service tcp 8081 8081 
    translate_hits = 0, untranslate_hits = 31
    Source - Origin: 10.1.1.8/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 8081 Mapped: 8081 
2 (inside) to (outside) source static HOST_10.1.1.8_tcp9000 interface  service tcp 9000 9000 
    translate_hits = 0, untranslate_hits = 23
    Source - Origin: 10.1.1.8/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9000 Mapped: 9000 
3 (inside) to (outside) source static HOST_10.8.32.9_tcp1701 interface  service tcp 1701 1701 
    translate_hits = 0, untranslate_hits = 3
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 1701 Mapped: 1701 
4 (inside) to (outside) source static HOST_10.8.32.9_tcp1723 interface  service tcp pptp pptp 
    translate_hits = 0, untranslate_hits = 8
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: pptp Mapped: pptp 
5 (inside) to (outside) source static HOST_10.8.32.9_tcp5001 interface  service tcp 5001 5001 
    translate_hits = 0, untranslate_hits = 11
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 5001 Mapped: 5001 
6 (inside) to (outside) source static HOST_10.8.32.9_udp4500 interface  service udp 4500 4500 
    translate_hits = 0, untranslate_hits = 12
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: udp Real: 4500 Mapped: 4500 
7 (inside) to (outside) source static HOST_10.8.32.9_udp500 interface  service udp isakmp isakmp 
    translate_hits = 0, untranslate_hits = 9
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: udp Real: isakmp Mapped: isakmp 
8 (inside) to (outside) source static Host_10.8.32.9_tcp5005 interface  service tcp 5005 5005 
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 10.8.32.9/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 5005 Mapped: 5005 
9 (inside) to (outside) source static HOST_10.8.32.12 interface  service tcp 3306 3306 
    translate_hits = 0, untranslate_hits = 33
    Source - Origin: 10.8.32.12/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 3306 Mapped: 3306 
10 (inside) to (outside) source static HOST_10.8.32.12_tcp9101 interface  service tcp 9101 9101 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.32.12/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9101 Mapped: 9101 
11 (inside) to (outside) source static HOST_10.8.32.12_tcp9201 interface  service tcp 9201 9201 
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.32.12/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9201 Mapped: 9201 
12 (inside) to (outside) source static HOST_10.8.32.12_tcp9301 interface  service tcp 9301 9301  net-to-net
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.32.12/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9301 Mapped: 9301 
13 (inside) to (outside) source static HOST_10.8.32.13 interface  service tcp 6188 6188 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6188 Mapped: 6188 
14 (inside) to (outside) source static HOST_10.8.32.13_tcp6180 interface  service tcp 6180 6180 
    translate_hits = 0, untranslate_hits = 31
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6180 Mapped: 6180 
15 (inside) to (outside) source static HOST_10.8.32.13_tcp6181 interface  service tcp 6181 6181 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6181 Mapped: 6181 
16 (inside) to (outside) source static HOST_10.8.32.13_tcp6182 interface  service tcp 6182 6182 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6182 Mapped: 6182 
17 (inside) to (outside) source static HOST_10.8.32.13_tcp6183 interface  service tcp 6183 6183 
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6183 Mapped: 6183 
18 (inside) to (outside) source static HOST_10.8.32.13_tcp6185 interface  service tcp 6185 6185 
    translate_hits = 0, untranslate_hits = 1
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6185 Mapped: 6185 
19 (inside) to (outside) source static HOST_10.8.32.13_tcp6188 interface  service tcp 6188 6188 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.32.13/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 6188 Mapped: 6188 
20 (inside) to (outside) source static HOST_10.8.38.81 interface  service tcp 9111 9111 
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.38.81/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9111 Mapped: 9111 
21 (inside) to (outside) source static HOST_10.8.38.82 interface  service tcp 9112 9112 
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.38.82/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9112 Mapped: 9112 
22 (inside) to (outside) source static HOST_10.8.38.83 interface  service tcp 9113 9113 
    translate_hits = 0, untranslate_hits = 4
    Source - Origin: 10.8.38.83/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9113 Mapped: 9113 
23 (inside) to (outside) source static HOST_10.8.38.84 interface  service tcp 9114 9114 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.38.84/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9114 Mapped: 9114 
24 (inside) to (outside) source static HOST_10.8.38.85 interface  service tcp 9115 9115 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.38.85/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9115 Mapped: 9115 
25 (inside) to (outside) source static HOST_10.8.38.86 interface  service tcp 9116 9116 
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.38.86/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9116 Mapped: 9116 
26 (inside) to (outside) source static HOST_10.8.38.87 interface  service tcp 9117 9117 
    translate_hits = 0, untranslate_hits = 2
    Source - Origin: 10.8.38.87/32, Translated: 24.213.128.10/29
    Service - Protocol: tcp Real: 9117 Mapped: 9117 
27 (inside) to (outside) source static HOST_172.16.1.2_udp5060 interface  service udp sip sip 
    translate_hits = 0, untranslate_hits = 136
    Source - Origin: 172.16.1.2/32, Translated: 24.213.128.10/29
    Service - Protocol: udp Real: sip Mapped: sip 

Manual NAT Policies (Section 3)
1 (outside) to (outside) source dynamic NETWORK_OBJ_10.8.40.0_24 interface 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.40.0/24, Translated: 24.213.128.10/29
2 (inside) to (outside) source dynamic any interface 
    translate_hits = 40868, untranslate_hits = 4781
    Source - Origin: 0.0.0.0/0, Translated: 24.213.128.10/29
3 (outside) to (outside) source dynamic any interface 
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 0.0.0.0/0, Translated: 24.213.128.10/29

show vpn-sessiondb detail anyconnect

Result of the command: "show vpn-sessiondb detail anyconnect"

Session Type: AnyConnect Detailed

Username     : carlfitzsimmons        Index        : 26
Assigned IP  : 10.8.40.200            Public IP    : 107.77.224.90
Protocol     : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License      : AnyConnect Premium
Encryption   : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)AES-GCM-256  DTLS-Tunnel: (1)AES256
Hashing      : AnyConnect-Parent: (1)none  SSL-Tunnel: (1)SHA384  DTLS-Tunnel: (1)SHA1
Bytes Tx     : 30472                  Bytes Rx     : 31070
Pkts Tx      : 20                     Pkts Rx      : 390
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : GroupPolicy_SGC2       Tunnel Group : SGC2
Login Time   : 12:18:57 EDT Sat Jun 27 2020
Duration     : 0h:27m:49s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none
Audt Sess ID : 0a081f020001a0005ef77171
Security Grp : none

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
  Tunnel ID    : 26.1
  Public IP    : 107.77.224.90
  Encryption   : none                   Hashing      : none                   
  TCP Src Port : 37322                  TCP Dst Port : 443                    
  Auth Mode    : userPassword           
  Idle Time Out: 30 Minutes             Idle TO Left : 2 Minutes              
  Client OS    : mac-intel              
  Client OS Ver: 10.13.6                
  Client Type  : AnyConnect
  Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.8.01090
  Bytes Tx     : 15236                  Bytes Rx     : 3397                   
  Pkts Tx      : 10                     Pkts Rx      : 3                      
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                      
  
SSL-Tunnel:
  Tunnel ID    : 26.4
  Assigned IP  : 10.8.40.200            Public IP    : 107.77.224.90
  Encryption   : AES-GCM-256            Hashing      : SHA384                 
  Ciphersuite  : ECDHE-ECDSA-AES256-GCM-SHA384                     
  Encapsulation: TLSv1.2                TCP Src Port : 61338                  
  TCP Dst Port : 443                    Auth Mode    : userPassword           
  Idle Time Out: 30 Minutes             Idle TO Left : 16 Minutes             
  Client OS    : Mac OS X               
  Client Type  : SSL VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.8.01090
  Bytes Tx     : 7618                   Bytes Rx     : 1966                   
  Pkts Tx      : 5                      Pkts Rx      : 26                     
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                      
  Filter Name  : outside_access_in
  
DTLS-Tunnel:
  Tunnel ID    : 26.5
  Assigned IP  : 10.8.40.200            Public IP    : 107.77.224.90
  Encryption   : AES256                 Hashing      : SHA1                   
  Ciphersuite  : DHE-RSA-AES256-SHA                                
  Encapsulation: DTLSv1.0               UDP Src Port : 59894                  
  UDP Dst Port : 443                    Auth Mode    : userPassword           
  Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes             
  Client OS    : Mac OS X               
  Client Type  : DTLS VPN Client
  Client Ver   : Cisco AnyConnect VPN Agent for Mac OS X 4.8.01090
  Bytes Tx     : 0                      Bytes Rx     : 21846                  
  Pkts Tx      : 0                      Pkts Rx      : 312                    
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0                      
  Filter Name  : outside_access_in
 

User logged in
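The Section 1 rules above are identity (NAT-exempt) rules: real and mapped addresses are the same on both sides, and the only ones with non-zero counters are rule 2 (servers) and rule 5 (SecCam). ASA twice-NAT rules are bidirectional, which is why an (inside,outside) rule is what a packet arriving on outside from a VPN client is checked against. The script below is an added example, not from the thread: it parses a constructed copy of the first three rules from that `show nat detail` output and reports which rule a given flow matches, in which direction, and which rules have actually been exercised.

```python
"""Which manual NAT rule does a VPN-pool flow hit, and in which direction?

Added example, not from the original thread. SAMPLE_NAT is a constructed copy of the
first three 'Manual NAT Policies (Section 1)' entries the poster pasted; the parser is
line-oriented on exactly that 'show nat detail' layout.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_NAT = """\
Manual NAT Policies (Section 1)
1 (inside) to (outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24  destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
2 (inside) to (outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers  destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 231, untranslate_hits = 231
    Source - Origin: 10.8.32.0/24, Translated: 10.8.32.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
3 (inside) to (outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users  destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
    translate_hits = 0, untranslate_hits = 0
    Source - Origin: 10.8.34.0/24, Translated: 10.8.34.0/24
    Destination - Origin: 10.8.40.0/24, Translated: 10.8.40.0/24
"""

RULE_RE = re.compile(r"^(\d+) \((\w+)\) to \((\w+)\) source ")
HITS_RE = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")
NET_RE = re.compile(r"^\s*(Source|Destination) - Origin: (\S+), Translated: (\S+)$")

Net = ipaddress.IPv4Network


@dataclass
class NatRule:
    number: int
    ingress: str                     # real-side interface, e.g. 'inside'
    egress: str                      # mapped-side interface, e.g. 'outside'
    translate_hits: int = 0
    untranslate_hits: int = 0
    src_real: Optional[Net] = None
    src_mapped: Optional[Net] = None
    dst_real: Optional[Net] = None
    dst_mapped: Optional[Net] = None

    @property
    def is_identity(self) -> bool:
        """Real == mapped on both sides: a NAT-exempt ('no NAT') rule."""
        return self.src_real == self.src_mapped and self.dst_real == self.dst_mapped


def parse_manual_nat(text: str) -> list[NatRule]:
    rules: list[NatRule] = []
    cur: Optional[NatRule] = None
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            cur = NatRule(int(m[1]), m[2], m[3])
            rules.append(cur)
            continue
        if cur is None:
            continue
        m = HITS_RE.search(line)
        if m:
            cur.translate_hits, cur.untranslate_hits = int(m[1]), int(m[2])
            continue
        m = NET_RE.match(line)
        if m:
            real = ipaddress.ip_network(m[2], strict=False)
            mapped = ipaddress.ip_network(m[3], strict=False)
            if m[1] == "Source":
                cur.src_real, cur.src_mapped = real, mapped
            else:
                cur.dst_real, cur.dst_mapped = real, mapped
    return rules


def _contains(net: Optional[Net], ip: ipaddress.IPv4Address) -> bool:
    return net is not None and ip in net


def match_flow(rules: list[NatRule], ingress: str, egress: str, src: str, dst: str):
    """First Section 1 rule that applies to a packet entering `ingress` and leaving `egress`.

    A packet travelling in the rule's own (ingress, egress) direction is checked against the
    real addresses ('translate'). A packet in the opposite direction is checked against the
    mapped addresses with source and destination swapped ('untranslate'), which is how a
    VPN client's packet arriving on outside meets an (inside,outside) rule.
    Returns (rule, direction) or (None, None)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (ingress, egress) == (r.ingress, r.egress) \
                and _contains(r.src_real, s) and _contains(r.dst_real, d):
            return r, "translate"
        if (ingress, egress) == (r.egress, r.ingress) \
                and _contains(r.dst_mapped, s) and _contains(r.src_mapped, d):
            return r, "untranslate"
    return None, None


def exercised_rules(rules: list[NatRule]) -> list[int]:
    """Rule numbers whose hit counters are non-zero in the captured output."""
    return [r.number for r in rules if r.translate_hits or r.untranslate_hits]


if __name__ == "__main__":
    rules = parse_manual_nat(SAMPLE_NAT)
    for flow in (("outside", "inside", "10.8.40.200", "10.8.32.100"),
                 ("inside", "outside", "10.8.32.100", "10.8.40.200"),
                 ("outside", "inside", "10.8.40.200", "10.8.31.2")):
        rule, direction = match_flow(rules, *flow)
        print(flow, "->", rule.number if rule else None, direction)
    print("rules with hits:", exercised_rules(rules))
```

The client-to-server flow (10.8.40.200 to 10.8.32.100, entering on outside) lands on rule 2 in the untranslate direction and the server's reply lands on the same rule in the translate direction, which matches the equal 231/231 counters in the capture. Because both sides of every rule are identity mappings, these rules only exempt traffic from the later dynamic PAT; they do not by themselves make a destination reachable, so a flow that matches here can still fail for routing reasons on the inside network.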

 

VIP Advisor

Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

I can see you are hitting the second NAT rule. Do the internal devices have a local firewall that could be blocking your access from the RAVPN network?

 

Can you remove your VPN filter and try again?

 

Is this ASA the default gateway for the internal networks?

Do the internal networks have a route to the RAVPN pool network?


Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

When you say 'Remove VPN Filter' do you mean remove NETWORK_OBJ_10.8.40.0_24 from ACL?

The ASA is on the edge and internally is directly connected to the 3750G

Traffic is passed to a 3750G. VLANs are set up inside the 3750G to enable routing. Here is VLAN 40:

Interface Vlan40
 description AnyConnect VPN Clients
 ip address 10.8.40.1 255.255.255.0

On the 3750G these are the specific ports connected to the ASA

interface GigabitEthernet2/0/9
 description ASA-INSIDE-G1/2
 switchport access vlan 31
 power inline never

interface GigabitEthernet2/0/11
 description SCG Data net
 switchport access vlan 32
 power inline never

Trunking is setup on G25-28 to pass all VLANS

 

Here are the outputs of sho ip arp and sho ip ro:

SCG-1-3750G-24-POE#sho ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.2.1.1               90   0011.93b0.9301  ARPA   Vlan15
Internet  10.99.99.1              -   0019.56ed.334c  ARPA   Vlan99
Internet  10.8.30.4              91   b862.1fc7.1d43  ARPA   Vlan30
Internet  10.8.30.5              92   001c.57b8.eb42  ARPA   Vlan30
Internet  10.8.31.1               -   0019.56ed.3344  ARPA   Vlan31
Internet  10.8.30.1               -   0019.56ed.3343  ARPA   Vlan30
Internet  10.8.31.2              70   5897.bd27.852f  ARPA   Vlan31
Internet  10.8.32.2              89   001f.cae3.4ca1  ARPA   Vlan32
Internet  10.8.38.5             182   001c.57b8.eb46  ARPA   Vlan38
Internet  10.8.34.1               -   0019.56ed.3346  ARPA   Vlan34
Internet  10.8.36.5              89   001c.57b8.eb45  ARPA   Vlan36
Internet  10.8.32.1               -   0019.56ed.3345  ARPA   Vlan32
Internet  10.8.36.2              88   001f.cae3.4ca1  ARPA   Vlan36
Internet  10.8.32.6               9   a02b.b862.3bfa  ARPA   Vlan32
Internet  10.8.34.5              92   001c.57b8.eb44  ARPA   Vlan34
Internet  10.8.32.7               0   0090.a9dd.f700  ARPA   Vlan32
Internet  10.8.38.1               -   0019.56ed.3349  ARPA   Vlan38
Internet  10.8.32.5              84   001c.57b8.eb43  ARPA   Vlan32
Internet  10.8.36.1               -   0019.56ed.3348  ARPA   Vlan36
Internet  10.8.32.10            187   003e.e1c7.3b18  ARPA   Vlan32
Internet  10.8.41.1               -   0019.56ed.334b  ARPA   Vlan41
Internet  10.8.32.9               0   0011.32c5.6c59  ARPA   Vlan32
Internet  10.8.40.1               -   0019.56ed.334a  ARPA   Vlan40
Internet  10.8.32.14             39   0024.369f.c2d3  ARPA   Vlan32
Internet  10.8.32.15              8   20c9.d09a.720c  ARPA   Vlan32
Internet  10.8.32.12              6   10dd.b1e3.b73e  ARPA   Vlan32
Internet  10.8.32.19              0   6c70.9fd5.51cf  ARPA   Vlan32
Internet  10.8.32.16              9   6c70.9fd5.51cf  ARPA   Vlan32
Internet  10.8.32.20            113   000c.2906.3d2d  ARPA   Vlan32
Internet  10.8.32.30              0   000c.29df.aea5  ARPA   Vlan32
Internet  10.8.36.103             3   c8f9.f969.198d  ARPA   Vlan36
Internet  10.8.36.101             3   001f.6c7f.36ef  ARPA   Vlan36
Internet  10.8.32.100             4   38f9.d303.3d39  ARPA   Vlan32
Internet  10.8.32.101             9   685b.359b.4db4  ARPA   Vlan32
Internet  10.8.32.106            56   d081.7ac3.7b1a  ARPA   Vlan32
Internet  10.8.32.105            66   0c08.b4d6.b075  ARPA   Vlan32
Internet  10.8.32.110             0   6c70.9fd5.51cf  ARPA   Vlan32
Internet  10.8.36.106             3   2c3e.cf76.c6fb  ARPA   Vlan36
Internet  10.8.36.107             0   0057.d2c1.7362  ARPA   Vlan36
Internet  10.8.36.104             3   0022.9003.7fd9  ARPA   Vlan36
Internet  10.8.36.105             3   2c3e.cf76.c561  ARPA   Vlan36
Internet  192.168.254.254         -   0019.56ed.334d  ARPA   Vlan192
Internet  10.8.38.84              0   accc.8e2b.470f  ARPA   Vlan38
Internet  10.8.38.85              1   accc.8e14.aa5f  ARPA   Vlan38
Internet  10.8.38.86              2   0040.8cfd.c54c  ARPA   Vlan38
Internet  10.8.38.87              1   accc.8e2b.0aac  ARPA   Vlan38
Internet  10.8.38.81              0   accc.8e2b.6159  ARPA   Vlan38
Internet  10.8.38.82            206   accc.8e2b.6c6a  ARPA   Vlan38
Internet  10.8.38.83              0   0040.8cda.f818  ARPA   Vlan38
Internet  192.168.1.254           -   0019.56ed.3342  ARPA   Vlan19
Internet  10.8.32.191             0   0009.b0f4.64a4  ARPA   Vlan32
Internet  10.8.32.132             0   3412.9891.f5da  ARPA   Vlan32
Internet  10.8.32.137             0   88a9.a714.f916  ARPA   Vlan32
Internet  10.8.32.141             1   d0d2.b012.8bb6  ARPA   Vlan32
Internet  172.16.1.1              -   0019.56ed.3347  ARPA   Vlan35
Internet  172.16.1.2             91   001f.cae3.4ca1  ARPA   Vlan35
Internet  10.8.200.1              -   0019.56ed.334e  ARPA   Vlan1003
Internet  10.8.40.200             0   Incomplete      ARPA   
Internet  10.2.1.253              -   0019.56ed.3341  ARPA   Vlan15
Internet  10.2.1.254             92   001c.57b8.eb41  ARPA   Vlan15
SCG-1-3750G-24-POE#sho ip ro
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is 10.8.31.2 to network 0.0.0.0

     20.0.0.0/24 is subnetted, 1 subnets
S       20.3.9.0 [1/0] via 10.2.1.254
     172.16.0.0/24 is subnetted, 1 subnets
C       172.16.1.0 is directly connected, Vlan35
     10.0.0.0/24 is subnetted, 12 subnets
C       10.2.1.0 is directly connected, Vlan15
S       10.1.2.0 [1/0] via 10.2.1.254
C       10.99.99.0 is directly connected, Vlan99
S       10.1.1.0 [1/0] via 10.2.1.254
C       10.8.30.0 is directly connected, Vlan30
C       10.8.31.0 is directly connected, Vlan31
C       10.8.34.0 is directly connected, Vlan34
C       10.8.32.0 is directly connected, Vlan32
C       10.8.38.0 is directly connected, Vlan38
C       10.8.36.0 is directly connected, Vlan36
C       10.8.40.0 is directly connected, Vlan40
C       10.8.41.0 is directly connected, Vlan41
C    192.168.254.0/24 is directly connected, Vlan192
C    192.168.1.0/24 is directly connected, Vlan19
C    192.168.3.0/24 is directly connected, Tunnel0
S*   0.0.0.0/0 [1/0] via 10.8.31.2
SCG-1-3750G-24-POE#

internally is 
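The 3750G output above shows 10.8.40.0 as a directly connected network on Vlan40 while the ASA assigns 10.8.40.200-220 from that same subnet, and the ARP table lists 10.8.40.200 as Incomplete. A connected /24 is a longer match than the default route via 10.8.31.2, so the switch ARPs for the VPN client on Vlan40 instead of forwarding the reply to the ASA. The script below is an added example, not from the thread: it parses constructed excerpts of those two command outputs, performs the same longest-prefix lookup the switch does for a pool address, and lists pool addresses stuck in Incomplete ARP state. The pool (10.8.40.0/24) and the ASA inside address (10.8.31.2) are taken from the posted config.

```python
"""Does the core switch route the AnyConnect pool back to the ASA, or does it own the subnet?

Added example, not from the original thread. SAMPLE_ROUTE and SAMPLE_ARP are constructed
excerpts of the 'sho ip ro' / 'sho ip arp' output the poster pasted from the 3750G.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_ROUTE = """\
Gateway of last resort is 10.8.31.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 12 subnets
C       10.8.31.0 is directly connected, Vlan31
C       10.8.32.0 is directly connected, Vlan32
C       10.8.40.0 is directly connected, Vlan40
C    192.168.1.0/24 is directly connected, Vlan19
S*   0.0.0.0/0 [1/0] via 10.8.31.2
"""

SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.8.31.2              70   5897.bd27.852f  ARPA   Vlan31
Internet  10.8.40.1               -   0019.56ed.334a  ARPA   Vlan40
Internet  10.8.40.200             0   Incomplete      ARPA   
"""

ROUTE_RE = re.compile(r"^(\S{1,2}\*?)\s+(\d+\.\d+\.\d+\.\d+)(?:/(\d+))?\s+(.+)$")
SUBNETTED_RE = re.compile(r"^\s+\S+/(\d+) is subnetted")
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+(\S+)\s+ARPA")


@dataclass(frozen=True)
class Route:
    code: str                       # 'C', 'S', 'S*', ...
    network: ipaddress.IPv4Network
    detail: str                     # 'is directly connected, Vlan40' or '[1/0] via 10.8.31.2'


def parse_routes(text: str) -> list[Route]:
    """Line parser for IOS 'show ip route'. A classful 'is subnetted' header carries the
    prefix length for the child entries that follow it; other entries carry their own."""
    routes: list[Route] = []
    inherited_prefix: Optional[int] = None
    for line in text.splitlines():
        m = SUBNETTED_RE.match(line)
        if m:
            inherited_prefix = int(m[1])
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code, addr, prefix, detail = m.groups()
        plen = int(prefix) if prefix is not None else inherited_prefix
        if plen is None:
            continue
        routes.append(Route(code, ipaddress.ip_network(f"{addr}/{plen}", strict=False),
                            detail.strip()))
    return routes


def lookup(routes: list[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match, as the switch's forwarding lookup does it."""
    a = ipaddress.ip_address(ip)
    candidates = [r for r in routes if a in r.network]
    return max(candidates, key=lambda r: r.network.prefixlen, default=None)


def classify_pool_route(routes: list[Route], pool_ip: str, asa_inside_ip: str) -> str:
    """'connected': the switch owns the pool subnet and will ARP for clients on a local VLAN
    'via-asa'  : the next hop is the ASA inside address, which a remote-access pool needs
    'other'    : some other next hop, or no route at all"""
    r = lookup(routes, pool_ip)
    if r is None:
        return "other"
    if r.code.startswith("C"):
        return "connected"
    if f"via {asa_inside_ip}" in r.detail:
        return "via-asa"
    return "other"


def incomplete_arp(text: str, pool: str) -> list[str]:
    """Pool addresses the switch tried to resolve on a local VLAN and got no answer for."""
    net = ipaddress.ip_network(pool, strict=False)
    return [m[1] for m in map(ARP_RE.match, text.splitlines())
            if m and m[2] == "Incomplete" and ipaddress.ip_address(m[1]) in net]


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE)
    print("10.8.40.200 ->", lookup(routes, "10.8.40.200"))
    print("verdict:", classify_pool_route(routes, "10.8.40.200", "10.8.31.2"))
    print("incomplete ARP in pool:", incomplete_arp(SAMPLE_ARP, "10.8.40.0/24"))
```

On the posted output the verdict is `connected` and 10.8.40.200 is reported as an Incomplete ARP entry. A remote-access pool has to be a subnet that no internal device owns, reached from the core by a route whose next hop is the ASA inside address; while the switch holds the pool as a connected VLAN, server replies never reach the ASA regardless of how the NAT exemptions are written.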

VIP Advisor

Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

Under the group-policy

 

group-policy GroupPolicy_SGC2 attributes
 no vpn-filter value outside_access_in

 


Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

Removed

Still cannot ping inside

FYI: When SSH into ASA I did a ping and here are the results

SCG-ASA-01# ping 10.8.32.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.8.32.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
SCG-ASA-01# 

Also, for clarity's sake, I noticed syntax errors in naming, so I changed all SGC to SCG and attached that config with your change request.

Result of the command: "sho run"

: Saved

: 
: Serial Number: 
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(1) 
!
hostname SCG-ASA-01
domain-name hq.scgconnect.com
enable password 0TAz8qRS9LuZZzJv encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd zJXfJytEpmEl08Wj encrypted
names
ip local pool VPN-Pool 10.8.40.200-10.8.40.220 mask 255.255.255.0
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 24.213.128.10 255.255.255.248 
!
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.8.31.2 255.255.255.0 
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 10.8.30.9 255.255.255.0 
!
boot system disk0:/asa961-lfbff-k8.SPA
boot system disk0:/asa952-6-lfbff-k8.SPA
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 10.8.32.9 inside
 name-server 24.92.226.11 outside
 name-server 24.92.226.12 outside
 domain-name hq.scgconnect.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NET_10.8.32.0_24_Servers
 subnet 10.8.32.0 255.255.255.0
object network NET_10.8.34.0_24_Users
 subnet 10.8.34.0 255.255.255.0
object network NET_10.8.36.0_24_VOIP
 subnet 10.8.36.0 255.255.255.0
object network NET_10.8.38.0_24_SecCam
 subnet 10.8.38.0 255.255.255.0
object network NET_192.168.1.0_24_Dev
 subnet 192.168.1.0 255.255.255.0
object network NET_10.2.1.0_24_Dev2
 subnet 10.2.1.0 255.255.255.0
object network NET_10.0.0.0_8
 subnet 10.0.0.0 255.0.0.0
object network HOST_10.8.32.9_tcp1723
 host 10.8.32.9
object network HOST_10.8.32.10_gre
 host 10.8.32.10
object network HOST_88.150.240.0
 subnet 88.150.240.0 255.255.255.0
object network NET_113.105.128.0_24
 subnet 113.105.128.0 255.255.255.0
object network NET_66.241.99.0_24
 subnet 66.241.99.0 255.255.255.0
object network HOST_10.8.32.10
 host 10.8.32.10
object network HOST_10.1.1.8
 host 10.1.1.8
object network HOST_10.8.32.12
 host 10.8.32.12
object network HOST_10.8.32.13
 host 10.8.32.13
object network HOST_10.8.38.81
 host 10.8.38.81
 description Axis Camera
object network HOST_10.8.38.82
 host 10.8.38.82
 description Axis Camera
object network HOST_10.8.38.83
 host 10.8.38.83
 description Axis Camera
object network HOST_10.8.38.84
 host 10.8.38.84
 description Axis Camera
object network HOST_10.8.38.85
 host 10.8.38.85
 description Axis Camera
object network HOST_10.8.32.13_tcp6180
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6181
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6182
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6183
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6185
 host 10.8.32.13
object network HOST_10.8.32.13_tcp6188
 host 10.8.32.13
object network HOST_10.8.32.9_udp500
 host 10.8.32.9
object network HOST_10.8.32.9_udp4500
 host 10.8.32.9
object network HOST_10.8.32.10_tcp443
 host 10.8.32.10
object network HOST_10.8.32.10_443
object network HOST_10.1.1.8_tcp9000
 host 10.1.1.8
object network HOST_10.1.1.8_tcp8081
 host 10.1.1.8
object network HOST_10.8.32.9_tcp1701
 host 10.8.32.9
object network NET_172.16.1.0
 subnet 172.16.1.0 255.255.255.0
object network HOST_10.8.36.2_udp5060
 host 10.8.36.2
object network NETWORK_OBJ_10.8.40.0_24
 subnet 10.8.40.0 255.255.255.0
 description VPN users
object network HOST_172.16.1.2_udp5060
 host 172.16.1.2
object network HOST_10.8.32.12_tcp9101
 host 10.8.32.12
 description SCG AXIS ADMIN DEVELOPMENT
object network HOST_10.8.38.86
 host 10.8.38.86
 description Axis Camera
object network HOST_10.8.38.87
 host 10.8.38.87
 description Axis Camera
object network HOST_10.8.32.12_tcp9201
 host 10.8.32.12
 description Voter Viewer web interface
object network HOST_10.8.32.12_tcp9301
 host 10.8.32.12
 description PDS web interface
object network HOST_10.8.32.9_tcp5001
 host 10.8.32.9
 description Synology NAS
object network Host_10.8.32.9_tcp5005
 host 10.8.32.9
 description Synology NAS
object network VPN-Pool
 range 10.8.40.200 10.8.40.220
 description VPN Users
object network HOST_10.8.40.200_10.8.40.220
 range 10.8.40.200 10.8.40.220
 description VPN Users
object-group service DM_INLINE_TCPUDP_1 tcp-udp
 port-object eq 5061
 port-object eq sip
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list outside_access_in extended permit ip object NETWORK_OBJ_10.8.40.0_24 any 
access-list outside_access_in extended deny ip object HOST_88.150.240.0 any 
access-list outside_access_in extended deny ip object NET_113.105.128.0_24 any 
access-list outside_access_in extended permit object-group TCPUDP object NET_66.241.99.0_24 any object-group DM_INLINE_TCPUDP_1 log 
access-list outside_access_in extended deny udp any any eq sip log 
access-list outside_access_in extended permit tcp any any eq https 
access-list outside_access_in extended permit tcp any any eq 500 
access-list outside_access_in extended permit udp any any eq 1701 
access-list outside_access_in extended permit tcp any any eq pptp 
access-list outside_access_in extended permit tcp any any eq 3306 log 
access-list outside_access_in extended permit tcp any any eq 4500 
access-list outside_access_in extended permit tcp any any eq 5001 
access-list outside_access_in extended permit tcp any any eq 6180 
access-list outside_access_in extended permit tcp any any eq 6181 
access-list outside_access_in extended permit tcp any any eq 6182 
access-list outside_access_in extended permit tcp any any eq 6183 
access-list outside_access_in extended permit tcp any any eq 6185 
access-list outside_access_in extended permit tcp any any eq 6188 
access-list outside_access_in extended permit tcp any any eq 9000 
access-list outside_access_in extended permit tcp any any eq 8081 log 
access-list outside_access_in extended permit udp any any log 
access-list outside_access_in extended permit tcp any any log 
access-list outside_access_in extended permit gre any any 
access-list outside_access_in extended permit ipinip any any 
access-list outside_access_in extended permit esp any any 
access-list outside_access_in extended permit ip any any log 
access-list outside_access_in extended permit ip host 10.1.1.22 host 10.1.1.13 
access-list VPN-SCG2 standard permit 10.8.0.0 255.255.192.0 
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-751.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.32.0_24_Servers NET_10.8.32.0_24_Servers destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
nat (inside,outside) source static NET_10.8.34.0_24_Users NET_10.8.34.0_24_Users destination static NETWORK_OBJ_10.8.40.0_24 NETWORK_OBJ_10.8.40.0_24 no-proxy-arp
!
object network HOST_10.8.32.9_tcp1723
 nat (inside,outside) static interface service tcp pptp pptp 
object network HOST_10.8.32.12
 nat (inside,outside) static interface service tcp 3306 3306 
object network HOST_10.8.32.13
 nat (inside,outside) static interface service tcp 6188 6188 
object network HOST_10.8.38.81
 nat (inside,outside) static interface service tcp 9111 9111 
object network HOST_10.8.38.82
 nat (inside,outside) static interface service tcp 9112 9112 
object network HOST_10.8.38.83
 nat (inside,outside) static interface service tcp 9113 9113 
object network HOST_10.8.38.84
 nat (inside,outside) static interface service tcp 9114 9114 
object network HOST_10.8.38.85
 nat (inside,outside) static interface service tcp 9115 9115 
object network HOST_10.8.32.13_tcp6180
 nat (inside,outside) static interface service tcp 6180 6180 
object network HOST_10.8.32.13_tcp6181
 nat (inside,outside) static interface service tcp 6181 6181 
object network HOST_10.8.32.13_tcp6182
 nat (inside,outside) static interface service tcp 6182 6182 
object network HOST_10.8.32.13_tcp6183
 nat (inside,outside) static interface service tcp 6183 6183 
object network HOST_10.8.32.13_tcp6185
 nat (inside,outside) static interface service tcp 6185 6185 
object network HOST_10.8.32.13_tcp6188
 nat (inside,outside) static interface service tcp 6188 6188 
object network HOST_10.8.32.9_udp500
 nat (inside,outside) static interface service udp isakmp isakmp 
object network HOST_10.8.32.9_udp4500
 nat (inside,outside) static interface service udp 4500 4500 
object network HOST_10.1.1.8_tcp9000
 nat (inside,outside) static interface service tcp 9000 9000 
object network HOST_10.1.1.8_tcp8081
 nat (inside,outside) static interface service tcp 8081 8081 
object network HOST_10.8.32.9_tcp1701
 nat (inside,outside) static interface service tcp 1701 1701 
object network HOST_172.16.1.2_udp5060
 nat (inside,outside) static interface service udp sip sip 
object network HOST_10.8.32.12_tcp9101
 nat (inside,outside) static interface service tcp 9101 9101 
object network HOST_10.8.38.86
 nat (inside,outside) static interface service tcp 9116 9116 
object network HOST_10.8.38.87
 nat (inside,outside) static interface service tcp 9117 9117 
object network HOST_10.8.32.12_tcp9201
 nat (inside,outside) static interface service tcp 9201 9201 
object network HOST_10.8.32.12_tcp9301
 nat (inside,outside) static interface net-to-net service tcp 9301 9301 
object network HOST_10.8.32.9_tcp5001
 nat (inside,outside) static interface service tcp 5001 5001 
object network Host_10.8.32.9_tcp5005
 nat (inside,outside) static interface service tcp 5005 5005 
!
nat (outside,outside) after-auto source dynamic NETWORK_OBJ_10.8.40.0_24 interface
nat (inside,outside) after-auto source dynamic any interface
nat (outside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 24.213.128.9 1
route inside 10.0.0.0 255.0.0.0 10.8.31.1 1
route inside 172.16.1.0 255.255.255.0 10.8.31.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map CiscoMAP
  map-name  memberOf IETF-Radius-Class
  map-value memberOf CN=workgroup,DC=hq,DC=scgconnect,DC=com UID
aaa-server SCG protocol ldap
aaa-server SCG (inside) host 10.8.32.9
 server-port 636
 ldap-base-dn cn=users,dc=hq,dc=scgconnect,dc=com
 ldap-scope subtree
 ldap-naming-attribute uid
 ldap-over-ssl enable
 server-type microsoft
 ldap-attribute-map CiscoMAP
no user-identity enable
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL 
http server enable 5000
http 192.168.1.0 255.255.255.0 inside
http 10.8.32.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=remote.scgconnect.com
 no ca-check
 crl configure
crypto ca trustpoint Cisco_Manufacturing_CA
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-001
 enrollment terminal
 crl configure
crypto ca trustpoint CAP-RTP-002
 enrollment terminal
 crl configure
crypto ca trustpoint CAPF
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint asdm_cuma_local
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_cuma_root_ca
 enrollment terminal
 crl configure
crypto ca trustpoint asdm_cuma_local_proxy
 enrollment terminal
 validation-usage ssl-client
 crl configure
crypto ca trustpoint Cisco_Root_CA_2048
 enrollment terminal
 crl configure
crypto ca trustpoint CallManager
 enrollment terminal
 no ca-check
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 crl configure
crypto ca trustpoint ccm_proxy
 enrollment self
 fqdn none
 subject-name cn=Proxy
 serial-number
 crl configure
crypto ca trustpoint ldc_server
 enrollment self
 fqdn ldc.scgconnect.com
 subject-name cn=LDC_SIGNER
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpoint ASDM_TrustPoint5
 enrollment self
 subject-name CN=hq.scgconnect.com
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment self
 subject-name CN=SCG-ASA-01
 crl configure
crypto ca trustpool policy
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 remote-access trustpoint ASDM_TrustPoint0
telnet 10.8.32.0 255.255.255.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh 10.8.32.0 255.255.255.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 160
!
!
tls-proxy my_proxy
 server trust-point ccm_proxy
 client ldc issuer ldc_server
 client cipher-suite aes128-sha1 aes256-sha1
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 129.6.15.28 source inside
ntp server 10.8.32.20 source inside prefer
ssl trust-point ASDM_TrustPoint5 outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-4.8.01090-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.8.01090-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.8.01090-webdeploy-k9.pkg 3
 anyconnect profiles SCG2_anyconnect disk0:/scg2_anyconnect.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
!
ctl-provider my_ctl
 client interface inside address 10.8.32.20
 client username rubenc password IxJu2LI1uG0ssLO6 encrypted
 export certificate ccm_proxy
!
group-policy GroupPolicy_SSL internal
group-policy GroupPolicy_SSL attributes
 wins-server none
 dns-server value 10.8.32.9
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelall
 default-domain value hq.scgconnect.com
 split-tunnel-all-dns enable
group-policy GroupPolicy_SCG2 internal
group-policy GroupPolicy_SCG2 attributes
 wins-server none
 dns-server value 10.8.32.9
 vpn-tunnel-protocol ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-SCG2
 default-domain value hq.scgconnect.com
 split-dns value hq.scgconnect.com
 split-tunnel-all-dns disable
 client-bypass-protocol enable
 webvpn
  anyconnect profiles value SCG2_anyconnect type user
dynamic-access-policy-record DfltAccessPolicy
tunnel-group SCG2 type remote-access
tunnel-group SCG2 general-attributes
 address-pool VPN-Pool
 authentication-server-group SCG
 default-group-policy GroupPolicy_SCG2
tunnel-group SCG2 webvpn-attributes
 group-alias SCG2 enable
tunnel-group SSL type remote-access
tunnel-group SSL general-attributes
 address-pool VPN-Pool
 default-group-policy GroupPolicy_SSL
tunnel-group SSL webvpn-attributes
 authentication certificate
 group-url https://hq.scgconnect.com/SSL enable
!
class-map sec_skinny
 match port tcp eq 2443
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map type inspect skinny skinny_inspect
 parameters
policy-map global_policy
 class inspection_default
  inspect ftp 
  inspect ip-options 
  inspect netbios 
  inspect rsh 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect xdmcp 
  inspect dns preset_dns_map 
  inspect skinny skinny_inspect 
 class sec_skinny
  inspect skinny skinny_inspect tls-proxy my_proxy 
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum client auto
  message-length maximum 512
!
service-policy global_policy global
prompt hostname context 
service call-home
call-home reporting anonymous
call-home
 contact-email-addr cfitzsimmons@scgconnect.com
 profile CiscoTAC-1
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
hpm topN enable
Cryptochecksum:b85da98bf45fe4104d7360a320a935e0
: end
VIP Advisor

Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

Remove interface VLAN40 from your 3750; it thinks that /24 network is directly connected, so it won't route the traffic to the ASA. The 3750 will rely on its default route to communicate with the RAVPN network, which will route the traffic to the ASA.

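To see why the connected Vlan40 black-holes the VPN pool, here is an added Python model (not part of the thread and not any Cisco tool) that runs a longest-prefix-match lookup over the 3750 routing table pasted earlier, before and after removing the VLAN interface. The /24 prefix lengths and the ASA inside address 10.8.31.2 come from the thread; the table layout and function names are constructed for this example.

```python
import ipaddress

# Constructed model of the 3750's routing table as pasted in the thread:
# connected VLAN routes plus the static default pointing at the ASA inside
# address 10.8.31.2. Prefix lengths are assumed to be /24, matching the
# subnets the original poster listed.
# Each entry: (prefix, next_hop or None if connected, egress interface or None)
ROUTES_3750 = [
    ("10.8.30.0/24", None, "Vlan30"),
    ("10.8.31.0/24", None, "Vlan31"),
    ("10.8.32.0/24", None, "Vlan32"),
    ("10.8.34.0/24", None, "Vlan34"),
    ("10.8.36.0/24", None, "Vlan36"),
    ("10.8.38.0/24", None, "Vlan38"),
    ("10.8.40.0/24", None, "Vlan40"),  # overlaps the ASA's VPN-Pool
    ("10.8.41.0/24", None, "Vlan41"),
    ("0.0.0.0/0", "10.8.31.2", None),  # S* default via the ASA inside
]

ASA_INSIDE = "10.8.31.2"


def lookup(routes, dst):
    """Longest-prefix match. Returns (prefix, next_hop, iface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    if best is None:
        return None
    return (str(best[0]), best[1], best[2])


def without_interface(routes, iface):
    """Routing table after 'no interface <iface>' on the switch."""
    return [r for r in routes if r[2] != iface]


def return_traffic_reaches_asa(routes, vpn_client_ip):
    """Does the 3750 hand a reply destined to a VPN client to the ASA?

    With a connected Vlan40 the switch treats the client as a local host on
    that VLAN and the packet never reaches the ASA; with only the default
    route left, the reply is forwarded to the ASA inside address.
    """
    r = lookup(routes, vpn_client_ip)
    return r is not None and r[1] == ASA_INSIDE


if __name__ == "__main__":
    client = "10.8.40.200"  # first address of VPN-Pool
    print("before:", lookup(ROUTES_3750, client),
          "reaches ASA:", return_traffic_reaches_asa(ROUTES_3750, client))
    fixed = without_interface(ROUTES_3750, "Vlan40")
    print("after: ", lookup(fixed, client),
          "reaches ASA:", return_traffic_reaches_asa(fixed, client))
```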


Re: VPN on ASA 5506 - Client has internet access & email - cannot ping internal network or access servers such as NAS

Nice improvement. I can ping devices on the network on different VLANs; however, DNS does not work. Interestingly, when I use an IP I know, I can get to a device like the NAS, but nslookup forward or reverse fails, and it is because the lookup is going out to the cloud, not to the internal DNS server, which is 10.8.32.9.

That IP is set as DNS inside the ASA.

You have significantly helped me on this and the DNS was not part of the original problem. If you have any suggestions on that it would be appreciated.

I have had a couple of people who are really good at setting up networks and they missed that as well as I did