I've been reading everything I can find, and I think I understand what is asked of me, but I'm not sure exactly how to do it within ASDM
I have used the "wizard" to set up the anyconnect VPN and think that's all fine.
But the wizard reminded me that I needed to add a NAT exempt rule, so the wizard isn't such a wiz after all and can't set everything up.
My VPN pool is 10.10.35.1 through 50
My internal networks are 10.10.30.0/24 and 10.10.10.0/24
Do I need 2 nat exempt rules to allow windows remote desktop to the internal machines via AnyConnect?
And if so, how do I do that in ASDM? (I'm totally clueless about using the CLI, and if that would work better, I would like a step by step.)
Which "username" are you logging in with?
username vpntest attributes
username DNewman attributes
One of them is using the Group Policy "VPN" and the other one the "DfltGrpPolicy", which doesn't have any DNS server configured.
You can also configure your VPN to use Split Tunnel. This would essentially mean that ONLY traffic towards the LAN networks is tunneled to the VPN and all other traffic (like Internet) goes through the users local Internet connection.
If you want to configure Split Tunnel then you can use these configurations
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.10.30.0 255.255.255.0
group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
You can insert the following configuration to configure the NAT0 / NAT Exempt required
access-list INSIDE-NAT0 remark NAT0 for VPN
access-list INSIDE-NAT0 permit ip 10.10.30.0 255.255.255.0 10.10.35.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.10.10.0 255.255.255.0 10.10.35.0 255.255.255.0
nat (inside) 0 access-list INSIDE-NAT0
You can either use the CLI directly or you can use the ASDM -> Tools -> Command Line Interface. You might need to choose the "Multiple Lines" option before inserting the commands to be sent to the ASA.
Hope this helps
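As an added check (my own script, not part of the answer above or of Cisco's tooling), the following Python parses the ACL lines from the answer and confirms that every internal network has a NAT0 entry covering the whole VPN pool and a matching split-tunnel entry; it assumes the addresses given in the question and ASA-style netmasks (not wildcards).

```python
import ipaddress

# Constructed sample: the ACL lines from the answer above, as they would be
# pasted from "show running-config access-list".
ASA_CONFIG = """
access-list SPLIT-TUNNEL standard permit 10.10.10.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 10.10.30.0 255.255.255.0
access-list INSIDE-NAT0 remark NAT0 for VPN
access-list INSIDE-NAT0 permit ip 10.10.30.0 255.255.255.0 10.10.35.0 255.255.255.0
access-list INSIDE-NAT0 permit ip 10.10.10.0 255.255.255.0 10.10.35.0 255.255.255.0
"""

INTERNAL_NETS = ["10.10.30.0/24", "10.10.10.0/24"]   # from the question
VPN_POOL = ("10.10.35.1", "10.10.35.50")             # from the question


def parse_acl(config, name):
    """Return (src, dst) pairs for each permit ACE of the named ACL.
    Standard ACEs carry one network and are returned as (net, None);
    remark lines and other ACLs are skipped."""
    entries = []
    for line in config.splitlines():
        p = line.split()
        if len(p) < 6 or p[0] != "access-list" or p[1] != name or "permit" not in p:
            continue
        if p[2] == "extended":          # "show run" prints this keyword; drop it
            p.pop(2)
        if p[2] == "standard":          # access-list NAME standard permit NET MASK
            entries.append((ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False), None))
        else:                           # access-list NAME permit ip SRC MASK DST MASK
            src = ipaddress.ip_network(f"{p[4]}/{p[5]}", strict=False)
            dst = ipaddress.ip_network(f"{p[6]}/{p[7]}", strict=False)
            entries.append((src, dst))
    return entries


def nat0_gaps(config, acl, internal_nets, pool):
    """Internal networks with no NAT-exempt ACE that covers the entire pool."""
    pool_blocks = list(ipaddress.summarize_address_range(
        ipaddress.ip_address(pool[0]), ipaddress.ip_address(pool[1])))
    aces = parse_acl(config, acl)
    return [str(net) for net in map(ipaddress.ip_network, internal_nets)
            if not any(net.subnet_of(src) and all(b.subnet_of(dst) for b in pool_blocks)
                       for src, dst in aces)]


def split_tunnel_gaps(config, acl, internal_nets):
    """Internal networks the split-tunnel list would leave untunneled."""
    nets = [src for src, _ in parse_acl(config, acl)]
    return [str(n) for n in map(ipaddress.ip_network, internal_nets)
            if not any(n.subnet_of(s) for s in nets)]


if __name__ == "__main__":
    print("NAT0 gaps:", nat0_gaps(ASA_CONFIG, "INSIDE-NAT0", INTERNAL_NETS, VPN_POOL))
    print("Split-tunnel gaps:", split_tunnel_gaps(ASA_CONFIG, "SPLIT-TUNNEL", INTERNAL_NETS))
```

An empty list from both functions means each internal network has its own rule, which is why two NAT exempt entries are needed here; a pool that grew past 10.10.35.0/24 would show up as a gap for every network.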