no nat (inside,outside) source dynamic OBJ_GENERIC_ALL interface
This might cause a short outage for the LAN users since we add a new Dynamic PAT and remove the old one (which will probably tear down the existing translations active on the firewall). I will leave it to you to decide whether to do the change now.
Yes, I had the wrong network mask in the configurations. You can modify those to the correct ones.
The ASA will handle the routing for the VPN Pool without adding any separate "route" command. The only thing you need to confirm is that the traffic from the internal network has a route for the VPN Pool. But 99% of the time this is handled by the default route on the internal router. If you had a separate firewall and a separate VPN device, then it would be likely you would need some additional routing configurations.
I noticed one thing now that I forgot to mention in my original reply.
You have a VPN Filter ACL configured that should be removed.
group-policy ONA-RA_VPN attributes
no vpn-filter value RA_VPN
If you look at the ACL RA_VPN, you will notice it only allows traffic from the VPN Pool to the link network between the ASA and the internal router. It has no mention of the actual LAN networks.
So please remove it from the "group-policy" as shown above then test again.
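As an added, defender-side check (not part of the original reply): a small Python script that parses ASA extended ACL lines and reports which LAN subnets a vpn-filter ACL never permits from the VPN pool, the gap the reply describes for RA_VPN. The pool, LAN subnets and ACL lines are constructed placeholders; the thread's real addresses and ACL are not on the page.

```python
"""Added check, not from the original thread: does an ASA vpn-filter ACL permit
VPN-pool clients to reach the LAN subnets? All addresses below are constructed."""
import ipaddress

def _addr(tokens, i):
    """Consume one ASA address spec (any | host A | A MASK); return (net, next_i)."""
    if tokens[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text, name):
    """Return (action, src_net, dst_net) for each 'access-list NAME extended' ACE."""
    aces = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[:3] != ["access-list", name, "extended"]:
            continue
        src, i = _addr(t, 5)          # t[3] = permit|deny, t[4] = protocol
        dst, _ = _addr(t, i)
        aces.append((t[3], src, dst))
    return aces

def lan_unreachable(aces, pool, lans):
    """LAN subnets the pool cannot reach: the ACL is first-match with an implicit
    deny, so a subnet is reachable only if its first covering ACE is a permit."""
    pool = ipaddress.ip_network(pool)

    def first_match(lan):
        for action, src, dst in aces:
            if pool.subnet_of(src) and lan.subnet_of(dst):
                return action
        return "deny"                 # implicit deny at the end of every ACL

    return [str(l) for l in map(ipaddress.ip_network, lans)
            if first_match(l) != "permit"]

# Constructed sample mirroring the reply's symptom: the filter permits the pool
# to the ASA<->router link network only and never mentions the LAN subnets.
SAMPLE_CONFIG = """\
access-list RA_VPN extended permit ip 10.99.0.0 255.255.255.0 10.1.1.0 255.255.255.252
access-list RA_VPN extended permit ip 10.99.0.0 255.255.255.0 host 10.1.1.2
"""
VPN_POOL = "10.99.0.0/24"
LAN_NETS = ["192.168.10.0/24", "192.168.20.0/24", "10.1.1.0/30"]

def check_sample():
    """Subnets the sample filter blocks; the two LANs are reported, the link net is not."""
    return lan_unreachable(parse_acl(SAMPLE_CONFIG, "RA_VPN"), VPN_POOL, LAN_NETS)
```

Run it against the output of `show running-config access-list` to see which internal subnets a vpn-filter silently drops before changing or removing the filter.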