Thanks for the reply Karsten.

1 - The ping test:

Sending 5 TCP SYN requests to 10.1.10.5 prot 80 from 10.1.10.1, timeout is 2 seconds:

Success rate is 100 percent (5/5)

2 - Attached

I think it really could be a NAT-problem. Please change your NAT the following way:

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS route-lookup no-proxy-arp
no nat (outside,inside) source static VPN-HOSTS VPN-HOSTS
no nat (outside,outside) source dynamic INSIDE-HOSTS interface
no nat (inside,dmz) source static OBJ-10.0.10.0-24 OBJ-10.0.10.0-24

object network obj_any
 no nat (inside,outside) dynamic interface
object network DMZ_outside
 no nat (dmz,outside) dynamic interface

nat (dmz,outside) after-auto source dynamic any interface

These changes shouldn't remove any functionality, but many of the rules are probably not needed as they don't make any sense.

Good morning Karsten,

I have cleaned up the rules as you specified with the exception of below.  Since I could not get that command to run I haven't removed the corresponding NAT (I assume your rule combines the two separate rules).

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static
VPN-HOSTS VPN-HOSTS route-lookup no-proxy-arp
                                                                 ^
ERROR: % Invalid input detected at '^' marker.

I'm attaching the updated running config. 

I ran the packet sniffer again and attached results.

Thanks!

Sorry, I mixed up the order of the keywords in the first line. This should work now and the other lines are also not needed:

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS no-proxy-arp route-lookup
no nat (outside,inside) source static VPN-HOSTS VPN-HOSTS
no nat (outside,outside) source dynamic INSIDE-HOSTS interface

I've applied that - thank you.  The new running config attached.  

The webserver is still not playing nice with the outside world.  Since the error message on the tracer isn't giving me specifics is it possible I've gotten interfaces mixed up somewhere?

I tried the following but it was unsuccessful:

ciscoasa(config)# no access-group dmz_acl in interface dmz
ciscoasa(config)# access-group dmz_acl in interface outside

After looking at this I think the correct form is actually:

access-group outside_acl in interface outside

The outside_acl is what contains the rules for the WEBSERVER-TCP80.  I removed the dmz_acl.  I think it may have been from a prior attempt to get this working.

My latest config is attached...I've been trying various things but have not had any luck thus far.  I'm probably going to end up with a lot of junk in there I do not need.

This is again the initial config that will cause NAT-problems.

Here is a cleaned up NAT- and (outside) ACL config which you need for the server and the VPN-communication:

nat (inside,outside) source static INSIDE-HOSTS INSIDE-HOSTS destination static VPN-HOSTS VPN-HOSTS no-proxy-arp route-lookup
!
object network WEBSERVER-TCP80
 nat (dmz,outside) static interface service tcp www www
!
nat (any,outside) after-auto source dynamic any interface
!
access-list outside_acl extended permit tcp any object WEBSERVER-TCP80 eq www
access-group outside_acl in interface outside

I removed that extraneous VPN rule as instructed and matched up my config with yours.  How else might I track down the point of failure?

Appreciate your time sir!

What is the result of the packet-tracer with that config?

The new packet sniff results are attached.  Still being dropped somewhere.  =\

So I was finally able to get it to pass traffic.  I had the NAT interfaces backwards. 

My rule should have read:

object network WEBSERVER-TCP80

host 10.1.10.5

nat (DMZ,outside) static interface service tcp www www

My new issue is figuring out why it will not accept the domain address.  It only seems to go through if I enter the IP address.

Additional bit of information.  I was watching the ASDM log as I attempted to hit the webserver.  I got the following message:

TCP access denied by ACL from xx.xx.xx.xx/60382 to outside: xx.xx.xx.xx/80

It shows the destination as the correct IP and the port as the correct port.

Where do you want to use a domain-name? In this setup with traffic coming from outside, it will probably not work. If you use an object for your server with a fqdn in the ACL, it has to resolve to the internal IP in the DMZ.