You would need to configure NAT exemption as follows:
object network obj-172.16.5.0
 subnet 172.16.5.0 255.255.255.0
object network obj-172.16.0.0
 subnet 172.16.0.0 255.255.255.224
object network obj-172.16.2.0
 subnet 172.16.2.0 255.255.254.0
object network vpn-pool
 subnet 172.16.200.0 255.255.255.0
nat (LAN-Servers,External) source static obj-172.16.5.0 obj-172.16.5.0 destination static vpn-pool vpn-pool
nat (LAN-IT,External) source static obj-172.16.0.0 obj-172.16.0.0 destination static vpn-pool vpn-pool
nat (LAN-GenPop,External) source static obj-172.16.2.0 obj-172.16.2.0 destination static vpn-pool vpn-pool
How are you trying to test? Did you use ping?
If you do, please also add the following:
And are you able to ping 172.16.0.29 after connecting through AnyConnect?
I tried with ping, nothing.
I added those, still nothing.
I can't ping anything, not even 172.16.0.29.
But now, in packet tracer I have this:
You need to declare the network routes for the inside network. Can you post the output of the command "debug crypto ipsec sa"?
Jose Luis B.
Don't forget to rate the answer if the help was useful to you.
Please do rate if the given information helps.
Well, this is AnyConnect, so "debug cry ipsec" is the incorrect debug to use.
Can you please connect via AnyConnect, and share the output of statistics and also the route from the AnyConnect client.
Also, please share the latest config after the changes.
On the ASA, can you please share the details of the following once you have connected through AnyConnect and pinged something:
show vpn-sessiondb detail anyconnect
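An offline sanity check for the NAT exemption lines in the first post, added here as an example and not posted by any participant in the thread. It parses the object and nat lines and reports subnets whose address does not match their mask, inside subnets that overlap the VPN pool, and inside objects with no identity NAT toward the pool. The function name `check_exemptions` and the rule that every non-pool object needs an exemption are assumptions of this example.

```python
import ipaddress
import re

# Constructed input: the object and nat lines from the first post in this thread.
CONFIG = """\
object network obj-172.16.5.0
 subnet 172.16.5.0 255.255.255.0
object network obj-172.16.0.0
 subnet 172.16.0.0 255.255.255.224
object network obj-172.16.2.0
 subnet 172.16.2.0 255.255.254.0
object network vpn-pool
 subnet 172.16.200.0 255.255.255.0
nat (LAN-Servers,External) source static obj-172.16.5.0 obj-172.16.5.0 destination static vpn-pool vpn-pool
nat (LAN-IT,External) source static obj-172.16.0.0 obj-172.16.0.0 destination static vpn-pool vpn-pool
nat (LAN-GenPop,External) source static obj-172.16.2.0 obj-172.16.2.0 destination static vpn-pool vpn-pool
"""
NAT_RE = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")

def check_exemptions(config, pool_name="vpn-pool"):
    """Return a list of problems in the identity NAT rules toward the VPN pool."""
    objects, problems, exempted, current = {}, [], set(), None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"object network (\S+)", line):
            current = m.group(1)
        elif (m := re.fullmatch(r"subnet (\S+) (\S+)", line)) and current:
            try:  # strict=True rejects an address with host bits set for its mask
                objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
            except ValueError as exc:
                problems.append(f"{current}: {exc}")
        elif m := NAT_RE.match(line):
            src, src_mapped, dst, dst_mapped = m.groups()
            if (src, dst) != (src_mapped, dst_mapped):
                problems.append(f"address is translated, not exempted: {line}")
            elif dst == pool_name:
                exempted.add(src)
    pool = objects.get(pool_name)
    for name, net in objects.items():
        if name == pool_name:
            continue
        if pool is not None and net.overlaps(pool):
            problems.append(f"{name} overlaps {pool_name}")
        if name not in exempted:
            problems.append(f"no NAT exemption toward {pool_name} for {name}")
    return problems

if __name__ == "__main__":
    print(check_exemptions(CONFIG) or "every inside object has an exemption toward the pool")
```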