Solved: ASA 5506 Remote Access VPN Hairpin

bmarchik1980 · ‎03-04-2018

I am having issues getting my anyconnect clients to be able to hairpin. I had this functional on my 5505, and used the same configuration from the 5505 to establish the setup on the 5506. Clients are able to talk to resources on the LAN, but unable to get out to the internet on a hairpin.

"Asymmetric NAT rules matched for forward and reverse flows; Connection for tcp src outside: dst outside: denied due to NAT reverse path failure"

Relevant NAT Rules:

nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup

object network obj_any
nat (any,outside) dynamic interface

nat (outside,outside) after-auto source dynamic VPN_Subnet interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ************ 1

Any help would be appreciated.

Francesco Molino · ‎03-05-2018

This Nat statement nat (any,outside) dynamic interface needs to be moved at the end of the list.

Also just a quick recommendation, it's better not using any in nat statement but use the real interface name

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎03-04-2018

Hi

You shared a sample of your config and not sure what the problem is without a full view of nat and/or acls.

Can you run the following command and share the output please?

packet-tracer input outside tcp x.x.x.x 12345 8.8.8.8 80 --> x.x.x.x would be an ip within your anyconnect pool.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

bmarchik1980 · ‎03-05-2018

Packet tracer results show it is dropped by an implicit rule, indicating it is hitting the outside ACL:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ********** using egress ifc outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ************ using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

More detailed excerpt of my config:

ASA Version 9.8(2)
!
hostname **********
domain-name ********
enable password ***************
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
ip local pool VPN_DHCP *********** mask ***********

!
interface GigabitEthernet1/1
nameif outside

security-level 0
ip address *****************
!
interface GigabitEthernet1/2
duplex full
nameif inside
security-level 100
ip address ********************
!
interface GigabitEthernet1/3
nameif DMZ
security-level 90
ip address ********************
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level

no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level

no ip address
!
banner login You have logged in to a secure device. If you are not authorized to access this device, log out immediately or risk possible criminal consequences.
banner motd You have logged in to a secure device. If you are not authorized to access this device, log out immediately or risk possible criminal consequences.
banner asdm You have logged in to a secure device. If you are not authorized to access this device, log out immediately or risk possible criminal consequences.
boot system disk0:/asa982-lfbff-k8.spa
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
name-server ***********
name-server ***********
domain-name **********
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
access-list outside_access_in extended permit udp any object ********** eq 3074
access-list outside_access_in extended permit udp any object ********* eq 31300
access-list outside_access_in extended deny ip object-group ******** any
access-list outside_access_in extended permit udp any object ******** eq sip
access-list outside_access_in extended permit tcp any object ******** eq sip
access-list outside_access_in extended permit tcp any object ******** eq 1841
access-list outside_access_in extended permit tcp any object ******** eq 1842
access-list outside_access_in extended permit tcp any object ******** eq 2042
access-list outside_access_in extended permit tcp any object ******** eq 2041

access-list outside_access_in extended permit tcp any object ****** eq 5001
access-list outside_access_in extended permit tcp any object ******* eq 5222
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns
pager lines 24
logging enable
logging list ACL_Deny message 313001
logging list ACL_Deny message 710003
logging list ACL_Deny message 713120
logging list ACL_Deny message 113019
logging list ACL_Deny message 713050
logging buffered debugging

logging trap ACL_Deny
logging asdm debugging
logging host inside ******** 6/1470
logging permit-hostdown
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-782-151.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (inside,outside) source static any any destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
nat (outside,outside) source static VPN_Subnet VPN_Subnet destination static VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
object network *********
nat (inside,outside) static interface service udp 31300 31300
object network ************
nat (inside,outside) static interface service udp sip sip
object network ***********

nat (any,outside) static interface service udp 3074 3074
object network ************
nat (inside,outside) static interface service tcp sip sip
object network ***********
nat (inside,outside) static interface service tcp 2042 2042
object network *************
nat (inside,outside) static interface service tcp 2041 2041
object network ***********
nat (inside,outside) static interface service tcp 1841 1841
object network ************
nat (inside,outside) static interface service tcp 1842 1842
object network **********
nat (inside,outside) static interface service tcp 5001 5001
object network **********
nat (inside,outside) static interface service tcp 5222 5222
!
nat (outside,outside) after-auto source dynamic VPN_Subnet interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 ********* 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 5
aaa authentication login-history
http server enable
http ************ inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map DMZ_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map DMZ_map interface DMZ
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto ca trustpoint self
enrollment self
fqdn ghita.no-ip.org

subject-name CN=ghita.no-ip.org
keypair sslvpnkeypair
crl configure
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain self
certificate ******
quit
crypto ca certificate chain _SmartCallHome_ServerCA
certificate *****
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha

lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable inside client-services port 443
crypto ikev2 remote-access trustpoint self
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig

encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig

encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig

encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
no ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd address *********** DMZ
dhcpd dns *********** interface DMZ
dhcpd lease 86400 interface DMZ
dhcpd enable DMZ
!
threat-detection basic-threat
threat-detection scanning-threat shun except ip-address ***************
threat-detection scanning-threat shun except ip-address **************
threat-detection scanning-threat shun except ip-address ***************
threat-detection scanning-threat shun duration 36000

threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server ********** source outside prefer
ntp server ********** source outside prefer
ntp server ********** source outside prefer
ntp server ********** source outside prefer
ssl trust-point self outside
ssl trust-point self inside
ssl trust-point self DMZ
webvpn
enable outside
enable inside
anyconnect image disk0:/anyconnect-win-4.5.03040-webdeploy-k9.pkg 1
anyconnect profiles VPN_AC_client_profile disk0:/VPN_AC_client_profile.xml
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol l2tp-ipsec
group-policy GroupPolicy_VPN_AC internal
group-policy GroupPolicy_VPN_AC attributes
banner none

wins-server none
dns-server value ********************
vpn-tunnel-protocol ikev2 ssl-client
split-tunnel-policy tunnelall
default-domain value no-ip.org
split-tunnel-all-dns disable
address-pools value VPN_DHCP
ipv6-address-pools none
scep-forwarding-url none
webvpn
anyconnect profiles value VPN_AC_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username cmmichae password h.CZm3VeyTwgm3uN encrypted privilege 0
username bmarchik password olWeRHLXCt6WoR1U encrypted privilege 15
tunnel-group VPN_AC type remote-access
tunnel-group VPN_AC general-attributes
address-pool VPN_DHCP
default-group-policy GroupPolicy_VPN_AC
tunnel-group VPN_AC webvpn-attributes
group-alias VPN_AC enable
tunnel-group VPN_AC ipsec-attributes
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!

class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios

inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous

Francesco Molino · ‎03-05-2018

Can you issue the command: sh run all | i sysopt?

If you don't have that command sysopt connection permit-vpn, add it or adapt your acl.

Personally i prefer having sysopt connection permit-vpn and user vpn filter acl to restrict access.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

bmarchik1980 · ‎03-05-2018

no sysopt traffic detailed-statistics
no sysopt connection timewait
sysopt connection tcpmss 1380
sysopt connection tcpmss minimum 0
sysopt connection permit-vpn
sysopt connection reclassify-vpn
no sysopt connection preserve-vpn-flows
no sysopt radius ignore-secret
no sysopt noproxyarp outside
no sysopt noproxyarp inside
no sysopt noproxyarp DMZ

Francesco Molino · ‎03-05-2018

Just to be sure, can you run again the packet-trace command sent previously and adding the keyword detail at the end?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

bmarchik1980 · ‎03-05-2018

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ************ using egress ifc outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ********** using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f71bec88830, priority=11, domain=permit, deny=true
        hits=31590, user_data=0x6, cs_id=0x0, use_real_addr, flags=0x0, protocol                                                                                                             =0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Francesco Molino · ‎03-05-2018

Which version are you running?

In the mean time, can you add an ace (new line) in your outside acl allow your vpn subnet to any?

After that so again a packet-tracer with detail.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

bmarchik1980 · ‎03-05-2018

Version 9.8(2)

Tracer output after ACL addition:

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ******** using egress ifc outside

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop ********** using egress ifc outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit ip object VPN_Subnet any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f71bac700c0, priority=13, domain=permit, deny=false
        hits=0, user_data=0x7f71be3ec300, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.50.0, mask=255.255.255.128, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Dynamic translate *********** to *************
Forward Flow based lookup yields rule:
in id=0x7f71bca76e30, priority=6, domain=nat, deny=false
        hits=227223, user_data=0x7f71ba877b80, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=outside

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f71bb921cd0, priority=1, domain=nat-per-session, deny=true
        hits=161878, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f71bb86a4f0, priority=0, domain=inspect-ip-options, deny=true
        hits=204234, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7f71bf823a40, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=172, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 8
Type: NAT
Subtype: rpf-check
Result: DROP
Config:
object network obj_any
nat (any,outside) dynamic interface
Additional Information:
Forward Flow based lookup yields rule:
out id=0x7f71bca772d0, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0x7f71ba877b80, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=outside, output_ifc=any

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Francesco Molino · ‎03-05-2018

This Nat statement nat (any,outside) dynamic interface needs to be moved at the end of the list.

Also just a quick recommendation, it's better not using any in nat statement but use the real interface name

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

bmarchik1980 · ‎03-05-2018

In show run, the NAT statement appears higher than it actually processes in NAT:

Manual NAT Policies (Section 1)
1 (inside) to (outside) source static any any destination static VPN_Subnet VPN                                                                                                             _Subnet no-proxy-arp route-lookup
    translate_hits = 1, untranslate_hits = 1
2 (outside) to (outside) source static VPN_Subnet VPN_Subnet destination static                                                                                                              VPN_Subnet VPN_Subnet no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0

Auto NAT Policies (Section 2)
1 (inside) to (outside) source static ********** interface service udp                                                                                                              31300 31300
    translate_hits = 0, untranslate_hits = 0
2 (inside) to (outside) source static ********** interface service tcp sip                                                                                                              sip
    translate_hits = 0, untranslate_hits = 4
3 (inside) to (outside) source static *********** interface service udp sip                                                                                                              sip
    translate_hits = 0, untranslate_hits = 217
4 (inside) to (outside) source static ************* interface service tcp 184                                                                                                             1 1841
    translate_hits = 0, untranslate_hits = 2
5 (inside) to (outside) source static ************ interface service tcp 204                                                                                                             1 2041
    translate_hits = 0, untranslate_hits = 1
6 (inside) to (outside) source static ************ interface service tcp 184                                                                                                             2 1842
    translate_hits = 0, untranslate_hits = 3
7 (inside) to (outside) source static ********** interface service tcp 204                                                                                                             2 2042
    translate_hits = 0, untranslate_hits = 1
8 (inside) to (outside) source static *********** interface service tcp 522                                                                                                             2 5222
    translate_hits = 0, untranslate_hits = 2
9 (inside) to (outside) source static ********** interface service udp                                                                                                              3074 3074
    translate_hits = 0, untranslate_hits = 0
10 (inside) to (outside) source static *********** interface service tcp 5001 5001
    translate_hits = 0, untranslate_hits = 11
11 (any) to (outside) source dynamic obj_any interface
    translate_hits = 208236, untranslate_hits = 33835

Manual NAT Policies (Section 3)
1 (outside) to (outside) source dynamic VPN_Subnet interface
translate_hits = 0, untranslate_hits = 0

Francesco Molino · ‎03-05-2018

Yeah but look at your packet-tracer output, it's being dropped by nat rpf-check.

Can you move your nat (outside,outside) before the dynamic Nat?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

bmarchik1980 · ‎03-14-2018

Sorry for the late reply, I have been out of town and didn't have a chance to try the suggested change. I tried the change this morning and it appears to have fixed the issue. I am able to access internal network resources and the internet via the VPN client and was able to verify the path used for internet is on the ASA.

Thank you for the help.