Cisco ASA & Client VPN - Inside Access Problem

I have a Cisco ASA 5505 and Cisco client 5.0.03 - I am unable to see the inside network although I can connect to and send/recv traffic. I have tried enabling NAT Traversal but that didn't resolve my problem. Thank you for looking at my code and the snapshot of my statistics screen.

-Dave
ASA Version 7.2(4) 
!
hostname ciscoasa
domain-name default.domain.invalid
enable password lpW.MGeEHg0ISQZq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
 
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.10.250 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.XX.XX.XX 255.255.255.0 
!
interface Vlan3
 nameif backup
 security-level 0
 ip address XX.XX.XX.XX 255.255.255.248 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
 switchport access vlan 3
!
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
same-security-traffic permit intra-interface
object-group service RDP tcp
 port-object eq 3389
object-group service SBS tcp
 port-object eq 4125
object-group service TimeClock tcp
 port-object eq 2500
object-group service rww tcp
 port-object eq 444
access-list outside extended permit icmp any any 
access-list outside extended permit tcp any host hbsrvr1 eq www 
access-list outside extended permit tcp any host hbsrvr1 eq smtp 
access-list outside extended permit tcp any host hbsrvr1 object-group rww 
access-list outside extended permit tcp any host hbsrvr1 object-group SBS 
access-list outside extended permit tcp any host hbsrvr1 object-group RDP 
access-list outside extended permit tcp any host hbsrvr1 object-group TimeClock 
access-list outside extended permit tcp any host hbsrvr1 eq https 
access-list split standard permit 192.168.10.0 255.255.255.0 
pager lines 24
mtu inside 1500
mtu outside 1500
mtu backup 1500
ip local pool vpnpool 192.168.10.215-192.168.10.240 mask 255.255.255.0
no failover
monitor-interface inside
monitor-interface outside
monitor-interface backup
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1 track 1
route backup 0.0.0.0 0.0.0.0 XX.XX.XX.XX 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL 
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 123
 type echo protocol ipIcmpEcho 204.16.20.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 123 life forever start-time now
crypto ipsec transform-set hunter-trans esp-3des esp-sha-hmac 
crypto dynamic-map outside_dyn_map 20 set transform-set hunter-trans
crypto dynamic-map dyn_map 20 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp enable backup
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
crypto isakmp reload-wait
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
 
group-policy huntervpn internal
group-policy huntervpn attributes
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 address-pools value vpnpool
username admin password s8Vngsgpp8NmOJP7 encrypted
username bdiop password seRFYPliWAnlt8ip encrypted
tunnel-group huntervpn type ipsec-ra
tunnel-group huntervpn general-attributes
 address-pool vpnpool
 default-group-policy huntervpn
tunnel-group huntervpn ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny 
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip 
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5ed3af0ffbbb957eb8847867a906f48e

asa-vpn---no-inside.jpg
snchelpdeskAsked:

batry_boyCommented:
Try adding these statements:

access-list nonat permit ip any 192.168.10.192 255.255.255.192
nat (inside) 0 access-list nonat

I would go ahead and put back in the nat-traversal command...you will probably need it in the future.
lrmooreCommented:
Try setting up the clients on a different IP subnet instead of a sub-set of the inside network.
Are you providing the clients a DNS/WINS server IP and domain? I don't see them in the group policy.
snchelpdeskAuthor Commented:
The following works:

access-list nonat permit ip any 192.168.10.192 255.255.255.192
nat (inside) 0 access-list nonat

I am curious what these statements do?

Thank you again for your time and sharing of your expertise!

Dave
lrmooreCommented:
Basically, it exempts traffic from inside hosts to the vpn hosts from NAT. The architecture of the PIX/ASA generally requires nat between interfaces (inside to VPN client attached to outside interface). The nat "zero" is a special type of nat that bypasses nat for anything matching the stated acl.
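An added example (mine, not code from the thread) that puts both answers into a checkable form: it parses the relevant ASA 7.x lines quoted above and reports whether the pool carved from 192.168.10.0/24 overlaps the inside subnet, lrmoore's concern, and whether every pool address is a destination permitted by the ACL bound with nat (inside) 0, batry_boy's fix. The config strings are assembled from the lines posted in this thread, and the function names are my own.

```python
import ipaddress
import re

# Constructed input: the interface, pool and NAT lines from the config in the
# question plus the two lines batry_boy added (not a complete ASA config).
CONFIG_FIXED = """\
interface Vlan1
 nameif inside
 ip address 192.168.10.250 255.255.255.0
ip local pool vpnpool 192.168.10.215-192.168.10.240 mask 255.255.255.0
access-list nonat permit ip any 192.168.10.192 255.255.255.192
nat (inside) 0 access-list nonat
"""
# The same lines without the NAT-exemption pair, as the config was first posted.
CONFIG_ORIGINAL = "\n".join(CONFIG_FIXED.splitlines()[:4]) + "\n"

ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (any|\S+ \S+) (any|\S+ \S+)")

def to_net(field):
    """ACL address field ('any' or 'addr mask') -> ip_network."""
    return ipaddress.ip_network("0.0.0.0/0" if field == "any" else field.replace(" ", "/"), strict=False)

def check_vpn_nat(config):
    """Parse ASA 7.x lines and report how the VPN pool relates to inside and to nat 0."""
    inside = pool = nat0_acl = cur_if = None
    acls = {}  # ACL name -> destination networks its 'permit ip' lines cover
    for line in config.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            cur_if = m[1]
        elif (m := re.match(r"\s*ip address (\S+) (\S+)", line)) and cur_if == "inside":
            inside = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip local pool \S+ (\S+)-(\S+)", line):
            lo, hi = (int(ipaddress.ip_address(x)) for x in m.groups())
            pool = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append(to_net(m[3]))
        elif m := re.match(r"nat \(inside\) 0 access-list (\S+)", line):
            nat0_acl = m[1]
    exempt = acls.get(nat0_acl, [])
    return {
        # lrmoore's point: the pool is carved out of the inside subnet itself
        "pool_overlaps_inside": any(h in inside for h in pool),
        # batry_boy's fix: every pool address must be a destination the nat 0 ACL permits
        "pool_nat_exempt": all(any(h in n for n in exempt) for h in pool),
    }

if __name__ == "__main__":
    print("as posted:", check_vpn_nat(CONFIG_ORIGINAL))
    print("with fix: ", check_vpn_nat(CONFIG_FIXED))
```

Swapping the pool for a dedicated subnet such as 192.168.20.0/24 and the ACL for `permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0` turns the first flag off while keeping the second on, which is the layout lrmoore recommends.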
snchelpdeskAuthor Commented:
Thank you all for your time and expertise!!  
Dave