cisco ASA 5520 ver 7.2

What is your default gateway on 10.40.226.0 network?

Is there a route to 192.168.18.0 subnet?

Like fgasimzade said: the machines on the 10.40.226.0 network need a route to the 192.168.18.0 network.

Second: I see you're not exempting the VPN traffic from NAT
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
nat (inside) 0 access-list nonat

Third: have a look at the (ASDM) logs. They might give you a clue what's going wrong.

10.40.226.1 is  the deault gateway to 10.40.226.0
so do I need to add a static route  to 192.168.18.0  ?

Yes, you would need to add a route on 10.40.226.1

what would the  syntax look like on a cisco switch
 ip route  192.168.18.0  255.255.255.0  10.40.226.1 ?

Almost, should be:
ip route  192.168.18.0  255.255.255.0 172.16.1.1

FW needs to be the gateway.

Also, like I said, check the NAT exempt. Is there a reason you're not using that?

Just added  NONAT    config and I cant ping  10.40.226.1
would that be an ICMP issue ?  in fact I cant out to the to the internet  any ideas ?

You also added the route on the intermediate switch?

And did you check the (ASDM) logs, anything showing there?

Pls confirm you have added the static route

Also, pls remove this access list and check again

access-group inside_access_in in interface inside

and make sure you have

sysopt connection permit-ipsec

configured on ASA

This my current config o thefirewall still cant  ping inside from the VPN


: Saved
:
ASA Version 7.2(2)
!
hostname xxxx-FW
domain-name default.domain.invalid
enable password HB13YlevMtUcL7F2 encrypted
names
name 10.40.226.60 OWA_Server description Exchange 2010
name 195.40.10.101 MX-External description SMTP-Iternal IP
name 10.40.226.200 MX-Server description SMTP Server
name 195.XXX external-OWA description Web-Server
!
interface GigabitEthernet0/0
 description LAN Interface
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/1
 description ISP Interface
 nameif Outside
 security-level 0
 ip address 195.XXXX 255.255.255.248
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/0
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
 no ip address
!
passwd HB13YlevMtUcL7F2 encrypted
boot system disk0:/asa722-k8.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group network Northeast
 description NE
 network-object 172.16.1.0 255.255.255.0
 network-object 172.16.3.0 255.255.255.0
object-group network VPNRange
 network-object 192.168.18.0 255.255.255.0
access-list ICMP extended permit icmp any any
access-list XXXX_VPN_splitTunnelAcl standard permit 10.40.226.0 255.255.255.0
access-list RemoteVPNUsers extended permit ip any any
access-list RemoteVPNUsers extended permit tcp any any
access-list XXXX_VPN_splitTunnelAcl_1 standard permit 10.40.226.0 255.255.255.0
access-list outside extended permit tcp any host MX-External eq smtp
access-list outside extended permit tcp any host external-OWA eq https
access-list outside extended permit tcp any host external-OWA eq 3389
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
access-list inside_access_in remark Internal UDP
access-list inside_access_in extended permit udp any any
access-list inside_access_in extended permit tcp any any
access-list Outside_access_in extended permit ip any any inactive
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu Outside 1500
ip local pool remotepool 192.168.18.10-192.168.18.100
no failover
monitor-interface inside
monitor-interface Outside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-522.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 195x.x.x netmask 255.255.255.248
global (Outside) 2 195.XXX netmask 255.255.255.0
nat (inside) 0 access-list nonat
nat (inside) 2 10.40.226.0 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
access-group Outside_access_in in interface Outside
route inside 10.40.226.0 255.255.255.0 172.16.1.254 1
route inside 172.16.3.0 255.255.255.0 172.16.1.254 1
route inside 172.16.4.0 255.255.255.0 172.16.1.254 1
route Outside 0.0.0.0 0.0.0.0 195.40.10.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy XXXX_VPN internal
group-policy XXXX_VPN attributes
 dns-server value 10.40.226.56 10.40.226.58
 vpn-filter none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value XXXX_VPN_splitTunnelAcl_1
 default-domain value services.XXXXconsulting.co.uk
username jthombs password 0iTejLO.n6ldwbbu encrypted
http server enable
http 172.16.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map Outside_dyn_map 20 set pfs
crypto dynamic-map Outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map Outside_map 65535 ipsec-isakmp dynamic Outside_dyn_map
crypto map Outside_map interface Outside
crypto isakmp enable inside
crypto isakmp enable Outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
tunnel-group XXXX_VPN type ipsec-ra
tunnel-group XXXX_VPN general-attributes
 address-pool (Outside) remotepool
 address-pool remotepool
 default-group-policy XXXX_VPN
tunnel-group XXXX_VPN ipsec-attributes
 pre-shared-key *
telnet 172.16.3.0 255.255.255.0 inside
telnet timeout 5
ssh timeout 5
console timeout 0
!
class-map ICMP-CMAP
 match access-list ICMP
!
!
policy-map global_policy
 class ICMP-CMAP
  inspect icmp
!
prompt hostname context
Cryptochecksum:b957f31b8c5aa62e9375a7293b3b3df9
: end

Have a look at these:
access-list Outside_access_in extended permit ip any any inactive
access-group Outside_access_in in interface Outside

Effectively this means that nothing is allowed from the out- to the inside.
(implicit 'deny all' at the end of every ACL)

What need to 192.168.18.0/24  allowed in
as well as  ports 443 25 and 80

stange still cant ping

Anything showing in the logs?

I can hit the server still no icmp though

You can hit (connect to) the server but not ping?
Try:
access-list Outside_access_in extended permit icmp 192.168.18.0 255.255.255.0 10.40.226.0 255.255.255.0

actually i cant hit the server

Let's check the log then.

looks like its getting stopped on at NAT
nat.PNG

see attached  should this rule be the other way round

nat2.PNG

I Have attached my rulebase
rulebase.PNG

That nat exempt could be the one.....

192.168.18.0 is on the outside of the firewall, not the inside.

But then, in your config it's:
access-list nonat extended permit ip 10.40.226.0 255.255.255.0 192.168.18.0 255.255.255.0
Which is ok. Or did you make some more changes after posting that?

Thanks for your patience  its all working now.

Good to hear :)
And thx 4 the points.

So how did you resolve it?

flipping  the NAT rule around.