No access to internal resources for remote AnyConnect VPN clients on ASA 5506-X

We have a Cisco ASA 5506-X (with FirePower services and a TAMC licence, but that is probably irrelevant).  We have set up an AnyConnect VPN using the wizard and can download the software remotely and connect successfully.  However, when connected we are unable to access anything on the inside of the ASA.  The requirement is to have remote access to the network labelled "Main" in the configuration below.

How can we permit this traffic so remote clients can access the Main network (  Here's the redacted config:

 Serial Number: XXXXXXXXX
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
ASA Version 9.9(2) 
hostname fwXXXX
enable password XXXXX
passwd XXXXX encrypted
ip local pool Main_VPN mask

interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address x.x.x.x 
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1/2
 security-level 100
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_1/3
 security-level 100
interface GigabitEthernet1/4
 nameif inside_1/4
 security-level 0
 no ip address
interface GigabitEthernet1/4.21
 vlan 21
 nameif MAN
 security-level 100
 ip address 
interface GigabitEthernet1/5
 nameif inside_1/5
 security-level 0
 no ip address
interface GigabitEthernet1/5.11
 vlan 11
 nameif Main
 security-level 90
 ip address 
interface GigabitEthernet1/6
 nameif inside_1/6
 security-level 0
 no ip address
interface GigabitEthernet1/6.30
 description Guest
 vlan 30
 nameif Guest
 security-level 80
 ip address 
interface GigabitEthernet1/7
 bridge-group 1
 nameif inside_1/7
 security-level 100
interface GigabitEthernet1/8
 bridge-group 1
 nameif inside_1/8
 security-level 100
interface Management1/1
 no nameif
 no security-level
 no ip address
interface BVI1
 nameif inside
 security-level 100
 ip address 
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server outside
 name-server outside
 domain-name xxxxx.xxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
object network obj_any2
object network obj_any3
object network obj_any4
object network obj_any5
object network obj_any6
object network obj_any7
object network MAN-PAT
object network Main-PAT
object network Guest-PAT
object network NETWORK_OBJ_192.168.99.0_25
object network NETWORK_OBJ_192.168.10.0_23
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1/2 1500
mtu inside_1/3 1500
mtu inside_1/4 1500
mtu MAN 1500
mtu inside_1/5 1500
mtu Main 1500
mtu inside_1/6 1500
mtu Guest 1500
mtu inside_1/7 1500
mtu inside_1/8 1500
no failover
no monitor-interface MAN
no monitor-interface Main
no monitor-interface Guest
no monitor-interface inside
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Main,outside) source static NETWORK_OBJ_192.168.10.0_23 NETWORK_OBJ_192.168.10.0_23 destination static NETWORK_OBJ_192.168.99.0_25 NETWORK_OBJ_192.168.99.0_25 no-proxy-arp route-lookup
object network obj_any1
 nat (inside_1/2,outside) dynamic interface
object network obj_any2
 nat (inside_1/3,outside) dynamic interface
object network obj_any6
 nat (inside_1/7,outside) dynamic interface
object network obj_any7
 nat (inside_1/8,outside) dynamic interface
object network MAN-PAT
 nat (MAN,outside) dynamic interface
object network Main-PAT
 nat (Main,outside) dynamic interface
object network Guest-PAT
 nat (Guest,outside) dynamic interface
route outside 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server EF protocol ldap
aaa-server EF (Main) host
 server-type microsoft
aaa-server EF (Main) host
 server-type microsoft
aaa-server EF (MAN) host
 server-type microsoft
user-identity domain DCxx aaa-server EF
user-identity default-domain LOCAL
user-identity user-not-found enable
aaa authentication ssh console LOCAL 
aaa authentication login-history
http server enable
http inside_1/2
http inside_1/3
http inside_1/7
http inside_1/8
http MAN
http redirect outside 80
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=,CN=fw-hw-50
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
telnet timeout 5
ssh stricthostkeycheck
ssh MAN
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd auto_config outside
dhcpd address Guest
dhcpd dns interface Guest
dhcpd enable Guest
dhcpd address inside
dhcpd dns interface inside
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server source outside prefer
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/2
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/3
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/4
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 MAN
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/5
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Main
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/6
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Guest
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/7
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/8
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 MAN vpnlb-ip
 enable outside
 enable Main
 anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect enable
 tunnel-group-list enable
 error-recovery disable
group-policy GroupPolicy_Test internal
group-policy GroupPolicy_Test attributes
 wins-server none
 dns-server value
 vpn-tunnel-protocol ssl-client 
 default-domain value
dynamic-access-policy-record DfltAccessPolicy
username testvpn password xxxxx
username xxxxx xxxxx
tunnel-group Test type remote-access
tunnel-group Test general-attributes
 address-pool Main_VPN
 default-group-policy GroupPolicy_Test
tunnel-group Test webvpn-attributes
 group-alias Test enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
hpm topN enable
: end
no asdm history enable

Open in new window

David HaycoxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.