No access to internal resources for remote AnyConnect VPN clients on ASA 5506-X

We have a Cisco ASA 5506-X (with FirePower services and a TAMC licence, but that is probably irrelevant).  We have set up an AnyConnect VPN using the wizard and can download the software remotely and connect successfully.  However, when connected we are unable to access anything on the inside of the ASA.  The requirement is to have remote access to the network labelled "Main" in the configuration below.

How can we permit this traffic so remote clients can access the Main network (192.168.10.0/23)?  Here's the redacted config:

 Serial Number: XXXXXXXXX
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.9(2) 
!
hostname fwXXXX
domain-name XXXXX.co.uk
enable password XXXXX
passwd XXXXX encrypted
names
ip local pool Main_VPN 192.168.99.1-192.168.99.100 mask 255.255.255.0

!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.252 
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1/2
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside_1/3
 security-level 100
!
interface GigabitEthernet1/4
 nameif inside_1/4
 security-level 0
 no ip address
!
interface GigabitEthernet1/4.21
 vlan 21
 nameif MAN
 security-level 100
 ip address 192.168.20.254 255.255.254.0 
!
interface GigabitEthernet1/5
 nameif inside_1/5
 security-level 0
 no ip address
!
interface GigabitEthernet1/5.11
 vlan 11
 nameif Main
 security-level 90
 ip address 192.168.10.254 255.255.254.0 
!
interface GigabitEthernet1/6
 nameif inside_1/6
 security-level 0
 no ip address
!
interface GigabitEthernet1/6.30
 description Guest
 vlan 30
 nameif Guest
 security-level 80
 ip address 10.10.30.254 255.255.254.0 
!
interface GigabitEthernet1/7
 shutdown
 bridge-group 1
 nameif inside_1/7
 security-level 100
!
interface GigabitEthernet1/8
 shutdown
 bridge-group 1
 nameif inside_1/8
 security-level 100
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 8.8.8.8 outside
 name-server 8.8.4.4 outside
 domain-name xxxxx.xxxx
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any1
 subnet 0.0.0.0 0.0.0.0
object network obj_any2
 subnet 0.0.0.0 0.0.0.0
object network obj_any3
 subnet 0.0.0.0 0.0.0.0
object network obj_any4
 subnet 0.0.0.0 0.0.0.0
object network obj_any5
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet 0.0.0.0 0.0.0.0
object network obj_any7
 subnet 0.0.0.0 0.0.0.0
object network MAN-PAT
 subnet 192.168.20.0 255.255.254.0
object network Main-PAT
 subnet 192.168.10.0 255.255.254.0
object network Guest-PAT
 subnet 10.10.30.0 255.255.254.0
object network NETWORK_OBJ_192.168.99.0_25
 subnet 192.168.99.0 255.255.255.128
object network NETWORK_OBJ_192.168.10.0_23
 subnet 192.168.10.0 255.255.254.0
access-list AnyConnect_Client_Local_Print extended deny ip any4 any4 
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq lpd 
access-list AnyConnect_Client_Local_Print remark IPP: Internet Printing Protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 631 
access-list AnyConnect_Client_Local_Print remark Windows' printing port
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 9100 
access-list AnyConnect_Client_Local_Print remark mDNS: multicast DNS protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.251 eq 5353 
access-list AnyConnect_Client_Local_Print remark LLMNR: Link Local Multicast Name Resolution protocol
access-list AnyConnect_Client_Local_Print extended permit udp any4 host 224.0.0.252 eq 5355 
access-list AnyConnect_Client_Local_Print remark TCP/NetBIOS protocol
access-list AnyConnect_Client_Local_Print extended permit tcp any4 any4 eq 137 
access-list AnyConnect_Client_Local_Print extended permit udp any4 any4 eq netbios-ns 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside_1/2 1500
mtu inside_1/3 1500
mtu inside_1/4 1500
mtu MAN 1500
mtu inside_1/5 1500
mtu Main 1500
mtu inside_1/6 1500
mtu Guest 1500
mtu inside_1/7 1500
mtu inside_1/8 1500
no failover
no monitor-interface MAN
no monitor-interface Main
no monitor-interface Guest
no monitor-interface inside
no monitor-interface service-module 
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
nat (Main,outside) source static NETWORK_OBJ_192.168.10.0_23 NETWORK_OBJ_192.168.10.0_23 destination static NETWORK_OBJ_192.168.99.0_25 NETWORK_OBJ_192.168.99.0_25 no-proxy-arp route-lookup
!
object network obj_any1
 nat (inside_1/2,outside) dynamic interface
object network obj_any2
 nat (inside_1/3,outside) dynamic interface
object network obj_any6
 nat (inside_1/7,outside) dynamic interface
object network obj_any7
 nat (inside_1/8,outside) dynamic interface
object network MAN-PAT
 nat (MAN,outside) dynamic interface
object network Main-PAT
 nat (Main,outside) dynamic interface
object network Guest-PAT
 nat (Guest,outside) dynamic interface
route outside 0.0.0.0 0.0.0.0 213.177.249.21 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
aaa-server EF protocol ldap
aaa-server EF (Main) host 192.168.10.10
 server-type microsoft
aaa-server EF (Main) host 192.168.11.11
 server-type microsoft
aaa-server EF (MAN) host 192.168.20.10
 server-type microsoft
user-identity domain DCxx aaa-server EF
user-identity default-domain LOCAL
user-identity user-not-found enable
aaa authentication ssh console LOCAL 
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_1/2
http 192.168.1.0 255.255.255.0 inside_1/3
http 192.168.1.0 255.255.255.0 inside_1/7
http 192.168.1.0 255.255.255.0 inside_1/8
http 192.168.20.0 255.255.254.0 MAN
http redirect outside 80
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
 no validation-usage
 crl configure
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 fqdn fwxxxxx.co.uk
 subject-name CN=fwxxxxx.xxxxx.co.uk,O=xxxxx,C=UK,EA=
 crl configure
crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
 enrollment self
 fqdn none
 subject-name CN=192.168.20.254,CN=fw-hw-50
 keypair ASDM_LAUNCHER
 crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
x
crypto ca certificate chain ASDM_Launcher_Access_TrustPoint_0
x
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.20.0 255.255.254.0 MAN
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 10.10.30.50-10.10.30.99 Guest
dhcpd dns 8.8.8.8 8.8.4.4 interface Guest
dhcpd enable Guest
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd dns 8.8.8.8 8.8.4.4 interface inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 134.0.16.1 source outside prefer
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 outside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/2
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/3
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/4
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 MAN
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/5
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Main
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/6
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 Guest
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/7
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside_1/8
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 inside
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 MAN vpnlb-ip
webvpn
 enable outside
 enable Main
 anyconnect image disk0:/anyconnect-win-4.6.01103-webdeploy-k9.pkg 1 regex "Windows NT"
 anyconnect image disk0:/anyconnect-macos-4.6.01103-webdeploy-k9.pkg 2 regex "Intel Mac OS X"
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_Test internal
group-policy GroupPolicy_Test attributes
 wins-server none
 dns-server value 192.168.11.10 192.168.11.11
 vpn-tunnel-protocol ssl-client 
 default-domain value xxxx.xxx
dynamic-access-policy-record DfltAccessPolicy
username testvpn password xxxxx
username xxxxx xxxxx
tunnel-group Test type remote-access
tunnel-group Test general-attributes
 address-pool Main_VPN
 default-group-policy GroupPolicy_Test
tunnel-group Test webvpn-attributes
 group-alias Test enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no tcp-inspection
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
!
service-policy global_policy global
prompt hostname context 
call-home reporting anonymous
hpm topN enable
Cryptochecksum:xxxxx
: end
no asdm history enable

Open in new window

LVL 2
David HaycoxAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
ASA5505

From novice to tech pro — start learning today.