Cisco VPN and multiple subnets
I have a network that has two subnets, 192.168.1.0 and 192.168.2.0. I have a Cisco ASA 5510 firewall in place on my network. The ASA is on the 192.168.1.0 network. I can access the 192.168.2.0 network when I am on the 192.168.1.0 network, but my VPN clients can only access the 192.168.1.0 network. I have created access-lists and change my tunnelspecified list to try to fix this, but my VPN clients still cannot ping the 192.168.2.0 network. What dod i need to do to get my VPN clients to access the 192.168.2.0 network? Here is a copy of my ASA config:
ASA Version 8.0(4)
!
hostname CAB-ASA
domain-name cab.local
enable password KWs0rgrxU3SGJ30. encrypted
passwd KWs0rgrxU3SGJ30. encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.3 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address
management-only
!
boot system disk0:/asa804-k8.bin
boot system disk0:/asa722-k8.bin
ftp mode passive
clock timezone FNT -2
dns server-group DefaultDNS
domain-name cab.local
access-list CAB_TO_DAKCS_ACL extended permit ip host 10.10.8.1 host 207.109.153.98
access-list nat extended permit ip host 192.168.1.1 host 207.109.153.98
access-list nat extended permit ip host 192.168.1.1 66.133.100.72 255.255.255.248
access-list nat extended permit ip host 192.168.1.1 10.10.98.0 255.255.255.248
access-list nat extended permit ip 66.133.100.72 255.255.255.248 host 192.168.1.1
access-list nat extended permit ip 10.10.98.0 255.255.255.248 host 192.168.1.1
access-list nat extended permit ip 192.168.1.0 255.255.255.0 10.10.98.0 255.255.255.248
access-list nat extended permit ip 10.10.98.0 255.255.255.248 10.10.8.0 255.255.255.0
access-list nat extended permit ip 10.10.98.0 255.255.255.248 192.168.1.0 255.255.255.0
access-list CAB_TO_DAKCS_ACL1 extended permit ip host 10.10.8.1 66.133.100.72 255.255.255.248
access-list CAB_TO_DAKCS_ACL1 extended permit ip host 10.10.8.1 10.10.98.0 255.255.255.248
access-list CAB_TO_DAKCS_ACL1 extended permit ip 10.10.98.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list CAB_TO_DAKCS_ACL1 extended permit ip 10.10.98.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list acl_out extended permit icmp any any echo-reply
access-list inet_nat extended permit ip 192.168.1.0 255.255.255.0 any
access-list inet_nat extended permit ip 192.168.2.0 255.255.255.0 any
access-list inet_nat extended permit ip 192.168.22.0 255.255.255.0 any
access-list inet_nat extended permit ip any 192.168.22.0 255.255.255.192
access-list inet_nat extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inet_nat extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CAB_new_tunnel extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.31.1.16 255.255.255.252
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.31.1.12 255.255.255.252
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.31.1.8 255.255.255.252
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.31.1.4 255.255.255.252
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.11
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.10
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.8
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.3
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.2
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.1
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.4.1
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.3
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.15.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 172.18.0.0 255.255.0.0
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 172.21.4.5
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.20
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.30
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 host 10.31.9.100
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 192.168.22.0 255.255.255.0
access-list nonat extended permit ip any 192.168.22.192 255.255.255.224
access-list Roper extended permit ip 192.168.1.0 255.255.255.0 10.15.0.0 255.255.0.0
access-list Roper extended permit ip 192.168.1.0 255.255.255.0 172.20.0.0 255.255.0.0
access-list Roper extended permit ip 192.168.1.0 255.255.255.0 172.18.0.0 255.255.0.0
access-list Roper extended permit ip 192.168.1.0 255.255.255.0 host 172.21.4.5
access-list Roper extended permit ip 192.168.1.0 255.255.255.0 172.21.4.0 255.255.255.0
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.3
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.4.1
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.1
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.2
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.3
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.10
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.11
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 10.31.1.4 255.255.255.252
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 10.31.1.8 255.255.255.252
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 10.31.1.12 255.255.255.252
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 10.31.1.16 255.255.255.252
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.2.30
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.1.20
access-list NCH_remote extended permit ip 192.168.1.0 255.255.255.0 host 10.31.9.100
access-list CHS_NAT_ACL extended permit ip host 192.168.169.64 10.0.0.0 255.0.0.0
access-list CHS_VPN extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list CAB_TO_DAKCS_ACL2 extended permit ip 192.168.1.0 255.255.255.0 10.10.98.0 255.255.255.0
access-list CAB_TO_DAKCS_ACL2 extended permit ip 10.10.98.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list CAB_TO_DAKCS_ACL2 extended permit ip 10.10.98.0 255.255.255.0 10.10.8.0 255.255.255.0
access-list policy-nat extended permit ip host 192.168.1.1 66.133.100.72 255.255.255.248
access-list policy-nat extended permit ip host 192.168.1.1 10.10.98.0 255.255.255.248
access-list vpnnat extended permit ip 192.168.1.0 255.255.255.0 host 10.10.12.10
access-list oconee extended permit ip 192.168.8.0 255.255.255.0 host 10.10.12.10
access-list oconee extended permit ip 192.168.8.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list InternetVPN standard permit 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging list VPN level informational
logging buffered debugging
logging asdm informational
logging from-address
logging recipient-address level errors
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool vpnpool-pptp 192.168.22.200-192.168.22.220
ip local pool SSLCABPool 192.168.22.221-192.168.22.241
ip local pool PhoneVPN 192.168.2.245-192.168.2.254
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-615.bin
asdm history enable
arp timeout 14400
global (outside) 3 interface
global (outside) 2 192.168.169.64
nat (inside) 0 access-list nonat
nat (inside) 2 access-list CHS_VPN
nat (inside) 3 access-list inet_nat
nat (inside) 3 0.0.0.0 0.0.0.0
static (inside,outside) 10.10.8.1 access-list policy-nat
static (inside,outside) 192.168.8.0 access-list vpnnat
access-group acl_out in interface outside
route outside
route inside 192.168.2.1 255.255.255.255 192.168.1.244 1
route inside 192.168.2.2 255.255.255.255 192.168.1.244 1
route inside 192.168.2.3 255.255.255.255 192.168.1.244 1
route inside 192.168.2.4 255.255.255.255 192.168.1.244 1
route inside 192.168.2.5 255.255.255.255 192.168.1.244 1
route inside 192.168.169.64 255.255.255.255 192.168.1.244 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa local authentication attempts max-fail 16
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
snmp-server enable traps snmp authentication linkup linkdown coldstart
sysopt connection tcpmss 1300
crypto ipsec transform-set CAB_TO_DAKCS_SET esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set myset
crypto dynamic-map outside_dyn_map 20 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 20 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 7 match address NCH_remote
crypto map CAB_TO_DAKCS_MAP 7 set peer 208.60.110.247
crypto map CAB_TO_DAKCS_MAP 7 set transform-set ESP-3DES-MD5
crypto map CAB_TO_DAKCS_MAP 7 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 7 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 10 match address Roper
crypto map CAB_TO_DAKCS_MAP 10 set peer 208.60.95.35
crypto map CAB_TO_DAKCS_MAP 10 set transform-set ESP-3DES-MD5
crypto map CAB_TO_DAKCS_MAP 10 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 10 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 20 match address CAB_TO_DAKCS_ACL
crypto map CAB_TO_DAKCS_MAP 20 set peer 207.109.153.102
crypto map CAB_TO_DAKCS_MAP 20 set transform-set CAB_TO_DAKCS_SET
crypto map CAB_TO_DAKCS_MAP 20 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 20 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 25 match address CAB_TO_DAKCS_ACL1
crypto map CAB_TO_DAKCS_MAP 25 set peer 66.133.100.71
crypto map CAB_TO_DAKCS_MAP 25 set transform-set CAB_TO_DAKCS_SET
crypto map CAB_TO_DAKCS_MAP 25 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 25 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 30 match address CAB_new_tunnel
crypto map CAB_TO_DAKCS_MAP 30 set peer 63.243.49.34
crypto map CAB_TO_DAKCS_MAP 30 set transform-set CAB_TO_DAKCS_SET
crypto map CAB_TO_DAKCS_MAP 30 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 30 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 40 match address CHS_NAT_ACL
crypto map CAB_TO_DAKCS_MAP 40 set peer 208.61.250.87
crypto map CAB_TO_DAKCS_MAP 40 set transform-set CAB_TO_DAKCS_SET
crypto map CAB_TO_DAKCS_MAP 40 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 40 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 45 match address oconee
crypto map CAB_TO_DAKCS_MAP 45 set peer 208.68.223.3
crypto map CAB_TO_DAKCS_MAP 45 set transform-set ESP-3DES-MD5
crypto map CAB_TO_DAKCS_MAP 45 set security-association lifetime seconds 28800
crypto map CAB_TO_DAKCS_MAP 45 set security-association lifetime kilobytes 4608000
crypto map CAB_TO_DAKCS_MAP 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map CAB_TO_DAKCS_MAP interface outside
crypto ca trustpoint CABVPN
enrollment terminal
fqdn ASA.CAB.local
subject-name CN=ASA.CAB.local,OU=CAB,O=CAB,C=US,St=SC,L=Charleston
keypair CAB
crl configure
crypto ca trustpoint localtrust
enrollment self
fqdn sslvpn.cab.local
subject-name cn=sslvpn.cab.local
keypair sslvpnkeypair
crl configure
crypto ca certificate chain localtrust
certificate 31
308201ec 30820155 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
3c311930 17060355 04031310 73736c76 706e2e63 61622e6c 6f63616c 311f301d
06092a86 4886f70d 01090216 1073736c 76706e2e 6361622e 6c6f6361 6c301e17
0d303831 30323831 30333632 335a170d 31383130 32363130 33363233 5a303c31
19301706 03550403 13107373 6c76706e 2e636162 2e6c6f63 616c311f 301d0609
2a864886 f70d0109 02161073 736c7670 6e2e6361 622e6c6f 63616c30 819f300d
06092a86 4886f70d 01010105 0003818d 00308189 02818100 a96f73ce 97e149d7
8dce256e 17078c59 a9dc8b01 6de3f9b4 76b8e669 e3522d73 618b3252 2f1ee721
cd981f97 c10204e6 ab7be447 87f9c252 a3fb8643 5b48901b a49f2f9d d2eccb68
b2ef5bcd 7828a075 ddd2bcdb eba349c3 025f81bb 4b9e607e 1bc725d0 4028ab9f
2d1b80f4 b2f331f4 8d4e5fe6 2c28dd83 8c25e0b7 27fe73b1 02030100 01300d06
092a8648 86f70d01 01040500 03818100 389029bd 4a0e984f 59feac07 c01dd10f
f80b2faa d3b6c42d bc36f218 d2607ab6 993e6e38 1ae99f88 761e91fe a9d94d2c
7eb8a0d6 b78237f3 9bbd76d7 a7eb6285 8dfff14a 20e21b7b 05537b7a 0476d7f2
d5415627 4e28387e eb60e898 50d09b20 a6eb3646 7a8f6ffe 14a5c2b3 7eb5308c
fa983c9a ce24cb77 8aecc301 5740a3b6
quit
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 10
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server inside 192.168.1.210 config_backup
ssl trust-point localtrust outside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0140-k9.pkg 1
svc enable
tunnel-group-list enable
group-policy CABVPNusers internal
group-policy CABVPNusers attributes
vpn-idle-timeout 60
split-tunnel-policy tunnelspecified
split-tunnel-network-list value InternetVPN
default-domain value cab.local
group-policy CABPhoneVPNpolicy internal
group-policy CABPhoneVPNpolicy attributes
dhcp-network-scope 192.168.2.0
split-tunnel-policy tunnelspecified
default-domain value cab.local
group-policy DAKCSVPN internal
group-policy DAKCSVPN attributes
vpn-idle-timeout 30
split-tunnel-policy tunnelspecified
split-tunnel-network-list value InternetVPN
default-domain value cab.local
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc
split-tunnel-policy tunnelspecified
split-tunnel-network-list value InternetVPN
webvpn
svc keep-installer installed
svc rekey time 30
svc rekey method ssl
svc ask none default svc
group-policy KMKAdmin internal
group-policy KMKAdmin attributes
vpn-idle-timeout 15
split-tunnel-policy tunnelspecified
split-tunnel-network-list value InternetVPN
default-domain value cab.local
group-policy vpnpool-pptp internal
group-policy vpnpool-pptp attributes
dns-server value 192.168.1.10
vpn-idle-timeout 60
split-tunnel-policy tunnelspecified
split-tunnel-network-list value InternetVPN
default-domain value cab.local
username SSLUSER password XAo6YcFsquXy9Zv6 encrypted
username CABCAB password nKVTkqeFQ/8xH1kb encrypted
username DAKCSuser password dHtpeFCEpUjJ2Paw encrypted
username KMKAdmin password vmhL1.s/9CNT85XW encrypted
tunnel-group CABVPNusers type remote-access
tunnel-group CABVPNusers general-attributes
address-pool vpnpool-pptp
default-group-policy vpnpool-pptp
tunnel-group CABVPNusers ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key *
tunnel-group KMKAdmin type remote-access
tunnel-group KMKAdmin general-attributes
address-pool vpnpool-pptp
default-group-policy vpnpool-pptp
tunnel-group KMKAdmin ipsec-attributes
pre-shared-key *
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
default-group-policy vpnpool-pptp
tunnel-group sslgroup type remote-access
tunnel-group sslgroup general-attributes
address-pool SSLCABPool
default-group-policy GroupPolicy1
tunnel-group sslgroup webvpn-attributes
group-alias sslgroup_users enable
tunnel-group DAKCSVPN type remote-access
tunnel-group DAKCSVPN general-attributes
address-pool vpnpool-pptp
default-group-policy vpnpool-pptp
tunnel-group DAKCSVPN ipsec-attributes
pre-shared-key *
tunnel-group CABPhoneVPN type remote-access
tunnel-group CABPhoneVPN general-attributes
address-pool PhoneVPN
default-group-policy CABPhoneVPNpolicy
tunnel-group CABPhoneVPN ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server
prompt hostname context
ASKER
The 192.168.2.x network is for the IP phones. 192.168.2.1 is an Extreme Network switch and the gateway, 192.168.2.2 is the voicemail server, 192.168.2.3 is the file server and DHCP server, and 192.168.2.5 is the Call server. My client wants to be able to take an IP phone home and use Cisco VPN to connect the phone back to the office network. I figure that the Cisco VPN clientneeds tp ping the 192.168.2.x network in order to communicate with the above IP addresses that I listed. Thanks for your help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
route inside 192.168.2.1 255.255.255.255 192.168.1.244 1
route inside 192.168.2.2 255.255.255.255 192.168.1.244 1
route inside 192.168.2.3 255.255.255.255 192.168.1.244 1
route inside 192.168.2.4 255.255.255.255 192.168.1.244 1
route inside 192.168.2.5 255.255.255.255 192.168.1.244 1
I would assume that you are trying to reach one of these boxes?
You have address space from the 192.168.2.x on BOTH sides of the ASA...
This could be causing a routing problem. What happens when you traceroute from a VPN client to a 192.168.2.x address?
What is connecting both the 192.168.1.x and the 192.168.128.2x?
Layer3 Switch? Router?
Does that device know about the VPN client Address Pools?
Is the default gateway of this box the ASA?
If you have a /24 configured for that network 192.168.2.0 255.255.255.0 then you need to change the PhoneVPN pool that is configured on the ASA as the address spaces will conflict.
More information would greatly assist.
Tom