Help with Inter-VLAN routing on ASA 5510 | Cannot access from Specific VLAN to Another

These network devices are currently in the lab.

Using a Catalyst 2960 that is trunked to an ASA 5510 with sub-interfaces for each VLAN.

I am trying to access a VNC server listening on port 16010 on host 10.1.116.2 from a host at 10.1.101.150.

I receive in the logs:

Inbound TCP connection denied from 10.1.101.150/1990 to 10.1.116.2/16010 flags SYN  on interface CORP
: Saved
: Written by enable_15 at 02:21:29.889 UTC Sun May 24 2009
!
ASA Version 8.0(4) 
!
hostname cisco-asa
domain-name domain.local
enable password XXXXX encrypted
passwd XXXXX encrypted
names
name 10.1.101.2 server-dc description Domain Controller
name 10.1.101.3 server-ex description Exchange Server
name 10.1.101.4 server-fs description File Server
name X.X.X.X ISP_SMTP
dns-guard
!
interface Ethernet0/0
 speed 1000
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.100
 description MANAGEMENT
 vlan 400
 nameif MGT
 security-level 100
 ip address 10.1.100.1 255.255.255.0 
!
interface Ethernet0/0.101
 description CORPORATE
 vlan 401
 nameif CORP
 security-level 100
 ip address 10.1.101.1 255.255.255.0 
!
interface Ethernet0/0.102
 description OFFICE
 vlan 402
 nameif SCEO
 security-level 100
 ip address 10.1.102.1 255.255.255.0 
!
interface Ethernet0/0.103
 description P4OFFICE
 vlan 403
 nameif SCP4O
 security-level 100
 ip address 10.1.103.1 255.255.255.0 
!
interface Ethernet0/0.104
 description P3OFFICE
 vlan 404
 nameif SCP3O
 security-level 100
 ip address 10.1.104.1 255.255.255.0 
!
interface Ethernet0/0.105
 description P2OFFICE
 vlan 405
 nameif SCP2O
 security-level 100
 ip address 10.1.105.1 255.255.255.0 
!
interface Ethernet0/0.106
 description P1OFFICE
 vlan 406
 nameif SCP1O
 security-level 100
 ip address 10.1.106.1 255.255.255.0 
!
interface Ethernet0/0.107
 description SOFFICE
 vlan 407
 nameif S5O
 security-level 100
 ip address 10.1.107.1 255.255.255.0 
!
interface Ethernet0/0.108
 description L1OFFICE
 vlan 408
 nameif L1O
 security-level 100
 ip address 10.1.108.1 255.255.255.0 
!
interface Ethernet0/0.109
 description L2OFFICE
 vlan 409
 nameif L2O
 security-level 100
 ip address 10.1.109.1 255.255.255.0 
!
interface Ethernet0/0.110
 description S8OFFICE
 vlan 410
 nameif S8O
 security-level 100
 ip address 10.1.110.1 255.255.255.0 
!
interface Ethernet0/0.111
 description BARN
 vlan 501
 nameif BARN
 security-level 100
 ip address 10.1.111.1 255.255.255.0 
!
interface Ethernet0/0.112
 description BARN2
 vlan 502
 nameif SCEB
 security-level 100
 ip address 10.1.112.1 255.255.255.0 
!
interface Ethernet0/0.113
 description P4BARN
 vlan 503
 nameif SCP4B
 security-level 100
 ip address 10.1.113.1 255.255.255.0 
!
interface Ethernet0/0.114
 description P3BARN
 vlan 504
 nameif SCP3B
 security-level 100
 ip address 10.1.114.1 255.255.255.0 
!
interface Ethernet0/0.115
 description P2BARN
 vlan 505
 nameif SCP2B
 security-level 100
 ip address 10.1.115.1 255.255.255.0 
!
interface Ethernet0/0.116
 description P1BARN
 vlan 506
 nameif SCP1B
 security-level 100
 ip address 10.1.116.1 255.255.255.0 
!
interface Ethernet0/0.117
 description S5BARN
 vlan 507
 nameif S5B
 security-level 100
 ip address 10.1.117.1 255.255.255.0 
!
interface Ethernet0/0.118
 description L1BARN
 vlan 508
 nameif LB
 security-level 100
 ip address 10.1.118.1 255.255.255.0 
!
interface Ethernet0/0.119
 description L2BARN
 vlan 509
 nameif L2B
 security-level 100
 ip address 10.1.119.1 255.255.255.0 
!
interface Ethernet0/0.120
 description S8BARN
 vlan 510
 nameif S8B
 security-level 100
 ip address 10.1.120.1 255.255.255.0 
!
interface Ethernet0/1
 speed 1000
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 nameif outside
 security-level 0
 ip address WAN_IP 255.255.255.248 
!
interface Management0/0
 nameif MGMT
 security-level 100
 ip address 192.168.1.9 255.255.255.0 
 management-only
!
ftp mode passive
dns server-group DefaultDNS
 domain-name domain.local
object-group network OFFICE_NETWORK
 network-object 10.1.101.0 255.255.255.0
 network-object 10.1.102.0 255.255.255.0
 network-object 10.1.103.0 255.255.255.0
 network-object 10.1.104.0 255.255.255.0
 network-object 10.1.105.0 255.255.255.0
 network-object 10.1.106.0 255.255.255.0
 network-object 10.1.107.0 255.255.255.0
 network-object 10.1.108.0 255.255.255.0
 network-object 10.1.109.0 255.255.255.0
 network-object 10.1.110.0 255.255.255.0
object-group network BARN_NETWORK
 network-object 10.1.111.0 255.255.255.0
 network-object 10.1.112.0 255.255.255.0
 network-object 10.1.113.0 255.255.255.0
 network-object 10.1.114.0 255.255.255.0
 network-object 10.1.115.0 255.255.255.0
 network-object 10.1.116.0 255.255.255.0
 network-object 10.1.117.0 255.255.255.0
 network-object 10.1.118.0 255.255.255.0
 network-object 10.1.119.0 255.255.255.0
 network-object 10.1.120.0 255.255.255.0
object-group network BARN_HOSTS_2thru9
 network-object 10.1.111.2 255.255.255.255
 network-object 10.1.111.3 255.255.255.255
 network-object 10.1.111.4 255.255.255.255
 network-object 10.1.111.5 255.255.255.255
 network-object 10.1.111.6 255.255.255.255
 network-object 10.1.111.7 255.255.255.255
 network-object 10.1.111.8 255.255.255.255
 network-object 10.1.111.9 255.255.255.255
 network-object 10.1.112.2 255.255.255.255
 network-object 10.1.112.3 255.255.255.255
 network-object 10.1.112.4 255.255.255.255
 network-object 10.1.112.5 255.255.255.255
 network-object 10.1.112.6 255.255.255.255
 network-object 10.1.112.7 255.255.255.255
 network-object 10.1.112.8 255.255.255.255
 network-object 10.1.112.9 255.255.255.255
 network-object 10.1.113.2 255.255.255.255
 network-object 10.1.113.3 255.255.255.255
 network-object 10.1.113.4 255.255.255.255
 network-object 10.1.113.5 255.255.255.255
 network-object 10.1.113.6 255.255.255.255
 network-object 10.1.113.7 255.255.255.255
 network-object 10.1.113.8 255.255.255.255
 network-object 10.1.113.9 255.255.255.255
 network-object 10.1.114.2 255.255.255.255
 network-object 10.1.114.3 255.255.255.255
 network-object 10.1.114.4 255.255.255.255
 network-object 10.1.114.5 255.255.255.255
 network-object 10.1.114.6 255.255.255.255
 network-object 10.1.114.7 255.255.255.255
 network-object 10.1.114.8 255.255.255.255
 network-object 10.1.114.9 255.255.255.255
 network-object 10.1.115.2 255.255.255.255
 network-object 10.1.115.3 255.255.255.255
 network-object 10.1.115.4 255.255.255.255
 network-object 10.1.115.5 255.255.255.255
 network-object 10.1.115.6 255.255.255.255
 network-object 10.1.115.7 255.255.255.255
 network-object 10.1.115.8 255.255.255.255
 network-object 10.1.115.9 255.255.255.255
 network-object 10.1.116.2 255.255.255.255
 network-object 10.1.116.3 255.255.255.255
 network-object 10.1.116.4 255.255.255.255
 network-object 10.1.116.5 255.255.255.255
 network-object 10.1.116.6 255.255.255.255
 network-object 10.1.116.7 255.255.255.255
 network-object 10.1.116.8 255.255.255.255
 network-object 10.1.116.9 255.255.255.255
 network-object 10.1.117.2 255.255.255.255
 network-object 10.1.117.3 255.255.255.255
 network-object 10.1.117.4 255.255.255.255
 network-object 10.1.117.5 255.255.255.255
 network-object 10.1.117.6 255.255.255.255
 network-object 10.1.117.7 255.255.255.255
 network-object 10.1.117.8 255.255.255.255
 network-object 10.1.117.9 255.255.255.255
 network-object 10.1.118.2 255.255.255.255
 network-object 10.1.118.3 255.255.255.255
 network-object 10.1.118.4 255.255.255.255
 network-object 10.1.118.5 255.255.255.255
 network-object 10.1.118.6 255.255.255.255
 network-object 10.1.118.7 255.255.255.255
 network-object 10.1.118.8 255.255.255.255
 network-object 10.1.118.9 255.255.255.255
 network-object 10.1.119.2 255.255.255.255
 network-object 10.1.119.3 255.255.255.255
 network-object 10.1.119.4 255.255.255.255
 network-object 10.1.119.5 255.255.255.255
 network-object 10.1.119.6 255.255.255.255
 network-object 10.1.119.7 255.255.255.255
 network-object 10.1.119.8 255.255.255.255
 network-object 10.1.120.9 255.255.255.255
 network-object 10.1.120.2 255.255.255.255
 network-object 10.1.120.3 255.255.255.255
 network-object 10.1.120.4 255.255.255.255
 network-object 10.1.120.5 255.255.255.255
 network-object 10.1.120.6 255.255.255.255
 network-object 10.1.120.7 255.255.255.255
 network-object 10.1.120.8 255.255.255.255
object-group service VNC_10.1.111.2
 service-object tcp-udp range 16120 16129 
object-group service VNC_10.1.111.3
 service-object tcp-udp range 16130 16139 
object-group service VNC_10.1.112.2
 service-object tcp-udp range 16220 16229 
object-group service VNC_10.1.112.3
 service-object tcp-udp range 16230 16239 
object-group service VNC_10.1.116.2
 service-object tcp-udp range 16010 16019 
access-list outside_access_in extended permit tcp any host centerfresh-ex eq pop3 
access-list outside_access_in extended permit tcp ISP_SMTP 255.255.255.0 host server-ex eq smtp 
access-list outside_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list outside_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list outside_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list outside_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
access-list VPN_splitTunnelAcl standard permit 10.1.101.0 255.255.255.0 
access-list CORP_nat0_outbound extended permit ip 10.1.101.0 255.255.255.0 10.1.201.128 255.255.255.128 
access-list CORP_nat0_outbound extended permit ip 10.1.101.0 255.255.255.0 10.1.102.0 255.255.255.0 
access-list CORP_nat0_outbound extended permit ip 10.1.101.0 255.255.255.0 10.1.116.0 255.255.255.0 
access-list SCEO_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK 
access-list SCEO_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list SCEO_access_in extended permit ip any any 
access-list SCEO_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list SCEO_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list SCEO_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list SCEO_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
access-list SCEB_access_in extended deny ip object-group BARN_NETWORK object-group OFFICE_NETWORK 
access-list SCEB_access_in extended deny ip object-group BARN_NETWORK WAN IP 255.255.255.248 
access-list SCEB_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list BARN_HOSTS_2thru9_access_in extended permit ip object-group BARN_HOSTS_2thru9 WAN IP 255.255.255.248 
access-list BARN_access_in extended deny ip object-group BARN_NETWORK object-group OFFICE_NETWORK 
access-list BARN_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list L1B_access_in extended deny ip object-group BARN_NETWORK object-group OFFICE_NETWORK 
access-list L1B_access_in extended deny ip object-group BARN_NETWORK WAN IP 255.255.255.248 
access-list L1B_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list L2B_access_in extended deny ip object-group BARN_NETWORK object-group OFFICE_NETWORK 
access-list L2B_access_in extended deny ip object-group BARN_NETWORK WAN IP 255.255.255.248 
access-list L2B_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list SCP1B_access_in extended deny ip object-group BARN_NETWORK object-group OFFICE_NETWORK 
access-list SCP1B_access_in extended deny ip object-group BARN_NETWORK WAN IP 255.255.255.248 
access-list SCP1B_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list SCP2B_access_in extended deny ip object-group BARN_NETWORK object-group OFFICE_NETWORK 
access-list SCP2B_access_in extended deny ip object-group BARN_NETWORK WAN IP 255.255.255.248 
access-list SCP2B_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list SCP3B_access_in extended deny ip object-group BARN_NETWORK object-group OFFICE_NETWORK 
access-list SCP3B_access_in extended deny ip object-group BARN_NETWORK WAN IP 255.255.255.248 
access-list SCP3B_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list SCP4B_access_in extended deny ip object-group BARN_NETWORK object-group OFFICE_NETWORK 
access-list SCP4B_access_in extended deny ip object-group BARN_NETWORK WAN IP 255.255.255.248 
access-list SCP4B_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list S5B_access_in extended deny ip object-group BARN_NETWORK object-group OFFICE_NETWORK 
access-list S5B_access_in extended deny ip object-group BARN_NETWORK WAN IP 255.255.255.248 
access-list S5B_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list S8B_access_in extended deny ip object-group BARN_NETWORK object-group OFFICE_NETWORK 
access-list S8B_access_in extended deny ip object-group BARN_NETWORK WAN IP 255.255.255.248 
access-list S8B_access_in extended deny ip object-group BARN_NETWORK 10.1.100.0 255.255.255.0 
access-list CORP_access_in extended deny ip object-group OFFICE_NETWORK WAN IP 255.255.255.248 
access-list CORP_access_in extended deny ip object-group OFFICE_NETWORK 10.1.100.0 255.255.255.0 
access-list CORP_access_in extended permit ip any any 
access-list CORP_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list CORP_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list CORP_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list CORP_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
access-list CORP_access_in extended permit object-group VNC_10.1.116.2 any host 10.1.116.2 
access-list CORP_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK 
access-list L1O_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK 
access-list L1O_access_in extended deny ip object-group OFFICE_NETWORK 10.1.100.0 255.255.255.0 
access-list L1O_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list L1O_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list L1O_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list L1O_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
access-list L2O_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK 
access-list L2O_access_in extended deny ip object-group OFFICE_NETWORK 10.1.100.0 255.255.255.0 
access-list L2O_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list L2O_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list L2O_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list L2O_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
access-list SCP1O_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK 
access-list SCP1O_access_in extended deny ip object-group OFFICE_NETWORK 10.1.100.0 255.255.255.0 
access-list SCP1O_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list SCP1O_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list SCP1O_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list SCP1O_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
access-list SCP2O_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK 
access-list SCP2O_access_in extended deny ip object-group OFFICE_NETWORK 10.1.100.0 255.255.255.0 
access-list SCP2O_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list SCP2O_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list SCP2O_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list SCP2O_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
access-list SCP3O_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK 
access-list SCP3O_access_in extended deny ip object-group OFFICE_NETWORK 10.1.100.0 255.255.255.0 
access-list SCP3O_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list SCP3O_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list SCP3O_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list SCP3O_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
access-list SCP4O_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK 
access-list SCP4O_access_in extended deny ip object-group OFFICE_NETWORK 10.1.100.0 255.255.255.0 
access-list SCP4O_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list SCP4O_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list SCP4O_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list SCP4O_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
access-list S5O_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK 
access-list S5O_access_in extended deny ip object-group OFFICE_NETWORK 10.1.100.0 255.255.255.0 
access-list S5O_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list S5O_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list S5O_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list S5O_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
access-list S80_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK 
access-list S80_access_in extended deny ip object-group OFFICE_NETWORK 10.1.100.0 255.255.255.0 
access-list SCEO_nat0_outbound extended permit ip 10.1.102.0 255.255.255.0 10.1.101.0 255.255.255.0 
access-list SCP4O_nat0_outbound extended permit ip 10.1.103.0 255.255.255.0 10.1.101.0 255.255.255.0 
access-list SCP3O_nat0_outbound extended permit ip 10.1.104.0 255.255.255.0 10.1.101.0 255.255.255.0 
access-list SCP2O_nat0_outbound extended permit ip 10.1.105.0 255.255.255.0 10.1.101.0 255.255.255.0 
access-list SCP1O_nat0_outbound extended permit ip 10.1.106.0 255.255.255.0 10.1.101.0 255.255.255.0 
access-list S5O_nat0_outbound extended permit ip 10.1.107.0 255.255.255.0 10.1.101.0 255.255.255.0 
access-list L1O_nat0_outbound extended permit ip 10.1.108.0 255.255.255.0 10.1.101.0 255.255.255.0 
access-list L2O_nat0_outbound extended permit ip 10.1.109.0 255.255.255.0 10.1.101.0 255.255.255.0 
access-list S8O_access_in extended permit object-group VNC_10.1.111.2 any host 10.1.111.2 
access-list S8O_access_in extended permit object-group VNC_10.1.111.3 any host 10.1.111.3 
access-list S8O_access_in extended permit object-group VNC_10.1.112.2 any host 10.1.112.2 
access-list S8O_access_in extended permit object-group VNC_10.1.112.3 any host 10.1.112.3 
pager lines 24
logging enable
logging asdm informational
mtu MGT 1500
mtu CORP 1500
mtu SCEO 1500
mtu SCP4O 1500
mtu SCP3O 1500
mtu SCP2O 1500
mtu SCP1O 1500
mtu S5O 1500
mtu L1O 1500
mtu L2O 1500
mtu S8O 1500
mtu BARN 1500
mtu SCEB 1500
mtu SCP4B 1500
mtu SCP3B 1500
mtu SCP2B 1500
mtu SCP1B 1500
mtu S5B 1500
mtu L1B 1500
mtu L2B 1500
mtu S8B 1500
mtu outside 1500
mtu MGMT 1500
ip local pool VPN_POOL 10.1.201.150-10.1.201.249 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo CORP
icmp permit any echo-reply CORP
icmp permit any echo-reply SCEO
icmp permit any echo SCEO
asdm image disk0:/asdm-615.bin
asdm location 192.168.1.145 255.255.255.255 MGMT
asdm location server-dc 255.255.255.255 BARN
asdm location server-ex 255.255.255.255 BARN
asdm location server-fs 255.255.255.255 BARN
asdm location ISP_SMTP 255.255.255.0 BARN
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (CORP) 0 access-list CORP_nat0_outbound
nat (CORP) 1 0.0.0.0 0.0.0.0
nat (SCEO) 0 access-list SCEO_nat0_outbound
nat (SCP4O) 0 access-list SCP1O_nat0_outbound
nat (SCP3O) 0 access-list SCP2O_nat0_outbound
nat (SCP2O) 0 access-list SCP3O_nat0_outbound
nat (SCP1O) 0 access-list SCP4O_nat0_outbound
nat (S5O) 0 access-list S5O_nat0_outbound
nat (L1O) 0 access-list L1O_nat0_outbound
nat (L2O) 0 access-list L2O_nat0_outbound
static (BARN,outside) tcp interface 16120 10.1.111.2 16120 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16121 10.1.111.2 16121 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16122 10.1.111.2 16122 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16123 10.1.111.2 16123 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16124 10.1.111.2 16124 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16125 10.1.111.2 16125 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16126 10.1.111.2 16126 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16127 10.1.111.2 16127 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16128 10.1.111.2 16128 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16129 10.1.111.2 16129 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16130 10.1.111.3 16130 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16131 10.1.111.3 16131 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16132 10.1.111.3 16132 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16133 10.1.111.3 16133 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16134 10.1.111.3 16134 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16135 10.1.111.3 16135 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16136 10.1.111.3 16136 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16137 10.1.111.3 16137 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16138 10.1.111.3 16138 netmask 255.255.255.255 
static (BARN,outside) tcp interface 16139 10.1.111.3 16139 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16220 10.1.112.2 16220 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16221 10.1.112.2 16221 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16222 10.1.112.2 16222 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16223 10.1.112.2 16223 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16224 10.1.112.2 16224 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16225 10.1.112.2 16225 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16226 10.1.112.2 16226 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16227 10.1.112.2 16227 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16228 10.1.112.2 16228 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16229 10.1.112.2 16229 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16230 10.1.112.3 16230 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16231 10.1.112.3 16231 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16232 10.1.112.3 16232 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16233 10.1.112.3 16233 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16234 10.1.112.3 16234 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16235 10.1.112.3 16235 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16236 10.1.112.3 16236 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16237 10.1.112.3 16237 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16238 10.1.112.3 16238 netmask 255.255.255.255 
static (SCEB,outside) tcp interface 16239 10.1.112.3 16239 netmask 255.255.255.255 
static (SCP1B,outside) tcp interface 16010 10.1.116.2 16010 netmask 255.255.255.255 
static (SCP1B,outside) tcp interface 16011 10.1.116.2 16011 netmask 255.255.255.255 
static (SCP1B,outside) tcp interface 16012 10.1.116.2 16012 netmask 255.255.255.255 
static (SCP1B,outside) tcp interface 16013 10.1.116.2 16013 netmask 255.255.255.255 
static (SCP1B,outside) tcp interface 16014 10.1.116.2 16014 netmask 255.255.255.255 
static (SCP1B,outside) tcp interface 16015 10.1.116.2 16015 netmask 255.255.255.255 
static (SCP1B,outside) tcp interface 16016 10.1.116.2 16016 netmask 255.255.255.255 
static (SCP1B,outside) tcp interface 16017 10.1.116.2 16017 netmask 255.255.255.255 
static (SCP1B,outside) tcp interface 16018 10.1.116.2 16018 netmask 255.255.255.255 
static (SCP1B,outside) tcp interface 16019 10.1.116.2 16019 netmask 255.255.255.255 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 96.31.31.134 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN_AAA protocol radius
aaa-server VPN_AAA (CORP) host server-dc
 timeout 5
 key XXXXX
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 MGMT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 MGMT
ssh timeout 5
console timeout 0
dhcpd address 10.1.100.150-10.1.100.249 MGT
dhcpd dns server-dc 96.31.0.32 interface MGT
dhcpd wins server-dc interface MGT
dhcpd lease 604800 interface MGT
dhcpd domain domain.local interface MGT
dhcpd enable MGT
!
dhcpd address 10.1.101.150-10.1.101.249 CORP
dhcpd dns server-dc 96.31.0.32 interface CORP
dhcpd wins server-dc interface CORP
dhcpd lease 604800 interface CORP
dhcpd domain domain.local interface CORP
dhcpd enable CORP
!
dhcpd address 10.1.102.150-10.1.102.249 SCEO
dhcpd dns server-dc 96.31.0.32 interface SCEO
dhcpd wins server-dc interface SCEO
dhcpd lease 604800 interface SCEO
dhcpd domain domain.local interface SCEO
dhcpd enable SCEO
!
dhcpd address 10.1.103.150-10.1.103.249 SCP4O
dhcpd dns server-dc 96.31.0.32 interface SCP4O
dhcpd wins server-dc interface SCP4O
dhcpd lease 604800 interface SCP4O
dhcpd domain domain.local interface SCP4O
dhcpd enable SCP4O
!
dhcpd address 10.1.104.150-10.1.104.249 SCP3O
dhcpd dns server-dc 96.31.0.32 interface SCP3O
dhcpd wins server-dc interface SCP3O
dhcpd lease 604800 interface SCP3O
dhcpd domain domain.local interface SCP3O
dhcpd enable SCP3O
!
dhcpd address 10.1.105.150-10.1.105.249 SCP2O
dhcpd dns server-dc 96.31.0.32 interface SCP2O
dhcpd wins server-dc interface SCP2O
dhcpd lease 604800 interface SCP2O
dhcpd domain domain.local interface SCP2O
dhcpd enable SCP2O
!
dhcpd address 10.1.106.150-10.1.106.249 SCP1O
dhcpd dns server-dc interface SCP1O
dhcpd wins server-dc server-dc interface SCP1O
dhcpd lease 604800 interface SCP1O
dhcpd domain domain.local interface SCP1O
dhcpd enable SCP1O
!
dhcpd address 10.1.107.150-10.1.107.249 S5O
dhcpd dns server-dc 96.31.0.32 interface S5O
dhcpd wins server-dc interface S5O
dhcpd lease 604800 interface S5O
dhcpd domain domain.local interface S5O
dhcpd enable S5O
!
dhcpd address 10.1.108.150-10.1.108.249 L1O
dhcpd dns server-dc 96.31.0.32 interface L1O
dhcpd wins server-dc interface L1O
dhcpd lease 604800 interface L1O
dhcpd domain domain.local interface L1O
dhcpd enable L1O
!
dhcpd address 10.1.109.150-10.1.109.249 L2O
dhcpd dns server-dc 96.31.0.32 interface L2O
dhcpd wins server-dc interface L2O
dhcpd lease 604800 interface L2O
dhcpd domain domain.local interface L2O
dhcpd enable L2O
!
dhcpd address 10.1.110.150-10.1.110.249 S8O
dhcpd dns server-dc 93.31.0.32 interface S8O
dhcpd wins server-dc interface S8O
dhcpd lease 604800 interface S8O
dhcpd domain domain.local interface S8O
dhcpd enable S8O
!
dhcpd address 10.1.111.150-10.1.111.249 BARN
dhcpd dns server-dc 96.31.0.32 interface BARN
dhcpd wins server-dc interface BARN
dhcpd lease 604800 interface BARN
dhcpd domain domain.local interface BARN
dhcpd enable BARN
!
dhcpd address 10.1.112.150-10.1.112.150 SCEB
dhcpd dns 96.31.0.32 208.67.222.222 interface SCEB
dhcpd lease 604800 interface SCEB
dhcpd domain domain.local interface SCEB
dhcpd enable SCEB
!
dhcpd address 10.1.113.150-10.1.113.249 SCP4B
dhcpd dns 96.31.0.32 208.67.222.222 interface SCP4B
dhcpd lease 604800 interface SCP4B
dhcpd domain domain.local interface SCP4B
dhcpd enable SCP4B
!
dhcpd address 10.1.114.150-10.1.114.249 SCP3B
dhcpd dns 96.31.0.32 208.67.222.222 interface SCP3B
dhcpd lease 604800 interface SCP3B
dhcpd domain domain.local interface SCP3B
dhcpd enable SCP3B
!
dhcpd address 10.1.115.150-10.1.115.249 SCP2B
dhcpd dns 96.31.0.32 208.67.222.222 interface SCP2B
dhcpd lease 604800 interface SCP2B
dhcpd domain domain.local interface SCP2B
dhcpd enable SCP2B
!
dhcpd address 10.1.116.150-10.1.116.249 SCP1B
dhcpd dns 96.31.0.32 208.67.222.222 interface SCP1B
dhcpd lease 604800 interface SCP1B
dhcpd domain domain.local interface SCP1B
dhcpd enable SCP1B
!
dhcpd address 10.1.117.150-10.1.117.249 S5B
dhcpd dns 96.31.0.32 208.67.222.222 interface S5B
dhcpd lease 604800 interface S5B
dhcpd domain domain.local interface S5B
dhcpd enable S5B
!
dhcpd address 10.1.118.150-10.1.118.249 L1B
dhcpd dns 96.31.0.32 208.67.222.222 interface L1B
dhcpd lease 604800 interface L1B
dhcpd domain domain.local interface L1B
dhcpd enable L1B
!
dhcpd address 10.1.119.150-10.1.119.249 L2B
dhcpd dns 96.31.0.32 208.67.222.222 interface L2B
dhcpd lease 604800 interface L2B
dhcpd domain domain.local interface L2B
dhcpd enable L2B
!
dhcpd address 10.1.120.150-10.1.120.249 S8B
dhcpd dns 96.31.0.32 208.67.222.222 interface S8B
dhcpd lease 604800 interface S8B
dhcpd domain domain.local interface S8B
dhcpd enable S8B
!
threat-detection basic-threat
threat-detection scanning-threat shun except object-group BARN_NETWORK
threat-detection scanning-threat shun except object-group OFFICE_NETWORK
threat-detection scanning-threat shun duration 3600
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy VPN internal
group-policy VPN attributes
 wins-server value 10.1.101.2
 dns-server value 10.1.101.2 96.31.0.32
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN_splitTunnelAcl
 default-domain value domain.local
username admin password XXXXX encrypted
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_POOL
 authentication-server-group VPN_AAA
 default-group-policy VPN
tunnel-group VPN ipsec-attributes
 pre-shared-key XXXXX
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:XXXXX
: end

TercestisiAsked:

Ken BooneNetwork ConsultantCommented:
I think you might need to add the following command:

same-security-traffic permit inter-interface

this allows traffic to flow between same security level interfaces without NAT and ACLs
0
QuoriCommented:
You've got a lot of ACLs there but only one of them is applied to an interface....
0
TercestisiAuthor Commented:
>I think you might need to add the following command:

>same-security-traffic permit inter-interface

>this allows traffic to flow between same security level interfaces without NAT and ACLs.

I had this earlier and recently removed it, because with this it did allow the flow of traffic but I had the opposite problem: none of the ACLs I would specify would block the traffic.

>You've got a lot of ACLs there but only one of them is applied to an interface....

The other ACL's, other than the outside interface are sub-interfaces.
0

Ken BooneNetwork ConsultantCommented:
So typically you use Static and ACLs to allow traffic from a lower level interface to a higher level interface and you use NAT and Global statements to allow traffic from a higher level interface to a lower level interface.  So if I remember correctly, if you use the same level interface without the same-security-traffic permit inter-interface statement - traffic will not flow between these interfaces.

 So you could move everything down to a lower level security than 100 and leave this particular interface at 100 and then use static and ACLs to control it.

But, if you use the same-security-traffic permit inter-interface statement, the ACLs should still apply I would think.  The ACLs should apply to anything that hits that interface regardless of where it is destined.

So I think you will have to do one or the other.
#1  Use same security interface and figure out why ACLs aren't working
or
#2 Change the security level interfaces.
0

TercestisiAuthor Commented:
I'll give that a try; thanks.
0
apd32123Commented:
The same-security-traffic permit inter-interface statement allows traffic without the stateful requirement; your ACLs should still block traffic.
0
TercestisiAuthor Commented:
In the meantime, let me further elaborate at what I'm trying to accomplish:

1) I need all sub-interfaces ending in "O" and the sub-interface "CORP" to be able to access each other freely.
2) I need all sub-interfaces ending in "B" to be able to access each other freely.
3) By default, sub-interfaces ending in "O" and the sub-interface "CORP" should not be able to access sub-interfaces ending in "B", and vice versa: "B" should not be able to access "O" and "CORP".
4) "O" and "CORP" should have full "outside" access.
5) By default, "B" should not have "outside" access.
6) I need hosts 10.1.N.2-9 on "B" to be able to access the "outside" interface.
7) 10.1.111.2 should have TCP and UDP ports 16120 - 16129 open for incoming traffic from "outside" and from the "O" and "CORP".
8) 10.1.111.3 should have TCP and UDP ports 16130 - 16139 open for incoming traffic from "outside" and from the "O" and "CORP".
9) 10.1.112.2 should have TCP and UDP ports 16220 - 16229 open for incoming traffic from "outside" and from the "O" and "CORP".
10) 10.1.112.3 should have TCP and UDP ports 16230 - 16239 open for incoming traffic from "outside" and from the "O" and "CORP".
11) 10.1.116.2 should have TCP and UDP ports 16010 - 16019 open for incoming traffic from "outside" and from the "O" and "CORP".
0
TercestisiAuthor Commented:
Interestingly if I apply:

access-list CORP_access_in_1 extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK

then access is blocked like it should be, but

access-list CORP_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK

doesn't do anything.

Any ideas why?
0
Ken BooneNetwork ConsultantCommented:
Hmm... Not sure about that.  If that is the case I would do the following, assuming lab environment or off hours:

remove access-list CORP_access_in completely
wr mem
reload the ASA
re-configure access-list CORP_access_in
apply the ACL to the appropriate interfaces

and then see what happens.
0
TercestisiAuthor Commented:
Hmm... maybe some insight is helpful:

Though I am a CLI-guy, I admittedly did some GUI config via ASDM, as I do find certain tasks easier/faster via the GUI.

What I need to know is, what is the difference within ASDM between Access Rules and ACL Manager; most of the rules I put in via the CLI went under the ACL Manager within ASDM and not the Access Rules section. During testing I added the same type of rule to the Access Rules section, and that is when it worked and produced the command:

access-list CORP_access_in_1 extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK

0
Ken BooneNetwork ConsultantCommented:
Hmm.  I can't answer that without actually being on ASDM.  I do almost all of my configuration in CLI and then get ASDM up and running for the customer.  I don't know ASDM off the top of my head.  It is much better than the old Pix Device Manager, but sometimes the wording of things doesn't match up to exactly what you think it should in the CLI.  Since you were using ASDM maybe you made the ACL but it did not apply it properly to the right interface, or rather it didn't do what you thought it was going to do.  

The ACL has 2 parts  - the actual ACL, and then the application of the ACL  i.e. access-group inside_acl in interface inside

So you can create an ACL and it will sit there all day and not do a thing until it is applied.  I would review the CLI config after making a change in ASDM to see what it did.
0
TercestisiAuthor Commented:
Well I configured the device solely from CLI, and then checked ASDM to see how it applied. It wasn't until I noticed that my CLI commands were falling under the ACL Manager instead of Access List in ASDM, that I setup rules via ASDM under Access List... which thus worked.
0
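The two things the replies above keep coming back to, an ACL that is defined but never bound with access-group (what ASDM lists under ACL Manager rather than Access Rules) and same-security interfaces with no same-security-traffic permit inter-interface, are both mechanical checks against the running config. The script below is an added example, not code from the thread or from Cisco. It parses a constructed config that mirrors the posted setup (the CLI-made CORP_access_in left unbound, the ASDM-made CORP_access_in_1 bound to CORP, the object-group members, the outside ACL and the test flows are all assumptions), reports unapplied ACLs and interfaces with no inbound ACL, and models the ASA's inbound decision for the flow from the question: the security-level rule first, then the first matching ACE on the bound ACL, then the implicit deny. NAT and nat-control are not modelled.

```python
"""Audit an ASA 8.0-style config for unapplied ACLs and model its inbound decisions.
Added example, not from the thread; CONFIG and its members/bindings are assumed."""
import ipaddress
from types import SimpleNamespace

CONFIG = """\
same-security-traffic permit inter-interface
interface Ethernet0/0.101
 nameif CORP
 security-level 100
interface Ethernet0/0.116
 nameif SCP1B
 security-level 100
interface Ethernet0/1
 nameif outside
 security-level 0
object-group network OFFICE_NETWORK
 network-object 10.1.101.0 255.255.255.0
object-group network BARN_NETWORK
 network-object 10.1.116.0 255.255.255.0
access-list CORP_access_in extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK
access-list CORP_access_in extended permit ip any any
access-list CORP_access_in_1 extended deny ip object-group OFFICE_NETWORK object-group BARN_NETWORK
access-list CORP_access_in_1 extended permit ip any any
access-list outside_access_in extended permit tcp any host 10.1.116.2 range 16010 16019
access-group outside_access_in in interface outside
access-group CORP_access_in_1 in interface CORP
"""

def _addr(t, i):  # address term at t[i]: any | host A | object-group G | A MASK
    if t[i] == "any":
        return ("any", None), i + 1
    if t[i] == "object-group":
        return ("group", t[i + 1]), i + 2
    net = t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
    return ("net", ipaddress.ip_network(net)), i + 2

def _ace(t):  # 'extended permit|deny PROTO SRC DST [eq P | range A B]'
    src, i = _addr(t, 3)
    dst, i = _addr(t, i)
    ports = None
    if i < len(t) and t[i] in ("eq", "range"):
        ports = (int(t[i + 1]), int(t[i + 2] if t[i] == "range" else t[i + 1]))
    return (t[1], t[2], src, dst, ports)

def parse(config):
    asa = SimpleNamespace(levels={}, groups={}, acls={}, bound={}, same_sec=False)
    nameif = group = None
    for t in filter(None, (line.split() for line in config.splitlines())):
        if t[0] in ("interface", "nameif"):
            nameif = t[1] if t[0] == "nameif" else None
        elif t[0] == "security-level" and nameif:
            asa.levels[nameif] = int(t[1])
        elif t[:2] == ["object-group", "network"]:
            group = asa.groups.setdefault(t[2], [])
        elif t[0] == "network-object" and group is not None:
            group.append(ipaddress.ip_network(t[2] if t[1] == "host" else f"{t[1]}/{t[2]}"))
        elif t[0] == "access-list":
            asa.acls.setdefault(t[1], []).append(_ace(t[2:]))
        elif t[0] == "access-group":  # access-group NAME in interface IFACE
            asa.bound[t[4]] = t[1]
        elif t[:3] == ["same-security-traffic", "permit", "inter-interface"]:
            asa.same_sec = True
    return asa

def audit(asa):  # the checks that would have caught the thread's problem
    findings = [f"ACL {n} is defined but never applied with access-group"
                for n in asa.acls if n not in asa.bound.values()]
    findings += [f"interface {n} has no inbound ACL; security levels alone decide"
                 for n in asa.levels if n not in asa.bound]
    shared = [n for n, l in asa.levels.items() if list(asa.levels.values()).count(l) > 1]
    if shared and not asa.same_sec:
        findings.append("same-level interfaces lack same-security-traffic permit inter-interface: " + ", ".join(shared))
    return findings

def _hit(spec, ip, asa):
    kind, val = spec
    return kind == "any" or any(ip in n for n in (asa.groups[val] if kind == "group" else [val]))

def decide(asa, in_if, out_if, src, dst, proto, dport):
    """ASA-style inbound decision: level rule, then first matching ACE, then implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    lo, hi = asa.levels[in_if], asa.levels[out_if]
    if lo == hi and not asa.same_sec:
        return "deny", "same security level without same-security-traffic permit inter-interface"
    acl = asa.bound.get(in_if)
    if acl is None:
        return ("permit", "no ACL; level rule") if lo >= hi else ("deny", "no ACL; lower to higher")
    for action, p, s, d, ports in asa.acls.get(acl, []):
        if (p in ("ip", proto) and _hit(s, src, asa) and _hit(d, dst, asa)
                and (ports is None or ports[0] <= dport <= ports[1])):
            return action, f"{acl}: first matching ACE"
    return "deny", f"{acl}: implicit deny at end of ACL"

if __name__ == "__main__":
    asa = parse(CONFIG)
    print("\n".join(audit(asa)))  # CORP_access_in is reported as defined but unapplied
    print(decide(asa, "CORP", "SCP1B", "10.1.101.150", "10.1.116.2", "tcp", 16010))
```

Run as a script it prints the findings and the decision for 10.1.101.150 to 10.1.116.2:16010, which is denied by the first ACE of the bound CORP_access_in_1 while the unbound CORP_access_in never takes part. On the real box the equivalent check after any ASDM change is to compare `show running-config access-group` with `show running-config access-list`: an ACL name that appears only in the latter does nothing.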
devangshroffCommented:
Simple thing: you need to add a return route in the ASA for all VLANs.
0
TercestisiAuthor Commented:
Not sure I understand what you mean devangshroff.
0
devangshroffCommented:
example

route inside 10.1.108.0 255.255.255.0 10.1.108.1
0
Ken BooneNetwork ConsultantCommented:
Route is not needed.  Since the 10.1.108.x network is already directly attached there is no need for these route statements as had been suggested.  
0