Internet Access through multiple Vlans

Here's my setup:

On my Cisco 3560G I have 3 VLANs:
vlan 18 172.21.0.0 255.255.0.0    int ip 172.21.0.101
vlan 19 10.12.0.0 255.255.255.0    int ip 10.12.100.254

My ASA5505 has an inside ip of 10.12.100.7 /24  It is connected to a port which is configured for vlan19.

I have a route statement in the HP Pro Curve 5308 that routes 0.0.0.0 0.0.0.0 to 10.12.100.7.
So, any member of vlan 2 that uses the IP of the VLAN as its gateway can get to the internet without any problem.  When a member of a VLAN is on a subnet that differs from the inside IP of the ASA, it can't get out to the internet.  I have added a few routing statements from another post but still have issues getting to the internet and pinging the ASA from Vlan 18.
Below is the running config from the ASA
Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1) 
!
hostname 190077
domain-name xxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxxx4 encrypted
passwd xxxxxxxxxxxxx encrypted
names

!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.12.100.7 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xx.xx.231.138 255.255.255.252 
!
interface Vlan3
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address dhcp 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name xxxxxxxxxxxx.com
object-group service FatSpaniel tcp
 port-object eq 4001
 port-object eq 6051
object-group service xxxxxxxxxx tcp
 description Remote Access to xxxxxxxxServer for xxxxxxxxxxxx090814
 port-object eq 444
object-group service xxxxxxxxxxxxtcp
 description Open outbound port 3389 for xxxxxxxxxxxx RDP
 port-object eq 3389
object-group service xxxxxxxxxxx tcp
 description xxxxxxxxxxxxx RDP
 port-object eq 3900
 port-object eq 3389
object-group service NetFlow udp
 description xxxxxxxxxxx
 port-object eq 9996
object-group service Portal tcp
 description Internet Portal
 port-object eq 8080
object-group service xxxxxxxxxtcp
 description xxxxxxxxxxxxxxxx
 port-object eq 3101
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service xxxxxxxxx tcp-udp
 description Ports used by the xxxxxxxxxxxx
 port-object eq 1701
 port-object eq 500
object-group service VPN_TCP
 service-object tcp-udp eq 500 
 service-object tcp-udp eq 88 

access-list inbound extended permit tcp any xx_PublicIP 255.255.255.252 eq smtp 
access-list inbound extended permit tcp any xx_PublicIP 255.255.255.252 eq https 
access-list INTERNET-PAT extended permit ip 172.21.0.0 255.255.0.0 any 
pager lines 24
logging enable
logging history critical
logging asdm errors
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
flow-export destination inside SRV-890005 9996
flow-export template timeout-rate 1
mtu inside 1500
mtu outside 1500
mtu dmz 1500
ip local pool VPN_Pool1 10.12.100.245-10.12.100.246 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-621.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 access-list INTERNET-PAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface https SRV-890007 https netmask 255.255.255.255 
static (inside,outside) tcp interface www SRV-890007 www netmask 255.255.255.255 
static (inside,outside) tcp interface smtp SRV-890007 smtp netmask 255.255.255.255 
static (inside,outside) tcp interface 1677 Blizzard 1677 netmask 255.255.255.255 
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.137 1
route inside 172.21.0.0 255.255.0.0 10.12.100.7 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
url-server (inside) vendor websense host SRV-890004 timeout 30 protocol TCP version 1 connections 5
url-cache dst 1
http server enable
http DATA_NETWORK 255.255.255.0 inside

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp authenticate
ntp server 66.79.148.39 source outside prefer
webvpn
group-policy Managers internal
group-policy Managers attributes
 wins-server value 10.12.100.5
 dns-server value 10.12.100.5
 vpn-tunnel-protocol IPSec 
 default-domain value ku.kaukaunautilities.com

class-map global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 description Global Policy for NetFlow
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
 class global-class
  flow-export event-type all destination SRV-890005
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:cb93b19e60dc25be90a7e3895ec12e19
: end

lahma35 Asked:
zwart072 Commented:
Hello there,
your static route in your ASA is pointing to the inside interface of the ASA, 10.12.100.7:
route inside 172.21.0.0 255.255.0.0 10.12.100.7 1

10.12.100.7 should be your router IP address, 10.12.100.254
0

lahma35 (Author) Commented:
Thanks... that was it!
0
lahma35 (Author) Commented:
I guess I jumped the gun a little. I still cannot access the internet but can ping the ASA now.  Any thoughts?
0
zwart072 Commented:
You have a double entry for nat (inside); nat (inside) 1 0.0.0.0 0.0.0.0 is enough.
Delete nat (inside) 1 access-list INTERNET-PAT
nat (inside) 1 0.0.0.0 0.0.0.0

I see you attach your inside_access_in in interface inside:
access-group inside_access_in in interface inside
But where is your access-list inside_access_in in your configuration?
For example:
access-list inside_access_in permit ip any any

Same for the outside_access_in:
access-group outside_access_in_1 in interface outside
like
access-list outside_access_in permit tcp any x.x.x.x eq 80
access-list outside_access_in deny ip any any
0
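The two checks from the answers above (a static route whose next hop is the ASA's own interface address, and an access-group naming an ACL that has no access-list lines) written as a small config lint. This is an added example, not code from the thread; the function name, the finding labels and the 192.0.2.x addresses are assumptions, and the off-link next-hop check goes slightly beyond the case discussed.

```python
import ipaddress
import re

# Constructed sample: the lines of the posted config that matter here, with the
# redacted outside addresses replaced by 192.0.2.x documentation addresses.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.12.100.7 255.255.255.0
interface Vlan2
 nameif outside
 ip address 192.0.2.138 255.255.255.252
access-list INTERNET-PAT extended permit ip 172.21.0.0 255.255.0.0 any
access-group inside_access_in in interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.137 1
route inside 172.21.0.0 255.255.0.0 10.12.100.7 1
"""

def lint_asa_config(text):
    """Return sorted (check, detail) findings for an ASA 8.2-style config."""
    ifaces, acls, groups, routes, nameif = {}, set(), [], [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("interface "):
            nameif = None                      # start of a new interface block
        elif m := re.match(r"nameif (\S+)", line):
            nameif = m[1]
        elif (m := re.match(r"ip address (\d\S*) (\d\S*)", line)) and nameif:
            ifaces[nameif] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"access-list (\S+) ", line):
            acls.add(m[1])
        elif m := re.match(r"access-group (\S+) in interface (\S+)", line):
            groups.append((m[1], m[2]))
        elif m := re.match(r"route (\S+) (\d\S*) (\d\S*) (\d\S*)", line):
            routes.append((m[1], f"{m[2]}/{m[3]}", ipaddress.ip_address(m[4])))
    findings = []
    for nameif, dest, gw in routes:
        iface = ifaces.get(nameif)             # None if address is DHCP or redacted
        if iface is not None and gw == iface.ip:
            findings.append(("route-self", f"{dest} via {gw} is the ASA's own {nameif} address"))
        elif iface is not None and gw not in iface.network:
            findings.append(("route-offlink", f"{dest} via {gw} is not on {iface.network}"))
    for acl, nameif in groups:
        if acl not in acls:
            findings.append(("missing-acl", f"{acl} (bound to {nameif}) has no access-list lines"))
    return sorted(findings)
```

On the sample it reports the self-pointing route to 172.21.0.0 and both access-groups; with the next hop changed to 10.12.100.254 and both ACLs defined it returns an empty list.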
lahma35 (Author) Commented:
Thanks,
I got it now.  I appreciate your help.
0