Help!!! NAT Issue on ASA

Cisco newbie here....  I cannot figure out why the 172.15.15.0 network cannot access the internet (outside) interface.  Any ideas? What am I missing?  Any help is appreciated.
Result of the command: "sh run"

: Saved
:
ASA Version 8.2(1) 
!
hostname ciscoasa
enable password UMrZyv1DTPLXGFch encrypted
passwd UMrZyv1DTPLXGFch encrypted
names
name XX.YY.163.39 EDI_XX.YY.163.39
name XX.YY.163.38 EDI2_XX.YY.163.38
name 10.66.91.135 Comp_10.66.91.135 description Comp VPN
name 172.16.16.236 EDI2_172.16.16.236 description Comp EDI2
name 172.16.16.235 EDI_172.16.16.235 description Comp EDI
name 192.168.25.17 ImagingInst_192.168.25.17 description ImagingInstitute
name 192.168.25.21 ImagingInst_192.168.25.21 description ImagingInstitute
name 192.168.25.22 ImagingInst_192.168.25.22 description ImagingInstitute
name 192.168.25.8 ImagingInst_192.168.25.8 description ImagingInstitute
name 10.88.0.4 Comp_10.88.0.4 description Comp VPN
name 10.88.8.80 Comp_10.88.8.80 description Comp VPN
name 172.16.16.231 Utility_172.16.16.231
name XX.YY.163.40 Utility_XX.YY.163.40 description Used for practices to download Medvantx extracts
name 172.16.16.232 EpiChartGateway_172.16.16.232
name XX.YY.163.41 EpiChartGateway_XX.YY.163.41
name 172.15.15.0 MCTraffic
name XX.YY.229.60 CHA_XX.YY.229.60
name XX.YY.32.243 PUER_XX.YY.32.243
name XX.YY.18.80 UMGP_XX.YY.18.80
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.16.254 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address XX.YY.163.36 255.255.255.240 
!
interface Vlan5
 shutdown
 nameif dmz
 security-level 50
 no ip address
!
interface Vlan25
 nameif MCTraffic
 security-level 100
 ip address 172.15.15.254 255.255.255.0 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
 switchport access vlan 25
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network ImagingInstGroup
 network-object host ImagingInst_192.168.25.17
 network-object host ImagingInst_192.168.25.21
 network-object host ImagingInst_192.168.25.22
 network-object host ImagingInst_192.168.25.8
object-group service EDI2_Ports tcp
 port-object eq https
 port-object eq ssh
object-group service EDI_Ports tcp
 port-object eq ftp
 port-object eq ftp-data
 port-object eq https
object-group network DM_INLINE_NETWORK_1
 network-object host Comp_10.66.91.135
 network-object host Comp_10.88.0.4
 network-object host Comp_10.88.8.80
object-group service ColoSpaceMonitor_Ports
 service-object tcp-udp range 48000 48020 
 service-object tcp eq ssh 
 service-object udp eq snmp 
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group network MedvantxPractices
 network-object host CHA_XX.YY.229.60
 network-object host PUER_XX.YY.32.243
 network-object host UMGP_XX.YY.18.80
object-group service Medvantx_Ports tcp
 port-object eq 990
 port-object range 60000 60050
object-group service Medvantx tcp
 group-object Medvantx_Ports
access-list outside_1_cryptomap extended permit ip 172.16.16.0 255.255.255.0 10.242.55.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 10.242.55.0 255.255.255.0 
access-list inside_nat0_outbound extended permit ip host EDI2_172.16.16.236 host Comp_10.66.91.135 
access-list inside_nat0_outbound extended permit ip host EDI2_172.16.16.236 object-group ImagingInstGroup 
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list inside_nat0_outbound extended permit ip any 172.16.16.96 255.255.255.240 
access-list outside_access_in extended permit tcp any host EDI2_XX.YY.163.38 object-group EDI2_Ports 
access-list outside_access_in extended permit tcp any host EDI_XX.YY.163.39 object-group EDI_Ports 
access-list outside_access_in extended permit tcp any host EpiChartGateway_XX.YY.163.41 object-group DM_INLINE_TCP_1 
access-list outside_access_in extended permit tcp object-group MedvantxPractices host Utility_XX.YY.163.40 object-group Medvantx_Ports 
access-list outside_2_cryptomap extended permit ip 172.16.16.0 255.255.255.0 object-group DM_INLINE_NETWORK_1 
access-list outside_3_cryptomap extended permit ip 172.16.16.0 255.255.255.0 object-group ImagingInstGroup 
access-list throttle_edi_servers extended permit ip host EDI2_XX.YY.163.38 any 
access-list throttle_edi_servers extended permit ip any host EDI2_XX.YY.163.38 
access-list throttle_edi_servers extended permit ip host EDI_XX.YY.163.39 any 
access-list throttle_edi_servers extended permit ip any host EDI_XX.YY.163.39 
access-list RemoteAccessVPN_splitTunnelAcl standard permit 172.16.16.0 255.255.255.0 
pager lines 24
logging enable
logging timestamp
logging asdm informational
logging mail errors
logging from-address noreply@utility.epichart.com
logging recipient-address level errors
logging host inside Utility_172.16.16.231
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu MCTraffic 1500
ip local pool VPNPool 172.16.16.101-172.16.16.111 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
nat (MCTraffic) 1 0.0.0.0 0.0.0.0
static (MCTraffic,inside) MCTraffic MCTraffic netmask 255.255.255.0 
static (inside,outside) Utility_XX.YY.163.40 Utility_172.16.16.231 netmask 255.255.255.255 
static (inside,outside) EDI_XX.YY.163.39 EDI_172.16.16.235 netmask 255.255.255.255 
static (inside,outside) EDI2_XX.YY.163.38 EDI2_172.16.16.236 netmask 255.255.255.255 
static (inside,outside) EpiChartGateway_XX.YY.163.41 EpiChartGateway_172.16.16.232 netmask 255.255.255.255 
static (inside,MCTraffic) 172.16.16.0 172.16.16.0 netmask 255.255.255.0 
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 XX.YY.163.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 172.16.16.0 255.255.255.0 inside
http 10.242.55.0 255.255.255.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs 
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer XX.YY.125.146 
crypto map outside_map 1 set transform-set ESP-3DES-MD5
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer XX.YY.139.26 
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer XX.YY.56.227 
crypto map outside_map 3 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 1
 lifetime 86400
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 172.16.16.0 255.255.255.0 inside
telnet 10.242.55.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns XX.YY.136.155 XX.YY.136.100
dhcpd auto_config outside
!
dhcpd address 172.16.16.5-172.16.16.100 inside
dhcpd dns XX.YY.136.155 XX.YY.136.100 interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec svc 
group-policy RemoteAccessVPN internal
group-policy RemoteAccessVPN attributes
 dns-server value 172.16.16.230
 vpn-tunnel-protocol IPSec 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RemoteAccessVPN_splitTunnelAcl
 default-domain value epichart.com
username remote password HP6P1nlQDIJY7Y8G encrypted privilege 0
username remote attributes
 vpn-group-policy RemoteAccessVPN
tunnel-group XX.YY.125.146 type ipsec-l2l
tunnel-group XX.YY.125.146 ipsec-attributes
 pre-shared-key *
tunnel-group XX.YY.139.26 type ipsec-l2l
tunnel-group XX.YY.139.26 ipsec-attributes
 pre-shared-key *
tunnel-group XX.YY.56.227 type ipsec-l2l
tunnel-group XX.YY.56.227 ipsec-attributes
 pre-shared-key *
tunnel-group RemoteAccessVPN type remote-access
tunnel-group RemoteAccessVPN general-attributes
 address-pool VPNPool
 default-group-policy RemoteAccessVPN
tunnel-group RemoteAccessVPN ipsec-attributes
 pre-shared-key *
!
class-map throttle-me
 match access-list throttle_edi_servers
!
!
policy-map throttle-policy
 class throttle-me
  police output 524000 4000
  police input 524000 4000
!
service-policy throttle-policy interface outside
smtp-server 172.16.16.231
prompt hostname context 
Cryptochecksum:c7205feeb2093835df72245f9b0671f9
: end

Open in new window

polaris101Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

John MeggersNetwork ArchitectCommented:
Just responded on the other thread.  I don't see anything wrong in the config.  Are there any logs that can help identify what's happening?  Did you change anything that may require clearing some information, such as clearing NAT translations?
0
polaris101Author Commented:
No changes recently.... see attached screen shot of packet tracer. ss
0
Robert Sutton JrSenior Network ManagerCommented:
Line 150 states: static (inside,MCTraffic) 172.16.16.0 172.16.16.0 netmask 255.255.255.0
0
Ultimate Tool Kit for Technology Solution Provider

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy now.

polaris101Author Commented:
Thx Warlock...what should that be?
0
Istvan KalmarHead of IT Security Division Commented:
I advise to remove this:

static (MCTraffic,inside) MCTraffic MCTraffic netmask 255.255.255.0

and configure nonat on MCTraffic and inside interface
0
polaris101Author Commented:
ikalmar - I'd be really hesitant on modifying the inside interface at all.  Anything else I can do to make this work?
0
Istvan KalmarHead of IT Security Division Commented:
you need 4 lines for nonat:

access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 172.15.15.254 255.255.255.0
access-list inside_nat0_MCTraffic extended permit ip 172.15.15.254 255.255.255.0 172.16.16.0 255.255.255.0
nat (MCTraffic) 0 access-list MCTraffic _nat0_outbound
same-security-traffic intra-interface

clear xlate
0
polaris101Author Commented:
I'll try this tonight.  I'll still have to remove this line though right?: no static (MCTraffic,inside) MCTraffic MCTraffic netmask 255.255.255.0


Correct me if I'm wrong here.  

This is allowing the inside int access to the MCTraffic
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 172.15.15.254 255.255.255.0


This is allowing the MCTraffic network to the inside
access-list inside_nat0_MCTraffic extended permit ip 172.15.15.254 255.255.255.0 172.16.16.0 255.255.255.0

0
Istvan KalmarHead of IT Security Division Commented:
You absolutely right...
0
polaris101Author Commented:
I'm getting this message:

ERROR: IP address,mask <172.15.15.254,255.255.255.0> doesn't pair
0
polaris101Author Commented:
ERROR: Access-list "MCTraffic_nat0_outbound" does not exist
0
Istvan KalmarHead of IT Security Division Commented:
mea culpa:)

This is allowing the inside int access to the MCTraffic
access-list inside_nat0_outbound extended permit ip 172.16.16.0 255.255.255.0 172.15.15.250 255.255.255.0


This is allowing the MCTraffic network to the inside
access-list inside_nat0_MCTraffic extended permit ip 172.15.15.250 255.255.255.0 172.16.16.0 255.255.255.0
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.