Cisco ASA VPN problem

Harold Crane
We have three sites.  Two remote sites (sites B and C) are connected to the main site (site A) using site-to-site VPN tunnels on Cisco ASA 5505s.  Site A IP net is 172.20.28.0/24.  Site B is 172.21.28.0/24.  Site C is 172.22.28.0/24.  At site A, we have two ASA 5505s installed.  ASA #1 is used for systems at site A to access the internet, and it is used for employees to remotely access the network using Cisco's legacy VPN client.  ASA #2 at site A is used for the site-to-site VPNs between sites A and B and sites A and C.  All systems local to the site A network can ping systems on both the site B network and the site C network.  Systems on the site B network can ping systems on the site A network, as can systems on the site C network.  Remote VPN clients receive a 172.20.28.xxx IP address when connected to the site A VPN.  The problem is that VPN clients cannot successfully ping systems in either site B or C, even when systems local to site A can.  We have set up proper routing statements on the VPN clients.

Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Hi,

You need to configure hairpinning, and create nonat for remote users, did you set it?
Top Expert 2011

Commented:
Can you post your config pls?
1.  If split tunneling is enabled, you have to add the subnets for sites B and C.
2.  You have to add the remote access pool subnet to the list of allowed/interesting traffic on the site-to-site VPNs.  There should be a total of four access lists to update for this.  Two on the ASA at A, one on B, one on C.
3.  The site-to-site ASA at A needs to route correctly to the remote access address pool.

Les Moore, Sr. Systems Engineer
Top Expert 2008

Commented:
ASA #2 has to have a route statement for the range of VPN client IP addresses.
Example:
 route inside 172.20.28.128 255.255.255.128 172.20.28.x  < where X is ASA#1
Harold Crane, V. P. of Operations

Author

Commented:
I have been out with a death in the family.  Sorry for the delay.  I will look at each solution in the next few days when I am at my client's office and see if I can get any of these solutions to work.  Thanks for your patience.
Harold Crane, V. P. of Operations

Author

Commented:
Here are the Configs.  I am listing 3 configs...First Site A ASA#1, next site A ASA#2 and Finally the ASA in site B.

Site A ASA 1:

ASA Version 7.2(4)
!
hostname ciscoasa
domain-name sma.local
enable password 8srdyW5Zc220aRXm encrypted
passwd 8srdyW5Zc220aRXm encrypted
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.28.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.82 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns server-group DefaultDNS
 domain-name sma.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service RTP udp
 port-object range 10000 20000
object-group service TCP987 tcp
 port-object eq 987
object-group service RDP tcp
 port-object eq 3389
object-group network SIPConnect
 description SIP Servers at Cbeyond
 network-object host 192.168.22.212
 network-object host sip-proxy.chi0.cbeyond.net
access-list outside_access_in extended permit udp object-group SIPConnect host x.x.x.86 eq sip
access-list outside_access_in extended permit udp object-group SIPConnect host x.x.x.86 object-group RTP
access-list outside_access_in extended permit tcp any host x.x.x.83 eq www
access-list outside_access_in extended permit tcp any host x.x.x.83 eq https
access-list outside_access_in extended permit tcp any host x.x.x eq smtp
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.83 object-group RDP
access-list outside_access_in extended permit tcp host d.d.d.201 host x.x.x.83 object-group RDP
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.86 eq www
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.86 eq ssh
access-list outside_access_in extended permit tcp any host x.x.x.84 eq www
access-list outside_access_in extended permit tcp any host x.x.x.84 eq https
access-list outside_access_in extended permit tcp a.a.a.40 255.255.255.248 host x.x.x.84 object-group RDP
access-list outside_access_in extended permit tcp host b.b.b.26 host x.x.x.84 object-group RDP
access-list outside_access_in extended permit tcp host c.c.c.38 host x.x.x.84 object-group RDP
access-list outside_access_in extended permit tcp any host x.x.x.86 eq www inactive
access-list outside_access_in extended permit tcp any host x.x.x.83 object-group TCP987
access-list inside_nat0_outbound extended permit ip any 172.20.28.192 255.255.255.192
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.21.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.20.28.128 255.255.255.128
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.22.28.0 255.255.255.0
access-list DefaultRAGroup_splitTunnelAcl standard permit any
access-list split standard permit 172.20.28.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 172.20.28.200-172.20.28.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) x.x.x.86 172.20.28.21 netmask 255.255.255.255
static (inside,outside) x.x.x.83 172.20.28.1 netmask 255.255.255.255
static (inside,outside) x.x.x.84 172.20.28.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
route inside 172.22.28.0 255.255.255.0 172.20.28.9 1
route inside 172.21.28.0 255.255.255.0 172.20.28.9 1
route outside 0.0.0.0 0.0.0.0 x.x.x.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable 444
http x.x.x.x 255.255.255.248 outside
http 0.0.0.0 0.0.0.0 inside
http x.x.x.x 255.255.255.240 outside
http x.x.x.x.252 255.255.255.252 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANS_ESP_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_ESP_3DES_SHA mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 10 set transform-set TRANS_ESP_3DES_SHA ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp nat-traversal  33
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x 255.255.255.248 outside
ssh timeout 60
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.20.28.51-172.20.28.60 inside
!

webvpn
 svc image disk0:/sslclient-win-1.1.0.154.pkg 1
 svc enable
group-policy DefaultRAGroup internal
group-policy DefaultRAGroup attributes
 dns-server value 172.20.28.1
 vpn-tunnel-protocol l2tp-ipsec
 split-tunnel-network-list value DefaultRAGroup_splitTunnelAcl
 default-domain value sma.local
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server value 172.20.28.1
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 99
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec l2tp-ipsec
 password-storage disable
 ip-comp disable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain value sma.local
 split-dns none
 intercept-dhcp 255.255.255.255 disable
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 nac disable
 nac-sq-period 300
 nac-reval-period 36000
 nac-default-acl none
 address-pools value VPN_POOL
 smartcard-removal-disconnect enable
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry file-access file-entry file-browsing mapi auto-download
  html-content-filter none
  homepage none
  keep-alive-ignore 4
  http-comp gzip
  filter none
  url-list none
  customization value DfltCustomization
  port-forward none
  port-forward-name value Application Access
  sso-server none
  deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
  svc enable
  svc keep-installer installed
  svc keepalive none
  svc rekey time none
  svc rekey method none
  svc dpd-interval client none
  svc dpd-interval gateway none
  svc compression deflate
group-policy SMA internal
group-policy SMA attributes
 wins-server value 172.20.28.1
 dns-server value 172.20.28.1
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
 default-domain value sma.local
 webvpn
  svc required
  svc keep-installer installed
username STMA password 0QoA2HnBgE4oZ95E encrypted privilege 0
username STMA attributes
 vpn-group-policy SMA
username SMAVPN password GXhBBT6LW21eDAw1eAHCIQ== nt-encrypted
username SMAVPN attributes
 vpn-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
 address-pool VPN_POOL
 default-group-policy DefaultRAGroup
tunnel-group DefaultRAGroup ipsec-attributes
 pre-shared-key *
 isakmp keepalive disable
tunnel-group DefaultRAGroup ppp-attributes
 authentication ms-chap-v2
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool VPN_POOL
tunnel-group SMA type ipsec-ra
tunnel-group SMA general-attributes
 address-pool VPN_POOL
 default-group-policy SMA
tunnel-group SMA ipsec-attributes
 pre-shared-key *
tunnel-group SMA ppp-attributes
 authentication ms-chap-v2
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect pptp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:6d43ec943097d276416e307a56dd3651
: end
-----------------------------------------

Site A ASA #2

ASA Version 8.2(5)
!
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.28.9 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.85 255.255.255.248
!
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list outside_1_cryptomap extended permit ip 172.20.28.0 255.255.255.0 172.21.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.21.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.20.28.0 255.255.255.0 172.22.28.0 255.255.255.0
access-list outside_2_cryptomap extended permit ip 172.20.28.0 255.255.255.0 172.22.28.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 72.16.171.81 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer d.d.d.194
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs group1
crypto map outside_map 2 set peer e.e.e.253
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group d.d.d.194 type ipsec-l2l
tunnel-group d.d.d.194 ipsec-attributes
 pre-shared-key *****
tunnel-group e.e.e.253 type ipsec-l2l
tunnel-group e.e.e.253 ipsec-attributes
 pre-shared-key *****
!
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d4ea74c50fd62cc54b1ca421ecf083a7
: end

----------------------------------------------------------

Site B ASA

ASA Version 8.2(1)
!
hostname ciscoasa
enable password 8srdyW5Zc220aRXm encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.22.28.10 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address e.e.e.253 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
object-group service rtp udp
 port-object range 10000 20000
access-list outside_1_cryptomap extended permit ip 172.22.28.0 255.255.255.0 172.20.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 172.22.28.0 255.255.255.0 172.20.28.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 172.22.28.192 255.255.255.224
access-list outside_access_in extended permit udp any e.e.e.252 255.255.255.252 object-group rtp
access-list outside_access_in extended permit udp any e.e.e.252 255.255.255.252 eq sip
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool IPPool 172.22.28.201-172.22.28.220 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) udp interface sip 172.22.28.21 sip netmask 255.255.255.255
static (inside,outside) udp interface 10000 172.22.28.21 10000 netmask 255.255.255.255
static (inside,outside) udp interface 10001 172.22.28.21 10001 netmask 255.255.255.255
static (inside,outside) udp interface 10002 172.22.28.21 10002 netmask 255.255.255.255
static (inside,outside) udp interface 10003 172.22.28.21 10003 netmask 255.255.255.255
static (inside,outside) udp interface 10004 172.22.28.21 10004 netmask 255.255.255.255
static (inside,outside) udp interface 10005 172.22.28.21 10005 netmask 255.255.255.255
static (inside,outside) udp interface 10006 172.22.28.21 10006 netmask 255.255.255.255
static (inside,outside) udp interface 10007 172.22.28.21 10007 netmask 255.255.255.255
static (inside,outside) udp interface 10008 172.22.28.21 10008 netmask 255.255.255.255
static (inside,outside) udp interface 10009 172.22.28.21 10009 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 e.e.e.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group1
crypto map outside_map 1 set peer x.x.x.85
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!
dhcpd address 172.22.28.51-172.22.28.75 inside
dhcpd dns 75.103.5.202 209.244.0.3 interface inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy SMAIN internal
group-policy SMAIN attributes
 dns-server value 172.22.28.1
 vpn-tunnel-protocol IPSec
 default-domain value sma.local
username STMA password 0QoA2HnBgE4oZ95E encrypted privilege 0
username STMA attributes
 vpn-group-policy SMAIN
tunnel-group SMAIN type remote-access
tunnel-group SMAIN general-attributes
 address-pool IPPool
 default-group-policy SMAIN
tunnel-group SMAIN ipsec-attributes
 pre-shared-key *
tunnel-group x.x.x.85 type ipsec-l2l
tunnel-group x.x.x.85 ipsec-attributes
 pre-shared-key *
!
!
prompt hostname context
Cryptochecksum:61af47aa79b93dd95a5d259cc4d6cc8d
: end
Harold Crane, V. P. of Operations

Author

Commented:
Adding "access-list split standard permit 172.21.28.0 255.255.255.0" and "access-list split standard permit 172.22.28.0 255.255.255.0" to ASA #1 took care of it.  Thanks for the help and sorry for the delay.
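
The fix reported above can be checked offline against a saved running-config. The following is an added example, not part of the original thread: it flags any group policy set to `tunnelspecified` whose split-tunnel ACL omits a network that the ASA routes back out its inside interface. The config text is a constructed excerpt reduced from the Site A ASA #1 listing, the function names are this example's own, and only standard ACLs and `route inside` lines are handled.

```python
import ipaddress
import re

# Constructed excerpt, reduced from the Site A ASA #1 config posted in the thread.
ASA1_CONFIG = """\
access-list split standard permit 172.20.28.0 255.255.255.0
ip local pool VPN_POOL 172.20.28.200-172.20.28.254 mask 255.255.255.0
route inside 172.22.28.0 255.255.255.0 172.20.28.9 1
route inside 172.21.28.0 255.255.255.0 172.20.28.9 1
route outside 0.0.0.0 0.0.0.0 x.x.x.81 1
group-policy SMA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
"""

def standard_acls(config):
    """Map ACL name -> networks from 'access-list NAME standard permit ...' lines."""
    acls = {}
    pattern = r"^access-list (\S+) standard permit (\S+)(?: (\S+))?$"
    for name, addr, mask in re.findall(pattern, config, re.M):
        if addr == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif addr == "host":
            net = ipaddress.ip_network(f"{mask}/32")
        else:
            net = ipaddress.ip_network(f"{addr}/{mask}")
        acls.setdefault(name, []).append(net)
    return acls

def inside_routes(config):
    """Networks reached via the inside interface (here: sites B and C behind ASA #2)."""
    found = re.findall(r"^route inside (\S+) (\S+) \S+", config, re.M)
    return [ipaddress.ip_network(f"{net}/{mask}") for net, mask in found]

def group_policies(config):
    """Map group-policy name -> its split-tunnel policy and ACL name, if set."""
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"group-policy (\S+) attributes$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
        elif line.startswith(" ") and current is not None:
            words = line.split()
            if words[:1] == ["split-tunnel-policy"] and len(words) > 1:
                current["policy"] = words[1]
            elif words[:2] == ["split-tunnel-network-list", "value"] and len(words) > 2:
                current["acl"] = words[2]
        else:
            current = None  # left the attribute block
    return policies

def missing_split_networks(config):
    """Per tunnelspecified policy, inside-routed networks absent from its split ACL."""
    acls, routes = standard_acls(config), inside_routes(config)
    findings = {}
    for name, policy in group_policies(config).items():
        if policy.get("policy") != "tunnelspecified":
            continue  # tunnelall sends everything through the tunnel already
        permitted = acls.get(policy.get("acl"), [])
        missing = [str(r) for r in routes
                   if not any(r.subnet_of(p) for p in permitted)]
        if missing:
            findings[name] = missing
    return findings

if __name__ == "__main__":
    print(missing_split_networks(ASA1_CONFIG))
```

With the two `access-list split` lines from the post appended to the config text, the check returns no findings for the SMA policy.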
