Cisco 3560 connected to an ASA, clients don't have internet access

I know this is a simple thing I am not doing, but for the life of me I am unable to figure out what.  Here is the breakdown:
The office in question is a satellite office of a global organization.  The 10 of them connect to a 3560.  The 3560 connects to the ASA.  The ASA connects to the internet.  The switch got factory reset (and this is a new client so I was not able to get the config prior).  The ASA is just as it was when everything was working.  

The office is on the 172.20.1.X /24 network.  The inside interface of the ASA is 172.20.2.253. The DNS servers are in Asia and are on the 10.1.101.X /24 network.  With the config of the switch as it is below the switch can ping the DNS servers but not the internet.  The clients (connected directly to the 3560) can get to anything on the 172.20.1.X subnet and they can ping 172.20.2.254 which is the routed port on the 3560, but they cannot ping 172.20.2.253 (the inside interface of the ASA) even though the switch can, and obviously they cannot access the internet.

3560 Config below:
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname Switch
enable secret 5 $1$vLQ.$1K.XaQiaK4FDLu0aTyNYd.
enable password …………….
no aaa new-model
clock timezone UTC -5
clock summer-time UTC recurring
system mtu routing 1500
ip subnet-zero
ip routing
ip domain-name c………….com
ip dhcp excluded-address 172.20.1.1 172.20.1.49
ip dhcp excluded-address 172.20.1.200 172.20.1.254
ip dhcp pool CWT
   import all
   network 172.20.1.0 255.255.255.0
   domain-name c………...com
   dns-server 10.1.30.101 10.1.30.102
   default-router 172.20.1.254
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
vlan internal allocation policy ascending
interface GigabitEthernet0/1
interface GigabitEthernet0/2
interface GigabitEthernet0/3
interface GigabitEthernet0/4
interface GigabitEthernet0/5
interface GigabitEthernet0/6
interface GigabitEthernet0/7
interface GigabitEthernet0/8
interface GigabitEthernet0/9
interface GigabitEthernet0/10
interface GigabitEthernet0/11
interface GigabitEthernet0/12
interface GigabitEthernet0/13
interface GigabitEthernet0/14
interface GigabitEthernet0/15
interface GigabitEthernet0/16
interface GigabitEthernet0/17
interface GigabitEthernet0/18
interface GigabitEthernet0/19
interface GigabitEthernet0/20
interface GigabitEthernet0/21
interface GigabitEthernet0/22
interface GigabitEthernet0/23
interface GigabitEthernet0/24
 description To ASA
 no switchport
 ip address 172.20.2.254 255.255.255.0
interface GigabitEthernet0/25
interface GigabitEthernet0/26
interface GigabitEthernet0/27
interface GigabitEthernet0/28
interface Vlan1
 ip address 172.20.1.254 255.255.255.0
ip default-gateway 172.20.2.254
ip classless
ip route 0.0.0.0 0.0.0.0 172.20.2.253
ip http server
control-plane
line con 0
 password ………………….
 login
line vty 0 4
 password ………………
 login
 length 0
line vty 5 15
 password ………………
 login
end


I can upload the ASA file if needed, but most of it is VPN stuff.  Here are the important bits:

ASA Version 8.2(1)
!
hostname ASA
enable password NuLKvvWGg.x9HEKO encrypted
passwd NuLKvvWGg.x9HEKO encrypted
names
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.20.2.253 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 96.56.81.113 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
!To 3560

global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
!
router eigrp 10
 network 172.20.0.0 255.255.0.0
!
route outside 0.0.0.0 0.0.0.0 96.56.81.112 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy

Just to be clear the ASA has not been changed at all, everything was working fine until the switch was reset so this is not an issue with the ASA.
kind4me Asked:

JustInCase Commented:
Are you sure about the default route on the ASA?
route outside 0.0.0.0 0.0.0.0 96.56.81.112 1

interface Vlan2
 ip address 96.56.81.113 255.255.255.248
 :)
96.56.81.112 - is network address
96.56.81.119 - is broadcast address
96.56.81.113 -118 - are usable network addresses

And also:
Why is the router pointing to itself as its default gateway?
ip default-gateway 172.20.2.254

And to solve your problem, add this on the switch:

router eigrp 10
 network 172.20.0.0 0.0.255.255

and that should be it.

Your problem is that the ASA has no 172.20.1.0/24 network in its routing table, so all traffic for that network matches the default route and, as a result, is sent to the internet.

Or you can add a static route on the ASA that points to 172.20.2.254 as the next hop for the 172.20.1.0/24 network.
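
The routing behaviour described in the answer above, as an added example that is not part of the original thread: a longest-prefix-match lookup over a constructed model of the ASA's routing table, plus a check that a next hop is a usable host address on its subnet. The client address 172.20.1.50 and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed model of the ASA's routing table, built from the addresses in the post.
# Each entry: (prefix, egress interface, next hop or None for a connected network).
ASA_ROUTES = [
    ("172.20.2.0/24", "inside", None),
    ("96.56.81.112/29", "outside", None),
    ("0.0.0.0/0", "outside", "96.56.81.112"),
]

def lookup(routes, dst):
    """Longest-prefix match: return (interface, next_hop) used to reach dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def usable_next_hop(next_hop, interface_cidr):
    """True if next_hop is a host address (not network/broadcast) on the interface subnet."""
    net = ipaddress.ip_interface(interface_cidr).network
    nh = ipaddress.ip_address(next_hop)
    return nh in net and nh not in (net.network_address, net.broadcast_address)

def fixed_routes():
    """Table once 172.20.1.0/24 is known, via EIGRP from the switch or a static route."""
    return ASA_ROUTES + [("172.20.1.0/24", "inside", "172.20.2.254")]

if __name__ == "__main__":
    client, switch = "172.20.1.50", "172.20.2.254"  # client address is constructed
    print("reply to switch  :", lookup(ASA_ROUTES, switch))
    print("reply to client  :", lookup(ASA_ROUTES, client))
    print("after the fix    :", lookup(fixed_routes(), client))
    print("default gw usable:", usable_next_hop("96.56.81.112", "96.56.81.113/29"))
```

Replies to the switch's own address stay on the connected inside network, which is why the switch could ping the ASA while the clients behind it could not.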

kind4me (Author) Commented:
Thank you, thank you, thank you!

The ip in the post on the ASA was changed to protect the innocent, but I am very impressed by your subnetting skills.  

I think
router eigrp 10
 network 172.20.0.0 0.0.255.255

is the answer to the problem.  

Also should the gateway on the switch be pointed to 172.20.2.253?
JustInCase Commented:
Sure, it should point to 172.120.2.253
:)
And thank you for the compliment
kind4me (Author) Commented:
If I could buy you a beer I would!  I knew it was one stupid line I was missing but I couldn't see the forest through the trees.  The minute you said it I knew that was it.  

Thanks again.