
Transparent mode and web server

opsmaster
Level 1

I am installing an ASA 5510 in transparent mode; it's behind a Cisco 3745 router that has NAT translation in the configs.

After I set up the ASA 5510, I created access lists for web server access. All traffic inside passes thru fine; however, when an outside user tries to access the web site, the page connection will not load.

Do I have to set a NAT rule for outside access? If not, what other suggestions does anyone have?


These are the IPs we are concerned with, correct?

172.21.0.75 & 172.21.9.172

No, these are not. I have been playing with the issue. The routing issue is in the asa. When removed from the network all traffic moves easily. With the ASA in line, traffic from remote subnets can go out to the web but not to the 172.21.0.0 network for email or file sharing. However I can ping computers in that subnet, but not traceroute.

I allowed eigrp to go thru the ASA, but I wonder if the commands are correct.

What commands should be used to allow eigrp to pass from 172.21.0.1 to 172.21.0.7 and vice versa?

You need to allow it with an extended access-list-

access-list Outside_WWW extended permit eigrp host 1.1.1.1 host 2.2.2.2

A helpful link as well-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

I have those configs in the ASA.

That one glitch is all that the problem is and I cannot figure it out.

Have to try again.

I resolved the issue. It was a matter of changing the server's gateway to the router handling the internal subnets.

Thanks for your help.

Glad to hear it's all working.

I have some interesting info, first,

I did a traceroute to the computers that cannot access the web server and traceroute reached the computer. Also, I tested the website access on PCs in a remote building and it worked. It seems to affect the Macs that are on the remote subnets.

Still poking around.

More interesting info, after I do a traceroute from the server to the machine that fails to connect, the computer can then access the mail server and website.

I tested that on 2 computers and they succeeded.

Any suggestions on how to eliminate this would be great.

The VPN access list is for VPN Server.

The WWW access list is for the WWW and Mail server. They are 2 different servers on a NAT scheme.

I need to apply the Access-list for WWW to the outside interface for HTTP traffic to our web server.
