03-29-2016 11:25 AM - edited 03-12-2019 12:33 AM
Hello!
I am setting up an ASA in a new environment - well, actually building out a new Datacenter for us to store our servers and equipment in.
So far I have been running into issues and have been able to resolve them (like setting up a NAT for internet traffic) for the most part.
Wanted redundant connections to our HP 3800s, which are connected to the Data Center's HSRP core, so I set up Redundant Outside and Inside interfaces on the ASA utilizing 2 ports for Outside and 2 ports for Inside (connected to separate HP 3800 switches) (VLAN'd the Outside and WAN connection to 1000). Set up Site to Site VPN and verified ping and connectivity is fine. I can ping from our 192.168.4.x network to the Datacenter network of 10.100.1.x. I can access the ASDM from our office, telnet into the ASDM, telnet into the switches. This all works great. Tested the Redundant function and it worked as expected when I unplugged either port.
Now the issue I have, and did some extensive reading on but can't figure out, is this: I have created a subinterface with a VLAN ID of 80 on the Inside interface. This is intended to be used for the phone server, so I wanted to VLAN it and place it in a different subnet so there is no crossover. However, I still want to be able to route between the networks, since I will have phones in other sites and will need connectivity to the 10.80 at the datacenter for the phone system. I have enabled the two ticks "Enable traffic between two or more interfaces w/ same security levels" and "Enable traffic between two or more hosts connected to same interface". Both the inside and "voice" interfaces are security level 100.
I cannot ping 10.80.1.1 (IP of the Subint), and I cannot ping 10.80.1.2 or 10.80.1.3 (IP's of the HP 3800's on that VLAN) from my office.
Onsite, I have a laptop that I remote into for testing. I also can't ping 10.80.1.1, 1.2, or 1.3 from it; it has a 10.100.1.x address.
However, when I am in that VLAN, I can ping between all the devices fine, but can't ping out to the internet or the 10.100.1.x network. (I assume I need a NAT for internet bound traffic for that subint.) I also read about setting up a static NAT for each interface to each other to create a basic router on a stick setup but couldn't get that to work.
Any ideas?
03-29-2016 11:56 AM
Could you show us your redundant interface configuration, physical interface configuration, NAT configuration, and related access-lists, plus the VPN configuration - might be easier to just show us your whole configuration.
03-29-2016 12:37 PM
I modified external addresses and removed some of the fluff VPN info such as tunnel-group ipsec attributes and VPN crypto policies. Does this have enough info?
ASA Version 9.2(2)4
!
hostname Cisco5512
domain-name lst1.local
enable password cs7ZVZ21yUzYAPGe encrypted
names
!
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 136.179.XX.XX 255.255.255.248
!
interface Redundant2
member-interface GigabitEthernet0/2
member-interface GigabitEthernet0/3
nameif inside
security-level 100
ip address 10.100.1.1 255.255.0.0
!
interface Redundant2.80
vlan 80
nameif Voice
security-level 100
ip address 10.80.1.1 255.255.0.0
!
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name lst1.local
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network inside-subnet
subnet 10.100.0.0 255.255.0.0
object network LV-192.168.4.x
subnet 192.168.4.0 255.255.255.0
object network RNV-192.168.1.x
subnet 192.168.1.0 255.255.255.0
object network SNA-192.168.2.x
subnet 192.168.2.0 255.255.255.0
object network LV-10.170.1.x
subnet 10.170.1.0 255.255.255.0
object network RNV-10.172.1.x
subnet 10.172.1.0 255.255.255.0
object network SNA-10.171.1.x
subnet 10.171.1.0 255.255.255.0
object network LOA-10.173.1.0
subnet 10.173.1.0 255.255.255.0
object network LOA-192.168.0.x
subnet 192.168.0.0 255.255.255.0
object network SAC-10.175.1.x
subnet 10.175.1.0 255.255.255.0
object network SAC-192.168.7.x
subnet 192.168.7.0 255.255.255.0
object network SD-10.176.1.x
subnet 10.176.1.0 255.255.255.0
object network SD-192.168.8.x
subnet 192.168.8.0 255.255.255.0
object network SLC-10.179.1.x
subnet 10.179.1.0 255.255.255.0
object network SLC-192.168.11.x
subnet 192.168.11.0 255.255.255.0
object network zspam_69.94.157.114
host 69.94.157.114
object network Las-ITKB-01M
host 10.100.1.5
object network Voice
subnet 10.80.0.0 255.255.0.0
object network voice-network
subnet 10.80.0.0 255.255.0.0
object-group network DM_INLINE_NETWORK_1
network-object object LV-192.168.4.x
network-object object LV-10.170.1.x
object-group network DM_INLINE_NETWORK_2
network-object 10.100.0.0 255.255.0.0
network-object object voice-network
object-group network DM_INLINE_NETWORK_3
network-object 10.100.0.0 255.255.0.0
network-object object voice-network
object-group network DM_INLINE_NETWORK_4
network-object 10.100.0.0 255.255.0.0
network-object object voice-network
object-group network DM_INLINE_NETWORK_6
network-object object RNV-10.172.1.x
network-object object RNV-192.168.1.x
object-group network DM_INLINE_NETWORK_7
network-object object SNA-10.171.1.x
network-object object SNA-192.168.2.x
object-group network DM_INLINE_NETWORK_5
network-object 10.100.0.0 255.255.0.0
network-object object voice-network
object-group network DM_INLINE_NETWORK_8
network-object object SLC-10.179.1.x
network-object object SLC-192.168.11.x
object-group network DM_INLINE_NETWORK_10
network-object object SD-10.176.1.x
network-object object SD-192.168.8.x
object-group network DM_INLINE_NETWORK_9
network-object 10.100.0.0 255.255.0.0
network-object object voice-network
object-group network DM_INLINE_NETWORK_11
network-object 10.100.0.0 255.255.0.0
network-object object voice-network
object-group network DM_INLINE_NETWORK_12
network-object object SAC-10.175.1.x
network-object object SAC-192.168.7.x
object-group network DM_INLINE_NETWORK_13
network-object 10.100.0.0 255.255.0.0
network-object object voice-network
object-group network DM_INLINE_NETWORK_14
network-object object LOA-10.173.1.0
network-object object LOA-192.168.0.x
access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_2 object-group DM_INLINE_NETWORK_1
access-list outside_cryptomap_1 extended permit ip object-group DM_INLINE_NETWORK_3 object-group DM_INLINE_NETWORK_7
access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_4 object-group DM_INLINE_NETWORK_6
access-list outside_cryptomap_3 extended permit ip object-group DM_INLINE_NETWORK_5 object-group DM_INLINE_NETWORK_8
access-list outside_cryptomap_4 extended permit ip object-group DM_INLINE_NETWORK_9 object-group DM_INLINE_NETWORK_10
access-list outside_cryptomap_5 extended permit ip object-group DM_INLINE_NETWORK_11 object-group DM_INLINE_NETWORK_12
access-list outside_cryptomap_6 extended permit ip object-group DM_INLINE_NETWORK_13 object-group DM_INLINE_NETWORK_14
access-list outside_access_in extended deny tcp object-group Known_Spam_Hosts any eq smtp
access-list outside_access_in extended permit object-group TCPUDP any object-group http_servers eq www
access-list outside_access_in extended permit tcp any object-group https_servers eq https
access-list outside_access_in extended permit tcp any object-group smtp_servers eq smtp
access-list outside_access_in extended permit tcp any object-group ssh_servers eq ssh
access-list outside_access_in extended permit tcp any object-group rdp_servers eq 3389
access-list outside_access_in extended permit object-group TCPUDP any object LVQuagmire object-group RB_Java_Ports
access-list outside_access_in extended permit tcp any object LVBrian object-group DM_INLINE_TCP_1
access-list outside_access_in extended permit object-group TCPUDP any object Las-Barracuda eq domain
access-list outside_access_in extended permit tcp any object Lassftp object-group DM_INLINE_TCP_2
access-list outside_access_in extended permit tcp any object LVChris object-group DM_INLINE_TCP_3
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu Voice 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit 192.168.4.0 255.255.255.0 inside
icmp permit any Voice
icmp permit 192.168.4.0 255.255.255.0 Voice
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static DM_INLINE_NETWORK_7 DM_INLINE_NETWORK_7 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 no-proxy-arp route-lookup
nat (inside,outside) source static DM_INLINE_NETWORK_13 DM_INLINE_NETWORK_13 destination static DM_INLINE_NETWORK_14 DM_INLINE_NETWORK_14 no-proxy-arp route-lookup
!
object network inside-subnet
nat (inside,outside) dynamic interface
object network Las-ITKB-01M
nat (any,any) static 136.179.XX.XX net-to-net
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 136.179.XX.XX 1
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 207.8.XX.XX
crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 2 match address outside_cryptomap_1
crypto map outside_map 2 set peer 66.155.XX.XX
crypto map outside_map 2 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 2 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 3 match address outside_cryptomap_2
crypto map outside_map 3 set peer 40.132.XX.XX
crypto map outside_map 3 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 3 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 4 match address outside_cryptomap_3
crypto map outside_map 4 set peer 63.253.XX.XX
crypto map outside_map 4 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 4 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 5 match address outside_cryptomap_4
crypto map outside_map 5 set peer 63.139.XX.XX
crypto map outside_map 5 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 5 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 6 match address outside_cryptomap_5
crypto map outside_map 6 set peer 40.139.XX.XX
crypto map outside_map 6 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 6 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map 7 match address outside_cryptomap_6
crypto map outside_map 7 set peer 74.8.XX.XX
crypto map outside_map 7 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 7 set ikev2 ipsec-proposal DES 3DES AES AES192 AES256
crypto map outside_map interface outside
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect dns
inspect icmp
inspect icmp error
class class-default
user-statistics accounting
!
03-29-2016 12:47 PM
Your redundant interface configuration is correct. Have you configured the switch ports that Redundant2 plugs into as trunk ports, and to present VLAN80 as a tagged VLAN?
From the firewall, can you ping anything in the 10.80.x.x network?
It's quite hard reading your config as you have used so many inline objects with names that have no meaning, and include similar references to many things.
03-29-2016 01:20 PM
I assume the DM_INLINE_NETWORK was created that way via the VPN Site-to-Site Wizard. I wouldn't have named them that but that must be the way the ASA decided to call them. If I go to the NAT Rules Screen, those are basically what those are but no place for a name.
The HP 3800s - Where the ASA plugs in on our "inside" interface, they are configured as Untagged 1 (default vlan) and tagged 80.
The ASA can ping from the "Voice" Interface (Vlan 80), can ping both Switches in VLAN 80.
03-29-2016 03:00 PM
I made a little progress based on reading something else -
Essentially I created a Static nat for Voice to Inside - Original source, Original destination and it created the reverse nat for inside to voice - original source, original destination. This allows the traffic to passthru the inside int to the sub int.
With this in place, my Computer located at the datacenter on the 10.100.1.x network can now successfully ping 10.80.1.2 and 10.80.1.3 (both of the Switches IP addresses on the voice vlan).
I still can't ping from my office located at 192.168.4.x to any 10.80 addresses, and the PC located at the Datacenter cannot ping the ASA's subint IP of 10.80.1.1. (policy rule?)
edit:
The ASA log shows this when I try to run a ping from my office to 10.80.1.2
4 | Mar 29 2016 | 14:59:26 | Denied ICMP type=0, from laddr 10.80.1.2 on interface inside to 192.168.4.145: no matching session |
04-01-2016 09:18 AM
Anyone else chime in?
On my office side of the VPN (192.168.4.x), I cannot ping anything in the voice network (10.80.x).
However when I was onsite yesterday, from the 10.80.X network, I can ping to 192.168.4.x and get a reply.
Second, Onsite from the 10.100.x network, I can ping the 10.80.X network, but I tried to telnet into the switch's 10.80.x IP and the connection failed.
Third - How can I NAT my Voice Interface to use the same public IP as the ASA and Internal 10.100.x ??
Thanks for any assistance.
04-03-2016 01:27 PM
I've been away for a little bit. Are you still needing this resolved? If so, can you attach a copy of your current config so I can see the state of the NAT at the moment.
04-04-2016 10:47 AM
I updated the ticket on Friday with the latest news but here is the updated show nat:
Keep in mind the DM_INLINE_NETWORK objects are the VPN sites created through the Wizard. Here are the notes from the latest issues:
1) On my office side of the VPN (192.168.4.x), I cannot ping anything in the voice network (10.80.x).
However when I was onsite Thursday, from the 10.80.X network, I can ping to 192.168.4.x and get a reply.
2) Onsite from the 10.100.x network, I can ping the 10.80.X network, but I tried to telnet into the switch's 10.80.x IP and the connection failed.
3) How can I NAT my Voice Interface to use the same public IP as the ASA and Internal 10.100.x? Or should I use a different public IP? (The problem, from what I saw, was that the ASA couldn't use the same peer IP on the other side even though the source interfaces on this side were different.)
Manual NAT Policies (Section 1)
1 (Voice) to (inside) source static Voice-network Voice-network destination static inside-subnet inside-subnet
translate_hits = 21, untranslate_hits = 71
2 (inside) to (outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
translate_hits = 7067, untranslate_hits = 7135
3 (inside) to (outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
translate_hits = 859, untranslate_hits = 859
4 (inside) to (outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 no-proxy-arp route-lookup
translate_hits = 1127, untranslate_hits = 1128
5 (inside) to (outside) source static DM_INLINE_NETWORK_7 DM_INLINE_NETWORK_7 destination static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
6 (inside) to (outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
7 (inside) to (outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (inside) to (outside) source static DM_INLINE_NETWORK_13 DM_INLINE_NETWORK_13 destination static DM_INLINE_NETWORK_14 DM_INLINE_NETWORK_14 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (any) to (any) source static Las-ITKB-01M 136.179.XXX.XXX net-to-net
translate_hits = 3446, untranslate_hits = 5887
2 (inside) to (outside) source dynamic inside-subnet interface
translate_hits = 0, untranslate_hits = 0
04-04-2016 12:09 PM
I'm going to propose something radical. Wipe your whole NAT configuration, because it is so hard to understand. Also, let's change to using object NAT to make things easier to understand.
First let's establish a PAT translation for internal networks going to the Internet.
object network voice-network
nat (any,outside) dynamic interface
object network inside-subnet
nat (any,outside) dynamic interface
Note how these only apply for traffic going to the outside interface. This means there will be no NAT between the internal networks automatically.
Now we need a NAT exclusion for VPN traffic.
nat (outside,any) source static voice-network voice-network destination static obj-LV-192.168.4.x LV-192.168.4.x no-proxy-arp route-lookup
nat (outside,any) source static inside-subnet inside-subnet destination static obj-LV-192.168.4.x LV-192.168.4.x no-proxy-arp route-lookup
Add more NAT exclusions for any extra VPNs you might have,
04-11-2016 08:38 PM
I apologize for the delay - sometimes it's a challenge to get away from the office to go onsite to test.
So I followed your instructions and removed all the NATs. I created a PAT for inside-subnet and Voice-network. I verified both subnets can ping to the internet now and ping each other.
I created individual NATs for Voice and Inside to each VPN site. I can't ping or connect to anything now from either Voice or Inside to the VPN site. I did find that if I go to the Site to Site VPN and click NAT Exempt, I can connect from 10.100 to 192.168.4.x, but when I connect from 10.80.x, I can't ping 192.168.4.x. I assume we don't want to do a NAT Exemption though?
Cisco5512(config)# show NAT
Manual NAT Policies (Section 1)
1 (outside) to (any) source static inside-subnet inside-subnet destination static LV-192.168.4.x LV-192.168.4.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
2 (outside) to (any) source static Voice-network Voice-network destination static LV-192.168.4.x LV-192.168.4.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
3 (outside) to (any) source static Voice-network Voice-network destination static LV-10.170.1.x LV-10.170.1.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
4 (outside) to (any) source static inside-subnet inside-subnet destination static LV-10.170.1.x LV-10.170.1.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
5 (outside) to (any) source static Voice-network Voice-network destination static SNA-10.171.1.x SNA-10.171.1.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
6 (outside) to (any) source static inside-subnet inside-subnet destination static SNA-192.168.2.x SNA-192.168.2.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
7 (outside) to (any) source static Voice-network Voice-network destination static RNV-10.172.1.x RNV-10.172.1.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
8 (outside) to (any) source static inside-subnet inside-subnet destination static RNV-192.168.1.x RNV-192.168.1.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
9 (outside) to (any) source static Voice-network Voice-network destination static SLC-10.179.1.x SLC-10.179.1.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
10 (outside) to (any) source static inside-subnet inside-subnet destination static SLC-192.168.11.x SLC-192.168.11.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
11 (outside) to (any) source static Voice-network Voice-network destination static SD-10.176.1.x SD-10.176.1.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
12 (outside) to (any) source static inside-subnet inside-subnet destination static SD-192.168.8.x SD-192.168.8.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
13 (outside) to (any) source static Voice-network Voice-network destination static SAC-10.175.1.x SAC-10.175.1.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
14 (outside) to (any) source static inside-subnet inside-subnet destination static SAC-192.168.7.x SAC-192.168.7.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
15 (inside) to (outside) source static DM_INLINE_NETWORK_3 DM_INLINE_NETWORK_3 destination static DM_INLINE_NETWORK_4 DM_INLINE_NETWORK_4 no-proxy-arp route-lookup
translate_hits = 21, untranslate_hits = 21
16 (inside) to (outside) source static DM_INLINE_NETWORK_5 DM_INLINE_NETWORK_5 destination static DM_INLINE_NETWORK_6 DM_INLINE_NETWORK_6 no-proxy-arp route-lookup
translate_hits = 4, untranslate_hits = 4
17 (inside) to (outside) source static DM_INLINE_NETWORK_7 DM_INLINE_NETWORK_7 destination static DM_INLINE_NETWORK_8 DM_INLINE_NETWORK_8 no-proxy-arp route-lookup
translate_hits = 11, untranslate_hits = 11
18 (inside) to (outside) source static DM_INLINE_NETWORK_9 DM_INLINE_NETWORK_9 destination static DM_INLINE_NETWORK_10 DM_INLINE_NETWORK_10 no-proxy-arp route-lookup
translate_hits = 3, untranslate_hits = 3
19 (inside) to (outside) source static DM_INLINE_NETWORK_11 DM_INLINE_NETWORK_11 destination static DM_INLINE_NETWORK_12 DM_INLINE_NETWORK_12 no-proxy-arp route-lookup
translate_hits = 4, untranslate_hits = 4
20 (inside) to (outside) source static DM_INLINE_NETWORK_13 DM_INLINE_NETWORK_13 destination static DM_INLINE_NETWORK_14 DM_INLINE_NETWORK_14 no-proxy-arp route-lookup
translate_hits = 94, untranslate_hits = 94
21 (outside) to (any) source static Voice-network Voice-network destination static LOA-10.173.1.0 LOA-10.173.1.0 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
22 (outside) to (any) source static inside-subnet inside-subnet destination static LOA-192.168.0.x LOA-192.168.0.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
23 (inside) to (outside) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup
translate_hits = 16, untranslate_hits = 16
Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic Voice-network interface
translate_hits = 427, untranslate_hits = 1
2 (any) to (outside) source dynamic inside-subnet interface
translate_hits = 585, untranslate_hits = 0
It looks like the DM_INLINE networks appear when NAT Exempt is enabled in the Site to Site screen.
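Added example, not part of any post in this thread: a Python check that parses `show nat` output in the format pasted above and flags manual NAT rules whose real (first) interface is not the interface the source subnet is connected to, along with rules that have never been hit. The connected networks and objects are taken from the posted config; treating anything not directly connected as reachable through outside is a simplifying assumption, and the function names are this example's own.

```python
import ipaddress
import re

# Connected networks from the interface section of the posted config.
# Assumption: anything not listed here is reached via the default route on outside.
CONNECTED = {
    "inside": ipaddress.ip_network("10.100.0.0/16"),
    "Voice": ipaddress.ip_network("10.80.0.0/16"),
}

# Network objects from the posted config. Keys are lower-cased because the
# thread spells the object both "voice-network" and "Voice-network".
OBJECTS = {
    "inside-subnet": ipaddress.ip_network("10.100.0.0/16"),
    "voice-network": ipaddress.ip_network("10.80.0.0/16"),
    "lv-192.168.4.x": ipaddress.ip_network("192.168.4.0/24"),
}

# Excerpt copied from the "show nat" output in the last post.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (outside) to (any) source static inside-subnet inside-subnet destination static LV-192.168.4.x LV-192.168.4.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
2 (outside) to (any) source static Voice-network Voice-network destination static LV-192.168.4.x LV-192.168.4.x no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
Auto NAT Policies (Section 2)
1 (any) to (outside) source dynamic Voice-network interface
translate_hits = 427, untranslate_hits = 1
2 (any) to (outside) source dynamic inside-subnet interface
translate_hits = 585, untranslate_hits = 0
"""

RULE = re.compile(
    r"^(?P<num>\d+) \((?P<real>\S+)\) to \((?P<mapped>\S+)\) "
    r"source (?P<kind>static|dynamic) (?P<src>\S+) (?P<xlated>\S+)"
    r"(?: destination static (?P<dst>\S+) \S+)?"
)
HITS = re.compile(r"translate_hits = (\d+), untranslate_hits = (\d+)")


def owning_interface(net):
    """Return the interface whose connected network contains `net`."""
    for name, connected in CONNECTED.items():
        if net.subnet_of(connected):
            return name
    return "outside"  # assumption: reached through the default route


def parse_show_nat(text):
    """Turn show nat text into a list of rule dicts with their hit counters."""
    rules, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if "NAT Policies" in line:
            section = line
        elif (m := RULE.match(line)):
            rules.append({**m.groupdict(), "section": section, "hits": None})
        elif (h := HITS.search(line)) and rules:
            rules[-1]["hits"] = (int(h.group(1)), int(h.group(2)))
    return rules


def audit(text):
    """Return (rule label, finding, detail) tuples for suspicious rules."""
    findings = []
    for r in parse_show_nat(text):
        label = f'{r["section"]} rule {r["num"]}'
        src = OBJECTS.get(r["src"].lower())
        if src is None:
            findings.append((label, "unknown-object", r["src"]))
            continue
        expected = owning_interface(src)
        if r["real"] not in ("any", expected):
            detail = f'{r["src"]} is behind {expected}, rule says {r["real"]}'
            findings.append((label, "real-interface-mismatch", detail))
        if r["hits"] == (0, 0):
            findings.append((label, "never-hit", r["src"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SHOW_NAT):
        print(finding)
```
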