topic ASA will not pass traffic in Network Security

ASA will not pass traffic

blake.d.green.mil1 — Thu, 06 Feb 2020 15:47:42 GMT

Good Morning

My team recent received ASA 5506. I'm currently in the process of setting one up for scanning and ran into some issues. I can not get the thing to pass traffic. I can piing the inside from the inside network and outside from the outside network. But I can not ping thru the device. Any help would be grateful.

ASA Version 9.8(2)
!
hostname CGASATEST
enable password $sha512$5000$fWOBFLyMFFvJ7MXr8LExZg==$HXiVH3aMwKaatZMylDevDw== pbkdf2
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.83.45 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.90.185 255.255.255.0
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
!
nat (inside,outside) after-auto source dynamic any interface
route outside 0.0.0.0 0.0.0.0 192.168.83.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 513fb9743870b73440418d30930699ff
30820538 30820420 a0030201 02021051 3fb97438 70b73440 418d3093 0699ff30
0d06092a 864886f7 0d01010b 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
33313033 31303030 3030305a 170d3233 31303330 32333539 35395a30 7e310b30
09060355 04061302 5553311d 301b0603 55040a13 1453796d 616e7465 6320436f
72706f72 6174696f 6e311f30 1d060355 040b1316 53796d61 6e746563 20547275
7374204e 6574776f 726b312f 302d0603 55040313 2653796d 616e7465 6320436c
61737320 33205365 63757265 20536572 76657220 4341202d 20473430 82012230
0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b2d805ca
1c742db5 175639c5 4a520996 e84bd80c f1689f9a 422862c3 a530537e 5511825b
037a0d2f e17904c9 b4967719 81019459 f9bcf77a 9927822d b783dd5a 277fb203
7a9c5325 e9481f46 4fc89d29 f8be7956 f6f7fdd9 3a68da8b 4b823341 12c3c83c
ccd6967a 84211a22 04032717 8b1c6861 930f0e51 80331db4 b5ceeb7e d062acee
b37b0174 ef6935eb cad53da9 ee9798ca 8daa440e 25994a15 96a4ce6d 02541f2a
6a26e206 3a6348ac b44cd175 9350ff13 2fd6dae1 c618f59f c9255df3 003ade26
4db42909 cd0f3d23 6f164a81 16fbf283 10c3b8d6 d855323d f1bd0fbd 8c52954a
16977a52 2163752f 16f9c466 bef5b509 d8ff2700 cd447c6f 4b3fb0f7 02030100
01a38201 63308201 5f301206 03551d13 0101ff04 08300601 01ff0201 00303006
03551d1f 04293027 3025a023 a021861f 68747470 3a2f2f73 312e7379 6d63622e
636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630
2f06082b 06010505 07010104 23302130 1f06082b 06010505 07300186 13687474
703a2f2f 73322e73 796d6362 2e636f6d 306b0603 551d2004 64306230 60060a60
86480186 f8450107 36305230 2606082b 06010505 07020116 1a687474 703a2f2f
7777772e 73796d61 7574682e 636f6d2f 63707330 2806082b 06010505 07020230
1c1a1a68 7474703a 2f2f7777 772e7379 6d617574 682e636f 6d2f7270 61302906
03551d11 04223020 a41e301c 311a3018 06035504 03131153 796d616e 74656350
4b492d31 2d353334 301d0603 551d0e04 1604145f 60cf6190 55df8443 148a602a
b2f57af4 4318ef30 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3
4339fa02 af333133 300d0609 2a864886 f70d0101 0b050003 82010100 5e945649
dd8e2d65 f5c13651 b603e3da 9e7319f2 1f59ab58 7e6c2605 2cfa81d7 5c231722
2c3793f7 86ec85e6 b0a3fd1f e232a845 6fe1d9fb b9afd270 a0324265 bf84fe16
2a8f3fc5 a6d6a393 7d43e974 21913528 f463e92e edf7f55c 7f4b9ab5 20e90abd
e045100c 14949a5d a5e34b91 e8249b46 4065f422 72cd99f8 8811f5f3 7fe63382
e6a8c57e fed008e2 25580871 68e6cda2 e614de4e 52242dfd e5791353 e75e2f2d
4d1b6d40 15522bf7 87897812 816ed94d aa2d78d4 c22c3d08 5f87919e 1f0eb0de
30526486 89aa9d66 9c0e760c 80f274d8 2af8b83a ced7d60f 11be6bab 14f5bd41
a0226389 f1ba0f6f 2963662d 3fac8c72 c5fbc7e4 d40ff23b 4f8c29c7
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.83.0 255.255.255.0 outside
ssh 192.168.90.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username spawar password $sha512$5000$HNaO3pmjIzQfSi53n/iLgA==$doLniCACelb8m3E2XJUKGQ== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:d9c5b91cad618c11797edf1251d025f0
: end

Re: ASA will not pass traffic

Rob Ingram — Thu, 06 Feb 2020 15:58:47 GMT

Hi,
You are inspecting icmp so I'd expect you to be able to recieve a response to a ping and you are natting behind the outside interface.
What are you pinging from the inside of the ASA?
What ever device you are pinging to that have a route to your ASA's outside interface?

HTH

Re: ASA will not pass traffic

blake.d.green.mil1 — Thu, 06 Feb 2020 16:39:18 GMT

RJI

First thanks for you imput. But I trying to ping from the outside(192.168.83.0 network to a rtr sitting off the insides(192.168.90.0 network) interface. But unable to ping or even ssh to that device. Yes the device has a route ASA's outside interface

Re: ASA will not pass traffic

Rob Ingram — Thu, 06 Feb 2020 16:48:52 GMT

Ok, so if you are attempting to ping from outside to inside then that currently won't work until you define an ACL inbound on the outside interface permitting the traffic. You will also probably need a static NAT.

HTH

Re: ASA will not pass traffic

blake.d.green.mil1 — Thu, 06 Feb 2020 20:11:49 GMT

Can you please help with the last recommendations

here what I created

access-list outside_inbound extended permit icmp any any log

nat (inside,outside) after-auto source static any interface
access-group outside_inbound in interface outside?

Re: ASA will not pass traffic

Rob Ingram — Thu, 06 Feb 2020 21:41:58 GMT

That won't work for accesing the inside network from the outside, you'll need a 121 static nat, e.g:-

object network SRV1
 host 192.168.90.100
 nat (inside,outside) static 192.168.83.100

access-list outside_inbound permit icmp any host 192.168.90.100

access-group outside_inbound in interface outside

Re: ASA will not pass traffic

blake.d.green.mil1 — Thu, 06 Feb 2020 21:27:49 GMT

still no joy

hostname CGASATEST
enable password $sha512$5000$fWOBFLyMFFvJ7MXr8LExZg==$HXiVH3aMwKaatZMylDevDw== pbkdf2
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 192.168.83.45 255.255.255.0
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.90.185 255.255.255.0
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
interface BVI1
no nameif
security-level 100
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
same-security-traffic permit inter-interface
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
object network SRV1
host 192.168.90.100
access-list outside_inbound extended permit icmp any host 192.168.83.100
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
object network SRV1
nat (inside,outside) static 192.168.83.100
access-group outside_inbound in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.83.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca 513fb9743870b73440418d30930699ff
30820538 30820420 a0030201 02021051 3fb97438 70b73440 418d3093 0699ff30
0d06092a 864886f7 0d01010b 05003081 ca310b30 09060355 04061302 55533117
30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b
13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504
0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72
20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56
65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043
65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31
33313033 31303030 3030305a 170d3233 31303330 32333539 35395a30 7e310b30
09060355 04061302 5553311d 301b0603 55040a13 1453796d 616e7465 6320436f
72706f72 6174696f 6e311f30 1d060355 040b1316 53796d61 6e746563 20547275
7374204e 6574776f 726b312f 302d0603 55040313 2653796d 616e7465 6320436c
61737320 33205365 63757265 20536572 76657220 4341202d 20473430 82012230
0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b2d805ca
1c742db5 175639c5 4a520996 e84bd80c f1689f9a 422862c3 a530537e 5511825b
037a0d2f e17904c9 b4967719 81019459 f9bcf77a 9927822d b783dd5a 277fb203
7a9c5325 e9481f46 4fc89d29 f8be7956 f6f7fdd9 3a68da8b 4b823341 12c3c83c
ccd6967a 84211a22 04032717 8b1c6861 930f0e51 80331db4 b5ceeb7e d062acee
b37b0174 ef6935eb cad53da9 ee9798ca 8daa440e 25994a15 96a4ce6d 02541f2a
6a26e206 3a6348ac b44cd175 9350ff13 2fd6dae1 c618f59f c9255df3 003ade26
4db42909 cd0f3d23 6f164a81 16fbf283 10c3b8d6 d855323d f1bd0fbd 8c52954a
16977a52 2163752f 16f9c466 bef5b509 d8ff2700 cd447c6f 4b3fb0f7 02030100
01a38201 63308201 5f301206 03551d13 0101ff04 08300601 01ff0201 00303006
03551d1f 04293027 3025a023 a021861f 68747470 3a2f2f73 312e7379 6d63622e
636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630
2f06082b 06010505 07010104 23302130 1f06082b 06010505 07300186 13687474
703a2f2f 73322e73 796d6362 2e636f6d 306b0603 551d2004 64306230 60060a60
86480186 f8450107 36305230 2606082b 06010505 07020116 1a687474 703a2f2f
7777772e 73796d61 7574682e 636f6d2f 63707330 2806082b 06010505 07020230
1c1a1a68 7474703a 2f2f7777 772e7379 6d617574 682e636f 6d2f7270 61302906
03551d11 04223020 a41e301c 311a3018 06035504 03131153 796d616e 74656350
4b492d31 2d353334 301d0603 551d0e04 1604145f 60cf6190 55df8443 148a602a
b2f57af4 4318ef30 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3
4339fa02 af333133 300d0609 2a864886 f70d0101 0b050003 82010100 5e945649
dd8e2d65 f5c13651 b603e3da 9e7319f2 1f59ab58 7e6c2605 2cfa81d7 5c231722
2c3793f7 86ec85e6 b0a3fd1f e232a845 6fe1d9fb b9afd270 a0324265 bf84fe16
2a8f3fc5 a6d6a393 7d43e974 21913528 f463e92e edf7f55c 7f4b9ab5 20e90abd
e045100c 14949a5d a5e34b91 e8249b46 4065f422 72cd99f8 8811f5f3 7fe63382
e6a8c57e fed008e2 25580871 68e6cda2 e614de4e 52242dfd e5791353 e75e2f2d
4d1b6d40 15522bf7 87897812 816ed94d aa2d78d4 c22c3d08 5f87919e 1f0eb0de
30526486 89aa9d66 9c0e760c 80f274d8 2af8b83a ced7d60f 11be6bab 14f5bd41
a0226389 f1ba0f6f 2963662d 3fac8c72 c5fbc7e4 d40ff23b 4f8c29c7
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.83.0 255.255.255.0 outside
ssh 192.168.90.0 255.255.255.0 inside
ssh timeout 30
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username spawar password $sha512$5000$HNaO3pmjIzQfSi53n/iLgA==$doLniCACelb8m3E2XJUKGQ== pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
Cryptochecksum:da77ea1e7cb7812c77a5f1842b94ab4c
: end

?

Re: ASA will not pass traffic

Rob Ingram — Thu, 06 Feb 2020 21:41:09 GMT

I gave you the wrong example on the ACL, modify the destination to be the real IP address. E.g. "access-list outside_inbound permit icmp any host 192.168.90.100" - bear in mind this is an example, change 192.168.90.100 to be the real IP address of the host on the inside of the network. Connect to it using from the outside using the nat ip address - 192.168.83.100 < this address could be changed if required.

Also confirm your existing nat rules are not above this new nat rule, provide the output of "show nat detail" if needs be.

If this is an internal firewall segmenting traffic inside your network, you could of course just route traffic and remove all nat.

Re: ASA will not pass traffic

blake.d.green.mil1 — Thu, 06 Feb 2020 22:33:14 GMT

Good news I was able to go back and make some correction and I can now go from outside to inside. my next issues is now I cant hit me server vlan on my router .

output listed below

ASA Version 9.8(2)

hostname CGASATEST

enable password $sha512$5000$fWOBFLyMFFvJ7MXr8LExZg==$HXiVH3aMwKaatZMylDevDw== pbkdf2

names

interface GigabitEthernet1/1

nameif outside

security-level 0

ip address 192.168.83.45 255.255.255.0

interface GigabitEthernet1/2

nameif inside

security-level 100

ip address 192.168.90.185 255.255.255.0

interface GigabitEthernet1/3

bridge-group 1

nameif inside_2

security-level 100

interface GigabitEthernet1/4

bridge-group 1

nameif inside_3

security-level 100

interface GigabitEthernet1/5

bridge-group 1

nameif inside_4

security-level 100

interface GigabitEthernet1/6

bridge-group 1

nameif inside_5

security-level 100

interface GigabitEthernet1/7

bridge-group 1

nameif inside_6

security-level 100

interface GigabitEthernet1/8

bridge-group 1

nameif inside_7

security-level 100

interface Management1/1

management-only

no nameif

no security-level

no ip address

interface BVI1

no nameif

security-level 100

ip address 192.168.1.1 255.255.255.0

ftp mode passive

same-security-traffic permit inter-interface

object network obj_any1

subnet 0.0.0.0 0.0.0.0

object network obj_any2

subnet 0.0.0.0 0.0.0.0

object network obj_any3

subnet 0.0.0.0 0.0.0.0

object network obj_any4

subnet 0.0.0.0 0.0.0.0

object network obj_any5

subnet 0.0.0.0 0.0.0.0

object network obj_any6

subnet 0.0.0.0 0.0.0.0

object network obj_any7

subnet 0.0.0.0 0.0.0.0

object network inside-subnet

subnet 192.168.83.0 255.255.255.0

object network outside_IP

host 10.19.83.45

access-list inside_out_acl extended permit ip any any

access-list inside_out_acl extended permit icmp any any

pager lines 24

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu inside_2 1500

mtu inside_3 1500

mtu inside_4 1500

mtu inside_5 1500

mtu inside_6 1500

mtu inside_7 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

arp rate-limit 16384

object network obj_any2

nat (inside_2,outside) dynamic interface

object network obj_any3

nat (inside_3,outside) dynamic interface

object network obj_any4

nat (inside_4,outside) dynamic interface

object network obj_any5

nat (inside_5,outside) dynamic interface

object network obj_any6

nat (inside_6,outside) dynamic interface

object network obj_any7

nat (inside_7,outside) dynamic interface

object network inside-subnet

nat (inside,outside) dynamic interface

access-group inside_out_acl in interface outside

access-group inside_out_acl out interface outside

route outside 0.0.0.0 0.0.0.0 192.168.83.1 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

timeout conn-holddown 0:00:15

timeout igp stale-route 0:01:10

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication login-history

http server enable

http 192.168.1.0 255.255.255.0 inside_2

http 192.168.1.0 255.255.255.0 inside_3

http 192.168.1.0 255.255.255.0 inside_4

http 192.168.1.0 255.255.255.0 inside_5

http 192.168.1.0 255.255.255.0 inside_6

http 192.168.1.0 255.255.255.0 inside_7

no snmp-server location

no snmp-server contact

service sw-reset-button

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpoint _SmartCallHome_ServerCA

no validation-usage

crl configure

crypto ca trustpool policy

crypto ca certificate chain _SmartCallHome_ServerCA

certificate ca 513fb9743870b73440418d30930699ff

30820538 30820420 a0030201 02021051 3fb97438 70b73440 418d3093 0699ff30

0d06092a 864886f7 0d01010b 05003081 ca310b30 09060355 04061302 55533117

30150603 55040a13 0e566572 69536967 6e2c2049 6e632e31 1f301d06 0355040b

13165665 72695369 676e2054 72757374 204e6574 776f726b 313a3038 06035504

0b133128 63292032 30303620 56657269 5369676e 2c20496e 632e202d 20466f72

20617574 686f7269 7a656420 75736520 6f6e6c79 31453043 06035504 03133c56

65726953 69676e20 436c6173 73203320 5075626c 69632050 72696d61 72792043

65727469 66696361 74696f6e 20417574 686f7269 7479202d 20473530 1e170d31

33313033 31303030 3030305a 170d3233 31303330 32333539 35395a30 7e310b30

09060355 04061302 5553311d 301b0603 55040a13 1453796d 616e7465 6320436f

72706f72 6174696f 6e311f30 1d060355 040b1316 53796d61 6e746563 20547275

7374204e 6574776f 726b312f 302d0603 55040313 2653796d 616e7465 6320436c

61737320 33205365 63757265 20536572 76657220 4341202d 20473430 82012230

0d06092a 864886f7 0d010101 05000382 010f0030 82010a02 82010100 b2d805ca

1c742db5 175639c5 4a520996 e84bd80c f1689f9a 422862c3 a530537e 5511825b

037a0d2f e17904c9 b4967719 81019459 f9bcf77a 9927822d b783dd5a 277fb203

7a9c5325 e9481f46 4fc89d29 f8be7956 f6f7fdd9 3a68da8b 4b823341 12c3c83c

ccd6967a 84211a22 04032717 8b1c6861 930f0e51 80331db4 b5ceeb7e d062acee

b37b0174 ef6935eb cad53da9 ee9798ca 8daa440e 25994a15 96a4ce6d 02541f2a

6a26e206 3a6348ac b44cd175 9350ff13 2fd6dae1 c618f59f c9255df3 003ade26

4db42909 cd0f3d23 6f164a81 16fbf283 10c3b8d6 d855323d f1bd0fbd 8c52954a

16977a52 2163752f 16f9c466 bef5b509 d8ff2700 cd447c6f 4b3fb0f7 02030100

01a38201 63308201 5f301206 03551d13 0101ff04 08300601 01ff0201 00303006

03551d1f 04293027 3025a023 a021861f 68747470 3a2f2f73 312e7379 6d63622e

636f6d2f 70636133 2d67352e 63726c30 0e060355 1d0f0101 ff040403 02010630

2f06082b 06010505 07010104 23302130 1f06082b 06010505 07300186 13687474

703a2f2f 73322e73 796d6362 2e636f6d 306b0603 551d2004 64306230 60060a60

86480186 f8450107 36305230 2606082b 06010505 07020116 1a687474 703a2f2f

7777772e 73796d61 7574682e 636f6d2f 63707330 2806082b 06010505 07020230

1c1a1a68 7474703a 2f2f7777 772e7379 6d617574 682e636f 6d2f7270 61302906

03551d11 04223020 a41e301c 311a3018 06035504 03131153 796d616e 74656350

4b492d31 2d353334 301d0603 551d0e04 1604145f 60cf6190 55df8443 148a602a

b2f57af4 4318ef30 1f060355 1d230418 30168014 7fd365a7 c2ddecbb f03009f3

4339fa02 af333133 300d0609 2a864886 f70d0101 0b050003 82010100 5e945649

dd8e2d65 f5c13651 b603e3da 9e7319f2 1f59ab58 7e6c2605 2cfa81d7 5c231722

2c3793f7 86ec85e6 b0a3fd1f e232a845 6fe1d9fb b9afd270 a0324265 bf84fe16

2a8f3fc5 a6d6a393 7d43e974 21913528 f463e92e edf7f55c 7f4b9ab5 20e90abd

e045100c 14949a5d a5e34b91 e8249b46 4065f422 72cd99f8 8811f5f3 7fe63382

e6a8c57e fed008e2 25580871 68e6cda2 e614de4e 52242dfd e5791353 e75e2f2d

4d1b6d40 15522bf7 87897812 816ed94d aa2d78d4 c22c3d08 5f87919e 1f0eb0de

30526486 89aa9d66 9c0e760c 80f274d8 2af8b83a ced7d60f 11be6bab 14f5bd41

a0226389 f1ba0f6f 2963662d 3fac8c72 c5fbc7e4 d40ff23b 4f8c29c7

quit

telnet timeout 5

ssh stricthostkeycheck

ssh 192.168.83.0 255.255.255.0 outside

ssh 192.168.90.0 255.255.255.0 inside

ssh timeout 30

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

dynamic-access-policy-record DfltAccessPolicy

username spawar password $sha512$5000$HNaO3pmjIzQfSi53n/iLgA==$doLniCACelb8m3E2XJUKGQ== pbkdf2 privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

no tcp-inspection

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

inspect icmp

service-policy global_policy global

prompt hostname context

call-home reporting anonymous

Cryptochecksum:bb53ef66da7015a5afd23b14d5867193

: end

and here is my router output

interface GigabitEthernet0/0/0

description Connection to Rack 82 Switch

ip address 192.168.90.186 255.255.255.252

negotiation auto

interface GigabitEthernet0/0/1

no ip address

shutdown

negotiation auto

interface GigabitEthernet0/1/0

switchport access vlan 30

switchport mode access

interface GigabitEthernet0/1/1

switchport access vlan 40

switchport mode access

interface GigabitEthernet0/1/2

switchport access vlan 40

switchport mode access

interface GigabitEthernet0/1/3

switchport access vlan 40

switchport mode access

interface GigabitEthernet0/1/4

switchport access vlan 40

switchport mode access

interface GigabitEthernet0/1/5

switchport access vlan 40

switchport mode access

interface GigabitEthernet0/1/6

interface GigabitEthernet0/1/7

interface GigabitEthernet0

vrf forwarding Mgmt-intf

no ip address

shutdown

negotiation auto

interface Vlan1

no ip address

interface Vlan30

description Server VLAN

ip address 192.168.90.161 255.255.255.240

interface Vlan40

description Workstations VLAN

ip address 192.168.90.129 255.255.255.224

router ospf 1

network 192.168.90.128 0.0.0.31 area 0

network 192.168.90.160 0.0.0.15 area 0

network 192.168.90.184 0.0.0.3 area 0

Re: ASA will not pass traffic

Rob Ingram — Thu, 06 Feb 2020 22:48:24 GMT

So the ASA is connected to the router's Gi0/0/0 interface?
On the ASA you've defined the internal network as 192.168.90.0/24 but then on the router the Gi0/0/0 subnet mask is /30 and then the VLANs are also segmented in to a /28 and /29 within the 192.168.90.0/24 subnet.

Change the Gi0/0/0 subnet mask to /24 to match the ASA and then change the VLANs to something else, e.g 192.168.91.0/24 and 192.168.92.0/24. Define a static route on the ASA for those networks pointing to the Gi0/0/0 IP address of the router.