Allow traffic between 2 INSIDE same level security interfaces on ASA Version 9.0.1

CyborgX_CZ
Level 1

Hi,

For the past 2 days I have been searching and trying to solve this one simple problem in my home lab with an ASA 5510, and it seems there is no straightforward answer to it; besides, most of the answers that I found are related to older pre-8.3 versions, so many of the commands people suggest trying are obsolete.

This is my scenario.

Security Level 0 F0/0 Outside (Internet)
Security Level 100 F0/1 Inside-LAN 192.168.75.0/24 (L3 Switch)
Security Level 100 F0/2 Inside-R1 192.168.76.0/24 (Router)
Security Level 100 F0/3 Inside-R2 192.168.77.0/24 (Router)

What I'm trying to accomplish is that a host sitting behind F0/2 or F0/3 will be able to communicate (ping) with a host sitting behind F0/1. These are all inside interfaces with security level 100, and both

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

are enabled, and still no luck. I was trying different "obj" NAT rules and playing with ACLs, but still I can't reach (ping) from the router connected to F0/2 into F0/1. However, I'm able to ping all interfaces within the ASA itself.

Can somebody please give me some hints on what else to do or try? I'm open to any suggestions, or to changing the security levels, as long as I get those inside ports to communicate with each other.

9 Replies

trdatta
Cisco Employee

Can you please run a packet tracer from source to destination and share the results?

You can find the packet tracer functionality in ASDM.

Regards

Tripat Kaur

I can't find anything that would save the result from PACKET TRACER, but running ICMP echo-reply from

Inside-LAN 192.168.75.1 -> 192.168.77.2 :


Route Lookup: OK

ACCESS LIST: X

Config
Implicit Rule

Result: The packet is dropped.
Info: (acl-drop) Flow is denied by configured rule

Inside-LAN 192.168.75.1 -> 192.168.77.1 :


Route Lookup: OK

Route Lookup: OK


Result: The packet is dropped.
Info: (no-route) no route to host

Hi,

That drop is not necessarily due to an ACL and could be for any reason. Here is the CLI syntax:

packet-tracer input [src_int] protocol src_addr src_port dest_addr  dest_port [detailed] [xml]

E.g., as per your IP addresses (run the command the same way on the CLI):

for ICMP:

packet-tracer input Inside-LAN icmp 192.168.75.1 8 0 192.168.77.2 detail

and for other communications like HTTP:

packet-tracer input inside tcp 192.168.75.1 1024 192.168.77.2 80 detail

Regards

Tripat Kaur

Oh gotcha CLI :-) BTW: thank you so much for taking your time....

ASA-5510# packet-tracer input Inside-LAN icmp 192.168.75.1 8 0 192.168.77.2 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace647c8, priority=1, domain=permit, deny=false
        hits=12741, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Inside-LAN, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.77.0    255.255.255.0   Inside-R2

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace6ec00, priority=500, domain=permit, deny=true
        hits=0, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.75.1, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=any

Result:
input-interface: Inside-LAN
input-status: up
input-line-status: up
output-interface: Inside-R2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

ASA-5510# packet-tracer input inside-lan tcp 192.168.75.1 1024 192.168.77.2 80 detail

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.77.0    255.255.255.0   Inside-R2

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace6ec00, priority=500, domain=permit, deny=true
        hits=1, user_data=0x6, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=192.168.75.1, mask=255.255.255.255, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=any

Result:
input-interface: Inside-LAN
input-status: up
input-line-status: up
output-interface: Inside-R2
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

Here is a piece from "sh run" showing all my access rules.

...

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-LAN
 subnet 192.168.75.0 255.255.255.0
object network Inside-R1
 subnet 192.168.76.0 255.255.255.0
object network Inside-R2
 subnet 192.168.77.0 255.255.255.0
object network NETWORK_OBJ_172.16.0.0_28
 subnet 172.16.0.0 255.255.255.240
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_3 tcp
 port-object eq www
 port-object eq https
object-group service DM_INLINE_TCP_4 tcp
 port-object eq www
 port-object eq https
access-list Outside-TWC_access_in extended permit icmp any any echo-reply
access-list Outside-TWC_access_in extended permit tcp any any object-group DM_INLINE_TCP_4
access-list Outside-TWC_access_in extended permit udp any any eq ntp
access-list Inside-LAN_access_in extended permit ip any any
access-list Inside-LAN_access_in extended permit tcp any any object-group DM_INLINE_TCP_2
access-list Inside-LAN_access_in extended permit icmp any any
access-list Inside-LAN_access_in extended permit udp any any eq ntp
access-list Inside-R1_access_in extended permit ip any any
access-list Inside-R1_access_in extended permit tcp any any object-group DM_INLINE_TCP_1
access-list Inside-R1_access_in extended permit icmp any any
access-list Inside-R1_access_in extended permit udp any any eq ntp
access-list Inside-R2_access_in extended permit ip any any
access-list Inside-R2_access_in extended permit tcp any any object-group DM_INLINE_TCP_3
access-list Inside-R2_access_in extended permit icmp any any
access-list Inside-R2_access_in extended permit udp any any eq ntp
access-list CyberNet_LAN standard permit 192.168.75.0 255.255.255.0
access-list CyberNet_LAN standard permit 192.168.76.0 255.255.255.0
access-list CyberNet_LAN standard permit 192.168.77.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu Outside-TWC 1500
mtu Inside-LAN 1500
mtu Inside-R1 1500
mtu Inside-R2 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (Inside-LAN,Outside-TWC) source static any any destination static NETWORK_OBJ_172.16.0.0_28 NETWORK_OBJ_172.16.0.0_28 no-proxy-arp route-lookup
!
object network Inside-LAN
 nat (any,Outside-TWC) dynamic interface
object network Inside-R1
 nat (any,Outside-TWC) dynamic interface
object network Inside-R2
 nat (any,Outside-TWC) dynamic interface
access-group Outside-TWC_access_in in interface Outside-TWC
access-group Inside-LAN_access_in in interface Inside-LAN
access-group Inside-R1_access_in in interface Inside-R1
access-group Inside-R2_access_in in interface Inside-R2

...

You're most welcome, and we can try some more commands, like running another packet tracer from another source such as 192.168.75.10, as 192.168.75.1 could be the ASA's interface IP address. Is that so? If yes, the results are not accurate and we might have to run them again. After running the tests, if it again comes up as an ACL drop, then we also try creating one NAT exemption for the traffic, as NAT comes before the ACL and that phase looks missing; though that's not required for internal communication, it would sometimes also cause the issue.

For testing, I am writing a NAT statement specifically for the above source and destination; let's see the results (run the packet tracer again after implementing the NAT statement):

object network obj-192.168.75.10
 host 192.168.75.10
object network obj-192.168.77.20
 host 192.168.77.2
nat (Inside-LAN, Inside-R2) 1 source static obj-192.168.75.10 obj-192.168.75.10 destination static obj-192.168.77.20 obj-192.168.77.20

and let me know how it goes.

Regards

Tripat Kaur
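The exemption above is two network objects plus one twice-NAT line, and, as the next reply in the thread shows, it is easy to paste an object whose name encodes one address while its `host` line carries another. The following is an added Python example written for this thread (not Cisco code, not part of any ASA tool) that lints such a snippet before it is applied: it checks that an address embedded in an object name matches the object's `host`/`subnet` line, that every object a `nat ... source static ... destination static ...` line references is defined, and that each real/mapped pair is identity (the same object twice), since a differing pair translates the traffic instead of exempting it. `SAMPLE_CONFIG` is the snippet exactly as posted above; the regexes cover only the object-network and twice-NAT syntax shown in this thread.

```python
"""Lint an ASA twice-NAT exemption before pasting it into the box.

Added example for this thread, not Cisco code. It catches the slip in the
snippet above (an object named obj-192.168.77.20 whose host line reads
192.168.77.2), a nat line that references an object never defined, and a
'source static A B' pair where A != B, which translates instead of exempting.
SAMPLE_CONFIG is the snippet as posted above.
"""
import re

OBJECT_RE = re.compile(r"^object network (\S+)$")
ADDR_RE = re.compile(r"^(?:host|subnet) (\S+)(?: (\S+))?$")
NAT_RE = re.compile(
    r"^nat \(([^,]+),\s*([^)]+)\)(?: \d+)? source static (\S+) (\S+)"
    r" destination static (\S+) (\S+)"
)
IP_IN_NAME_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
KEYWORDS = {"any", "interface"}  # legal in a nat line without an object definition


def parse_objects(config: str) -> dict:
    """Map each 'object network' name to its address ('host x' or 'subnet x mask')."""
    objects, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            objects.setdefault(current, None)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            objects[current] = " ".join(g for g in m.groups() if g)
    return objects


def lint_nat_exemption(config: str) -> list:
    """Return human-readable findings; an empty list means the snippet is consistent."""
    findings, objects = [], parse_objects(config)
    for name, addr in objects.items():
        m = IP_IN_NAME_RE.search(name)
        if m and addr and addr.split()[0] != m.group(0):
            findings.append(f"object {name}: name says {m.group(0)} but definition is '{addr}'")
    for raw in config.splitlines():
        m = NAT_RE.match(raw.strip())
        if not m:
            continue
        _ingress, _egress, src, src_mapped, dst, dst_mapped = m.groups()
        for role, real, mapped in (("source", src, src_mapped), ("destination", dst, dst_mapped)):
            if real not in objects and real not in KEYWORDS:
                findings.append(f"nat: {role} object {real} is not defined")
            if real != mapped:
                findings.append(f"nat: {role} {real} -> {mapped} translates; identity NAT needs the same object twice")
    return findings


# The exemption exactly as posted in the thread (including the host slip it contains).
SAMPLE_CONFIG = """\
object network obj-192.168.75.10
 host 192.168.75.10
object network obj-192.168.77.20
 host 192.168.77.2
nat (Inside-LAN, Inside-R2) 1 source static obj-192.168.75.10 obj-192.168.75.10 destination static obj-192.168.77.20 obj-192.168.77.20
"""

if __name__ == "__main__":
    for finding in lint_nat_exemption(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the posted snippet it reports exactly one finding, the `obj-192.168.77.20` / `host 192.168.77.2` mismatch; once the host line is corrected the list is empty.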

Yes, you're right, 192.168.75.1 is the ASA F0/1 interface static IP.

Anyway, assuming in your NAT statement you meant host 192.168.77.20 and not host 192.168.77.2, here is the result.... Oh, and I also switched your 192.168.75.10 to 192.168.75.200, because 192.168.75.10 is the IP address of my printer, in case that would give wrong results.

Note: I was experimenting and created another obj rule for the entire subnet, and I'm able to ping any address in the range 192.168.75.2-254 and 192.168.77.2-254, but once I use the ASA Ethernet IP address... in my case 192.168.75.1 or 192.168.76.1 or 192.168.77.1, the packet gets dropped :-( Even changing the security level doesn't help.

ASA-5510# packet-tracer input Inside-LAN icmp 192.168.75.200 8 0 192.168.77.20 detail

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace692f8, priority=1, domain=permit, deny=false
        hits=3320, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Inside-LAN, output_ifc=any

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.77.0    255.255.255.0   Inside-R2

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside-LAN,Inside-R2) source static obj-192.168.75.200 obj-192.168.75.200 destination static obj-192.168.77.20 obj-192.168.77.20
Additional Information:
NAT divert to egress interface Inside-R2
Untranslate 192.168.77.20/0 to 192.168.77.20/0

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside-LAN_access_in in interface Inside-LAN
access-list Inside-LAN_access_in extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xacf17b98, priority=13, domain=permit, deny=false
        hits=697, user_data=0xaa46b880, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=any

Phase: 5
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside-LAN,Inside-R2) source static obj-192.168.75.200 obj-192.168.75.200 destination static obj-192.168.77.20 obj-192.168.77.20
Additional Information:
Static translate 192.168.75.200/0 to 192.168.75.200/0
 Forward Flow based lookup yields rule:
 in  id=0xae1dff48, priority=6, domain=nat, deny=false
        hits=0, user_data=0xac5b1898, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.75.200, mask=255.255.255.255, port=0, tag=0
        dst ip/id=192.168.77.20, mask=255.255.255.255, port=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=Inside-R2

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac71ac48, priority=0, domain=nat-per-session, deny=true
        hits=1372, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace6eb50, priority=0, domain=inspect-ip-options, deny=true
        hits=862, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace6e650, priority=66, domain=inspect-icmp-error, deny=false
        hits=113, user_data=0xace6dc60, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=any

Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside-LAN,Inside-R2) source static obj-192.168.75.200 obj-192.168.75.200 destination static obj-192.168.77.20 obj-192.168.77.20
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xae1e0170, priority=6, domain=nat-reverse, deny=false
        hits=1, user_data=0xace9f068, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.75.200, mask=255.255.255.255, port=0, tag=0
        dst ip/id=192.168.77.20, mask=255.255.255.255, port=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=Inside-R2

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1268, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...

Result:
input-interface: Inside-LAN
input-status: up
input-line-status: up
output-interface: Inside-R2
output-status: up
output-line-status: up
Action: allow

ASA-5510# packet-tracer input inside-lan tcp 192.168.75.200 1024 192.168.77.20 80 detail


Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   192.168.77.0    255.255.255.0   Inside-R2

Phase: 2
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (Inside-LAN,Inside-R2) source static obj-192.168.75.200 obj-192.168.75.200 destination static obj-192.168.77.20 obj-192.168.77.20
Additional Information:
NAT divert to egress interface Inside-R2
Untranslate 192.168.77.20/80 to 192.168.77.20/80

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group Inside-LAN_access_in in interface Inside-LAN
access-list Inside-LAN_access_in extended permit ip any any
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xacf17b98, priority=13, domain=permit, deny=false
        hits=883, user_data=0xaa46b880, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=any

Phase: 4
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (Inside-LAN,Inside-R2) source static obj-192.168.75.200 obj-192.168.75.200 destination static obj-192.168.77.20 obj-192.168.77.20
Additional Information:
Static translate 192.168.75.200/1024 to 192.168.75.200/1024
 Forward Flow based lookup yields rule:
 in  id=0xae1dff48, priority=6, domain=nat, deny=false
        hits=1, user_data=0xac5b1898, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=192.168.75.200, mask=255.255.255.255, port=0, tag=0
        dst ip/id=192.168.77.20, mask=255.255.255.255, port=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=Inside-R2

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xac718948, priority=0, domain=nat-per-session, deny=false
        hits=1047, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace6eb50, priority=0, domain=inspect-ip-options, deny=true
        hits=1102, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=any

Phase: 7
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (Inside-LAN,Inside-R2) source static obj-192.168.75.200 obj-192.168.75.200 destination static obj-192.168.77.20 obj-192.168.77.20
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0xae1e0170, priority=6, domain=nat-reverse, deny=false
        hits=2, user_data=0xace9f068, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.75.200, mask=255.255.255.255, port=0, tag=0
        dst ip/id=192.168.77.20, mask=255.255.255.255, port=0, tag=0 dscp=0x0
        input_ifc=Inside-LAN, output_ifc=Inside-R2

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xac718948, priority=0, domain=nat-per-session, deny=false
        hits=1049, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0xacebc700, priority=0, domain=inspect-ip-options, deny=true
        hits=642, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0 dscp=0x0
        input_ifc=Inside-R2, output_ifc=any

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 1603, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: Inside-LAN
input-status: up
input-line-status: up
output-interface: Inside-R2
output-status: up
output-line-status: up
Action: allow

Yes, that's true. You won't be able to ping any device using the ASA's IP address as the source in the packet tracer, and it will always give you the result "drop", because when you take the ASA's interface IP address as the "source" it becomes to-the-box traffic, whereas tools like packet-tracer are used to check through-the-box traffic.

Now, as you said, you are able to ping the rest of the IP addresses in the subnet, so after this, what exactly are you trying to achieve?

Just a bit more information: you can only ping the facing interface of the ASA and not the far ones; e.g., users behind Inside-LAN can only ping 192.168.75.1 and cannot ping Inside-R2's 192.168.77.1, due to security reasons.

As mentioned earlier, the pings between the hosts of Inside-LAN and Inside-R2 are working, so does that resolve the purpose, or is there something else you are looking for?

If this answers all your concerns, you can mark the answer as correct.

Regards

Tripat Kaur
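Two things in this thread are worth automating when reading `packet-tracer ... detail` output: finding the phase that produced the drop (the earlier traces show an `ACCESS-LIST` phase with `Implicit Rule` and a `deny=true` entry keyed on `src ip/id=192.168.75.1`), and noticing, as the accepted answer does, that a trace sourced from one of the ASA's own interface addresses is to-the-box traffic and therefore not a valid through-the-box test at all. The Python below is an added example written for this thread, not ASA code or a Cisco tool: it parses the phase blocks and the trailing `Result:` summary into a small structure and returns a verdict. `SAMPLE_TRACE` is condensed from the first ICMP trace posted above (phase 1 and the mac/hit-count lines are left out), and `ASA_INTERFACE_IPS` is the set of interface addresses the poster names (192.168.75.1, 192.168.76.1, 192.168.77.1); the `detail` output format is as shown in this thread, nothing more is assumed.

```python
"""Parse Cisco ASA ``packet-tracer ... detail`` output and explain its verdict.

Added example for this thread; not ASA code or a Cisco tool. SAMPLE_TRACE is
condensed from the ICMP trace posted above, and ASA_INTERFACE_IPS is the set
of interface addresses the poster states (192.168.75.1, .76.1 and .77.1).
"""
import re
from dataclasses import dataclass, field

PHASE_RE = re.compile(r"^Phase:\s*(\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason):\s*(.*)$")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)  # lines under "Config:"
    info: list = field(default_factory=list)    # lines under "Additional Information:"


@dataclass
class Trace:
    command: str = ""
    phases: list = field(default_factory=list)
    action: str = ""
    drop_reason: str = ""


def parse_packet_tracer(text: str) -> Trace:
    """Walk the output once: numbered phases first, then the bare 'Result:' summary."""
    trace, phase, section, summary = Trace(), None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if "packet-tracer input" in line:        # the echoed command, after the prompt
            trace.command = line[line.index("packet-tracer"):]
            continue
        m = PHASE_RE.match(line)
        if m:
            phase = Phase(int(m.group(1)))
            trace.phases.append(phase)
            section = None
            continue
        if line == "Result:":                    # no value: this is the summary block
            phase, section, summary = None, None, True
            continue
        if line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
            continue
        m = FIELD_RE.match(line)
        if m and section is None:
            key, value = m.groups()
            if phase is not None and key in ("Type", "Subtype", "Result"):
                setattr(phase, key.lower(), value)
            elif summary and key == "Action":
                trace.action = value
            elif summary and key == "Drop-reason":
                trace.drop_reason = value
        elif phase is not None and section and line:
            getattr(phase, section).append(line)
    return trace


def diagnose(text: str, interface_ips: frozenset) -> tuple:
    """Return (verdict, explanation); a trace sourced from a box address is flagged first."""
    trace = parse_packet_tracer(text)
    parts = trace.command.split()                # packet-tracer input <ifc> <proto> <src> ...
    src = parts[4] if len(parts) > 4 else ""
    if src in interface_ips:
        return ("to-the-box", f"source {src} is an ASA interface address; packet-tracer "
                "models through-the-box flows only, so this run is not a valid test")
    if trace.action == "allow":
        return ("allow", f"flow permitted through all {len(trace.phases)} phases")
    drop = next((p for p in trace.phases if p.result == "DROP"), None)
    where = f"phase {drop.number} {drop.type} ({'; '.join(drop.config)})" if drop else "unknown phase"
    return (trace.drop_reason or "drop", f"dropped at {where}")


ASA_INTERFACE_IPS = frozenset({"192.168.75.1", "192.168.76.1", "192.168.77.1"})

# Condensed from the thread's first trace: phase 1 and the mac/hit-count lines are omitted.
SAMPLE_TRACE = """\
ASA-5510# packet-tracer input Inside-LAN icmp 192.168.75.1 8 0 192.168.77.2 detail

Phase: 3
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xace6ec00, priority=500, domain=permit, deny=true
        src ip/id=192.168.75.1, mask=255.255.255.255, port=0, tag=0

Result:
input-interface: Inside-LAN
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""
```

`diagnose(SAMPLE_TRACE, ASA_INTERFACE_IPS)` returns the `to-the-box` verdict because the source is the F0/1 address; with an empty interface set it instead reports the `(acl-drop)` reason and the phase (`phase 3 ACCESS-LIST (Implicit Rule)`) that produced it, which is the distinction the accepted answer draws.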

Well, my problem is basically this... and I will try to explain it to you as much as I can, but this is just me playing around with a bunch of older Cisco gear with 0 real-time experience, so bear with me.

F0/0 Outside (Internet)
F0/1 Inside-LAN 192.168.75.0/24 -> vlan75 on 3750G switch
F0/2 Inside-R1 192.168.76.0/24 (Router)
F0/3 Inside-R2 192.168.77.0/24 (Router)

Now the ASA and my 3750G are the only devices that will give me full internet speed, so all my wired computers are connected to that switch in vlan75. Besides vlan75 there is also vlan99 on my switch and on the rest of my devices except the ASA, which is my management vlan. The switch has a connection from vlan99 to each of my devices:

2x  1811W

1x  2811

1x  2950

Now on my computer, which is connected to vlan75, I'm able to receive ICMP packets through the vlan99 IP address 192.168.90.x from any device on my network except that switch. Basically I'm practicing now with some network monitoring tools and I would like to add my switch to the list, and this is the only one that is unreachable. If I trace the ping, it gets stuck on the router R2, which is connected like this:

WAN port: F0/1 to F0/3 on ASA

Switch port: F0/5 to G0/23 on 3750G via vlan99

This is only happening when I'm trying to ping that switch from my computer in vlan75 (same as ASA F0/1); if I SSH into any device on my network using its vlan99 address, I have no problem communicating with that switch.

If I ping any other device, like S2-2950, from my computer, the tracert command will show me:


C:\Users\VMStation-1>tracert 192.168.90.40

Tracing route to 192.168.90.40 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.77.9
  2     2 ms     2 ms     2 ms  192.168.90.40

Trace complete.

C:\Users\VMStation-1>

and this is when I ping the S1-3750


C:\Users\VMStation-1>tracert 192.168.90.30

Tracing route to 192.168.90.30 over a maximum of 30 hops

  1     1 ms    <1 ms    <1 ms  192.168.77.9
  2     *        *        *     Request timed out.
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
  6     *        *        *     Request timed out.
  7     *        *        *     Request timed out.
  8     *        *        *     Request timed out.
  9     *        *        *     Request timed out.
 10     *        *        *     Request timed out.
 11

I know that I would probably be better off with a router sitting after my ASA, but unfortunately I have nothing powerful enough to deliver my 100MB internet speed; if I use any other device the throughput cuts to 30mb.

Anyway, I hope that I explained my situation well enough, and sorry if I wasted your time. I really thought the problem was somewhere with those interfaces on my ASA; now I think it's the actual design of my network that is wrong :-(

PS: Including a screenshot of my topology; the only thing missing in that picture is the ASA.

Note: Picture manually edited so you can see my troubled area... I think it's because the ASA is sitting on the same vlan; let me know if that's the case and I will have to figure out a different way. I was thinking about a few scenarios while I was working that I will try tonight when I get home, but I want to make sure this is a dead end.
