It will be on different subnets. Treat it like a Router where every interface should be on different subnet

You manage to configure it yet ? Let us know here for more info if needed

I am still on site and no success yet!

the router and firewall are not communicating.  I have configure OUTSIDE interface of firewall to the router with 192.168.2.1 255.255.255.0 while INSIDE with 192.168.1.1 255.255.255.0. Access list that allows both network and tied to EXTERNAL INTERFACE. yet i can not ping WAN IP on the router also, i can not ping other host on 192.168.1.0

Pls help

There is still no handshake between Router and Firewall!. I had to bypass the firewall to avoid downtime. Below is the working config on the router.

AMENITY_ROUTER#sh run
Building configuration...

Current configuration : 5539 bytes
!
! Last configuration change at 12:07:04 UTC Tue Jan 21 2020 by .....
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AMENITY_ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $1$.e89$Fr1KFh3/5uOkVQWmzMzIZ1
enable password 666666
!
no aaa new-model
bsd-client server url https://cloudsso.cisco.com/as/token.oauth2

ip dhcp excluded-address 192.168.1.0 192.168.1.5
!
ip dhcp pool INTERNAL_NETWORK
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
lease 2

ip domain name yourdomain.com
ip cef
no ipv6 cef
multilink bundle-name authenticated
!
cts logging verbose
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-549131248
!
!
crypto pki certificate chain TP-self-signed-5
certificate self-signed 01
3
license udi pid CISCO1941/
!
!
username A privilege 15 secret 5 $1$Q2Gq$cvhgvoNDYAgTN6oTaW6fj0
!
redundancy

interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description INTERNAL LINK TO THE LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description EXTERNAL LINK TO ISP
ip address m.x.y.z. 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
ip default-gateway A.B.C.D
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 A.B.C.D
!
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

AMENITY_ROUTER#

FIREWALL CONFIG:

ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
hostname ciscoasa
enable password W.AKqMdQEbiC07IP encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
description to LAN_INSIDE
nameif INSIDE
security-level 100
ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/1
nameif OUTSIDE
security-level 0
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
access-list OUTSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list OUTSIDE_IN extended permit tcp 192.168.2.0 255.255.255.0 any eq www
pager lines 24
mtu INSIDE 1500
mtu OUTSIDE 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUTSIDE_IN in interface INSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 OUTSIDE
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aa64576aef38f9593a31c31ebcb0e5b8
: end
ciscoasa#

Please Help

Hi,

I have notice 2 things;

1) when you connect Router LAN to ASA outside, u changed the IP on the router from 192.168.1.0 to 192.168.2.0 ?

2) if u did above then u need to also add the Route of 192.168.1.0 pointing to the Asa interface

i would suggest below changes on the Router and Firewall:

interface GigabitEthernet0/0
description INTERNAL LINK TO THE LAN
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip dhcp pool INTERNAL_NETWORK
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
lease 2
!
ip route 192.168.1.0 255.255.255.0 192.168.2.2

At FW

interface Ethernet0/0
description to LAN_INSIDE
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/1
nameif OUTSIDE
security-level 0
ip address 192.168.2.2 255.255.255.0

!
no access-list OUTSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
no access-list OUTSIDE_IN extended permit tcp 192.168.2.0 255.255.255.0 any eq www

!no need to put above as traffic from inside network to outside will be allowed

Test it using below:

From ASA: Ping 192.168.2.1 ?
Inside your network , ping ASA Inside interface, Router LAN Interface

What i could deduce from your recommendation is:

**Router interface to Firewall External interface to be on 192.168.2.1 and 192.168.2.2 - same network.

**Firewall interface to switch to be on 192.168.1.1 - DHCP pool network

On the router:

ip route 192.168.1.0 255.255.255.0 192.168.2.2

What about adding this default route to the router to forward traffic to ISP gateway (A.B.C.D):

ip route 0.0.0.0 0.0.0.0 A.B.C.D

yes thats correct and default route should be there on the Router pointing to ISP to make your traffic reachable to Internet.

Further, you need to also have default Route on the FW pointing to Router LAN Side interface ( 192.168.2.0)

Command at FW:

route outside 0.0.0.0 0.0.0.0 192.168.2.x ( where x is Router IP )