@AJPujol if "can see how the RX counter keeps going up but TX is zero." this is probably a NAT issue, where you have another NAT rule that is unintentially translating the traffic. You need a NAT exemption rule, here is an example.

Thank you so much for the information! It seems that, whether i like it or not, the 4 hosts on the 90.0/24 that were not responding , were specific asterisks that "suddenly" started to inject TX ...

This scenario does not make me happy since now the VPN tunnel has no NAT exception, still, it "works"

While being logged on a 33.0/24 host, i try to ping a 90.0/24 hosts and it say something about asymmetric  NAT rules matched.... (which i cannot see an ICMP response) but i guess i should ask that question on another post on a new topic ?

Thank you again!

And FINALLY, this is the sh run output

Result of the command: "show running-config"

: Saved

:

: Serial Number: JMX190540J6

: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz

:

ASA Version 9.2(3)

!

hostname FW-HOSTNAME

enable password kwn0Q1zI.A6CxRDI encrypted

names

!

interface Ethernet0/0

switchport access vlan 2

!

interface Ethernet0/1

switchport trunk allowed vlan 83,87-89

switchport mode trunk

shutdown

!

interface Ethernet0/2

!

interface Ethernet0/3

description INSIDE-OFFICE

switchport trunk allowed vlan 1,80,90

switchport mode trunk

!

interface Ethernet0/4

switchport access vlan 80

!

interface Ethernet0/5

switchport access vlan 90

switchport trunk allowed vlan 80,90

!

interface Ethernet0/6

!

interface Ethernet0/7

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.79.1 255.255.255.0

!

interface Vlan2

description Internet-Office

nameif outside

security-level 0

ip address 190.210.195.241 255.255.255.252

!

interface Vlan80

description ALL

nameif inside-80

security-level 100

ip address 192.168.80.1 255.255.255.0

!

interface Vlan83

description Devs

nameif inside-83

security-level 100

ip address 192.168.83.1 255.255.255.0

!

interface Vlan87

description CCR

nameif inside-87

security-level 100

ip address 192.168.87.1 255.255.255.0

!

interface Vlan88

description QA

nameif inside-88

security-level 100

ip address 192.168.88.1 255.255.255.0

!

interface Vlan89

description Guest

nameif inside-89

security-level 100

ip address 192.168.89.1 255.255.255.0

!

interface Vlan90

description INFRA

nameif inside-90

security-level 100

ip address 192.168.90.1 255.255.255.0

!

ftp mode passive

clock timezone ART -3

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj_any

subnet 0.0.0.0 0.0.0.0

object network FW-CORE

host 192.168.9.125

object network Red-20

subnet 192.168.20.0 255.255.255.0

object network Red-33

subnet 192.168.33.0 255.255.255.0

object network Red-34

subnet 192.168.34.0 255.255.255.0

object network Red-35

subnet 192.168.35.0 255.255.255.0

object network Red-9

subnet 192.168.9.0 255.255.255.0

object network PUBLICA-FW-CORE

host 200.XXX.XXX.XXX

object network Red-80

subnet 192.168.80.0 255.255.255.0

object network Red-90

subnet 192.168.90.0 255.255.255.0

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object ip

protocol-object icmp

object-group network DM_INLINE_NETWORK_1

network-object object Red-80

network-object object Red-90

object-group network DM_INLINE_NETWORK_2

network-object object Red-33

network-object object Red-34

network-object object Red-35

access-list outside_cryptomap extended permit ip object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2

access-list outside_access_in extended permit ip any any

access-list inside-90_access_in extended permit ip any any

access-list inside-90_access_in extended permit ip object Red-90 any

access-list inside-80_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any

access-list inside_access_in extended permit ip any any

pager lines 24

logging enable

logging asdm informational

mtu inside 1500

mtu outside 1500

mtu inside-80 1500

mtu inside-83 1500

mtu inside-87 1500

mtu inside-88 1500

mtu inside-89 1500

mtu inside-90 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

nat (outside,inside-90) source static DM_INLINE_NETWORK_1 DM_INLINE_NETWORK_1 destination static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 no-proxy-arp route-lookup

!

object network obj_any

nat (any,outside) dynamic interface

!

nat (outside,inside-90) after-auto source static any any unidirectional no-proxy-arp

access-group inside_access_in in interface inside

access-group outside_access_in in interface outside

access-group inside-80_access_in in interface inside-80

access-group inside-90_access_in in interface inside-90

route outside 0.0.0.0 0.0.0.0 190.XXX.XXXX.XXX 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

http server enable

http 192.168.79.0 255.255.255.0 inside

http 192.168.35.37 255.255.255.255 inside

http 192.168.12.0 255.255.255.0 inside

http 192.168.90.0 255.255.255.0 inside-90

http 192.168.80.0 255.255.255.0 inside-80

http 0.0.0.0 0.0.0.0 outside

no snmp-server location

no snmp-server contact

crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac

crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac

crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport

crypto ipsec ikev2 ipsec-proposal AES256

protocol esp encryption aes-256

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES192

protocol esp encryption aes-192

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal AES

protocol esp encryption aes

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal 3DES

protocol esp encryption 3des

protocol esp integrity sha-1 md5

crypto ipsec ikev2 ipsec-proposal DES

protocol esp encryption des

protocol esp integrity sha-1 md5

crypto ipsec security-association pmtu-aging infinite

crypto map outside_map 1 match address outside_cryptomap

crypto map outside_map 1 set peer 200.XXX.XXX.XXX

crypto map outside_map 1 set ikev1 transform-set ESP-AES-128-SHA

crypto map outside_map 1 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES

crypto map outside_map interface outside

crypto ca trustpool policy

crypto ikev2 policy 1

encryption aes-256

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 10

encryption aes-192

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 20

encryption aes

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 30

encryption 3des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 policy 40

encryption des

integrity sha

group 5 2

prf sha

lifetime seconds 86400

crypto ikev2 enable inside

crypto ikev2 enable outside

crypto ikev2 enable inside-80

crypto ikev2 enable inside-90

crypto ikev1 enable inside

crypto ikev1 enable outside

crypto ikev1 enable inside-80

crypto ikev1 enable inside-90

crypto ikev1 policy 1

authentication pre-share

encryption aes

hash md5

group 2

lifetime 86400

crypto ikev1 policy 2

authentication pre-share

encryption aes-256

hash md5

group 1

lifetime 86400

crypto ikev1 policy 3

authentication pre-share

encryption 3des

hash md5

group 2

lifetime 86400

telnet timeout 5

no ssh stricthostkeycheck

ssh 192.168.12.0 255.255.255.0 inside

ssh timeout 60

ssh key-exchange group dh-group1-sha1

console timeout 0

dhcpd auto_config outside

!

dhcpd address 192.168.79.5-192.168.79.6 inside

!

dhcpd address 192.168.80.100-192.168.80.200 inside-80

dhcpd dns 8.8.8.8 interface inside-80

dhcpd enable inside-80

!

dhcpd address 192.168.83.100-192.168.83.200 inside-83

dhcpd enable inside-83

!

dhcpd address 192.168.87.100-192.168.87.200 inside-87

dhcpd enable inside-87

!

dhcpd address 192.168.88.100-192.168.88.200 inside-88

dhcpd enable inside-88

!

dhcpd address 192.168.89.60-192.168.89.200 inside-89

dhcpd enable inside-89

!

dhcpd address 192.168.90.100-192.168.90.149 inside-90

dhcpd dns 8.8.8.8 interface inside-90

dhcpd enable inside-90

!

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

anyconnect-essentials

group-policy GroupPolicy_200.XXX.XXX.XXX internal

group-policy GroupPolicy_200.XXX.XXX.XXX attributes

vpn-tunnel-protocol ikev1 ikev2

username ROOT-USERNAME password xxXXxxxxXXxxXX encrypted privilege 15

username SU-ROOT-USERNAME password xxXXxxxxXXxxXX encrypted privilege 15

tunnel-group 200.xxx.xxx.xxx type ipsec-l2l

tunnel-group 200.xxx.xxx.xxx general-attributes

default-group-policy GroupPolicy_200.xxx.xxx.xxx

tunnel-group 200.xxx.xxx.xxx ipsec-attributes

ikev1 pre-shared-key xxxxx

ikev2 remote-authentication pre-shared-key xxxxx

ikev2 local-authentication pre-shared-key xxxxx

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum: xxXXXxxxxXXXxxxxxXX

: end