markysharkey
Premium Member
join:2012-12-20
united kingd

2 edits

markysharkey

Premium Member

[HELP] More ASA woes...

This one is going to be an easy answer but I just can't see it!
I have a working VPN using the Cisco EZVPN client and when I am on it I can ping anything on the default VLAN, which is VLAN 10, 192.168.10.x
However I cannot ping anything on any other VLAN, 192.168.20.x, 192.168.30.x etc etc.
Here's the full config. What dumb-arsery am I missing?
ASA# sho run
! Header of the saved running-config: software release, device identity and local passwords.
! NOTE(review): 8.2(5) is a legacy ASA release (the pre-8.3 nat/global/static syntax is used
! throughout this config); check the vendor's support status and advisories for this train.
: Saved
:
ASA Version 8.2(5)
!
hostname ASA
domain-name cisco.com
! Password values are redacted ("xxxxxx") in this post. Keep doing that when sharing a
! config: stored password hashes can be attacked offline once they are public.
enable password xxxxxx
passwd xxxxxx encrypted
names
!
! Internal interfaces. The physical Gi0/0 has no "vlan" statement, so "inside"
! (192.168.10.0/24) is whatever arrives untagged on the trunk; each Gi0/0.N subinterface
! carries 802.1Q VLAN N as 192.168.N.0/24.
! Every interface below is security-level 100. Combined with
! "same-security-traffic permit inter-interface" and the absence of any access-group on an
! internal interface, this firewall does not filter traffic between the VLANs.
! NOTE(review): confirm that flat trust between all VLANs is intended; if not, give the
! VLANs distinct security levels or bind per-interface ACLs.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif vlan20
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
 vlan 30
 nameif vlan30
 security-level 100
 ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet0/0.35
 vlan 35
 nameif vlan35
 security-level 100
 ip address 192.168.35.1 255.255.255.0
!
interface GigabitEthernet0/0.40
 vlan 40
 nameif vlan40
 security-level 100
 ip address 192.168.40.1 255.255.255.0
!
interface GigabitEthernet0/0.60
 vlan 60
 nameif vlan60
 security-level 100
 ip address 192.168.60.1 255.255.255.0
!
interface GigabitEthernet0/0.70
 vlan 70
 nameif vlan70
 security-level 100
 ip address 192.168.70.1 255.255.255.0
!
interface GigabitEthernet0/0.80
 vlan 80
 nameif vlan80
 security-level 100
 ip address 192.168.80.1 255.255.255.0
!
interface GigabitEthernet0/0.90
 vlan 90
 nameif vlan90
 security-level 100
 ip address 192.168.90.1 255.255.255.0
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif vlan100
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! Gi0/1 and Gi0/2 are unused and administratively shut down.
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
! Internet-facing interface (security-level 0). The crypto map, ISAKMP and webvpn are all
! enabled on it further down, and the only access-group in this config is bound here.
interface GigabitEthernet0/3
 description WAN interface
 nameif outside
 security-level 0
 ip address 62.x.x.x 255.255.255.248
!
! Dedicated management port. "management-only" restricts it to traffic addressed to the ASA
! itself, so it does not forward traffic between networks.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
! Global defaults: FTP client mode, UK daylight-saving rule and the default DNS group.
ftp mode passive
clock summer-time BST recurring last Sun Mar 1:00 last Sun Sep 1:00
dns server-group DefaultDNS
 domain-name cisco.com
! inter-interface: interfaces with the same security level may exchange traffic. Every
! internal interface here is level 100, so this opens all VLANs to each other.
! intra-interface: traffic may enter and leave through the same interface (for example VPN
! traffic that arrives on outside and is sent back out of outside).
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! Inbound filter for Internet traffic. Despite its name, this ACL is bound to the outside
! interface by "access-group vlan35 in interface outside" further down.
! NOTE(review): a name that reflects where the ACL is applied would be harder to misread
! as a vlan35-only policy.
! SMTP from specific source networks (addresses redacted in the post; several entries are
! indistinguishable after redaction).
access-list vlan35 extended permit tcp 192.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 192.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 192.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 208.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 208.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 208.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 5.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 92.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 94.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 174.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 192.x.x.x 255.255.252.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 208.x.x.x 255.255.255.0 host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp 208.x.x.x 255.255.252.0 host 62.x.x.x eq smtp
! Services open to ANY source: tcp/20001, SMTP and tcp/3389 (RDP).
! NOTE(review): if the redacted destination is the same host as above, the any-source SMTP
! entry makes the source-restricted SMTP entries ineffective as a restriction.
! NOTE(review): RDP reachable from the whole Internet is a common brute-force target;
! restrict the source or require the VPN for it.
access-list vlan35 extended permit tcp any host 62.x.x.x eq 20001
access-list vlan35 extended permit tcp any host 62.x.x.x eq smtp
access-list vlan35 extended permit tcp any host 62.x.x.x eq 3389
! Services limited to a single source host: www, ftp-data, ftp, tcp/57612, tcp/10050.
! NOTE(review): tcp/57612 is permitted here, but the static port-forward for 57612 is UDP;
! verify which protocol is meant. FTP also carries credentials in clear text.
access-list vlan35 extended permit tcp host 62.x.x.x host 62.x.x.x eq www
access-list vlan35 extended permit tcp host 62.x.x.x host 62.x.x.x eq ftp-data
access-list vlan35 extended permit tcp host 62.x.x.x host 62.x.x.x eq ftp
access-list vlan35 extended permit tcp host 62.x.x.x host 62.x.x.x eq 57612
access-list vlan35 extended permit tcp host 62.x.x.x host 62.x.x.x eq 10050
! tcp and udp 38880, 38881 and 6000 from ANY source.
! NOTE(review): confirm what listens on these ports and whether each needs any-source access.
access-list vlan35 extended permit tcp any host 62.x.x.x eq 38880
access-list vlan35 extended permit tcp any host 62.x.x.x eq 38881
access-list vlan35 extended permit tcp any host 62.x.x.x eq 6000
access-list vlan35 extended permit udp any host 62.x.x.x eq 38880
access-list vlan35 extended permit udp any host 62.x.x.x eq 38881
access-list vlan35 extended permit udp any host 62.x.x.x eq 6000
! Split-tunnel network list, referenced by "split-tunnel-network-list value EZVPN" in
! group-policy EZVPN. With "split-tunnel-policy tunnelspecified" the client sends only
! these networks through the tunnel.
! NOTE(review): 192.168.40.0/24 and 192.168.100.0/24 exist as interfaces but are not
! listed here; confirm that is deliberate.
access-list EZVPN standard permit 192.168.10.0 255.255.255.0
access-list EZVPN standard permit 192.168.20.0 255.255.255.0
access-list EZVPN standard permit 192.168.30.0 255.255.255.0
access-list EZVPN standard permit 192.168.35.0 255.255.255.0
access-list EZVPN standard permit 192.168.60.0 255.255.255.0
access-list EZVPN standard permit 192.168.70.0 255.255.255.0
access-list EZVPN standard permit 192.168.80.0 255.255.255.0
access-list EZVPN standard permit 192.168.90.0 255.255.255.0
! NAT-exemption ACL shared by the "nat (<ifc>) 0 access-list no_nat_vpn" lines: traffic
! between each internal /24 and the VPN client pool 172.16.1.0/27 is left untranslated.
! Both directions are listed for every subnet.
! NOTE(review): 192.168.40.0/24 appears here although it is missing from the EZVPN
! split-tunnel list, and 192.168.100.0/24 appears in neither; keep the two lists in step
! with the set of VLANs that VPN users are meant to reach.
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.10.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.10.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.20.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.20.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.30.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.30.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.35.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.35.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.40.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.40.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.60.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.60.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.70.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.70.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.80.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.80.0 255.255.255.0 172.16.1.0 255.255.255.224
access-list no_nat_vpn extended permit ip 172.16.1.0 255.255.255.224 192.168.90.0 255.255.255.0
access-list no_nat_vpn extended permit ip 192.168.90.0 255.255.255.0 172.16.1.0 255.255.255.224
! Terminal paging, logging, per-interface MTU, the VPN address pool and misc. defaults.
pager lines 24
! Logging is on, but the only destination configured anywhere in this config is the ASDM
! log at level "informational"; there is no "logging host" or "logging buffered" line.
! NOTE(review): without an off-box syslog target there is no durable record of denied
! connections or VPN logins to consult after an incident.
logging enable
logging asdm informational
mtu inside 1500
mtu vlan20 1500
mtu vlan30 1500
mtu vlan35 1500
mtu vlan40 1500
mtu vlan60 1500
mtu vlan70 1500
mtu vlan80 1500
mtu vlan90 1500
mtu outside 1500
mtu management 1500
mtu vlan100 1500
! Addresses handed to remote-access VPN clients (30 usable hosts in 172.16.1.0/27);
! referenced by "address-pool vpn" in tunnel-group "tunnel".
ip local pool vpn 172.16.1.1-172.16.1.30 mask 255.255.255.224
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
! nat-control: traffic from a higher- to a lower-security interface must match a NAT rule.
nat-control
! Dynamic PAT: every "nat (<ifc>) 1" subnet below is translated to the outside interface
! address when it goes to the Internet.
global (outside) 1 interface
! Per interface: "nat 0 access-list no_nat_vpn" exempts traffic towards the VPN pool from
! translation; "nat 1" feeds the PAT rule above.
nat (inside) 0 access-list no_nat_vpn
nat (inside) 1 192.168.10.0 255.255.255.0 outside
nat (vlan20) 0 access-list no_nat_vpn
nat (vlan20) 1 192.168.20.0 255.255.255.0 outside
nat (vlan30) 0 access-list no_nat_vpn
nat (vlan30) 1 192.168.30.0 255.255.255.0 outside
nat (vlan35) 0 access-list no_nat_vpn
nat (vlan35) 1 192.168.35.0 255.255.255.0 outside
nat (vlan40) 0 access-list no_nat_vpn
nat (vlan40) 1 192.168.40.0 255.255.255.0 outside
nat (vlan60) 0 access-list no_nat_vpn
nat (vlan60) 1 192.168.60.0 255.255.255.0 outside
nat (vlan70) 0 access-list no_nat_vpn
nat (vlan70) 1 192.168.70.0 255.255.255.0 outside
nat (vlan80) 0 access-list no_nat_vpn
nat (vlan80) 1 192.168.80.0 255.255.255.0 outside
nat (vlan90) 0 access-list no_nat_vpn
nat (vlan90) 1 192.168.90.0 255.255.255.0 outside
! vlan100 has no "nat 0" line, so it has no exemption towards the VPN pool.
nat (vlan100) 1 192.168.100.0 255.255.255.0 outside
! Static PAT (port forwards) from the outside interface address to internal servers.
! What may actually reach them is decided by ACL "vlan35" bound inbound on outside.
!   192.168.35.10  : smtp, tcp/3389 (RDP), tcp/20001
!   192.168.80.120 : tcp+udp 38880, 38881
!   192.168.80.126 : tcp+udp 6000
!   192.168.90.51  : www, ftp, ftp-data, tcp/10050, udp/57612
! NOTE(review): every forward here is an Internet-facing service on an internal VLAN that
! is otherwise unfiltered towards the other VLANs; a compromise of any of these hosts
! would have a path to every internal subnet. Consider a separate DMZ security level.
! NOTE(review): udp/57612 is forwarded below, but the outside ACL permits only tcp/57612.
static (vlan35,outside) tcp interface smtp 192.168.35.10 smtp netmask 255.255.255.255
static (vlan35,outside) tcp interface 3389 192.168.35.10 3389 netmask 255.255.255.255
static (vlan80,outside) tcp interface 38881 192.168.80.120 38881 netmask 255.255.255.255
static (vlan80,outside) tcp interface 38880 192.168.80.120 38880 netmask 255.255.255.255
static (vlan90,outside) tcp interface www 192.168.90.51 www netmask 255.255.255.255
static (vlan90,outside) tcp interface 10050 192.168.90.51 10050 netmask 255.255.255.255
static (vlan90,outside) tcp interface ftp-data 192.168.90.51 ftp-data netmask 255.255.255.255
static (vlan90,outside) tcp interface ftp 192.168.90.51 ftp netmask 255.255.255.255
static (vlan90,outside) udp interface 57612 192.168.90.51 57612 netmask 255.255.255.255
static (vlan80,outside) tcp interface 6000 192.168.80.126 6000 netmask 255.255.255.255
static (vlan80,outside) udp interface 38881 192.168.80.120 38881 netmask 255.255.255.255
static (vlan80,outside) udp interface 38880 192.168.80.120 38880 netmask 255.255.255.255
static (vlan80,outside) udp interface 6000 192.168.80.126 6000 netmask 255.255.255.255
static (vlan35,outside) tcp interface 20001 192.168.35.10 20001 netmask 255.255.255.255
! Identity statics: each line maps a subnet to itself between a pair of internal
! interfaces, so hosts keep their real addresses when talking across VLANs.
! Pairs are defined between inside and most VLANs and between vlan20 and most VLANs; not
! every VLAN pair has an entry.
! NOTE(review): this list is long and hand-maintained; an ACL-based exemption per
! interface would be easier to audit.
static (inside,vlan20) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan20,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan20,vlan30) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan30,vlan20) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,vlan30) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan30,inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,vlan60) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan60,inside) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,vlan70) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan70,inside) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
static (inside,vlan80) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan80,inside) 192.168.80.0 192.168.80.0 netmask 255.255.255.0
static (inside,vlan90) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan90,inside) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
static (inside,vlan35) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan35,inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
! NOTE(review): Management0/0 is configured "management-only"; confirm these two entries
! are needed and that exposing the management subnet to inside is intended.
static (inside,management) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (management,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan40,vlan20) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (vlan20,vlan40) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,vlan100) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan100,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (vlan35,vlan20) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (vlan20,vlan35) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
! NOTE(review): the next line names interface vlan100 but the subnet 192.168.10.0/24,
! which lives on "inside"; this looks like a typo; verify the intended interface/subnet.
static (vlan100,vlan35) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan20,vlan60) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan60,vlan20) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (vlan20,vlan100) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan100,vlan20) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (vlan20,vlan70) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan70,vlan20) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
static (vlan20,vlan80) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan80,vlan20) 192.168.80.0 192.168.80.0 netmask 255.255.255.0
static (vlan20,vlan90) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan90,vlan20) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
! The only access-group in this config: ACL "vlan35" filters traffic arriving on outside.
! No ACL is bound to any internal interface.
access-group vlan35 in interface outside
! Default route via the ISP gateway (address redacted).
route outside 0.0.0.0 0.0.0.0 62.x.x.x
! Translation and connection idle timers.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
! SSH logins are checked against the local user database.
aaa authentication ssh console LOCAL
! The HTTPS/ASDM server is disabled, so the two "http" permit lines are currently inert.
no http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.10.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
! Traps are enabled, but no "snmp-server host" appears in this config.
! NOTE(review): presumably nothing receives these traps; confirm or remove.
snmp-server enable traps snmp authentication linkup linkdown coldstart
! IPsec remote-access VPN terminated on the outside interface.
! Phase 2 (ESP): 3DES encryption with MD5-HMAC integrity.
! NOTE(review): both are legacy algorithms; prefer an AES transform with SHA integrity
! (e.g. "esp-aes-256 esp-sha-hmac") if every client supports it.
crypto ipsec transform-set tunnel esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! A dynamic crypto map accepts peers whose address is not known in advance (VPN clients).
crypto dynamic-map tunnel 1 set transform-set tunnel
crypto map tunnel 1 ipsec-isakmp dynamic tunnel
crypto map tunnel interface outside
crypto isakmp enable outside
! Phase 1 (IKE): pre-shared key, 3DES, SHA-1, Diffie-Hellman group 2 (1024-bit).
! NOTE(review): group 2 and 3DES are weak by current standards; consider
! "encryption aes-256" and "group 5" where clients allow. This is the only IKE policy,
! so there is no stronger proposal for a client to negotiate.
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
! NAT traversal is disabled. NOTE(review): VPN clients that sit behind a NAT device
! normally need it ("crypto isakmp nat-traversal"); confirm this is deliberate.
no crypto isakmp nat-traversal
! Management access. No "telnet <net>" permit lines exist, so only the timeout is set.
telnet timeout 30
! SSH (version 2 only) is accepted from three whole /24s on inside, vlan20 and vlan60.
! NOTE(review): narrowing these to the admin workstations would shrink the exposure.
ssh 192.168.10.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 vlan20
ssh 192.168.60.0 255.255.255.0 vlan60
ssh timeout 30
ssh version 2
! 0 disables the idle timeout on the serial console.
! NOTE(review): an unattended console session stays logged in indefinitely.
console timeout 0
! DHCP server for the management network.
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Single NTP source, no authentication key configured.
ntp server 141.40.103.101
! SSL VPN (AnyConnect) is enabled on the outside interface in addition to IPsec.
! NOTE(review): the client image is AnyConnect 2.5.2014, an old release. If SSL VPN is
! not in use, disabling it removes an Internet-facing service; if it is, plan an upgrade.
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1 regex "Windows NT"
 svc profiles iconconnect disk0:/iconconnect.xml
 svc enable
! Policy pushed to VPN clients: split tunnelling limited to the networks in ACL "EZVPN".
group-policy EZVPN internal
group-policy EZVPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EZVPN
! Local account with full (privilege 15) rights; name and hash redacted in the post.
! NOTE(review): SSH uses the LOCAL database; if VPN user authentication also uses it,
! this admin credential doubles as a VPN login. Prefer separate low-privilege VPN users.
username xxxxxx password xxxxxx encrypted privilege 15
! Tunnel-group "tunnel" carries the address pool, the group policy and the group
! pre-shared key (masked by the ASA as *****).
! NOTE(review): a group key is shared by every client; make sure it is long and random
! and that per-user authentication is enforced on top of it.
tunnel-group tunnel type remote-access
tunnel-group tunnel general-attributes
 address-pool vpn
 default-group-policy EZVPN
tunnel-group tunnel ipsec-attributes
 pre-shared-key *****
! Tunnel-group "EZVPN" has only a default group policy: no address pool and no
! ipsec-attributes are shown for it.
tunnel-group EZVPN type remote-access
tunnel-group EZVPN general-attributes
 default-group-policy EZVPN
!
! Application inspection: the default traffic class is inspected globally (all interfaces).
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
! ICMP inspection tracks echo requests so that the matching replies are allowed back.
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxx
: end
 

Thanks...

Nubiatech
soy capitan
join:2007-09-02
Chicago, IL

Nubiatech

Member

Before bothering with the nat statements, first take a look at how the trunking is set up. You don't have a vlan 10 defined on the ASA itself.
Since you stated that 192.168.10.0/24 works, that means traffic to this subnet lands on the default native vlan, untagged on the egress, and also inbound traffic is received from the switch's trunk untagged as well.

tldr; check switch trunk configs first: allowed vlans, native vlan, etc ...
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

Switch config is fine. It's the one thing I am sure about! The ASA not so much...
VLAN 10 is on the physical Gig 0/0, or so I thought!

Nubiatech
soy capitan
join:2007-09-02
Chicago, IL

Nubiatech to markysharkey

Member

to markysharkey
Ok, I take it that the switch is configured properly, and that the following checks out:
1. Switch trunk port to the ASA is configured to allow all vlans.
2. Each access port is set to access the correct vlan.

Now, there is no vlan 10 on this ASA. We already established that traffic to the working subnet is carried over native vlans, untagged.

Just to be on the safe side, can you verify the ASA interfaces:
1. Clear the interface statistics: "clear interface". This will just clear the counters.
2. Clear asp drop stats: "clear asp drop"
3. Try to generate some traffic to all vlan if possible, or wait for a few minutes, then check the interface counters:
sho interface | i error|drops|line
This will show if there are any L2 issues, verify L2/L3 interfaces are up.
4. sho asp drop frame
5. sho asp drop flow

After that, can you post the output of:
show xlate
show nat
markysharkey
Premium Member
join:2012-12-20
united kingd

markysharkey

Premium Member

Cleared the counters.
It's a live site so traffic appears immediately.
Here's the output
ASA# sho asp drop frame
  Invalid encapsulation (invalid-encap)                                        2
  Flow is denied by configured rule (acl-drop)                               259
  First TCP packet not SYN (tcp-not-syn)                                       3
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                    8
 
Last clearing: 15:44:02 UTC Oct 14 2014 by enable_15
ASA# sho asp drop flow
  Inspection failure (inspect-fail)                                            2
 
Last clearing: 15:44:02 UTC Oct 14 2014 by enable_15
 

sho nat and sho xlate output is enormous! What am I looking for? Maybe I can sub it down a bit?

Nubiatech
soy capitan
join:2007-09-02
Chicago, IL

Nubiatech

Member

said by markysharkey:

sho nat and sho xlate output is enormous! What am I looking for? Maybe I can sub it down a bit?

We're looking for the nat order, and also to verify the xlate slots are created and nat sessions are up.
In this case, you can do show nat, and grep for the subnet that is working and compare it to the non-working subnets.
Did you verify there are no L2 drops or any other issues on the interfaces? sho interface | i error|drops|line
aryoba
MVM
join:2002-08-22

aryoba to markysharkey

MVM

to markysharkey
said by markysharkey:

nat-control
global (outside) 1 interface
nat (inside) 0 access-list no_nat_vpn
nat (inside) 1 192.168.10.0 255.255.255.0 outside
nat (vlan20) 0 access-list no_nat_vpn
nat (vlan20) 1 192.168.20.0 255.255.255.0 outside
nat (vlan30) 0 access-list no_nat_vpn
nat (vlan30) 1 192.168.30.0 255.255.255.0 outside
nat (vlan35) 0 access-list no_nat_vpn
nat (vlan35) 1 192.168.35.0 255.255.255.0 outside
nat (vlan40) 0 access-list no_nat_vpn
nat (vlan40) 1 192.168.40.0 255.255.255.0 outside
nat (vlan60) 0 access-list no_nat_vpn
nat (vlan60) 1 192.168.60.0 255.255.255.0 outside
nat (vlan70) 0 access-list no_nat_vpn
nat (vlan70) 1 192.168.70.0 255.255.255.0 outside
nat (vlan80) 0 access-list no_nat_vpn
nat (vlan80) 1 192.168.80.0 255.255.255.0 outside
nat (vlan90) 0 access-list no_nat_vpn
nat (vlan90) 1 192.168.90.0 255.255.255.0 outside
nat (vlan100) 1 192.168.100.0 255.255.255.0 outside
static (vlan35,outside) tcp interface smtp 192.168.35.10 smtp netmask 255.255.255.255
static (vlan35,outside) tcp interface 3389 192.168.35.10 3389 netmask 255.255.255.255
static (vlan80,outside) tcp interface 38881 192.168.80.120 38881 netmask 255.255.255.255
static (vlan80,outside) tcp interface 38880 192.168.80.120 38880 netmask 255.255.255.255
static (vlan90,outside) tcp interface www 192.168.90.51 www netmask 255.255.255.255
static (vlan90,outside) tcp interface 10050 192.168.90.51 10050 netmask 255.255.255.255
static (vlan90,outside) tcp interface ftp-data 192.168.90.51 ftp-data netmask 255.255.255.255
static (vlan90,outside) tcp interface ftp 192.168.90.51 ftp netmask 255.255.255.255
static (vlan90,outside) udp interface 57612 192.168.90.51 57612 netmask 255.255.255.255
static (vlan80,outside) tcp interface 6000 192.168.80.126 6000 netmask 255.255.255.255
static (vlan80,outside) udp interface 38881 192.168.80.120 38881 netmask 255.255.255.255
static (vlan80,outside) udp interface 38880 192.168.80.120 38880 netmask 255.255.255.255
static (vlan80,outside) udp interface 6000 192.168.80.126 6000 netmask 255.255.255.255
static (vlan35,outside) tcp interface 20001 192.168.35.10 20001 netmask 255.255.255.255
static (inside,vlan20) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan20,inside) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan20,vlan30) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan30,vlan20) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,vlan30) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan30,inside) 192.168.30.0 192.168.30.0 netmask 255.255.255.0
static (inside,vlan60) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan60,inside) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (inside,vlan70) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan70,inside) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
static (inside,vlan80) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan80,inside) 192.168.80.0 192.168.80.0 netmask 255.255.255.0
static (inside,vlan90) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan90,inside) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
static (inside,vlan35) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan35,inside) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (inside,management) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (management,inside) 192.168.1.0 192.168.1.0 netmask 255.255.255.0
static (vlan40,vlan20) 192.168.40.0 192.168.40.0 netmask 255.255.255.0
static (vlan20,vlan40) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (inside,vlan100) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan100,inside) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (vlan35,vlan20) 192.168.35.0 192.168.35.0 netmask 255.255.255.0
static (vlan20,vlan35) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan100,vlan35) 192.168.10.0 192.168.10.0 netmask 255.255.255.0
static (vlan20,vlan60) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan60,vlan20) 192.168.60.0 192.168.60.0 netmask 255.255.255.0
static (vlan20,vlan100) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan100,vlan20) 192.168.100.0 192.168.100.0 netmask 255.255.255.0
static (vlan20,vlan70) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan70,vlan20) 192.168.70.0 192.168.70.0 netmask 255.255.255.0
static (vlan20,vlan80) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan80,vlan20) 192.168.80.0 192.168.80.0 netmask 255.255.255.0
static (vlan20,vlan90) 192.168.20.0 192.168.20.0 netmask 255.255.255.0
static (vlan90,vlan20) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
 

Thanks...

As Nubiatech mentioned regarding the order of NAT, you may need to clean up the static and nat commands. Some nat commands can be consolidated by using access-lists. You should also migrate certain static commands into nat 0 commands.