Routing and Switching and VLAN's OH MY

I have a Cisco 2911
4 Cisco 2960 Switches.

Management IPs for routers and switches: 192.168.0.X
Virtual machine host IPs: 192.168.1.X
Cisco ASA 5512 with Firepower:
    ASA interface: 192.168.2.1
    Firepower module: 192.168.2.2
    Sourcefire database: 192.168.2.3 (running on ESXi host 192.168.1.X)

The Cisco 2911 has:
    Gig0/0 as 192.168.0.1
    Gig0/1 as 192.168.1.1
    Gig0/2 as 192.168.2.5

I can't figure out why this routing is not working properly between all the hosts, switches and routers.
I want to have the ASA on the 192.168.2.X network do my VPN into my router for traffic to the VM machines.

The VM machines are all on 192.168.1.X, one database is on 192.168.2.3, and the Windows servers are on 192.168.1.1XX.

How do I get a PC to reach everything that is needed? Having a hard time.

Also Cellular0/0/0 has a 0.0.0.0 out to the internet with a static ip.
NJ_CONSULTANT asked:
JustInCase commented:
As usual, there's more than one way to skin a cat.
The most logical (read: the easiest) way would be that for all of your networks the default gateway is set to the Cisco 2911 interface for each network, and everything should work out of the box if there is no filtering involved. But I guess that's not the case, so could you draw your topology and basic IP configuration? I guess the routing tables of the devices would help a lot besides the drawing.
NJ_CONSULTANT (Author) commented:
Attached is my current IP scheme; the theory part is what I am trying to accomplish. There won't be any physical machines connected to the switches other than my laptop for management.
CiscoNetwork.txt
NJ_CONSULTANT (Author) commented:
I am attaching my Visio Diagram.

Trying to figure out the 192.168.3.X networked PCs that sit on a VMware machine with 192.168.1.8 host IP.  

Also,
I have 0.0.0.0 0.0.0.0 to Cellular0/0/0 with NAT for internet out.
But how would I configure Cellular0/1/0 to the VPN endpoint to route BGP to the remote network?

EnterpriseNJLab_Public.pdf
JustInCase commented:
"Trying to figure out the 192.168.3.X networked PCs that sit on a VMware machine with 192.168.1.8 host IP."
In the drawing, as I understood it, my guess was that network 192.168.3.x is behind NAT on the server (that can be a burden on the server's memory and CPU). Although I think I used a topology like that without NAT (you can test that solution easily: just add a static route and see whether it works, I believe it will) - the routers must know where network 192.168.3.0 is located, otherwise traffic will be dropped. In any case, without an additional VLAN, you need to add a static route on the routers that points to the server as the next hop to reach the 192.168.3.x network. Since the IP address of the server that you will use to access the virtual machines is 192.168.1.8, the static route on both routers should be
ip route 192.168.3.0 255.255.255.0 192.168.1.8

The other solution would be to add another VLAN that reaches from the routers to those servers, and you should create a trunk to connect the switch to that server also.
(Attached diagram: Link types)
Still, there are many assumptions on my side about how the topology is really designed, so this is a generic topology.
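To see why the static route matters, and what happens when it is missing, here is an added example (not from the thread or from any of the devices in it) that models the 2911's forwarding table as the question describes it and performs a longest-prefix-match lookup. The interface names and the 192.168.3.x destination are taken from the thread; the table itself is a constructed model, not output from the router.

```python
import ipaddress

def build_table(routes):
    """routes: iterable of (prefix, next_hop) strings, e.g. ("192.168.3.0/24", "192.168.1.8").
    Entries are sorted most-specific first, so a linear scan is a longest-prefix match."""
    table = [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def lookup(table, destination):
    """Return (matched_prefix, next_hop) for destination, or None when nothing matches
    (which cannot happen once a default route is present)."""
    addr = ipaddress.ip_address(destination)
    for network, next_hop in table:
        if addr in network:
            return str(network), next_hop
    return None

def egress_interface(table, destination, max_depth=4):
    """Follow IP next hops recursively until an interface is reached, the way IOS resolves
    a static route whose next hop is an address rather than an interface."""
    target = destination
    for _ in range(max_depth):
        match = lookup(table, target)
        if match is None:
            return None
        _, next_hop = match
        try:
            ipaddress.ip_address(next_hop)
        except ValueError:
            return next_hop          # not an address, so it is an interface name
        target = next_hop            # an address: look it up in turn
    return None

# Constructed model of the 2911's forwarding table as the question describes it:
# three connected interfaces and a default route out Cellular0/0/0.
BASE_ROUTES = [
    ("192.168.0.0/24", "Gig0/0"),
    ("192.168.1.0/24", "Gig0/1"),
    ("192.168.2.0/24", "Gig0/2"),
    ("0.0.0.0/0", "Cellular0/0/0"),
]

# The static route from the answer: ip route 192.168.3.0 255.255.255.0 192.168.1.8
STATIC_ROUTE = ("192.168.3.0/24", "192.168.1.8")

def where_does_it_go(destination, extra_routes=()):
    """Look destination up in the base table plus any extra routes."""
    table = build_table(list(BASE_ROUTES) + list(extra_routes))
    return lookup(table, destination)

def leaks_to_default(destination, extra_routes=()):
    """True when the only match is the default route, i.e. internal traffic (or the replies
    to it) would be sent out to the internet instead of to the internal next hop."""
    matched, _ = where_does_it_go(destination, extra_routes)
    return matched == "0.0.0.0/0"

if __name__ == "__main__":
    for routes in ((), (STATIC_ROUTE,)):
        table = build_table(list(BASE_ROUTES) + list(routes))
        print("with static route:" if routes else "without static route:",
              where_does_it_go("192.168.3.20", routes),
              "egress", egress_interface(table, "192.168.3.20"))
```

Without the static route a 192.168.3.x destination only matches 0.0.0.0/0 and leaves via the cellular interface; with it, the next hop 192.168.1.8 is resolved through the connected 192.168.1.0/24 route to Gig0/1. The same lookup explains the later point in the thread about the ASA: a device whose most specific match for an internal network is its default route sends the replies out to the internet.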

NJ_CONSULTANT (Author) commented:
Predrag,
Thank you for the reply. I will try the static route; like you said about the NAT, I didn't do that.
With the route ip route 192.168.3.0 255.255.255.0 192.168.1.8: for the Windows 7 PCs, given that the default gateway on the router is 192.168.1.1 for the cellular internet, I know the IPs and subnet to choose, but would the default gateway then be set outside the 3.X network and be the router's 192.168.1.1, or do I need to set another default gateway on the router?

For the ASA - 192.168.2.1 is currently being used. The link between the ASA on Gig0/0 and the Cradlepoint router is just IP pass-through. Gig0/0 is outside, and Gig0/1 192.18.2.1 is inside. No wireless SSIDs are being used on the Cradlepoint. The ASA will be used for VPN into the network. I want to be able to have access to the LAN on 192.168.1.X and the PCs on the 192.168.3.1 network.
JustInCase commented:
In case you turn on routing on Windows Server 2012 (Routing and Remote Access Service), I guess that you can have 192.168.3.x as the gateway for your VMs, and the Windows server will forward traffic according to its route table. But, if I remember correctly, by default Windows will NAT the traffic; I guess there is a way not to NAT traffic from the VMs, and that would solve your problem. I know how to exclude traffic from NATting on Cisco, but I don't have a clue how to do it on Windows Server. All the articles about RRAS that I found were about how to NAT traffic.
NJ_CONSULTANT (Author) commented:
I will try and make the changes this weekend, and see how I make out.
NJ_CONSULTANT (Author) commented:
Well I did the modifications.
I did
Switch
VLAN 1 as 192.168.1.X
VLAN 2 as 192.168.2.X
VLAN 3 as 192.168.3.X
VLAN 4 as 192.168.4.X
VLAN 10 as 192.168.0.X VLAN NATIVE
Gig1/0/10 to the Cisco 2911 router is switchport trunk with allowed VLANs 1-4,10, and 10 set as native.

Router
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1
 ip address 192.168.1.1 255.255.255.0
(and likewise through GigabitEthernet0/1.4)
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10 native

The ASA has IP Address 192.168.2.5 for inside on /24
The ASA FirePower Module is on 192.168.2.2 /24
ASA Ports on the 2960 Switch are Switchport Access with VLAN 2

The switch will only route traffic to the ASA if my PC is assigned an address on the 192.168.2.X network and my port is in VLAN 2. If I try any other IP address or VLAN, or even a trunk group for the ASA, I can't get access.

Also,
The VM machines - the ones that are 192.168.1.8 and 192.168.1.9 are on the switch as trunks with VLANs 1,2 allowed.
I set a VLAN 3 with IP address 192.168.3.20, and the router currently has Gig0/1.3 with 192.168.3.1/30. If I set a VM Windows 7 machine on 192.168.3.X with GW 192.168.3.1, it doesn't seem to work for some reason.

The reason I find this odd is that the other VM hosts, 192.168.1.7 and 192.168.1.10, have the Cisco Sourcefire/FirePower VM database sitting on them with 192.168.2.3 and GW 192.168.2.1, and it works perfectly across all IPs/subnets/VLANs.

It almost makes me think the traffic isn't getting to the router properly for the ASA and for the VM on the 192.168.3.X network. From the router, if I ping the ASA's 192.168.2.X network it works. If I ping 192.168.2.5 or 2.2 sourced from 192.168.1.1 or 3.1 or 4.1, it fails.

Thanks for all the help so far.
JustInCase commented:
To check whether packets get from the host to the ASA, use tracert 192.168.2.5 on the host and you will see the path (hops). If you see the packet jump into VLAN 2 (interface VLAN 2 on the switch, or the subinterface for the VLAN 2 IP address), there are a few possibilities:
- Missing route on the ASA - the ASA needs a route back to that host (to that network). Check the ASA's routing table with sh route and see what the most specific route is that can be used to reach the other VLANs - if there is no better route than the default route, the ping reply packets will go to the internet...
- Adjust the ASA configuration - permit ping from/to other subnets.
- Check the default gateways for the devices. Here in the configuration you have interface VLAN IP addresses, and you have IP addresses on the router's subinterfaces.
If the packet doesn't come into VLAN 2, check the routes on the devices.
Also, check whether there are ACLs preventing traffic between VLANs etc...
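The checklist above (default gateways, router subinterfaces, what each trunk carries) can be run mechanically over a declared model of the switch and router. The following is an added example, not code from the thread or from the devices in it: it encodes the VLAN numbers, trunk allowed-lists, the 192.168.3.1/30 router subinterface and the Sourcefire DB address and gateway as posted, and reports every reason a host could not reach its gateway. The switch port names, the router's VLAN 2 address and the Windows 7 VM address are assumptions made for this example.

```python
import ipaddress

# Constructed model of the lab after the VLAN changes described in the post.
# VLAN numbers, trunk allowed-lists, the 192.168.3.1/30 router subinterface and the
# Sourcefire DB address/gateway come from the thread; the switch port names, the router's
# VLAN 2 address and the Windows 7 VM address are assumptions made for this example.

# Router subinterface per VLAN: the gateway address together with the router's mask.
ROUTER_SUBIFS = {
    1: "192.168.1.1/24",
    2: "192.168.2.1/24",   # assumption: the gateway the Sourcefire DB uses, per the post
    3: "192.168.3.1/30",   # as stated in the post
    4: "192.168.4.1/24",
    10: "192.168.0.1/24",
}

# Trunk ports on the 2960 and the VLANs each one is allowed to carry.
TRUNKS = {
    "Gi1/0/10 -> 2911": {1, 2, 3, 4, 10},
    "Gi1/0/1 -> ESXi 192.168.1.8": {1, 2},   # post: VM-host trunks allow VLANs 1,2
    "Gi1/0/2 -> ESXi 192.168.1.7": {1, 2},   # assumption: same allowed-list on this host
}

# Hosts, each with the trunks its frames must cross to reach the router.
HOSTS = [
    {"name": "Sourcefire DB VM", "vlan": 2, "ip": "192.168.2.3/24", "gw": "192.168.2.1",
     "path": ["Gi1/0/2 -> ESXi 192.168.1.7", "Gi1/0/10 -> 2911"]},
    {"name": "Windows 7 VM", "vlan": 3, "ip": "192.168.3.50/24", "gw": "192.168.3.1",  # constructed address
     "path": ["Gi1/0/1 -> ESXi 192.168.1.8", "Gi1/0/10 -> 2911"]},
]

def check_host(host, trunks=TRUNKS, subifs=ROUTER_SUBIFS):
    """Return the list of reasons this host cannot talk to its gateway; empty means it passes."""
    findings = []
    iface = ipaddress.ip_interface(host["ip"])
    gw = ipaddress.ip_address(host["gw"])

    # 1. The host's VLAN must be allowed on every trunk between it and the router.
    for trunk in host["path"]:
        if host["vlan"] not in trunks[trunk]:
            findings.append(f"VLAN {host['vlan']} is not allowed on trunk {trunk}")

    # 2. The gateway must be inside the host's own subnet, or the host never ARPs for it.
    if gw not in iface.network:
        findings.append(f"gateway {gw} is outside host subnet {iface.network}")

    # 3. The router must own the gateway address on that VLAN ...
    sub = subifs.get(host["vlan"])
    if sub is None:
        findings.append(f"router has no subinterface for VLAN {host['vlan']}")
        return findings
    router = ipaddress.ip_interface(sub)
    if router.ip != gw:
        findings.append(f"gateway {gw} is not the router address {router.ip} on VLAN {host['vlan']}")

    # 4. ... and the router's mask must cover the host, or it treats the host as off-link.
    if iface.ip not in router.network:
        findings.append(f"host {iface.ip} is outside router subnet {router.network} on VLAN {host['vlan']}")
    return findings

def allow_vlan(trunks, trunk, vlan):
    """Return a copy of the trunk table with vlan added to one trunk's allowed-list."""
    updated = {name: set(vlans) for name, vlans in trunks.items()}
    updated[trunk].add(vlan)
    return updated

def audit(hosts=HOSTS, trunks=TRUNKS, subifs=ROUTER_SUBIFS):
    """Map each host name to its list of findings."""
    return {h["name"]: check_host(h, trunks, subifs) for h in hosts}

if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, "OK" if not findings else findings)
    fixed = allow_vlan(TRUNKS, "Gi1/0/1 -> ESXi 192.168.1.8", 3)
    print("after allowing VLAN 3:", audit(trunks=fixed)["Windows 7 VM"])
```

The Sourcefire DB passes every check, which matches the post. The VLAN 3 host fails twice: its VLAN is missing from the allowed-list on the trunk to its ESXi host, and a /30 on the router only covers 192.168.3.0-3, so any other host address on that VLAN is off-link from the router's point of view. Adding VLAN 3 to the trunk clears the first finding and leaves the second, which is the kind of separation a checker like this gives you before touching the devices.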
NJ_CONSULTANT (Author) commented:
Overall routing is working, so for the ASA I will just have to log in with an IP on the 2.X network and reconfigure the policies or ACLs. That isn't the biggest priority currently; the routing issues were.
And I am annoyed that some of the issues were all because of miscounting a port number on the switch and having an incorrect VLAN allowed tag on the trunk. Fixed that and now the 3.X network is routing.

Thank you for your help, sir.
NJ_CONSULTANT (Author) commented:
Excellent support and feedback, and very understanding.  Been a long time since I touched a router.
JustInCase commented:
I am glad I could help.