Routing and Switching and VLANs, OH MY

I have a Cisco 2911 and 4 Cisco 2960 switches.

Management IPs for routers and switches are 192.168.0.X
Virtual machine host IPs are 192.168.1.X
Cisco ASA 5512 - Firepower - ASA interface
                             Firepower module -
                             Sourcefire database - (running on ESXi host 192.168.1.X)

The Cisco 2911 has Gig0/0 as
                                 Gig0/1 as
                                 Gig0/2 as

I can't figure out why this routing is not working properly between all the hosts, switches and routers.
I want to have the ASA with the 192.168.2.X network do my VPN into my router for traffic to the VM machines.

The VM machines are all on the 192.168.1.X, and one database is on, and the Windows servers are on

How do I get it from a PC to reach everything that is needed? Having a hard time.

Also, Cellular0/0/0 goes out to the internet with a static IP.

As usual, there's more than one way to skin a cat.
Most logical (read: the easiest way) would be that for all of your networks the default gateway is set to your Cisco 2911 interface for each network, and everything should work out of the box if there is no filtering involved. But I guess that's not the case, so could you draw your topology and basic IP configuration? I guess the routing tables of the devices would help a lot besides the drawing.
NJ_CONSULTANT (Author) commented:
Attached is my current IP scheme, and the theory part is what I am trying to accomplish. There won't be any physical machines connected to the switches other than my laptop for management.
NJ_CONSULTANT (Author) commented:
I am attaching my Visio diagram.

Trying to figure out the 192.168.3.X networked PCs that sit on a VMware machine with host IP.

I have the Cellular 0/0/0 with NAT for internet out.
But how would I configure the Cellular 0/1/0 to the VPN endpoint to route BGP to the remote network?

Trying to figure out the 192.168.3.X networked PCs that sit on a VMware machine with host IP.
In the drawing, as I understood it, my guess was that network 192.168.3.x is behind NAT on the server (that can be a burden on the server's memory and CPU). Although I think I used a topology like that without NAT (you can test that solution easily: just add a static route and see whether it works; I believe it will) - routers must know where a network is located, otherwise traffic will be dropped. In any case, without an additional VLAN, you need to add a static route on the routers pointing to the server as the next hop to reach the 192.168.3.x network. Since the IP address of the server that you will use to access the virtual machines is, the static route on both routers should be
ip route

The other solution would be to add another VLAN that reaches from the routers to those servers, and you should create a trunk to connect the switch to that server also.
[Diagram: Link types]
Still, there are many assumptions on my side about how the topology is really designed, so this is a generic topology.

NJ_CONSULTANT (Author) commented:
Thank you for the reply. I will try the static route; like you said about the NAT, that I didn't do.
With the route ip route   For the Windows 7 PCs, given that the default gateway on the router is for the cellular internet: I know the IPs to choose and the subnet, but would the default gateway then be set outside the 3.X network and be the router's, or do I need to set another default gateway on the router?

For the ASA - The  is currently being used. The link between the ASA on Gig0/0 and the Cradlepoint router is just IP pass-through. Gig0/0 is outside, and Gig0/1 is inside. No wireless SSIDs are being used on the Cradlepoint. The ASA will be used for VPN into the network. I want to be able to have access to the LAN on 192.168.1.X and the PCs on the  network.
In case you turn on routing on Windows Server 2012 (Routing and Remote Access Service), I guess that you can have the 192.168.3.x  as the gateway for your VMs and the Windows server will forward traffic according to its route table. But, if I remember correctly, by default Windows will NAT traffic, though I guess there is a way not to NAT traffic from the VMs, and that would solve your problem. I know how to exclude traffic from NATing on Cisco, but I don't have a clue how to do it on Windows Server. All the articles about RRAS that I found were about how to NAT traffic.
NJ_CONSULTANT (Author) commented:
I will try and make the changes this weekend and see how I make out.
NJ_CONSULTANT (Author) commented:
Well, I did the modifications.
I did
VLAN 1 as 192.168.1.X
VLAN 2 as 192.168.2.X
VLAN 3 as 192.168.3.X
VLAN 4 as 192.168.4.X
VLAN 10 as 192.168.0.X, VLAN NATIVE
Gig 1/0/10 to the Cisco 2911 router is switchport trunk with allowed VLANs 1-4,10, and then 10 set as native.

interface Gig0/1.1
 encapsulation dot1Q 1
 ip address
through Gig0/1.4
interface Gig0/1.10
 encapsulation dot1Q 10 native

The ASA has IP address  for inside on a /24
The ASA FirePower module is on  /24
The ASA ports on the 2960 switch are switchport access with VLAN 2

The switch will only route traffic to the ASA if I have my PC assigned an IP in the 192.168.2.X network and have my port on VLAN 2. If I try any other IP address or VLAN, or even a trunk group for the ASA, I can't get access.

The VM machines - The one that is  and  are on the switch as trunks with VLANs allowed 1,2
I set a VLAN 3 with IP address  and the router has Gig0/1.3 with  currently. If I set a VM Windows 7 machine on 192.168.3.X with GW  it doesn't seem to work for some reason.

The reason I find this odd is that the other VM host  and  have the Cisco Sourcefire/FirePower VM database sitting on it with  and GW  and it works perfectly across all IPs/subnets/VLANs.

It almost makes me think the traffic isn't getting to the router properly for the ASA and the VM for the 192.168.3.X network. From the router, if I ping the ASA on the 192.168.2.X network it works. If I ping  or 2.2 sourced from  or 3.1 or 4.1, it fails.

Thanks for all the help so far.
To check whether packets get from the host to the ASA, use tracert on the host and you will see the path (hops). If you see the packet jump into VLAN 2 (interface VLAN 2 on the switch, or the subinterface with the VLAN 2 IP address), there are a few possibilities:
Missing route on the ASA - the ASA needs a route back to that host (to that network). Check the ASA's routing table with #sh route and see which most specific route can be used to reach the other VLANs; if there is no better route than the default route, the ping reply packets will go out to the internet...
Adjust the ASA configuration - permit ping from/to the other subnets.
Check the default gateways of the devices. Here in the configuration you have interface VLAN IP addresses, and you have IP addresses on the router's subinterfaces.
If the packet doesn't come into VLAN 2, check the routes on the devices.
Also, check whether there are ACLs preventing traffic between VLANs, etc.
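Both the static route toward the server that fronts the 192.168.3.x VMs (earlier reply) and the ASA's missing route back (the first possibility just above) are the same mechanism: each device does a longest-prefix-match lookup, and when nothing more specific than the default route matches, the packet, or the reply, leaves through the default path and the ping fails. The Python model below is an added example, not configuration from this thread. It traces a packet hop by hop through constructed routing tables for the 2911, the VM host and the ASA, checks both directions of a ping, and then applies the static routes. The device names and all addresses (192.168.3.50 for a VM, 192.168.2.1 for the ASA inside interface) are assumptions, since the post elided the real ones.

```python
import ipaddress
from copy import deepcopy

# Constructed routing tables for the three forwarding devices in the thread.
# Entries are (prefix, next_hop); next_hop is one of:
#   "connected" - the subnet is directly attached, so the packet is delivered
#   "internet"  - the device's default path (Cellular0/0/0 on the 2911,
#                 the Cradlepoint on the ASA outside interface)
#   <name>      - the next router in TABLES
# Device names and all addresses are assumptions; the post elided the real ones.
TABLES = {
    "r2911": [
        ("192.168.0.0/24", "connected"),
        ("192.168.1.0/24", "connected"),
        ("192.168.2.0/24", "connected"),
        ("0.0.0.0/0", "internet"),
    ],
    "vmhost": [  # server fronting the 192.168.3.x VMs, routing without NAT
        ("192.168.1.0/24", "connected"),
        ("192.168.3.0/24", "connected"),
        ("0.0.0.0/0", "r2911"),
    ],
    "asa": [  # ASA 5512 inside on VLAN 2; nothing here points back inside
        ("192.168.2.0/24", "connected"),
        ("0.0.0.0/0", "internet"),
    ],
}


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def trace(tables, first_hop, dst, max_hops=8):
    """Follow a packet from the sender's gateway device toward dst.

    Returns (outcome, path): outcome is 'delivered', 'internet' (left via a
    default route, the case the reply above warns about), 'no_route' or 'loop'.
    """
    path, device = [first_hop], first_hop
    for _ in range(max_hops):
        match = lookup(tables[device], dst)
        if match is None:
            return "no_route", path
        next_hop = match[1]
        if next_hop == "connected":
            return "delivered", path
        if next_hop == "internet":
            return "internet", path + ["internet"]
        if next_hop in path:
            return "loop", path + [next_hop]
        path.append(next_hop)
        device = next_hop
    return "loop", path


def ping_works(tables, src_gw, src, dst_gw, dst):
    """A ping needs both the request and the reply to be delivered."""
    fwd, _ = trace(tables, src_gw, dst)
    rev, _ = trace(tables, dst_gw, src)
    return fwd == "delivered" and rev == "delivered"


def with_static_routes(tables):
    """The fix discussed in the thread: tell each router about the subnets it
    cannot see. Returns a new table set and leaves the input untouched."""
    fixed = deepcopy(tables)
    fixed["r2911"].append(("192.168.3.0/24", "vmhost"))  # 3.x lives behind the VM host
    fixed["asa"].append(("192.168.1.0/24", "r2911"))     # back inside via the 2911
    fixed["asa"].append(("192.168.3.0/24", "r2911"))
    return fixed


if __name__ == "__main__":
    vm, asa_inside = "192.168.3.50", "192.168.2.1"
    for label, t in (("before", TABLES), ("after", with_static_routes(TABLES))):
        print(label, "VM -> ASA :", trace(t, "vmhost", asa_inside))
        print(label, "ASA -> VM :", trace(t, "asa", vm))
        print(label, "ping works:", ping_works(t, "vmhost", vm, "asa", asa_inside))
```

Before the fix the request reaches the ASA but the reply is traced to "internet", which is the symptom reported in the thread; after it, both directions are delivered. On the real devices the equivalent of with_static_routes is `ip route 192.168.3.0 255.255.255.0 <VM host address>` on the 2911 and `route inside 192.168.3.0 255.255.255.0 <2911 VLAN 2 address>` on the ASA, with both addresses being placeholders here. The model only checks routes; the ASA's ICMP and ACL policy is the separate step listed above.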
NJ_CONSULTANT (Author) commented:
Overall routing is working, so for the ASA I will just have to log in with an IP on the 2.X network and reconfigure the policies or ACLs. That isn't the biggest priority currently; the routing issues were.
And I am annoyed that some of the issues were all because of miscounting a port number on the switch and having an incorrect VLAN allowed tag on the trunk. Fixed that, and now the 3.X network is routing.

Thank you for your help, sir.
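The root cause reported above, a miscounted port and a VLAN missing from the trunk's allowed list, is a mismatch that can be checked mechanically: every VLAN the 2911 tags on a Gig0/1.x subinterface has to be in the allowed list of the switch port facing it, and the native VLAN has to agree on both ends, or that subnet silently never reaches the router. The Python check below is an added example and not anything from this thread; the two configs it parses are constructed to resemble the setup described (VLANs 1-4 and 10, native 10, router-on-a-stick), with the port names and the deliberately wrong allowed list 1-2,4,10 being assumptions.

```python
import re

# Constructed configs that follow the thread's description: VLANs 1-4 and 10,
# VLAN 10 native, router-on-a-stick subinterfaces on the 2911. Port names and
# the deliberately wrong allowed list (VLAN 3 missing) are assumptions.
SWITCH_CFG = """
interface GigabitEthernet1/0/10
 switchport trunk allowed vlan 1-2,4,10
 switchport trunk native vlan 10
 switchport mode trunk
"""
ROUTER_CFG = """
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
interface GigabitEthernet0/1.3
 encapsulation dot1Q 3
interface GigabitEthernet0/1.4
 encapsulation dot1Q 4
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10 native
"""

def expand_vlan_list(spec):
    """IOS allowed-list syntax: '1-4,10' -> {1, 2, 3, 4, 10}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-"))
            vlans.update(range(lo, hi + 1))
        elif part:
            vlans.add(int(part))
    return vlans

def parse_interfaces(cfg):
    """Group a running-config excerpt by 'interface' stanza -> {name: [lines]}."""
    stanzas, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.strip():
            stanzas[current].append(line.strip())
    return stanzas

def trunk_settings(cfg, port):
    """(allowed VLANs, or None meaning all; native VLAN) for a trunk port, else None."""
    lines = parse_interfaces(cfg).get(port, [])
    if "switchport mode trunk" not in lines:
        return None
    allowed, native = None, 1  # IOS defaults: every VLAN allowed, native VLAN 1
    for line in lines:
        m = re.match(r"switchport trunk allowed vlan (add )?(\S+)", line)
        if m:  # 'add' extends the list; a plain list replaces it
            vlans = expand_vlan_list(m.group(2))
            allowed = ((allowed or set()) | vlans) if m.group(1) else vlans
        m = re.match(r"switchport trunk native vlan (\d+)", line)
        if m:
            native = int(m.group(1))
    return allowed, native

def router_vlans(cfg):
    """{vlan: (subinterface, is_native)} from the router's dot1Q encapsulation."""
    result = {}
    for name, lines in parse_interfaces(cfg).items():
        for line in lines:
            m = re.match(r"encapsulation dot1Q (\d+)( native)?", line)
            if m:
                result[int(m.group(1))] = (name, m.group(2) is not None)
    return result

def check_uplink(switch_cfg, port, router_cfg):
    """Findings for the switch port facing the router; an empty list is consistent."""
    trunk = trunk_settings(switch_cfg, port)
    if trunk is None:
        return [f"{port} is not a trunk, so no router subinterface is reachable through it"]
    allowed, native = trunk
    findings = []
    for vlan, (sub, is_native) in sorted(router_vlans(router_cfg).items()):
        if allowed is not None and vlan not in allowed:
            findings.append(f"VLAN {vlan} ({sub}) is not in the allowed list on {port}")
        if is_native and vlan != native:
            findings.append(f"{sub} expects VLAN {vlan} untagged, but {port} native VLAN is {native}")
    return findings

def allowed_vlan_fix(switch_cfg, port, router_cfg):
    """IOS command that adds the router's missing VLANs to the trunk, or None."""
    trunk = trunk_settings(switch_cfg, port)
    if trunk is None or trunk[0] is None:
        return None
    missing = sorted(set(router_vlans(router_cfg)) - trunk[0])
    return "switchport trunk allowed vlan add " + ",".join(map(str, missing)) if missing else None

if __name__ == "__main__":
    print(check_uplink(SWITCH_CFG, "GigabitEthernet1/0/10", ROUTER_CFG))
    print(allowed_vlan_fix(SWITCH_CFG, "GigabitEthernet1/0/10", ROUTER_CFG))
```

Run against the constructed configs it reports exactly one finding, VLAN 3 missing from the trunk, and proposes `switchport trunk allowed vlan add 3`, which is the kind of one-line fix the post above describes. Feed it the real `show running-config` excerpts from the 2960 and the 2911 to check every uplink the same way; an access port (such as the ones facing the ASA) is reported as not a trunk rather than compared VLAN by VLAN.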
NJ_CONSULTANT (Author) commented:
Excellent support and feedback, and very understanding. It's been a long time since I touched a router.
I am glad I could help.