Can vlan # change from device to device?

fbeye
Level 4

On Switch 1 I have 10.0.1.0 in vlan 10 and 10.0.2.0 vlan 11.

Can I, on Switch 2, have a vlan 25 10.0.1.0 and vlan 35 10.0.2.0, and have 35 talk to 11 (obviously if connected from both switches via Ethernet) and have the [same] subnets communicate, or does (for example) subnet 10.0.2.0 need to be the same vlan on every switch/device it's connected to in order to see each other?

69 Replies

WITH route on ASA:

Gateway of last resort is 207.108.121.182 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 207.108.121.182, outside
[1/0] via 75.160.240.27, outside
C 10.0.1.0 255.255.255.0 is directly connected, 10.1
L 10.0.1.1 255.255.255.255 is directly connected, 10.1
C 10.0.2.0 255.255.255.0 is directly connected, 10.2
L 10.0.2.124 255.255.255.255 is directly connected, 10.2
S 10.0.2.126 255.255.255.255 [2/0] via 10.0.2.1, 10.2
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
C 192.168.4.0 255.255.255.0 is directly connected, Servers
L 192.168.4.1 255.255.255.255 is directly connected, Servers

Tracing route to NAS [10.0.2.126]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms 10.0.2.1
2 <1 ms <1 ms <1 ms NAS [10.0.2.126]

Trace complete.

WITHOUT route on ASA:

Gateway of last resort is 207.108.121.182 to network 0.0.0.0

S* 0.0.0.0 0.0.0.0 [1/0] via 207.108.121.182, outside
[1/0] via 75.160.240.27, outside
C 10.0.1.0 255.255.255.0 is directly connected, 10.1
L 10.0.1.1 255.255.255.255 is directly connected, 10.1
C 10.0.2.0 255.255.255.0 is directly connected, 10.2
L 10.0.2.124 255.255.255.255 is directly connected, 10.2
C 192.168.1.0 255.255.255.0 is directly connected, inside
L 192.168.1.1 255.255.255.255 is directly connected, inside
C 192.168.4.0 255.255.255.0 is directly connected, Servers
L 192.168.4.1 255.255.255.255 is directly connected, Servers

Tracing route to NAS [10.0.2.126]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms NAS [10.0.2.126]

Trace complete.

Weird. Aside from the default route being removed by your request, the tracert stays the same but removes the 10.0.2.1 (Router) hop. I can now ping but not connect. Hmmm

Thanks for the information. What device is at 10.0.2.1?

HTH

Rick

10.0.2.1 is D-Link Wireless Router (LAN Side)

It has a DHCP Server 10.0.2.5-10.0.2.130.

Everything is default setting except the ‘10.0.1.0 255.255.255.0 10.0.2.124’ route. 

I continue to wonder about the traceroute output and want to verify a few things. Am I correct in understanding that the traceroute is from a PC that is connected to an access port in vlan 10 on the catalyst. And in understanding that the PC has an IP address in 10.0.1.0 and that the default gateway for the PC is the ASA interface in vlan 10?

One of the things I wonder about is the possibility of asymmetry in the path when the static route is not used. I think that this might be what is happening without the static route:

1) PC generates a traceroute packet and sends it to the ASA.

2) ASA checks its routing table and sees that 10.0.2.0 is locally connected.

3) ASA forwards the packet directly to the server

4) the server generates a response packet. But the response does not go directly to the ASA but goes to the server default gateway which is D-link.

5) D-link forwards to ASA.

This might be what is happening with the static route:
1) PC generates a traceroute packet and sends it to the ASA.
2) ASA checks its routing table and sees that 10.0.2.0 is locally connected but that this host address should be forwarded to D-link.
3) ASA forwards the packet to D-link.

4) D-link forwards the packet to the server.

5) the server generates a response packet. The response goes to the server default gateway which is D-link.
6) D-link forwards to ASA.

When I think about this possibility there are 2 issues that I cannot explain:

1) why would asymmetry impact data access but not impact ping?

2) why would asymmetry impact one server but not the other server?

In the face of these issues I believe that while asymmetry may exist it is not the real problem.

HTH

Rick

That is correct, 10.0.1.5 (PC) is connected to Catalyst vlan 10 which is connected to ASA which is 10.0.1.0. 

I do see the differences between having a static route and not. I can see where the paths take different steps. My understanding of Cisco and Routing ends with that though. I can see your words of asymmetry but am unclear how to resolve. Quite the scenario.  

Would this be resolved by bringing up what was mentioned earlier? Right now there are 2 different subnets trying to communicate with various routes and routers and gateways etc.

Would it be simplified by creating a 3rd (or should I say ONE) subnet with EVERYTHING on it, be it PC or NAS, which would allow persistent and consistent communication and no more crazy routing, such as 192.168.5.0, and have 192.168.5.2-10 use a "higher" 192.168.1.1 as default Internet route, 192.168.5.11-20 use 10.0.2.1 as default Internet gateway and 192.168.5.21-30 use 10.0.1.1 as its Internet gateway? I believe at one time you called that PBR. All IPs on the same subnet talk to each other but are configured to use specific WAN (outside) IPs for their Internet.

So my idea is, Catalyst will have 3 vlans. Interface vlan 10 192.168.1.5, Interface vlan 11 10.0.2.124, and vlan 12 10.0.1.5, and would have an Interface in each vlan connected to its server (10.0.1.1, 10.0.2.1 and 192.168.1.1). I would create a trunk from Catalyst to my SG350X and have trunk on an interface with vlan 10,11,12. On SG350G I'd create a vlan 15 192.168.5.0 subnet so all devices could communicate without higher routing. But 192.168.5.2-10 would use 192.168.1.1 gateway for Internet, 192.168.5.11-15 would use 10.0.2.1 gateway for Internet and 192.168.5.16-20 would use 10.0.1.1 gateway for Internet. Is this acceptable?

Having a single vlan for all of the devices is an interesting possibility. And it seems logical that if all devices were in the same vlan then they should all communicate without problems. But since we do not know what was causing the original issue it is hard to say if a single vlan would necessarily work.

I have these comments about this:

- This suggestion implies that all of the devices would be connected on the SG switch. In previous discussion I understood that some devices were connected on the Catalyst switch (and perhaps some connected on router/ASA). Are you suggesting that now all of those connections are moved to the SG switch?

- The previous environment adhered to a basic suggestion (note this is not a requirement) of a one to one relationship between vlan and subnet: each vlan has a single subnet, and each subnet is associated with a single vlan. The new suggestion has multiple subnets in a single vlan. We should be careful about the changes in behavior that this creates.

- In the previous environment it was easy to use DHCP to assign IP addresses to devices. Each vlan was a unique subnet and it was easy to have a unique DHCP scope for each. In the new environment how do you have multiple scopes? It seems to me that this would require static assignments (this specific mac address for a specific device gets this specific IP address). It is doable, but lots of manual effort.

- For this to work it requires Policy Based Routing (devices in a specific IP range get one path to the Internet, devices in another specific IP range get a different path to the Internet). I am not aware that the SG switch can do this and not confident that your Catalyst switch can do it.

HTH

Rick

Well ideally I wanted to use the SG350X in place of the Catalyst as it is 10GIG Ports but it is only 12 whereas the Catalyst has 24 1 Gigabit. For sake of keeping it clean and without complexity, let us disregard the SG350X.

Would utilizing the Catalyst in the same manner work?

I.e., GE 1/0/1 would physically connect to the ASA and on the Cat would be vlan 10. vlan 10 would have an Interface vlan 10 ip 192.168.1.5.

GE 1/0/2 would connect to DLink Router and on Cat would be vlan 11. vlan 11 would have Interface vlan 11 ip 10.0.2.124.

GE 1/0/3-15 (in example) would be a new 3rd subnet, 192.168.5.0.

This way as we say all devices would be of 192.168.5.0 but then as far as Internet access goes, not LAN, I can decide which subnet IP’s (such as 192.168.5.126 and 192.168.5.111) would use 10.0.2.1 (DLink) for its Internet access (through Cat vlan 11 ip 10.0.2.124). And then let’s say 192.168.5.50-100 would use 192.168.1.1 (ASA) for Internet access (through Cat vlan 10 ip 192.168.1.5).

You are correct that this still does not solve the main issue on hand and though I’d love to figure that out, after 6 months of this I’m kinda done with figuring it out. If this, using ONE LAN Subnet but having specific WAN IP’s allows crosstalk to easily occur, then this is the path I’d like. If it will work. 

I do not have enough data currently to explain in more detail but in the "working" scenario the .126 is mounted by its name and .111 is mounted by 10.0.2.111. When I do the changes off the ASA, I can mount the .126 by 10.0.2.126 but not by name anymore.

Could this all be a DNS issue? I have no idea how this is possible considering I am going based off of IP's but it was just something I noticed, with no further details.

B.T.W all and every DNS is 8.8.8.8 8.8.4.4.

I do not understand what you are describing about possible issues with DNS. If this is true "When I do the changes off the ASA, I can mount the .126 by 10.0.2.126 but not by name anymore" then it does suggest that there is some issue with DNS. I would ask a follow up question: For the issue where ping does work but data access does not work, is the behavior the same if you attempt both using name and if you attempt both using IP?

If you would like to use the SG switch because it has faster interfaces I would think this could work ok. I would not put anything of vlan 10 or 11 on the SG switch. Just make all of the SG ports access ports (no trunking on the SG) and connect one of the SG ports to an access port on the Catalyst in the 192.168.5.0 vlan.

HTH

Rick

At this point I will hold off on commenting on your response to my DNS theory/findings as I cannot perform further testing. As far as your acknowledgement of using the SG350X to utilize its faster interfaces, you mention not to use any trunking and just connect 1 interface to an interface on the Catalyst (the newly created 192.168.5.0 and its own vlan) so that any of the remaining SG350X interfaces will grab an IP address from that particular subnet.

Let us say 192.68.5.5 is my PC, 192.168.5.126 would be NAS 1 and 192.168.5.111 NAS 2. This would allow my PC (and really any device on the 192.168.5.0 Subnet) to communicate without any advanced routing.

The Catalyst will still have vlan 10 interface 192.168.1.5 (207.108.x.182 WAN IP on ASA) and vlan 11 interface 10.0.2.124 (207.108.x.179 WAN IP on D-Link).

The issue I would still have would be that .111 and .126 need to have the (vlan 11) 207.108.x.179 WAN IP and any other PC device could use the (vlan 10) 207.108.x.182 WAN IP.

I just feel though initially there is a routing/device issue whether it is Cisco, My devices or my error in some way that what I want just is not logical. In my head I see what I want but this may just not be realistic or practical. 

I am not clear about parts of your response. I continue to believe that it would be quite feasible to use the SG switch and take advantage of its higher speed interfaces. To do this the SG switch could have all of its ports as access ports in 192.168.5.0. There is no need (and no benefit) in trying to have anything about vlan 10 or vlan 11 on the SG switch, and so no need for any trunking on the SG switch.

Frequently more simple is better than more complex. Trying to have vlan 10, vlan 11, or trunking on the SG switch makes it more complex and provides no benefit. So just make everyone on the SG switch an access port in 195.168.5.0.

You say: "The issue I would still have would that .111 and .126 need to have the (vlan 11) 207.108.x.179 WAN IP and any other PC device could use the (vlan 10) 207.108.x.182 WAN IP." This would be true if you have vlan 10, vlan 11, and a vlan for 192.168.5.0. This would be an issue if using the Catalyst, independent of whether the SG switch is used or not.

HTH

Rick

Hello

I think maybe my meaning and description is losing its focus. Regardless of whether I use Catalyst or SG350G or both, the fact remains that 10.0.2.1 (D-Link Router) and 192.168.1.1 (ASA) have to talk and therefore I need 2 separate vlans regardless of which switch I use. I even brought the SG350X into the fold cause eventually I want to use its 10GB ports, as well as my idea of creating a 3rd vlan subnet 192.168.5.0 so that ALL LANs (regardless of their WAN source) could talk.

Be it SG or CAT, 10.0.2.1 192.168.1.1 need a gateway to each other and so I would assume still need the 2 vlans (10 and 11). 

For simplicity sake I could make a 3rd vlan on the Catalyst and avoid the SG altogether (for now until I figure out wtf is going on) or I can still incorporate the SG as the 192.168.5.0 subnet which is why I mentioned a trunk back to the Catalyst so they can find their way back to their WAN.

I still need 192.168.5.111 (the new 10.0.2.111) and 192.168.5.126 (the new 10.0.2.126) to have their Internet on the 10.0.2.1 (connected to the current vlan 11 10.0.2.124 on Cat) and then 192.168.5.5 (the PC) to connect to its Internet on the 192.168.1.1 (connected to the current vlan 10 192.168.1.7).

Whether I use SG or Catalyst or both together what I just wanted to do was create a 3rd (or primary I guess JUST 192.168.5.0) and then have specific IP's be routed to their WAN. Normally I would assume this would be NAT or PAT but being that the 3rd party D-Link is involved I am not sure how that works.

Regardless, 192.168.1.0 or 10.0.2.0 need to have an association to the SG or Cat from the ASA and D-Link... Now, could I eliminate vlan interface 10/11 and vlan 10/11 and simply make 2 physical interfaces IP addresses of their respective routers? Like instead of a vlan interface, actually assign 2 interfaces IPs: GE 1/0/1 ip 192.168.1.7 255.255.255.0 and GE 1/0/2 10.0.2.124?

Honestly man, you have helped so much overall with ideas and literals so much that I can calmly and easily and almost gladly quit now and call it good. 

Interesting comment about losing focus. So let me back up and try to re-focus on what you are trying to accomplish and how that might work. You have 2 devices (D-Link and ASA) that communicate with the Internet. You have a vlan and a subnet associated with access to D-Link and a vlan and a subnet associated with access to the ASA. You have some host devices and some servers in the network. There is a Catalyst switch in the network and the possibility of using an SG switch. All host devices need to be able to communicate with the servers. Some of the devices need to use the D-Link to get to the Internet while other devices need to use the ASA to get to the Internet. For all devices to access the servers we need routing logic for inter vlan routing. For some devices to use D-Link while other devices use ASA for Internet access we need other routing logic for Internet access.

We have discussed several scenarios:

- inter vlan routing and Internet routing done on Catalyst switch. Some devices are connected in the D-Link vlan/subnet and other devices are connected in the ASA vlan/subnet. For all of these devices their default gateway would be the Catalyst vlan interface for their subnet. Local access (host to server and host to host) would be routed locally by the Catalyst switch. The Catalyst switch would need to implement Policy Based Routing to achieve the requirement that some devices access the Internet using D-Link while other devices would use the ASA.

- inter vlan routing and Internet routing done on D-Link and ASA. We still have some devices connected in the D-Link vlan/subnet and other devices connected in the ASA vlan/subnet. For all of these devices their default gateway would be the D-Link or the ASA and not the Catalyst. The Catalyst would have ip routing enabled but would not have any default route (or any route for any destination that is not locally connected). Since the default gateway for each host is the appropriate path to the Internet then Internet routing would be accomplished. For inter vlan routing to be accomplished the D-Link would need a static route for the ASA subnet (with the Catalyst vlan interface as the next hop) and the ASA would need a static route for the D-Link subnet (with the Catalyst vlan interface as the next hop). You tried to implement this but there was some issue that we were not able to solve. So we thought of another scenario.

- Create a new subnet 192.168.5.0. This vlan/subnet would exist on the switch(s) and not on the D-Link or ASA. All hosts and all servers would have addresses in this subnet. Access host to host and host to server would be easy and would not require any routing logic. Access for these devices to Internet would require implementation of Policy Based Routing. This would also require that the D-Link and the ASA would have a route for the 192.168.5.0 with the Catalyst switch as the next hop.

- There has been some discussion about using the SG switch in addition to the Catalyst to take advantage of its higher speed interfaces. That should be easy to implement. In the scenario using the 192.168.5.0 network all of the SG interfaces would be configured as access ports. The connection between switches would be access port to access port in the 192.168.5.0 vlan and so no need for any trunks and no routing logic on the SG.

HTH

Rick

Alright, this is getting good.

I will point out the 2 scenarios which I feel would be best to pursue;

- inter vlan routing and Internet routing done on Catalyst switch. Some devices are connected in the D-Link vlan/subnet and other devices are connected in the ASA vlan/subnet. For all of these devices their default gateway would be the Catalyst vlan interface for their subnet. Local access (host to server and host to host) would be routed locally by the Catalyst switch. The Catalyst switch would need to implement Policy Based Routing to achieve the requirement that some devices access the Internet using D-Link while other devices would use the ASA.

--- For this one I will say that you answered a concern of mine by giving a full description. See, I had implemented this very scenario and could achieve host to host (diff subnet) connectivity when making the host GW their respective vlan IP from the Catalyst. I then had no Internet, so at that time I made a 0.0.0.0 0.0.0.0 192.168.1.1 to get onto the Internet, but this did not help for the 10.0.2.0 Internet, so long story short I was missing PBR commands, which at this point I would need to research.

or

- Create a new subnet 192.168.5.0. This vlan/subnet would exist on the switch(s) and not on the D-Link or ASA. All hosts and all servers would have addresses in this subnet. Access host to host and host to server would be easy and would not require any routing logic. Access for these devices to Internet would require implementation of Policy Based Routing. This would also require that the D-Link and the ASA would have a route for the 192.168.5.0 with the Catalyst switch as the next hop.

--- This scenario seems pretty legit. 192.168.5.0 for all hosts connected, and then through vlan 10 and 11 I would have vlan interface addresses (for routing) to the Internet(s) and then implement PBR in the same manner, defining which hosts use which vlan/Internet. Again, PBR would be something I need to learn.

For me I always need to recite what I want.

Catalyst :

vlan 12, 192.168.5.0 subnet - for hosts.

vlan 10 interface 10.0.2.124

vlan 11 interface 192.168.1.5

Hosts:

192.168.5.7 (PC Host directed to use vlan 11 interface 192.168.1.5 to reach Internet)

192.168.5.111 and 192.168.5.126 (both are NAS; both use vlan 10 interface 10.0.2.124 to reach Internet)

All 3 hosts on 192.168.5.0 talk to each other cause they are on the same subnet.

QUICK NOTE!!! It just occurred to me that if we were to implement PBR in the 2nd scenario above, I assume I would not even need vlan 10 or 11 interface IPs, or even vlan 10/11 at all, but could simply assign a GE interface to the ASA and to the D-Link.
