That is correct.

What I did was not only restore my PC firewall but disabled for testing purposes as well as reset to factory default the 10.0.2.1 Router. I then reassigned the NAS 1 10.0.2.111 and NAS 2 10.0.2.126 and as mentioned a while back, using an Interface on the ASA as a link to the 10.0.2.1 Router I can ping and access everything but still could not access (only ping) when I disabled the ASA 10.2 Interface and moved to the Catalyst, which was my initial original post.

So I am unsure what the cause is but if as you say it isn’t a routing issue (which I do agree with because it works on the 1 NAS, but lose connectivity to the .111 and the Router .1) then this device/software/host issue is following even after a complete reset and restoration and recreation.

Anyway, I suppose as we said before it is what it is and like I said this particular thread was an indirect association to my initial question based upon my possible misunderstanding of keeping vlans the same across switches. Meant no intentions of recreating the same question with a diff title. 

I understand the origins of this discussion was to ask different questions and not to recreate the previous discussion. It is interesting that when switch to switch connection is over access ports then the vlan membership of each switch on those ports is not significant. But when switch to switch connection is over trunk ports then the vlan membership is significant. I hope that the explanations from @Peter Paluch were helpful.

Could STP somehow be causing my devices to have issues?

I do have STP enabled across the board.

Also, if STP has nothing to do with this then my final thoughts are this.

As I mentioned a while back when having an Interface on the ASA I can ping and communicate with everything peachy keen. When I disable that ASA interface and "move" it's IP to vlan 11 on the Catalyst is when I can PING but now have no data movement.

Could this have anything to do with going from a Gigabit Interface IP to vlan interface IP? Is there any sort of difference in how it would route?

It is an interesting thought that STP might be an issue. I am convinced that the issue with data access to that server is not related to STP. If the issue did relate to STP then there would be no access to the server. If ping works then STP is not involved.

I have wondered about what would be going on if ping to the server does work but data access does not. I wondered if there might be some security policy that permits ping but not data access but that does not seem to be the case. I wondered if it might be some mtu issue (small packets for ping work but large packets for data do not) but that does not seem to be the case. I wonder if @Peter Paluch might have some suggestions about how to investigate this?

Morning

Yeah to be more detailed, I seem to lose connectivity with the 10.0.2.1 (Router) GUI and the 10.0.2.111 NAS. 10.0.2.126 NAS stays good.

Heres a weird thing, though. When moving the IP to the ASA I do not have connectivity to .126, unless I make a static Route to it but 1.0.2.1 are fine as is 10.0.2.111. When moving to Catalyst, it’s opposite. I can’t access .111 or .1 but can (without Static route) to .126 but when I make route to .1 and .111 still no. Just a verrrrrry weird supernatural issue here. 

you have mentioned in the past a possible Device issue. But I just can’t wrap myself around as .1 and .111 stay in sync whereas .126 isn’t. Meaning one way the 2 will work and 1 won’t without a route, the other way 1 works but they other 2 work regardless of a route. A device will either work or won’t.

Both the NAS devices are simple in nature. IP, Gateway, Netmask. Router I suppose could be more complicated but it is 10.0.2.1 which is (Both) NAS’s Gateway. Router has 0 ACL or Firewall. ASA has no ACL (restrictive) enabled. If it were a firewall or ACL or would be per IP address, so be it ASA or Catalyst, IP is an IP. Maybe a MAC ACL/firewall? I’ve never in my love enabled or messed with MAC restrictions.

I just find it odd .111 NAS and .1 Router work together whereas .126 seems more versatile. I would say for now to hell with .111 and just work with .1 Router. Why is it being blocked via Catalyst but open through ASA. It just freaks me the freak out. It’s telling me 1+1=3 but it’s NOT. 

Perhaps we can hold off just a bit before claiming defeat. I am not fully understanding what you suggest. But I think I understand enough to respond. You are describing this issue as a routing issue (and many of our issues are indeed routing issues). If I am understanding the issue correctly you are able to ping .126 but are not able to access server data from .126. If ping is successful then routing is working and there has to be some other issue that is impacting accessing server data from .126.

ASA;

 no ip route (to 10.0.2.0)

 Interface GE 1/3 10.0.2.124 255.255.255.0

D-Link;

 10.0.2.1 Gateway, 10.0.2.0 Subnet

 ip route: 10.0.1.0 255.255.255.0 10.0.2.124

Catalyst;

 no ip route

 no default route

 vlan 10 (with Ethernet GE 1/0/1 to ASA GE 1/0/2 (10.0.1.0)

 vlan 11 (with Ethernet GE 1/0/11 to D-Link (10.0.2.0)

With the basic configuration above, My PC's (10.0.1.0) can PING and CONNECT to 10.0.2.1 (DLink Router) and 10.0.2.111 (NAS) but can only PING 10.0.2.126, No connection. What I did was add, on the ASA, a route "10.0.2.126 255.255.255.255 10.0.2.1"  and BAM I can now Ping AND Connect to every device on the 10.0.2.0 from the 10.0.1.1.

Cool, but I feel I am just lucky and something is off, but hey, it work's.

My "goal" was to free the Interface on the ASA and "move" it [10.0.2.124] to the Catalyst by making vlan 11 have that as it's IP.

When I do this and the D-Link route stays "10.0.1.0 255.255.255.0 10.0.2.124", what happens next is; I can SEE and PING ALL but ONLY can I now "connect" 10 10.0.2.126 but not 2.1 or 2.111! So it is as if the roles changed.

I figured I would create a route to 10.0.2.0 or 10.0.2.1 or 10.0.2.111 through 10.0.1.5 (ASA vlan 10 IP) but nothing.

I can have "my way" by keeping 10.0.2.124 on ASA on Interface GE 1/3 and a Static Route to 10.0.2.126 255.255.255 10.0.2.1 but when I change anything, it all crumbles. Weird thing is when I move the .124 to the Catalyst and can now connect to .126 without a Route, no matter what route I make to 10.0.2.1 or 10.0.2.111 I can not access!

Man I don't know if this makes this worse or better. This is the most generic way I can explain it and I know I am terrible at explanations.

I continue to believe that if ping works then there is not a routing problem. But your description that if you add a route on the ASA then it makes it work sure does sound like there is a routing issue. So let us dig a bit deeper. Here are some questions:

- on the ASA, before you add the extra route, what do you get when you show the routing table on the ASA?

- on the ASA after you add the extra route, what do you get when you show the routing table on the ASA?

- physically where are .111 and /126 connected?

- do  .111 and .126 get their IP address from DHCP or are they manually configured?

- can you post for both .111 and .126 their IP address, mask, and gateway.

- can you post the output of route print (or other appropriate command depending on OS) for both servers so we can see what routes they know?

- is it possible that something is acting as proxy when you ping .126 so ping works, but it passes data requests on to the server and then they fail?

- could you post the output of a traceroute from a PC to .126 before the extra route is added, and then traceroute again after the extra route is added?

Hello, I can answer in full later but for now I’ll do my best. 

Location;
10.0.2.111 and 10.0.2.126 are both connected to L2 Interfaces on the Catalyst which reside in vlan 11. One of the 10 Interfaces on the Catalyst in vlan 11 connects to one of the 4 LAN Interfaces on the D-Link.

In comparison, PC that I use connects to an L2 Interface on the Catalyst which resides in vlan 10. One of the vlan 10 Interfaces (1 of 10) connects to the ASA Interface GE 1/2.

So that is where they physically connect.

DHCP/ Static Devices;

I will say that I have the devices statically set. 10.0.2.111 255.255.255.0 10.0.2.1 (Gateway)

10.0.2.126 255.255.255.0 10.0.2.2 (Gateway)

I believe that’s all I can say without some output. Unfortunately for the NAS 1 (10.0.2.111) it is a Terastation with proprietary OS and has 0 “commands” avail outside of Ping and Static vs DHCP.

The NAS 2 (10.0.2.126) is a PC I built with “open media vault” OS which works on Linux so I am sure I could get some command line open.

But both devices are manually set as mentioned above.

The rest I will have to get the output data for you. 

I’d there is a proxy of sorts I definitely did not enable it or configure it. 

More to come. 

Thanks for the additional information. Is it a typo, or do the 2 servers have different default gateways(10.0.2.1 and 10.0.2.2)?

Ah! Typo, currently all 10.0.2.0 have 10.0.2.1 Gateways. 

Thanks for the clarification. It is helpful to know that both servers are connected to Catalyst ports in vlan 11 while the PC is connected to Catalyst port in vlan 10.

I continue to be surprised that adding a static route on the ASA seems to make it work. And I continue to looks for possible reasons why this might be the case. Perhaps the other outputs might help to understand this (in particular I am wondering what changes we might see in the ASA routing table.