Firewall to L3 Router to L2 Switches

Jah8887
Level 1

I can't seem to get my switches to ping out to the internet. I have my router configuration below along with the switch configuration. My setup is as follows:

 

ISP > ASA(192.168.2.1) > L3 Router(192.168.2.2) / interface to sw from router(192.168.1.3)

I have 3 VLANs that I would like to get out to the internet. VLAN 1 must not talk to the other 2 VLANs. VLANs 9 and 10 can talk to each other. I think it's a gateway or IP routing issue.

 

Router Config

 

Current configuration : 2155 bytes
!
! Last configuration change at 18:20:27 UTC Sun Mar 25 2018
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname BMR1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$x.Un$PmvRDemm5BH6daD5uGstg.
enable password -----------------------
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!

 

!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-754677515
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-754677515
 revocation-check none
 rsakeypair TP-self-signed-754677515
!
!
crypto pki certificate chain TP-self-signed-754677515
 certificate self-signed 01
license udi pid ISR4331/K9 sn FDO21380W80
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
bridge irb
!
!
!
!
!
interface GigabitEthernet0/0/0
description Router to Firewall
 ip address 192.168.2.1 255.255.255.0
 ip nat outside
 negotiation auto
 vlan-range dot1q 1 2 native
  description Internal
 !
 vlan-range dot1q 9 10
  description Public
 !
!
interface GigabitEthernet0/0/1
 description Router to Switch
 no ip address
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet0/0/1.9
 encapsulation dot1Q 9
 ip address 192.168.9.3 255.255.255.0
!
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.3 255.255.255.0
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.9.3 255.255.255.0
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
ip default-gateway 192.168.1.3
ip forward-protocol nd
no ip http server
ip http secure-server
ip default-network 0.0.0.0
!
!
!
!
bridge 10 protocol vlan-bridge
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password --------------------------------
 login
!
!
end

BMR1#

 

Switch Configuration

 

BSW1#show ip route static
Maximum Parallel Paths: 1 (1 after reset)
IP Forwarding: enabled

Codes: A - active, I - inactive

A  0.0.0.0/0 [1/4] via 192.168.1.3, vlan 1
I  192.168.1.0/24 [1/4] via 192.168.1.3
I  192.168.9.0/24 [1/4] via 192.168.1.3
I  192.168.10.0/24 [1/4] via 192.168.1.3


Config


BSW1#show run
config-file-header
BSW1
v2.3.5.63 / RLINUX_923_093
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink te
unit-type unit 2 network gi uplink te
unit-type unit 3 network gi uplink te
unit-type unit 4 network gi uplink te
unit-type unit 5 network gi uplink te
unit-type unit 6 network gi uplink te
unit-type unit 7 network gi uplink te
unit-type unit 8 network gi uplink te
unit-type-control-end
!
vlan database
vlan 2-10
exit
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
port-channel load-balance src-dst-mac-ip
bonjour interface range vlan 1
hostname BSW1
line console
exec-timeout 5
exit
line ssh
exec-timeout 5
exit
line telnet
exec-timeout 5
exit
logging origin-id hostname
logging file notifications
username Techman password encrypted 6ca1abfa2ab82599f5277ec0a5786098feb01bb4 privilege 15
ip ssh server
snmp-server location Luray
snmp-server contact John
ip http timeout-policy 300
clock timezone " " -5
clock summer-time web recurring usa
no clock source sntp
ip domain name Bluemont
ip name-server  192.168.1.160
!
interface vlan 1
 name In
 ip address 192.168.1.149 255.255.255.0
 no ip address dhcp
!
interface vlan 2
 ip address 192.168.2.2 255.255.255.0
!
interface vlan 9
 name Extra
 ip address 192.168.9.1 255.255.255.0
!
interface vlan 10
 name "Pub POE"
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/0/5
 speed 100
 no negotiation
!
interface GigabitEthernet1/0/6
 speed 100
 no negotiation
!
interface GigabitEthernet1/0/7
 speed 100
 no negotiation
!
interface GigabitEthernet1/0/12
 switchport trunk native vlan none
!
interface GigabitEthernet1/0/14
 spanning-tree link-type point-to-point
 switchport mode trunk
 switchport trunk allowed vlan remove 2-4094
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/16
 spanning-tree link-type point-to-point
 switchport mode trunk
 switchport trunk allowed vlan remove 2-4094
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/19
 speed 100
 no negotiation
!
interface GigabitEthernet1/0/22
 channel-group 23 mode auto
 switchport protected-port
!
interface GigabitEthernet1/0/23
 channel-group 23 mode auto
 switchport general allowed vlan add 1 tagged
 switchport protected-port
 switchport trunk allowed vlan remove 2-4094
!
interface GigabitEthernet1/0/24
 spanning-tree link-type point-to-point
 switchport mode trunk
 switchport trunk native vlan none
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface TengigabitEthernet1/0/2
 description "Trunk to BSW2"
 switchport mode trunk
 switchport access vlan none
 switchport trunk native vlan none
 switchport trunk allowed vlan remove 3-8,11-4094
 macro description no_switch
 no macro auto smartport
!
interface Port-Channel23
 description S1
 switchport general allowed vlan add 1 tagged
 switchport trunk native vlan none
!
exit
macro auto enabled
macro auto processing type ip_phone disabled
macro auto processing type router enabled
arp 192.168.1.160 98:f2:b3:ed:97:35  vlan1
ip default-gateway 192.168.1.3
ip route 192.168.1.0 /24 192.168.1.3
ip route 192.168.9.0 /24 192.168.1.3
ip route 192.168.10.0 /24 192.168.1.3
BSW1#

 

 

14 Replies

Deepak Kumar
VIP Alumni

Hi, 

As you have configured all VLAN routing on your router, your switch is working as an L2 switch. There are some inactive routes configured; you can remove these routes from the switch with the commands below:

 

no ip route 192.168.1.0 /24 192.168.1.3
no ip route 192.168.9.0 /24 192.168.1.3
no ip route 192.168.10.0 /24 192.168.1.3

 

And your system default gateway on all VLANs must be the router subinterfaces' IP addresses.

 

And to block the communication between VLAN 1 and the other VLANs you have to configure an ACL on the router and apply it on the VLAN 1 subinterface.

 

Regards,

Deepak Kumar

 

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
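Worked example of the router-side ACL this reply recommends, added by the editor and not posted in the thread. It uses only the subinterface addresses already in BMR1's configuration; the host 192.168.10.50 is a hypothetical "allowed" server standing in for the specific IPs the original poster later says VLAN 1 may reach. IOS ACLs are stateless, so the policy needs two lists: one inbound on the VLAN 1 subinterface (traffic leaving VLAN 1) and one inbound on the VLAN 9 and VLAN 10 subinterfaces (traffic heading back towards VLAN 1).

```cisco
! Added example (editor's, not from the thread). Applied on BMR1.
! 192.168.10.50 is a hypothetical host; replace it with the real permitted IPs.
ip access-list extended VLAN1_IN
 remark VLAN 1 may reach this one host on VLAN 10 (hypothetical address)
 permit ip 192.168.1.0 0.0.0.255 host 192.168.10.50
 remark otherwise VLAN 1 stays away from VLAN 9 and VLAN 10
 deny   ip 192.168.1.0 0.0.0.255 192.168.9.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 remark everything else, including the Internet via the ASA, is allowed
 permit ip any any
!
ip access-list extended VLAN9_10_IN
 remark replies from the permitted host back to VLAN 1
 permit ip host 192.168.10.50 192.168.1.0 0.0.0.255
 remark VLAN 9 and VLAN 10 may not initiate traffic to VLAN 1
 deny   ip 192.168.9.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 remark VLAN 9 <-> VLAN 10 and Internet traffic is allowed
 permit ip any any
!
interface GigabitEthernet0/0/1.1
 ip access-group VLAN1_IN in
!
interface GigabitEthernet0/0/1.9
 ip access-group VLAN9_10_IN in
!
interface GigabitEthernet0/0/1.10
 ip access-group VLAN9_10_IN in
!
! Check: the deny counters should climb when a VLAN 1 host pings 192.168.9.1,
! while a ping from the same host to 192.168.2.1 or beyond is unaffected.
! show ip access-lists VLAN1_IN
! show ip access-lists VLAN9_10_IN
```

Because the lists are stateless, the `permit ip host 192.168.10.50 ...` line in VLAN9_10_IN also lets that host initiate connections into VLAN 1, not just answer them. If that matters, narrow it to `permit tcp host 192.168.10.50 192.168.1.0 0.0.0.255 established` for TCP services and add explicit lines for any UDP or ICMP replies you need. Hosts on each VLAN must use the router subinterface (192.168.1.3, 192.168.9.3, 192.168.10.3) as their default gateway, not the switch SVI, or the traffic never reaches these lists.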

So the switch VLAN gateways / static routes should be as follows then, correct, or am I mistaken?

 

192.168.1.0 /24 192.168.1.3

192.168.9.0 /24 192.168.9.3

192.168.10.0 /24 192.168.10.3

 

Subinterfaces were created on the router with IPs of

192.168.1.3

192.168.9.3

192.168.10.3

Hi, 

No need for other static routes on the switch. We already configured one default route on the switch. The routes which you mentioned in your post are not required because the switch will send traffic to the default route and the default route will redirect the traffic as per source and destination.

 

Regards,

Deepak Kumar


And the default route would be to the default gateway, correct?

 

ip default-gateway 192.168.1.3

Yes, correct. 

 

Regards,

Deepak Kumar


I removed the routes like you said but devices still can't get out to the internet. I can however ping from a device to 192.168.1.3 on the router successfully. The router can ping its own interface 192.168.2.2 and the firewall's interface 192.168.2.1 but it seems that blank 2 and 1 aren't communicating.

 

 

It should be VLAN 1 and 2, sorry, autocorrect.

Hi,

Please share firewall and switch configuration.

 

Regards,

Deepak Kumar


Here is the Router Configuration

 

Current configuration : 3461 bytes
!
! Last configuration change at 21:48:38 UTC Wed Mar 28 2018
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname BMR1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$x.Un$PmvRDemm5BH6daD5uGstg.
enable password -------------
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!

 

!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-754677515
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-754677515
 revocation-check none
 rsakeypair TP-self-signed-754677515
!
!
crypto pki certificate chain TP-self-signed-754677515
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 37353436 37373531 35301E17 0D313830 33313031 36323030
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3735 34363737
  35313530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  E0C72938 7F887B40 AB83D02E 892A4639 F630D8C6 ED878947 9D4B6482 E05C71C1
  F8709C17 8066CCBD 39086610 ADA59C6E DE1D37B3 2B2E747D 64504C2D CF641C6F
  57C8CD5D 7066D7B1 7BD57D0E 9213A39F 9D82628C EB00F68E 6B9B5CFE 7FA97719
  10F99C93 B686BBAE BF85946E 10D9A593 8393547D 8289078C 1DDC7C1F BF454197
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 168014F6 89BB9026 B4CEB3F6 9F225117 1BC05BB8 30187D30 1D060355
  1D0E0416 0414F689 BB9026B4 CEB3F69F 2251171B C05BB830 187D300D 06092A86
  4886F70D 01010505 00038181 00383E46 5C4A06B7 60F69237 1C3A7506 20AE94F8
  0ADDFFDF D1A9E718 6914C775 90D5B916 F2C1CCB0 FEEC1511 56075FDB 301FFA0C
  323CEF14 B324D715 F2E7CB1A 19F74762 C2CCC4A6 EAFFAD1A 7D8F6E6D E4040D49
  9ADB343B CCC51B7A C8E4ADBA 4AD00A9C 4CBEE212 8D7D5463 1CD798F1 7EAD0D2C
  4D246EF8 34CCE8C6 F402F727 55
        quit
license udi pid ISR4331/K9 sn FDO21380W80
!
spanning-tree extend system-id
!
!
redundancy
 mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 ip address 192.168.2.2 255.255.255.0
 ip nat outside
 negotiation auto
 vlan-range dot1q 1 2 native
  description Internal
 !
 vlan-range dot1q 9 10
  description Public
 !
!
interface GigabitEthernet0/0/1
 description Router to Switch
 no ip address
 negotiation auto
 ip virtual-reassembly
!
interface GigabitEthernet0/0/1.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet0/0/1.3
!
interface GigabitEthernet0/0/1.9
 encapsulation dot1Q 9
 ip address 192.168.9.3 255.255.255.0
!
interface GigabitEthernet0/0/1.10
 encapsulation dot1Q 10
 ip address 192.168.10.3 255.255.255.0
!
interface GigabitEthernet0/0/2
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 ip address 192.168.9.3 255.255.255.0
 negotiation auto
!
interface Vlan1
 no ip address
 shutdown
!
ip default-gateway 192.168.2.1
ip forward-protocol nd
no ip http server
ip http secure-server
!
!
access-list 1 permit any
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password ------
 login
!
!
end

 

Switch Configuration

 

BSW1#sh run brief
config-file-header
BSW1
v2.3.5.63 / RLINUX_923_093
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink te
unit-type unit 2 network gi uplink te
unit-type unit 3 network gi uplink te
unit-type unit 4 network gi uplink te
unit-type unit 5 network gi uplink te
unit-type unit 6 network gi uplink te
unit-type unit 7 network gi uplink te
unit-type unit 8 network gi uplink te
unit-type-control-end
!
vlan database
vlan 2,9-10
exit
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
port-channel load-balance src-dst-mac-ip
bonjour interface range vlan 1
hostname BSW1
line console
exec-timeout 5
exit
line ssh
exec-timeout 5
exit
line telnet
exec-timeout 5
exit
logging origin-id hostname
logging file notifications
username Techman password encrypted 6ca1abfa2ab82599f5277ec0a5786098feb01bb4 privilege 15
ip ssh server
snmp-server location Luray
snmp-server contact John
ip http timeout-policy 300
clock timezone " " -5
clock summer-time web recurring usa
no clock source sntp
ip domain name Bluemont
ip name-server  192.168.1.160
!
interface vlan 1
 name In
 ip address 192.168.1.149 255.255.255.0
 no ip address dhcp
!
interface vlan 2
 ip address 192.168.2.2 255.255.255.0
!
interface vlan 9
 name Extra
 ip address 192.168.9.1 255.255.255.0
!
interface vlan 10
 name "Pub POE"
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/0/5
 speed 100
 no negotiation
!
interface GigabitEthernet1/0/6
 speed 100
 no negotiation
!
interface GigabitEthernet1/0/7
 speed 100
 no negotiation
!
interface GigabitEthernet1/0/12
 switchport trunk native vlan none
!
interface GigabitEthernet1/0/14
 spanning-tree link-type point-to-point
 switchport mode trunk
 switchport trunk allowed vlan remove 2-4094
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/16
 spanning-tree link-type point-to-point
 switchport mode trunk
 switchport trunk allowed vlan remove 2-4094
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/19
 speed 100
 no negotiation
!
interface GigabitEthernet1/0/22
 channel-group 23 mode auto
 switchport protected-port
!
interface GigabitEthernet1/0/23
 channel-group 23 mode auto
 switchport general allowed vlan add 1 tagged
 switchport protected-port
 switchport trunk allowed vlan remove 2-4094
!
interface GigabitEthernet1/0/24
 spanning-tree link-type point-to-point
 switchport mode trunk
 macro description switch
 !next command is internal.
 macro auto smartport dynamic_type switch
!
interface TengigabitEthernet1/0/2
 description "Trunk to BSW2"
 switchport mode trunk
 switchport access vlan none
 switchport trunk native vlan none
 switchport trunk allowed vlan remove 3-8,11-4094
 macro description no_switch
 no macro auto smartport
!
interface Port-Channel23
 description S1
 switchport general allowed vlan add 1 tagged
 switchport trunk native vlan none
!
exit
macro auto enabled
macro auto processing type ip_phone disabled
macro auto processing type router enabled
arp 192.168.1.160 98:f2:b3:ed:97:35  vlan1
ip route 192.168.1.0 /24 192.168.1.3

 

My laptop hooked into the switch can ping the 192.168.1.3 interface on the router but it cannot ping the 192.168.2.1 interface on the router, which leads to the 192.168.2.1 interface on the firewall to the internet. It seems like I am getting stuck on allowing the 192.168.2.2 interface and the 192.168.2.1 interface to communicate.

 

 

Hi, 

I want to ask you something: where is NAT (for the VLANs) configured? Is it on the router or the ASA?

If NAT is configured on the ASA then there is some misconfiguration on the router, as:

 

Regards,

Deepak Kumar


I apologize for the late response,

 

Here is what I have, starting with the ASA.

 

ASA config

 

ASA Version 9.8(1)
!
hostname ciscoasa
domain-name Bluemont
enable password $sha512$5000$jH+6BPdsWTcZUPu50bAkgQ==$ZaIAWtoELaHrkBb3w9xk/Q== pbkdf2
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 96.84.234.178 255.255.255.248
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
nameif Public
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/4
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
nameif MGMT
security-level 0
ip address 192.168.45.1 255.255.255.0
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup inside
dns domain-lookup MGMT
dns server-group DefaultDNS
name-server 192.168.1.160
domain-name Bluemont
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network MGMT
subnet 192.168.45.0 255.255.255.0
object network Gateway
host 96.84.234.182
description Outside Interface
object network SwitchNet
subnet 192.168.10.0 255.255.255.0
object network Public
subnet 0.0.0.0 0.0.0.0
description Public
object-group security Everyone
security-group name Everyone
access-list outside_access_in extended permit ip any 192.168.1.0 255.255.255.0
access-list outside_access_in extended permit icmp any any
access-list OutsideIn standard permit 73.147.208.0 255.255.255.0
access-list InsideOut standard permit 192.168.1.0 255.255.255.0
access-list PublicOut standard permit 192.168.10.0 255.255.255.0
access-list OutsideInPub standard permit 73.147.208.0 255.255.255.0
access-list Outside_Access_Public_In extended permit ip any 192.168.10.0 255.255.255.0
access-list Outside_Access_Public_In extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
logging from-address --------
logging recipient-address -------- level emergencies
mtu outside 1500
mtu inside 1500
mtu Public 1500
mtu MGMT 1500
ip verify reverse-path interface inside
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
!
object network obj_any
nat (inside,outside) dynamic interface
!
nat (Public,outside) after-auto source dynamic obj_any interface
route outside 0.0.0.0 0.0.0.0 96.84.234.182 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authorization http console LOCAL
aaa authentication login-history
http server enable
http server idle-timeout 5
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=ciscoasa
crl configure
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client update dns server both
dhcpd update dns both override
!
dhcpd update dns both override interface outside
!
dhcpd dns 192.168.1.160 interface inside
dhcpd domain Bluemont interface inside
dhcpd auto_config outside interface inside
dhcpd update dns both override interface inside
!
threat-detection basic-threat
threat-detection scanning-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.1.160 source inside prefer
dynamic-access-policy-record DfltAccessPolicy
password-policy minimum-length 8
quota management-session 10
username cisco password $sha512$5000$q7RKKA78ZRN6/3LEAI2r2Q==$4hPhSkOLkeyIMP7htoMEsA== pbkdf2
username Bluemont password $sha512$5000$Rhi7waUz0fSNP2xnxG/r9g==$Mpd5O2BFBekqdxdPI+7Wkg== pbkdf2 privilege 15
!
class-map sfr
match any
class-map inspection_default
match default-inspection-traffic
class-map type inspect http match-all asdm_high_security_methods
match not request method get
match not request method head
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
class sfr
sfr fail-open
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:b9301a352badda1078696c29be192f12
: end

 

 

Router Config

BMR1#sh run
Building configuration...


Current configuration : 3401 bytes
!
! Last configuration change at 00:31:13 UTC Fri Mar 30 2018
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname BMR1
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$x.Un$PmvRDemm5BH6daD5uGstg.
enable password -----------
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!
!

 

!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-754677515
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-754677515
revocation-check none
rsakeypair TP-self-signed-754677515
!
!
crypto pki certificate chain TP-self-signed-754677515
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37353436 37373531 35301E17 0D313830 33313031 36323030
385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3735 34363737
35313530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
E0C72938 7F887B40 AB83D02E 892A4639 F630D8C6 ED878947 9D4B6482 E05C71C1
F8709C17 8066CCBD 39086610 ADA59C6E DE1D37B3 2B2E747D 64504C2D CF641C6F
57C8CD5D 7066D7B1 7BD57D0E 9213A39F 9D82628C EB00F68E 6B9B5CFE 7FA97719
10F99C93 B686BBAE BF85946E 10D9A593 8393547D 8289078C 1DDC7C1F BF454197
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 168014F6 89BB9026 B4CEB3F6 9F225117 1BC05BB8 30187D30 1D060355
1D0E0416 0414F689 BB9026B4 CEB3F69F 2251171B C05BB830 187D300D 06092A86
4886F70D 01010505 00038181 00383E46 5C4A06B7 60F69237 1C3A7506 20AE94F8
0ADDFFDF D1A9E718 6914C775 90D5B916 F2C1CCB0 FEEC1511 56075FDB 301FFA0C
323CEF14 B324D715 F2E7CB1A 19F74762 C2CCC4A6 EAFFAD1A 7D8F6E6D E4040D49
9ADB343B CCC51B7A C8E4ADBA 4AD00A9C 4CBEE212 8D7D5463 1CD798F1 7EAD0D2C
4D246EF8 34CCE8C6 F402F727 55
quit
license udi pid ISR4331/K9 sn FDO21380W80
!
spanning-tree extend system-id
!
!
redundancy
mode none
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 192.168.2.2 255.255.255.0
negotiation auto
!
interface GigabitEthernet0/0/1
description Router to Switch
no ip address
negotiation auto
ip virtual-reassembly
!
interface GigabitEthernet0/0/1.1
encapsulation dot1Q 1 native
ip address 192.168.1.3 255.255.255.0
!
interface GigabitEthernet0/0/1.3
!
interface GigabitEthernet0/0/1.9
encapsulation dot1Q 9
ip address 192.168.9.3 255.255.255.0
!
interface GigabitEthernet0/0/1.10
encapsulation dot1Q 10
ip address 192.168.10.3 255.255.255.0
!
interface GigabitEthernet0/0/2
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.9.3 255.255.255.0
negotiation auto
!
interface Vlan1
no ip address
shutdown
!
ip default-gateway 192.168.2.1
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/0 192.168.2.1
!
!
access-list 1 permit any
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password ---------
login
!
!
end

 

Switch config

 

config-file-header
BSW1
v2.3.5.63 / RLINUX_923_093
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0a3fdb1f3a1af4e4430033719968c0
!
!
unit-type-control-start
unit-type unit 1 network gi uplink te
unit-type unit 2 network gi uplink te
unit-type unit 3 network gi uplink te
unit-type unit 4 network gi uplink te
unit-type unit 5 network gi uplink te
unit-type unit 6 network gi uplink te
unit-type unit 7 network gi uplink te
unit-type unit 8 network gi uplink te
unit-type-control-end
!
vlan database
vlan 2,9-10
exit
voice vlan state disabled
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
port-channel load-balance src-dst-mac-ip
bonjour interface range vlan 1
hostname BSW1
line console
exec-timeout 5
exit
line ssh
exec-timeout 5
exit
line telnet
exec-timeout 5
exit
logging origin-id hostname
logging file notifications
username ------- password encrypted 6ca1abfa2ab82599f5277ec0a5786098feb01bb4 privilege 15
ip ssh server
snmp-server location ----
snmp-server contact -----
ip http timeout-policy 300
clock timezone " " -5
clock summer-time web recurring usa
no clock source sntp
ip domain name Bluemont
ip name-server 192.168.1.160
!
interface vlan 1
name In
ip address 192.168.1.149 255.255.255.0
no ip address dhcp
!
interface vlan 2
ip address 192.168.2.2 255.255.255.0
!
interface vlan 9
name Extra
ip address 192.168.9.1 255.255.255.0
!
interface vlan 10
name "Pub POE"
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet1/0/5
speed 100
no negotiation
!
interface GigabitEthernet1/0/6
speed 100
no negotiation
!
interface GigabitEthernet1/0/7
speed 100
no negotiation
!
interface GigabitEthernet1/0/12
switchport trunk native vlan none
!
interface GigabitEthernet1/0/14
spanning-tree link-type point-to-point
switchport mode trunk
switchport trunk allowed vlan remove 2-4094
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/16
spanning-tree link-type point-to-point
switchport mode trunk
switchport trunk allowed vlan remove 2-4094
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface GigabitEthernet1/0/19
speed 100
no negotiation
!
interface GigabitEthernet1/0/22
channel-group 23 mode auto
switchport protected-port
!
interface GigabitEthernet1/0/23
channel-group 23 mode auto
switchport general allowed vlan add 1 tagged
switchport protected-port
switchport trunk allowed vlan remove 2-4094
!
interface GigabitEthernet1/0/24
spanning-tree link-type point-to-point
switchport mode trunk
macro description switch
!next command is internal.
macro auto smartport dynamic_type switch
!
interface TengigabitEthernet1/0/2
description "Trunk to BSW2"
switchport mode trunk
switchport access vlan none
switchport trunk native vlan none
switchport trunk allowed vlan remove 3-8,11-4094
macro description no_switch
no macro auto smartport
!
interface Port-Channel23
description S1
switchport general allowed vlan add 1 tagged
switchport trunk native vlan none
!
exit
macro auto enabled
macro auto processing type ip_phone disabled
macro auto processing type router enabled
arp 192.168.1.160 98:f2:b3:ed:97:35 vlan1
ip route 192.168.1.0 /24 192.168.1.3

Hi, 

There is no route defined for the LAN subnets in the firewall.

Add the following commands on the firewall:

 

route inside 192.168.1.0 255.255.255.0 192.168.2.2

route inside 192.168.9.0 255.255.255.0 192.168.2.2

 

Why have you configured the same subnet on different devices, the firewall and the router?

interface GigabitEthernet0/0/1.10
encapsulation dot1Q 10
ip address 192.168.10.3 255.255.255.0

 

The same subnet is configured on the Public interface of the ASA.

 

 

Regards,

Deepak Kumar

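The ASA side of this reply, written out as an added example by the editor (not posted in the thread). Every address comes from the configurations posted above; 8.8.8.8 is an arbitrary Internet destination used only for the packet-tracer check. The posted ASA config also carries `ip verify reverse-path interface inside`, which is why the missing routes break more than the return path: unicast RPF rejects a packet arriving on inside whose source address is not routed back through inside, so with only the default route present, traffic from 192.168.1.0/24 is dropped on arrival at 192.168.2.1.

```cisco
! Added example (editor's, not from the thread). Applied on ciscoasa.
!
! 1. Return routes. The ASA only knows 192.168.2.0/24 (connected) and the
!    default route towards 96.84.234.182, so replies to 192.168.1.x and
!    192.168.9.x would leave via 'outside', and 'ip verify reverse-path
!    interface inside' drops the inbound packets from those sources first.
route inside 192.168.1.0 255.255.255.0 192.168.2.2
route inside 192.168.9.0 255.255.255.0 192.168.2.2
!
! 2. VLAN 10 must reach the Internet too, but 192.168.10.0/24 is still
!    configured on the (shutdown) Public interface. Clear that overlap with
!    the router's Gi0/0/1.10 before pointing the subnet at the router.
interface GigabitEthernet1/3
 no ip address
!
route inside 192.168.10.0 255.255.255.0 192.168.2.2
!
! 3. Verify. 'show route' should list the three static routes via inside,
!    and a simulated echo request from the BSW1 SVI address should pass the
!    RPF, NAT and route lookups instead of being dropped as rpf-violated.
show route
packet-tracer input inside icmp 192.168.1.149 8 0 8.8.8.8 detailed
show asp drop
```

If `packet-tracer` still reports a drop, the `show asp drop` counters name the stage (for example an RPF or NAT failure), which separates a firewall problem from a routing one faster than pinging through the path.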

The Public interface port, I was tinkering with testing some other stuff but I have left it disabled on the ASA. The ip route command worked except for 1 last thing, which I am thinking is going to be on the firewall side. Devices can ping from the switch all the way to 192.168.2.2 on the router interface but they can't ping 192.168.2.1 on the firewall. I am thinking this may be a firewall issue now more than routing. The firewall can ping 192.168.1.3 on the router but it can't ping devices on the switch.

I got it working. After I added the routes you recommended, traffic still couldn't flow. I had forgotten to change one last thing on our DHCP server for where it points the clients to the router. Now I have connectivity and I am working on the last little bit of my ACL listing. I am making it so that VLANs 9 and 10 can communicate with each other, while VLAN 1 is by itself and can access only specific IPs on the other 2 VLANs.

 

I appreciate all the help you have given me.