our default gateway is 192.168.120.248 which is the inside interface of our cisco pix 515e firewall. (We don't use a router)

it's configured to use a site to site vpn with an asa5520 which has clients on the 10.1.1.0/24 subnet

OK so is it just the switch that can't talk over the VPN?

Can you PING from a host on the 192.168.120.X network to 10.1.1.20?

yes.

I also have a layer 3 switch which had the same issue so I did:

ip route 10.1.1.22 255.255.255.0 192.168.120.248

But I guess this is a quick fix for that switch rather than a solution!

Does your 2960 not support the 'ip route' command?

no, as I understand it this only works on layer switches.

there isn't an ip route command.

I wonder why it could ping 10.1.1.22 before I did:

interface Vlan1
 ip address 192.168.120.240 255.255.192.0

Hello

"I wonder why it could ping 10.1.1.22 before I did:"

That's what we are trying to establish for you,

Can you post the run ning config of this access switch and the core highlighting the physical interfaces they are connected with.

res

Paul 

I think it depends on the IOS version running on your 2960:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swipstatrout.html

Like Paul said if you can post your running config?

Also I have noticed on various different ports spanning tree is set to either point to point or rapid pvst. Not sure if this is correct?

At the moment this network is one big single point of failure something I would like to sort out!

I'm no STP expert but globally you have:

nmysw03
spanning-tree mode rapid-pvst

nmySW04
spanning-tree mode pvst

nmysw05
spanning-tree mode pvst

"spanning-tree link-type point-to-point Recommended for rapid-PVST+ mode only"

"The rapid PVST+ is available only if you have the EI installed on your switch."

Have a look at:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2950/software/release/12-1_14_ea1/configuration/guide/2950scg/swstp.html

Firewall - nmypix01:

Cisco PIX Security Appliance Software Version 8.0(4)
Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz

interface Ethernet1
 description Internal Network (192.168.113.0/18)
 speed 100
 duplex full
 nameif inside
 security-level 90
 ip address 192.168.120.248 255.255.192.0 standby 192.168.120.249
!
interface Ethernet1.1
 vlan 20
 nameif guest
 security-level 80
 ip address 192.168.1.248 255.255.255.0 standby 192.168.1.249
 
access-list inside-vpn extended permit ip 192.168.113.0 255.255.192.0 10.1.1.0 255.255.255.0 
access-list site-to-site extended permit ip 192.168.113.0 255.255.192.0 10.1.1.0 255.255.255.0
access-list split-tunnel standard permit 10.1.1.0 255.255.255.0

ethernet1 connects to nmysw03 fa0/15

WS-C2950T-24
Version 12.1(22)EA6
nmysw03#sh run
Building configuration...

Current configuration : 4379 bytes
!
! Last configuration change at 16:42:09 GMT Thu May 29 2014
! NVRAM config last updated at 15:20:07 GMT Thu May 29 2014
!
version 12.1
no service pad
service timestamps debug uptime
service timestamps log datetime
service password-encryption
service sequence-numbers
!
hostname nmysw03
!
!
clock timezone GMT 0
clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00
errdisable recovery cause bpduguard
errdisable recovery cause link-flap
errdisable recovery interval 400
mls qos map cos-dscp 0 8 16 26 32 46 46 56
ip subnet-zero
!
udld aggressive
!
!
spanning-tree mode rapid-pvst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
!
macro global description cisco-global
!
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/15
 description nmypix01 - eth1
 switchport trunk allowed vlan 1-4,20
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
!
interface FastEthernet0/16
 description nmypix02 - eth1
 switchport trunk allowed vlan 1-4,20
 switchport mode trunk
 switchport nonegotiate
 speed 100
 duplex full
!
interface GigabitEthernet0/2
 description Netgear GS748T
 switchport trunk allowed vlan 1,20
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 flowcontrol receive desired
!
interface Vlan1
 ip address 192.168.120.245 255.255.192.0
 no ip route-cache
!
interface Vlan20
 no ip address
 no ip route-cache
!
ip default-gateway 192.168.120.248

line con 0
 exec-timeout 0 0
line vty 0 4
 exec-timeout 30 0
 password 7 
 login
line vty 5 15
 password 7 
 login
!
end

I've just spotted on nmysw04 it didn't have a default gateway set!

It can ping the 10.1.1.xxx subnet now!

The layer 3 switch nmysw05 did have this set however but wouldn't ping until I did the ip route command. I'll pasted config in a sec.

nmysw05#sh run
Building configuration...

Current configuration : 5952 bytes
!
! Last configuration change at 13:34:29 UTC Mon Jun 2 2014
!
version 15.0
hostname nmysw05
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-vrf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
switch 1 provision ws-c3650-24ps
ip routing
!
ip device tracking
!
ip dhcp pool guest_wifi
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.248
 dns-server 8.8.8.8 8.8.4.4
!
no errdisable detect cause gbic-invalid
errdisable recovery cause bpduguard
errdisable recovery cause link-flap
errdisable recovery interval 400
diagnostic bootup level minimal
spanning-tree mode pvst
spanning-tree extend system-id
!
redundancy
 mode sso
!
!
!
class-map match-any non-client-nrt-class
  match non-client-nrt
!
policy-map port_child_policy
 class non-client-nrt-class
    bandwidth remaining ratio 10
!

macro global description cisco-global
!
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 no ip address
 shutdown
 negotiation auto
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/24
 description trunk to nmysw02
 switchport trunk allowed vlan 1,20
 switchport mode trunk
 spanning-tree link-type point-to-point
!
interface Vlan1
 ip address 192.168.120.237 255.255.192.0
 no ip route-cache cef
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
!
ip default-gateway 192.168.120.248
ip http server
ip http authentication local
ip http secure-server
ip route 10.1.1.0 255.255.255.0 192.168.120.248
!
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!UKTD-SW-ITS-02#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
UKTD-SW-ITS-02(config)#no ip route 10.1.1.0 255.255.255.0 192.168.120.248
UKTD-SW-ITS-02(config)#end
UKTD-SW-ITS-02#ping 10.1.1.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.22, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
UKTD-SW-ITS-02#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
UKTD-SW-ITS-02(config)#ip route 10.1.1.0 255.255.255.0 192.168.120.248
UKTD-SW-ITS-02(config)#end
UKTD-SW-ITS-02#ping 10.1.1.22
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.22, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/6/10 ms

So our layer 3 switch can only ping 10.1.1.xxx once the ip route has been set even though default gateway has been configured.