Well the NATn is set for the entire block /24 and its working fine for anything on vlan 100 the other part is that the router on 192.168.1.1 uplinks to another site and everything on vlan 100 can see the other site and vice versa but vlan 200 is dark beyond that router or beyond the asa (though I can ping the inside interfaces of both from vlan 200)

Is vlan 100 192.168.1.0/24?

What is the IP space for vlan 200?

The jpg attached should clear up some of the things I'm referrencing, but to answer that question,

vlan 100 is 192.168.1.0/27

vlan 200 is 192.168.1.32/27

The reason Im not looking at NAT statements is due to the fact that the NATs happen on the ASA 192.168.1.3 for network 0/0- and what Im seeing is traffic destined for 192.168.0.0 network should go to the uplink on router 192.168.1.1 and they arent, at this point there is no NATTING as its a remote site connection and they are on IP 192.168.0.0/16.

however everything on vlan 100 goes to any destination on 192.168.0.0/16 - again with no NATs as they are all internal real IPs.

Ok, the drawing wasn't correct earlier. I think that helps.

You are trying to get client 4 to pass traffic through the router at 192.168.1.1, correct?

If so, on the router that has 192.168.1.1/27, you will need to make some modifications.

You will need to re-do interface g0/0 and set up subinterfaces for each vlan.

interface gig0/0.100 and gig0/0.200. 0/0.100 will have the same IP information as the current interface. 0/0.200 will need to have the GW address for vlan 200.

You will also have to configure the link between that router and the switch as a trunk and permit vlans 100 and 200. It looks like the current link between the 2 is an access port on vlan 100.

Sorry about the picture earlier I had a line highlighted when I went to save.

Well I'm trying to do avoid doing sub ints, plus looking at two things.

The vlans are all defined on the core switch which is doing L3 and the network 170.10.10.x/24 is set up in similar way and all things are working there with no sub interfaces set up.  On this network vlan 10 and 20 work with no problems.

Plus on the 192.168.1.0 network I can go from say 192.168.1.35 with GW of 192.168.1.33 and ping 192.168.1.1 and 192.168.1.5, and 192.168.1.10 with no problems I can get to all other vlans that all exist on the switch, long as I make routing statements such as

192.168.1.32/27 192.168.1.5 - which in this case is vlan 100 IP of the switch.

Its basically same way the 170.10.10.x network is set up, which avoids doing hairpinning.

Can you provide a specific example of a host that 192.168.1.35 cannot access?

Robert, as I've not said it, thanks for your time looking at this, I appreciate the help.

Client 4 can not reach host 192.168.2.1 to reach that host it should take route via g0/1 50.50.50.50

Client 3 can reach host 192.168.2.1 and does so by going over 50.50.50.50 and following the ip route statement on that router 192.168.0.0/16 - 50.50.50.50

Now if  you look at client 1 or 2 they can both reach clients on 170.10.11.0/24 network which go over an MPLS map on that router.

To get to the internet anything would be required to go through the asa which I marked at 8.8.8.8 the outside interface.  I'm frankly ok with cutting off internet in certain vlans but I'm stumped why it wont route the traffic to 192.168.2.1 for example.

Interesting point.

Couple of questions,

How come we're able to move traffic from 192.168.1.10 to 192.168.2.1?  is that taking a different route?

I was curious if the traffic was been sent to the router on 170.10.10.2 - but the vlan 100 traffic isnt been sent there.

Last question.

There is a route on the L3 switch 192.168.1.0 via 192.168.1.1 are  you saying I should than add routes for the remote sites as well meaning 192.168.2.1 |192 168.3.1 etc all via 192.168.1.1

I guess Im trying to figure out how to make vlan 200 have the same results as vlan 100 - that is it routes 192.168.0.0/16 traffic and internet traffic both bypassing 170.10.0.2 router.

Thanks for your help its appreciated.

I'm also considering doing internal routemap for the subnet on the inside interface of the 192.168.1.1 router.

>How come we're able to move traffic from 192.168.1.10 to 192.168.2.1?  is that taking a different route?

For 192.168.1.0, the gateway is on the router, not the L3 switch. Since the router knows where to go, the traffic gets to the destination.

>are  you saying I should than add routes for the remote sites as well meaning 192.168.2.1 |192 168.3.1 etc all via 192.168.1

That's one way to do it. Or you could summarize the remote networks for the static route depending on what they are. But, I think subinterfaces on that router would be cleaner than maintaining static routes on the L3 switch. 

.

Thanks Robert,

You're correct the static routes will work.

Im going to try to test your other suggestions in a lab.  Have to create one over the weekend.

Appreciate the help.

Thanks again Robert once you figured out for me where the problem was I went ahead and added a simple route map to the SVI on the L3 switch, that matches the routing on the 192.168.1.1 router.  Now traffic moves exactly as I want it, and better yet I have more control over certain VLANs not having internet access.

Your help was much appreciated.