IP Scheme Changeover

I am putting together a plan to change the IP scheme of the internal LAN from a 192.168.1.x (255.255.255.0) to a 10.x.x.x (255.0.0.0). I am trying to lay out the plan of action and also have to account for some remote locations. Our current topology is:

Corporate Headquarters:
192.168.1.x (255.255.255.0)
We have a Cisco ASA 5510 (192.68.1.1) with a VLAN of 192.168.2.1 which routes to a provider-managed CheckPoint firewall. This CheckPoint device creates a site-to-site VPN to a remote network for business applications.

Remote sites: Each remote site is currently managed by an outside vendor, but we are taking these sites back into our corporate network. I am planning on putting a Cisco ASA 5505 in each location.

My plan of action is:

Change the IP of the router (10.0.1.1 - 255.0.0.0) and the DC (10.0.1.11 - 255.0.0.0)
Set the new scope for the internal LAN (10.0.1.100 - 10.0.10.255 - 255.0.0.0)
Change static devices (servers, printers, routers, switches, etc.)
Change the internal routes on the Cisco 5510 (mail, ftp, etc.)
Boot up the DHCP devices (PCs, Macs, etc.)
Ensure that everything is running on the local LAN and the WAN connections are fine.

For the remote locations (6):
I am planning on giving each of them 10.0.11.x - 255.0.0.0 and then moving to 10.0.12.x, etc.
I would set the ASA in each location to 10.0.11.1, 10.0.12.1, etc. with subnet masks of 255.0.0.0. All of the PCs are static so that's fine.
The ASA at each remote location would create a site-to-site VPN back to the corporate LAN.

What am I missing?
michaelgoldsmith Asked:

Pro4ia Commented:
Do your remote sites have any domain controllers?
0
michaelgoldsmith Author Commented:
No. The remote sites all consist of 3-5 PCs (all static IP), an MQ server, a router (which are all being replaced by the 5510s), and a wireless hot-spot.
0
Pro4ia Commented:
You seem to have most if not all down. Just don't forget DNS. I didn't see it mentioned anywhere.
If you have any static internal DNS records, make sure to update them. Also, you may need to recreate your reverse DNS zone.
0
gavving Commented:
The class A subnet mask 255.0.0.0 will not work for what you want to do. You won't be able to use 10.0.1.0 / 255.0.0.0 at the main site, and 10.0.11.0 / 255.0.0.0 at the remote site. Those are on the same network due to the subnet mask being 255.0.0.0, so traffic will not route correctly through a VPN.

I would recommend you do something like:

corporate site: 10.0.0.0 - 10.0.15.0 / mask of 255.255.240.0

Remote site: 10.0.16.0 / 255.255.255.0, 10.0.17.0 / 255.255.255.0 and so on.

The 255.255.240.0 subnet mask at the corporate site allows you to use any of the first 16 class C's in the 10.0.0.0 range.

FYI, as an aside, I would consider not using 10.0.0.0 at all, starting at 10.5.0.0 thru 10.5.15.0 instead. That way, if you have to establish site-to-site tunnels later with other companies, you're less likely to have a duplicate IP range and have to jump through a lot of hoops to get the VPN connected.
0

michaelgoldsmith Author Commented:
Right. I am with you 'gavving' on your suggestion. If I want to keep everything simple I can go with:

Main Location: 10.0.0.0 - 10.0.15.0 (255.255.240.0)
Remote Location 1: 10.0.16.0 - 10.0.31.0 (255.255.240.0)
Remote Location 2: 10.0.32.0 - 10.0.47.0 (255.255.240.0)
...
Remote Location 6: 10.0.96.0 - 10.0.111.0 (255.255.240.0)

I don't see any reason why this won't work since it gives me 9,000 + subnets with 9,000 + nodes per subnet.

Can you explain the VPN scenario? We do have 2 VPN connections to remote sites. One currently runs on the DMZ (192.168.2.0) and the other is a site-to-site.
0
gavving Commented:
Yes, using a 255.255.240.0 subnet for each location will work fine as well.

As for VPN connection, if you connect to another network that's using the same IP block like 10.0.0.0, then your VPN tunnel to them will have problems. It can be solved with NAT configuration in the tunnel, but it complicates matters. It may not apply to you or your company; it just depends on how interconnected with other vendors or companies you have to be. If quite a bit, then I would try to use an IP block that is less likely to be used by someone else, i.e. start at 10.5.x.x or something like that. If you don't feel like you're going to have this need, then using 10.0.x.x and starting from there will work.

0
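The overlap problem raised in this thread, and the per-site 255.255.240.0 layout that follows from it, can be checked before any device is renumbered. The Python below is an added example, not part of the original thread; the site names and the partner range 10.0.0.0/16 are constructed for illustration.

```python
import ipaddress
from itertools import combinations

def site_networks(plan):
    """Map site name -> ip_network. strict=False lets a host address such as
    10.0.1.1 stand in for the network it belongs to."""
    return {name: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            for name, (addr, mask) in plan.items()}

def overlapping_sites(plan):
    """Pairs of sites whose ranges overlap; a site-to-site VPN cannot route
    between two sites that believe they share one network."""
    nets = site_networks(plan)
    return sorted((a, b) for a, b in combinations(nets, 2)
                  if nets[a].overlaps(nets[b]))

def per_site_blocks(first, mask, remote_count):
    """Consecutive equal-sized blocks: hq first, then remote1..remoteN."""
    base = ipaddress.ip_network(f"{first}/{mask}")
    plan = {}
    for i in range(remote_count + 1):
        name = "hq" if i == 0 else f"remote{i}"
        plan[name] = (str(base.network_address + i * base.num_addresses), mask)
    return plan

def collides_with(plan, external_cidr):
    """Sites whose range overlaps an external (partner) network."""
    ext = ipaddress.ip_network(external_cidr)
    return sorted(name for name, net in site_networks(plan).items()
                  if net.overlaps(ext))

# Original plan from the question: every site on 255.0.0.0.
ORIGINAL = {
    "hq": ("10.0.1.1", "255.0.0.0"),
    "remote1": ("10.0.11.1", "255.0.0.0"),
    "remote2": ("10.0.12.1", "255.0.0.0"),
}
# Recommended in the thread: corporate on 255.255.240.0, remotes on 255.255.255.0.
RECOMMENDED = {
    "hq": ("10.0.0.0", "255.255.240.0"),
    "remote1": ("10.0.16.0", "255.255.255.0"),
    "remote2": ("10.0.17.0", "255.255.255.0"),
}
PARTNER = "10.0.0.0/16"  # constructed partner range, not from the thread

if __name__ == "__main__":
    print("original overlaps:   ", overlapping_sites(ORIGINAL))
    print("recommended overlaps:", overlapping_sites(RECOMMENDED))
    for start in ("10.0.0.0", "10.5.0.0"):
        plan = per_site_blocks(start, "255.255.240.0", 6)
        print(start, "collides with partner at:", collides_with(plan, PARTNER))
```
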