IP Scheme Changeover

Posted on 2010-04-09
Last Modified: 2012-05-09
I am putting together a plan to change the IP scheme of the internal LAN from a 192.168.1.x (255.255.255.0) to a 10.x.x.x (255.0.0.0). I am trying to lay out the plan of action and also have to account for some remote locations. Our current topology is:

Corporate Headquarters:
192.168.1.x (255.255.255.0)
We have a Cisco ASA 5510 (192.168.1.1) with a VLAN of 192.168.2.1 which routes to a provider-managed CheckPoint firewall. This CheckPoint device creates a site-to-site VPN to a remote network for business applications.

Remote sites: Each remote site is currently managed by an outside vendor, but we are taking these sites back into our corporate network. I am planning on putting a Cisco ASA 5505 in each location.

My plan of action is:

Change the IP of the router (10.0.1.1 - 255.0.0.0) and the DC (10.0.1.11 - 255.0.0.0)
Set the new scope for the internal LAN (10.0.1.100 - 10.0.10.255 - 255.0.0.0)
Change static devices (servers, printers, routers, switches, etc.)
Change the internal routes on the Cisco 5510 (mail, ftp, etc)
Boot up the DHCP devices (PC's, MAC's, etc)
Ensure that everything is running on the local LAN and the WAN connections are fine.

For the remote locations (6):
I am planning on giving each of them 10.0.11.x - 255.0.0.0 and then moving to 10.0.12.x, etc.
I would set the ASA in each location to 10.0.11.1, 10.0.12.1, etc. with subnet masks of 255.0.0.0. All of the PCs are static so that's fine.
The ASA at each remote location would create a site-to-site vpn back to the corporate LAN.

What am I missing?
Question by:michaelgoldsmith
Expert Comment

by:Pro4ia
Do your remote sites have any domain controllers?
Author Comment

by:michaelgoldsmith
No. The remote sites all consist of 3-5 PCs (all static IP), an MQ server, a router (which are all being replaced by the 5510s), and a wireless hot-spot.
Expert Comment

by:Pro4ia
You seem to have most if not all of it down. Just don't forget DNS; I didn't see it mentioned anywhere.
If you have any static internal DNS records, make sure to update them. Also, you may need to recreate your reverse DNS zone.
Accepted Solution

by:gavving
The class A subnet mask 255.0.0.0 will not work for what you want to do. You won't be able to use 10.0.1.0 / 255.0.0.0 at the main site and 10.0.11.0 / 255.0.0.0 at the remote site. Those are on the same network because the subnet mask is 255.0.0.0, so traffic will not route correctly through a VPN.

I would recommend you do something like:

corporate site: 10.0.0.0 - 10.0.15.0 / mask of 255.255.240.0

Remote site: 10.0.16.0 / 255.255.255.0, 10.0.17.0 / 255.255.255.0 and so on.

The 255.255.240.0 subnet mask at the corporate site allows you to use any of the first 16 class C's in the 10.0.0.0 range.  

FYI, as an aside, I would consider not using 10.0.0.0 at all, starting at 10.5.0.0 through 10.5.15.0 instead. That way, if you have to establish site-to-site tunnels later with other companies, you're less likely to have a duplicate IP range and have to jump through a lot of hoops to get the VPN connected.
Author Comment

by:michaelgoldsmith
Right. I am with you, gavving, on your suggestion. If I want to keep everything simple I can go with:

Main Location: 10.0.0.0 - 10.0.15.0 (255.255.240.0)
Remote Location 1: 10.0.16.0 - 10.0.31.0 (255.255.240.0)
Remote Location 2: 10.0.32.0 - 10.0.47.0 (255.255.240.0)
...
Remote Location 6: 10.0.96.0 - 10.0.111.0 (255.255.240.0)

I don't see any reason why this won't work since it gives me 9,000 + subnets with 9,000 + nodes per subnet.

Can you explain the vpn scenario? We do have 2 VPN connections to remote sites. One currently runs on the DMZ (192.168.2.0) and the other is a site-to-site.
Expert Comment

by:gavving
Yes, using a 255.255.240.0 subnet for each location will work fine as well.

As for the VPN connection: if you connect to another network that's using the same IP block, like 10.0.0.0, then your VPN tunnel to them will have problems. It can be solved with NAT configuration in the tunnel, but it complicates matters. It may not apply to you or your company; it just depends on how interconnected with other vendors or companies you have to be. If quite a bit, then I would try to use an IP block that is less likely to be used by someone else, i.e. start at 10.5.x.x or something like that. If you don't feel like you're going to have this need, then using 10.0.x.x and starting from there will work.

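As an added example (not part of the original thread, and not the poster's or Cisco's configuration), the two checks behind gavving's points above, using only Python's standard ipaddress module: first, that the original 255.0.0.0 plan collapses every site into one 10.0.0.0/8 network, so a remote host treats 10.0.1.11 as local and never sends it to the ASA; second, that carving one /20 per site out of a base block (the 10.0.0.0/16 base, the site names and the partner VPN ranges are assumed sample values constructed here) gives disjoint prefixes, and how to spot a collision with a partner's range before building a tunnel.

```python
import ipaddress
from itertools import combinations

# Constructed input: the addressing plan from the question, with the
# 255.0.0.0 mask at every site.  Site names are assumed for illustration.
ORIGINAL_PLAN = {
    "corporate": ("10.0.1.0", "255.0.0.0"),
    "remote1": ("10.0.11.0", "255.0.0.0"),
    "remote2": ("10.0.12.0", "255.0.0.0"),
}

# Assumed site list for the /20-per-site plan (HQ plus six remote sites).
SITES = ["corporate"] + [f"remote{i}" for i in range(1, 7)]


def site_networks(plan):
    """Map {site: (address, dotted mask)} to {site: IPv4Network}.

    strict=False normalises host addresses such as 10.0.11.0/255.0.0.0 to
    the network they actually sit in (10.0.0.0/8), which is the point.
    """
    return {
        site: ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for site, (addr, mask) in plan.items()
    }


def overlapping_sites(networks):
    """Sorted list of (site_a, site_b) pairs whose prefixes overlap.

    Two ends of a site-to-site tunnel must have disjoint prefixes or the
    crypto map / interesting-traffic ACL cannot select the right packets.
    """
    return sorted(
        (a, b)
        for a, b in combinations(sorted(networks), 2)
        if networks[a].overlaps(networks[b])
    )


def sent_to_gateway(site_network, destination):
    """True if a host on site_network forwards destination to its default
    gateway (and therefore the VPN); False if it tries to ARP for it locally."""
    return ipaddress.ip_address(destination) not in site_network


def carve_sites(base, prefixlen, names):
    """Allocate one /prefixlen block per site, in order, out of base."""
    subnets = ipaddress.ip_network(base).subnets(new_prefix=prefixlen)
    return {name: next(subnets) for name in names}


def vpn_conflicts(local_networks, partner_range):
    """Sorted names of local sites whose prefix collides with a partner's
    range; any hit would force NAT inside the tunnel."""
    partner = ipaddress.ip_network(partner_range)
    return sorted(
        site for site, net in local_networks.items() if net.overlaps(partner)
    )


if __name__ == "__main__":
    original = site_networks(ORIGINAL_PLAN)
    print("original plan:", {s: str(n) for s, n in original.items()})
    print("overlapping pairs:", overlapping_sites(original))
    print("remote1 host sends 10.0.1.11 to gateway?",
          sent_to_gateway(original["remote1"], "10.0.1.11"))

    plan = carve_sites("10.0.0.0/16", 20, SITES)
    print("/20 plan:", {s: str(n) for s, n in plan.items()})
    print("overlapping pairs:", overlapping_sites(plan))
    print("remote1 host sends 10.0.1.11 to gateway?",
          sent_to_gateway(plan["remote1"], "10.0.1.11"))

    # Constructed partner ranges: one that collides, one that does not.
    print("conflicts with partner 10.0.0.0/16:", vpn_conflicts(plan, "10.0.0.0/16"))
    print("conflicts with partner 10.5.0.0/20:", vpn_conflicts(plan, "10.5.0.0/20"))
```

The /20 carve-out reproduces the author's final table exactly (corporate 10.0.0.0/20, remote 1 at 10.0.16.0/20, remote 6 at 10.0.96.0/20), and swapping the base for 10.5.0.0/16 gives the less collision-prone layout gavving suggests without changing anything else.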