Solved

Changing my gateway IP address at a DR location to match my office gateway address

Posted on 2013-06-06
2
283 Views
Last Modified: 2013-06-10
Hello,

I have a question about routed traffic across a site to site VPN between 2 Cisco ASA 5510's. We have our office side and our DR side and the question is could I have an IP conflict of gateway IP address' if I make changes on my DR side's ASA. Below is a description of our set up.

We rent a cabinet offsite for DR purposes. We have a Cisco ASA 5510 at this DR site, 5510 at the main site too, and a site to site VPN set up between them. The subnet at the DR site is the same as our server subnet (to make life easy if we need to bring up servers for an emergency) but the gateway address is different at DR than the main site. When sending any traffic between sites, we have to reach over certain subnets created in the site to site VPN and they are routable between.

So from the office to get to DR site's 10 subnet (server subnet), the site to site VPN translates: 192.168.10.0/24 to 192.168.53.0/24

From DR to the office, it translates 192.168.10.0/24 to 192.168.52.0/24.

So if you're at DR and you need to see something back at the office, you reach out to 192.168.52.1 for a server for example. From the office to get to one of our VM hosts' that are storing shut down servers at DR, 192.168.53.25. This all routes fine and it's working for us.

What I'd like to do, and I believe I should be ok to change it since all traffic between sites has to translate to those other subnets is change that 192.168.10.8 gateway address at DR (inside interface IP on my DR ASA) to 192.168.10.10 like the gateway address I have at the office. Several reasons I'd want to do so but since I'm already a pretty wordy typer, I won't bore with more details. Let's just say it will make it a heck of a lot easier in case of an emergency but I don't want to shut one site down or the other if making this change is a bad thing.

Does someone have experience with this and would I be ok?

Thanks for any assistance,

Brett
0
Comment
Question by:discmakers
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39226737
yes, there is no problem with this.  you are already doing the proper policy NAT between the two sites so each site's hosts are none-the-wiser about the gateways being the same.  As for the ASA's, there is no problem there either as they wouldn't be aware the other is using the IP address on their inside interface.

I see no reason to not do what you want to do.  But as usual, be careful when you do this.  There could be things you're not aware of (sounds like you have everything covered; but always good to be prudent when making big changes like this) and cause lots of issues.  So I would make sure you have access to the ASA at all times so be sure to be able to reach it from the external interface if necessary or a console/aux port some how.  This way if you make the change and you start seeing issues then you can change it back.

and if you can't be local and  you have hosts with static configurations I would change a single host to the new gateway first, then change the asa.  The reason is that after the change the current hosts won't be able to get back out since their gateway doesn't exist anymore.  At least then you can get into the one host you changed the gateway on and then RDP or whatever to the other hosts to fix them afterward.  And I say just do one because if you have to revert it'd suck to do all the gateway changes only to switch them back again; granted you can pry create a psexec script that does it all for you as well.
0
 

Author Comment

by:discmakers
ID: 39235311
Hello Cyclops3590,
I tested this yesterday morning and it all worked without an issue. It's not in "production" yet as I do need to get on site to change the gateways (as you mentioned) on the local servers there but am planning to do so tomorrow.

Thanks for your help,
Brett
0

Featured Post

Connect further...control easier

With the ATEN CE624, you can now enjoy a high-quality visual experience powered by HDBaseT technology and the convenience of a single Cat6 cable to transmit uncompressed video with zero latency and multi-streaming for dual-view applications where remote access is required.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question