Solved

Changing my gateway IP address at a DR location to match my office gateway address

Posted on 2013-06-06
2
273 Views
Last Modified: 2013-06-10
Hello,

I have a question about routed traffic across a site to site VPN between 2 Cisco ASA 5510's. We have our office side and our DR side and the question is could I have an IP conflict of gateway IP address' if I make changes on my DR side's ASA. Below is a description of our set up.

We rent a cabinet offsite for DR purposes. We have a Cisco ASA 5510 at this DR site, 5510 at the main site too, and a site to site VPN set up between them. The subnet at the DR site is the same as our server subnet (to make life easy if we need to bring up servers for an emergency) but the gateway address is different at DR than the main site. When sending any traffic between sites, we have to reach over certain subnets created in the site to site VPN and they are routable between.

So from the office to get to DR site's 10 subnet (server subnet), the site to site VPN translates: 192.168.10.0/24 to 192.168.53.0/24

From DR to the office, it translates 192.168.10.0/24 to 192.168.52.0/24.

So if you're at DR and you need to see something back at the office, you reach out to 192.168.52.1 for a server for example. From the office to get to one of our VM hosts' that are storing shut down servers at DR, 192.168.53.25. This all routes fine and it's working for us.

What I'd like to do, and I believe I should be ok to change it since all traffic between sites has to translate to those other subnets is change that 192.168.10.8 gateway address at DR (inside interface IP on my DR ASA) to 192.168.10.10 like the gateway address I have at the office. Several reasons I'd want to do so but since I'm already a pretty wordy typer, I won't bore with more details. Let's just say it will make it a heck of a lot easier in case of an emergency but I don't want to shut one site down or the other if making this change is a bad thing.

Does someone have experience with this and would I be ok?

Thanks for any assistance,

Brett
0
Comment
Question by:discmakers
2 Comments
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
Comment Utility
yes, there is no problem with this.  you are already doing the proper policy NAT between the two sites so each site's hosts are none-the-wiser about the gateways being the same.  As for the ASA's, there is no problem there either as they wouldn't be aware the other is using the IP address on their inside interface.

I see no reason to not do what you want to do.  But as usual, be careful when you do this.  There could be things you're not aware of (sounds like you have everything covered; but always good to be prudent when making big changes like this) and cause lots of issues.  So I would make sure you have access to the ASA at all times so be sure to be able to reach it from the external interface if necessary or a console/aux port some how.  This way if you make the change and you start seeing issues then you can change it back.

and if you can't be local and  you have hosts with static configurations I would change a single host to the new gateway first, then change the asa.  The reason is that after the change the current hosts won't be able to get back out since their gateway doesn't exist anymore.  At least then you can get into the one host you changed the gateway on and then RDP or whatever to the other hosts to fix them afterward.  And I say just do one because if you have to revert it'd suck to do all the gateway changes only to switch them back again; granted you can pry create a psexec script that does it all for you as well.
0
 

Author Comment

by:discmakers
Comment Utility
Hello Cyclops3590,
I tested this yesterday morning and it all worked without an issue. It's not in "production" yet as I do need to get on site to change the gateways (as you mentioned) on the local servers there but am planning to do so tomorrow.

Thanks for your help,
Brett
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

Suggested Solutions

As companies replace their old PBX phone systems with Unified IP Communications, many are finding out that legacy applications such as fax do not work well with VoIP. Fortunately, Cloud Faxing provides a cost-effective alternative that works over an…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
In this Micro Tutorial viewers will learn how to restore single file or folder from Bare Metal backup image of their system. Tutorial shows how to restore files and folders from system backup. Often it is not needed to restore entire system when onl…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now