Solved

Changing my gateway IP address at a DR location to match my office gateway address

Posted on 2013-06-06
Last Modified: 2013-06-10
Hello,

I have a question about routed traffic across a site to site VPN between 2 Cisco ASA 5510s. We have our office side and our DR side and the question is could I have an IP conflict of gateway IP addresses if I make changes on my DR side's ASA. Below is a description of our setup.

We rent a cabinet offsite for DR purposes. We have a Cisco ASA 5510 at this DR site, 5510 at the main site too, and a site to site VPN set up between them. The subnet at the DR site is the same as our server subnet (to make life easy if we need to bring up servers for an emergency) but the gateway address is different at DR than the main site. When sending any traffic between sites, we have to reach over certain subnets created in the site to site VPN and they are routable between.

So from the office to get to DR site's 10 subnet (server subnet), the site to site VPN translates: 192.168.10.0/24 to 192.168.53.0/24

From DR to the office, it translates 192.168.10.0/24 to 192.168.52.0/24.

So if you're at DR and you need to see something back at the office, you reach out to 192.168.52.1 for a server for example. From the office to get to one of our VM hosts that are storing shut down servers at DR, 192.168.53.25. This all routes fine and it's working for us.

What I'd like to do, and I believe I should be ok to change it since all traffic between sites has to translate to those other subnets is change that 192.168.10.8 gateway address at DR (inside interface IP on my DR ASA) to 192.168.10.10 like the gateway address I have at the office. Several reasons I'd want to do so but since I'm already a pretty wordy typer, I won't bore with more details. Let's just say it will make it a heck of a lot easier in case of an emergency but I don't want to shut one site down or the other if making this change is a bad thing.

Does someone have experience with this and would I be ok?

Thanks for any assistance,

Brett
Question by:discmakers
Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39226737
Yes, there is no problem with this. You are already doing the proper policy NAT between the two sites so each site's hosts are none the wiser about the gateways being the same. As for the ASAs, there is no problem there either as they wouldn't be aware the other is using the IP address on their inside interface.

I see no reason to not do what you want to do. But as usual, be careful when you do this. There could be things you're not aware of (sounds like you have everything covered; but always good to be prudent when making big changes like this) and cause lots of issues. So I would make sure you have access to the ASA at all times so be sure to be able to reach it from the external interface if necessary or a console/aux port somehow. This way if you make the change and you start seeing issues then you can change it back.

And if you can't be local and you have hosts with static configurations, I would change a single host to the new gateway first, then change the ASA. The reason is that after the change the current hosts won't be able to get back out since their gateway doesn't exist anymore. At least then you can get into the one host you changed the gateway on and then RDP or whatever to the other hosts to fix them afterward. And I say just do one because if you have to revert it'd suck to do all the gateway changes only to switch them back again; granted you can probably create a psexec script that does it all for you as well.
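The check described in the answer above, as an added example that is not part of the original thread: it maps each site's gateway into the subnet the other side sees across the VPN, confirms the two inside-interface addresses never meet, and lists which statically configured DR hosts lose their default route after the change. It assumes the policy NAT is a 1:1 static mapping that keeps host bits; the host names in the inventory are hypothetical.

```python
import ipaddress

# From the thread: both sites use 192.168.10.0/24 locally. Across the VPN the
# office is presented as 192.168.52.0/24 and the DR site as 192.168.53.0/24.
LOCAL_NET = ipaddress.ip_network("192.168.10.0/24")
SEEN_AS = {
    "office": ipaddress.ip_network("192.168.52.0/24"),
    "dr": ipaddress.ip_network("192.168.53.0/24"),
}


def tunnel_address(site, real_ip):
    """Address the other site uses to reach real_ip at `site`.
    Assumption: the policy NAT is a 1:1 static mapping that keeps host bits."""
    ip = ipaddress.ip_address(real_ip)
    if ip not in LOCAL_NET:
        raise ValueError(f"{ip} is not in {LOCAL_NET}")
    return SEEN_AS[site].network_address + (int(ip) - int(LOCAL_NET.network_address))


def gateway_conflicts(gateways):
    """Problems that would let the two inside-interface IPs meet on the wire."""
    problems = []
    nets = list(SEEN_AS.values())
    if any(n.overlaps(LOCAL_NET) for n in nets) or nets[0].overlaps(nets[1]):
        problems.append("translated subnets overlap")
    mapped = [tunnel_address(site, gw) for site, gw in gateways.items()]
    if len(set(mapped)) != len(mapped):
        problems.append("translated gateway addresses collide")
    return problems


def stranded_hosts(static_hosts, new_gateway):
    """Statically configured hosts that lose their default route once the ASA
    inside interface moves to new_gateway."""
    return sorted(h for h, gw in static_hosts.items() if gw != new_gateway)


# Constructed DR inventory (host names are hypothetical): one host was moved
# to the new gateway first, as the answer recommends, to keep a way in.
DR_STATIC_HOSTS = {
    "dr-vmhost1": "192.168.10.8",
    "dr-backup1": "192.168.10.8",
    "dr-jump1": "192.168.10.10",
}

if __name__ == "__main__":
    same_gw = {"office": "192.168.10.10", "dr": "192.168.10.10"}
    print(gateway_conflicts(same_gw))
    print({s: str(tunnel_address(s, g)) for s, g in same_gw.items()})
    print(stranded_hosts(DR_STATIC_HOSTS, "192.168.10.10"))
```

With both gateways set to 192.168.10.10 the office one is reachable from DR only as 192.168.52.10 and the DR one from the office only as 192.168.53.10, so the duplicate address stays local to each site.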
 

Author Comment

by:discmakers
ID: 39235311
Hello Cyclops3590,
I tested this yesterday morning and it all worked without an issue. It's not in "production" yet as I do need to get on site to change the gateways (as you mentioned) on the local servers there but am planning to do so tomorrow.

Thanks for your help,
Brett