Solved

Changing my gateway IP address at a DR location to match my office gateway address

Posted on 2013-06-06
2
281 Views
Last Modified: 2013-06-10
Hello,

I have a question about routed traffic across a site to site VPN between 2 Cisco ASA 5510's. We have our office side and our DR side and the question is could I have an IP conflict of gateway IP address' if I make changes on my DR side's ASA. Below is a description of our set up.

We rent a cabinet offsite for DR purposes. We have a Cisco ASA 5510 at this DR site, 5510 at the main site too, and a site to site VPN set up between them. The subnet at the DR site is the same as our server subnet (to make life easy if we need to bring up servers for an emergency) but the gateway address is different at DR than the main site. When sending any traffic between sites, we have to reach over certain subnets created in the site to site VPN and they are routable between.

So from the office to get to DR site's 10 subnet (server subnet), the site to site VPN translates: 192.168.10.0/24 to 192.168.53.0/24

From DR to the office, it translates 192.168.10.0/24 to 192.168.52.0/24.

So if you're at DR and you need to see something back at the office, you reach out to 192.168.52.1 for a server for example. From the office to get to one of our VM hosts' that are storing shut down servers at DR, 192.168.53.25. This all routes fine and it's working for us.

What I'd like to do, and I believe I should be ok to change it since all traffic between sites has to translate to those other subnets is change that 192.168.10.8 gateway address at DR (inside interface IP on my DR ASA) to 192.168.10.10 like the gateway address I have at the office. Several reasons I'd want to do so but since I'm already a pretty wordy typer, I won't bore with more details. Let's just say it will make it a heck of a lot easier in case of an emergency but I don't want to shut one site down or the other if making this change is a bad thing.

Does someone have experience with this and would I be ok?

Thanks for any assistance,

Brett
0
Comment
Question by:discmakers
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 25

Accepted Solution

by:
Cyclops3590 earned 500 total points
ID: 39226737
yes, there is no problem with this.  you are already doing the proper policy NAT between the two sites so each site's hosts are none-the-wiser about the gateways being the same.  As for the ASA's, there is no problem there either as they wouldn't be aware the other is using the IP address on their inside interface.

I see no reason to not do what you want to do.  But as usual, be careful when you do this.  There could be things you're not aware of (sounds like you have everything covered; but always good to be prudent when making big changes like this) and cause lots of issues.  So I would make sure you have access to the ASA at all times so be sure to be able to reach it from the external interface if necessary or a console/aux port some how.  This way if you make the change and you start seeing issues then you can change it back.

and if you can't be local and  you have hosts with static configurations I would change a single host to the new gateway first, then change the asa.  The reason is that after the change the current hosts won't be able to get back out since their gateway doesn't exist anymore.  At least then you can get into the one host you changed the gateway on and then RDP or whatever to the other hosts to fix them afterward.  And I say just do one because if you have to revert it'd suck to do all the gateway changes only to switch them back again; granted you can pry create a psexec script that does it all for you as well.
0
 

Author Comment

by:discmakers
ID: 39235311
Hello Cyclops3590,
I tested this yesterday morning and it all worked without an issue. It's not in "production" yet as I do need to get on site to change the gateways (as you mentioned) on the local servers there but am planning to do so tomorrow.

Thanks for your help,
Brett
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question