Out of IP's

I've pretty much talked myself into this, but I just want a little community sign-off.

The original admin set up our network as a subnet, thus giving me .1 to .254 of addresses. Well, we've been bumping pretty hard against that. I understand what all needs to be done, and I can just move us to a to get twice the addressing. However, what complicates things are our remote sites on VPN tunnels to our ASA. There are about 15 of them subnetted to 192.168.X.0/24 (,, etc.), so if I just flip us to /23 and a client here needs to see it won't know if that is here or the VPN tunnel to I know I could probably tunnel using external IPs or some funky stuff, but that seems like it could get cumbersome. To make matters worse, we have a local VLAN on for our VoIP that I don't really want to touch.

So my gut tells me to pick a higher subnet, say giving me to for future-proofing (hah! Like it's possible in IT; let's say future-resisting). That would put it far enough out that none of the VPN tunnels would interfere, and my VLAN wouldn't be impacted either. Either that or move up to a 20-bit 172 subnet, but that seems like overkill and may tax my equipment too much with broadcast traffic.

If this all makes sense and passes muster, here is my plan.

1. Obviously, starting at the ASA, I have to reconfigure the internal interface. While I'm in there, reconfigure all VPN connections, and reconfigure them on the remote end as well. Plus any NAT or the other dozen things that could need my attention in there.

2. Then reconfigure every statically assigned device.

3. Set up a new DHCP scope.

4. Detox from all the caffeine and finally sleep.
A little misc. info: we are a Windows 2008 shop. We use a Cisco ASA and Cisco 3560Gs for the bulk of the work (there are a few workgroup switches here and there).

Anything I'm missing here? Or any suggestions?
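The overlap question in the post (does a widened /23 collide with any of the remote-site /24s or the VoIP VLAN, and which higher block is clear of all of them?) is easy to answer mechanically before touching the ASA. The following is an added example, not code from the original thread; the page's actual addresses were stripped, so the /24 being outgrown, the VoIP VLAN and the three remote-site prefixes below are all assumptions chosen only to show the check.

```python
import ipaddress

# Constructed inventory for this example. Every prefix here is an assumption:
# the /24 being outgrown, the VoIP VLAN, and three of the ~15 remote-site /24s
# that terminate on the ASA.
IN_USE = {
    "lan-today": ipaddress.ip_network("192.168.0.0/24"),
    "voip-vlan": ipaddress.ip_network("192.168.2.0/24"),
    "vpn-site-a": ipaddress.ip_network("192.168.1.0/24"),
    "vpn-site-b": ipaddress.ip_network("192.168.3.0/24"),
    "vpn-site-c": ipaddress.ip_network("192.168.10.0/24"),
}


def conflicts(candidate, in_use=IN_USE):
    """Names of in-use prefixes that overlap `candidate` (an ip_network)."""
    return sorted(name for name, net in in_use.items() if candidate.overlaps(net))


def evaluate(candidate_cidr, in_use=IN_USE):
    """Usable host count and overlap list for one candidate LAN prefix."""
    cand = ipaddress.ip_network(candidate_cidr)
    return {
        "network": str(cand),
        "usable_hosts": cand.num_addresses - 2,  # network and broadcast excluded
        "conflicts": conflicts(cand, in_use),
    }


def first_free(pool_cidr, new_prefix, in_use=IN_USE):
    """First /new_prefix block inside `pool_cidr` that overlaps nothing in use.

    Returns the block as a string, or None if the pool is exhausted. This is
    the "pick a higher subnet" step done by enumeration instead of by eye.
    """
    pool = ipaddress.ip_network(pool_cidr)
    for block in pool.subnets(new_prefix=new_prefix):
        if not conflicts(block, in_use):
            return str(block)
    return None


if __name__ == "__main__":
    # Widening in place collides with today's LAN and the first VPN site;
    # moving to a higher block collides with nothing.
    for c in ("192.168.0.0/23", "192.168.100.0/23", "172.16.0.0/20"):
        print(evaluate(c))
    print("first free /23 in 192.168.0.0/16:", first_free("192.168.0.0/16", 23))
```

The same `IN_USE` table is also the list of every place a renumber must be reflected (ASA interface, each tunnel's crypto ACL and NAT exemption, the VoIP VLAN's routing), so keeping it as data rather than in someone's head is the practical takeaway; a /20 returns 4094 usable hosts, which is the broadcast-domain size the post is worried about.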
Chris Millard commented:
Also, as you are going through this now, rather than having static IPs on some devices, why not just set them up with reserved addresses in DHCP?
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
I think you have covered all the bases. Don't forget to make changes on your default gateway.
bhieb (Author) commented:
The ASA is the gateway in our setup. Sounds reasonable to me as well, but I cannot overstate the glorious PITA that step 1 is going to be.
Chris Millard commented:
Don't forget any changes to DNS, and if you have web services and email servers, you might have to change the IP addresses that those services listen on too.
bhieb (Author) commented:
Thanks Roy, I didn't think about the other programs that use SMTP and such; like you said, they would all need to be changed. The reservations are a good idea as well, but most of the statics are servers and switches. Printers too, of course, but I may be better served just using hostnames there.

Lots of "little" things here that I'm sure will crop up.
bhieb (Author) commented:
One more thing. I was bouncing ideas around, and it wouldn't be too hard to change the one VPN site at Then I could just change ours to It would eliminate some of the changes needed, although if I ever need to go beyond this I'd be back to this same scenario.

For example.

DNS would be fine.

Other web services Roy mentioned would be fine.

Here is the part I'm a little foggy on. VPN tunnels and NAT would need to be changed, but not necessarily right away, since they would see the subnet, and as long as they don't need something in or something in doesn't need them, they would be fine until I get around to it.

Static boxes would be similar to the VPN case in that they'd see what they see now, but not the .1; however, there aren't that many, so I'd change them.

My gut tells me this is the safer way to minimize something breaking; however, it does limit me to just /23, since .2 is on a VLAN that I really don't want to fool with.

Are my assumptions here correct?
Chris Millard commented:
I concur....
bhieb (Author) commented:
Sorry for the slow post here, but one last question.

I've set up a test network, and all is working as expected.


The odd thing is that client2 can see even though the client subnet is still /24. This begs the question: what do I push as a subnet mask via DHCP to my clients, since either /23 or /24 works fine?

In other words, since .1/24 and .0/24 both see each other, is the gateway/router the only place I need to change to /23?
Mohammed Khawaja (Manager - Infrastructure: Information Technology) commented:
You need to make a decision that either everything will be part of the /23, or that you will have /24 networks, in which case you will need sub-interfaces on your router for the and networks.
Chris Millard commented:
I take it the server only has one NIC and not two?
bhieb (Author) commented:
Yes, the server only has one, but in production some have more.

And mnkhawajaj, that is what I thought too, but then I set up client2 as .0/24 and it was able to ping, which is what gave me pause, since I thought 192.168.0.X should NOT be able to ping, but it did just fine. The conclusion is that the gateway/router/switch routed the traffic because it viewed both class Cs as one net.
bhieb (Author) commented:
Bumping this up a bit to see if anyone has any answers as to why a device on 192.168.0.X/24 can see a device on 192.168.1.X/24 when only the router has been changed to 192.168.0.X/23.
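The lab result above follows from each host applying its own mask, independently of the router's. A /24 client treats 192.168.1.x as off-link and hands the packet to its default gateway; a router whose interface is now /23 sees the destination as directly connected and delivers it (out the same interface it arrived on). Whether the reply gets back depends only on the mask and gateway of the replying host. The following is an added example, not code from the thread, tracing that decision for both directions; the hosts, router address and gateway are assumed values chosen to match the page's description (client on 192.168.0.X/24, server on 192.168.1.X, only the router widened to /23), and "strict host" behaviour for an off-link gateway is also an assumption, since some stacks warn but still try.

```python
import ipaddress


def next_hop(iface, dst, gateway):
    """How a host with address/mask `iface` (e.g. "192.168.0.50/24") sends to dst.

    ("direct", dst)       dst is inside the host's own prefix; the host ARPs for it
    ("gateway", gw)       dst is off-link; the packet goes to the default gateway
    ("unreachable", None) the gateway itself is not on-link; assumed here to be
                          refused, as a strict host stack does
    """
    iface = ipaddress.ip_interface(iface)
    dst = ipaddress.ip_address(dst)
    gw = ipaddress.ip_address(gateway)
    if dst in iface.network:
        return ("direct", str(dst))
    if gw in iface.network:
        return ("gateway", str(gw))
    return ("unreachable", None)


def router_delivers(router_iface, dst):
    """The router can deliver to dst only if dst lies in a connected prefix.

    This constructed lab has no static or learned routes, so the connected
    prefix on the one interface is the whole routing table.
    """
    router_iface = ipaddress.ip_interface(router_iface)
    return ipaddress.ip_address(dst) in router_iface.network


def ping_path(client_cidr, server_cidr, router_cidr, gateway):
    """Trace an ICMP echo request from client to server and the reply back.

    Returns (reachable, hops). Each host decides on-link vs gateway from its
    OWN mask, and the router decides from its interface mask, so widening only
    the router to /23 changes what the router forwards, not what hosts think.
    """
    client = ipaddress.ip_interface(client_cidr)
    server = ipaddress.ip_interface(server_cidr)
    router = ipaddress.ip_interface(router_cidr)
    hops = []
    for src, dst, leg in ((client, server, "request"), (server, client, "reply")):
        kind, via = next_hop(src, dst.ip, gateway)
        if kind == "unreachable":
            hops.append(f"{leg}: {src.with_prefixlen} has no on-link gateway for {dst.ip}")
            return False, hops
        if kind == "gateway" and not router_delivers(router, dst.ip):
            hops.append(f"{leg}: router {router.with_prefixlen} has no route to {dst.ip}")
            return False, hops
        hops.append(f"{leg}: {src.with_prefixlen} -> {dst.ip} {kind} via {via}")
    return True, hops


if __name__ == "__main__":
    gw = "192.168.0.1"
    # Lab as described on the page: only the router is /23 (addresses assumed).
    # The request rides via the gateway; the /23 server replies directly.
    print(ping_path("192.168.0.50/24", "192.168.1.20/23", "192.168.0.1/23", gw))
    # Same hosts with the router still /24: the request dies at the router.
    print(ping_path("192.168.0.50/24", "192.168.1.20/24", "192.168.0.1/24", gw))
    # Server left at /24 with a gateway outside its prefix: the reply cannot leave.
    print(ping_path("192.168.0.50/24", "192.168.1.20/24", "192.168.0.1/23", gw))
```

The first case shows why the lab "just worked": the path is asymmetric (request through the router, reply direct), and a Cisco interface that forwards a packet back out the interface it arrived on will by default also send an ICMP redirect, so the client may start talking directly after the first packet. The third case is the one to watch during a partial migration: a host that still carries a /24 mask on the upper half of the new /23 has no on-link gateway unless something answers for 192.168.1.1 as well, which is the reason for Mohammed's point that it has to be either one /23 everywhere or two /24s with their own router interfaces.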