  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 438

Switch routing on Procurve to ASA

I have inherited a project that I need to update. I have an HP Procurve 2848 switch. I have two routers. I have three offices. It was set up in the switch to route the two branch locations to the second router and not through the ASA. There is only one VLAN on the switch. I will be disconnecting the second router. I need to point the ip routes in the switch to the ASA.

Here is my ip route in the switch (show ip route output):

  Destination        Gateway         VLAN   Type        Sub-Type   Metric   Dist.
  ------------------ --------------- ------ ----------- ---------- -------- -----
  0.0.0.0/0          172.16.4.1      1      static                 1        1
  127.0.0.0/8        reject                 static                 0        250
  127.0.0.1/32       lo0                    connected              0        0
  172.16.4.0/24      DEFAULT_VLAN    1      connected              0        0
  172.16.17.0/24     172.16.4.3      1      static                 1        1
  172.16.19.0/24     172.16.4.3      1      static                 1        1

I believe I can just remove the ip route but want to verify what steps to take.

My next question would be what changes do I need to make to the ASA to make sure it recognizes these routes? I believe I need to create these as site to site tunnel but would still need to add them to the access list.

Any help would be greatly appreciated!
0
Jennifer
2 Solutions
 
Schuyler DorseyCommented:
If you are changing the routes to point to the ASA, the ASA would need static routes added to it for the return traffic.

As far as the site to site question, so are you asking about creating a NEW site to site tunnel to site B?
0
 
JenniferAuthor Commented:
Yes, the first thing I need is to change the switch to move the 172.16.17.0/24 and 172.16.19.0/24 from 172.16.4.3 to the internal default gateway. Just as the 172.16.4.0/24 is in the above post. The 172.16.4.3 router is going to be disconnected 4/7/2014.

I have created a site to site tunnel in the ASA 5510, I used the GUI wizard, for both of these subnets. I have inside-outside NAT rules now. Do I need outside-inside?
I have a Site to Site connection profile for each as well. Are the local/remote the right direction?
Do I need to have Access Rules?

I have added a second VPN tunnel in their routers to point to our new external gateway versus the old. I would only need to disable one and enable the other.

Do I need to have their ISP's internet and gateway IP's in my ASA?

I am sorry for all of the questions. I think I know how to do these but having not worked with them enough I would rather confirm. These changes will bring down my branch offices if not done right.

Thanks for all of the help!
0
 
Schuyler DorseyCommented:
By default, in ASAs, you do NOT need to create additional access rules. What you typically need in site to site tunnels are NAT EXCLUSION rules which you have. You do NOT need Outside-Inside NAT exclusion rules.

Basically, you need the NAT exclusion rule because you have a NAT rule at the bottom that automatically NATs Outbound all traffic. The NAT exclusion rule catches traffic destined for the tunnel before it matches on the final NAT OUTBOUND rule preventing it from being NAT'd. This is why you do NOT need an Outside to Inside exclusion rule.

You SHOULD need their ISP IP or their Public IP in your ASA as part of the site to site VPN profile. When your ASA goes to bring up the VPN tunnel, it will first contact the public IP of the other end and negotiate the encryption (IKE). Just the same, the other end needs your public IP.

The easiest way to configure site to site tunnels with ASAs is to use the VPN wizard.
0
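As an added illustration of the NAT exclusion ordering and the peer-address point made in the answer above (this is example configuration written for this page, not the poster's actual ASA config or the wizard's output), here is what the relevant pieces look like on an ASA running the 8.3+ NAT syntax. The object names are mine, 203.0.113.10 is a placeholder for the first branch's public (ISP-side) address, and only one branch tunnel-group is shown; the second branch gets the same treatment with its own public IP.

```cisco
! Added example, not from the thread. Assumes ASA 8.3+ NAT syntax; object names
! are assumptions and 203.0.113.10 is a placeholder for branch A's public IP
! (the ISP-facing address the tunnel terminates on, not the branch LAN router).
object network HQ_LAN
 subnet 172.16.4.0 255.255.255.0
object network BRANCH17_LAN
 subnet 172.16.17.0 255.255.255.0
object network BRANCH19_LAN
 subnet 172.16.19.0 255.255.255.0
object-group network BRANCH_LANS
 network-object object BRANCH17_LAN
 network-object object BRANCH19_LAN
!
! NAT exemption (identity twice NAT) for tunnel traffic. Manual NAT statements
! sit in section 1 and are evaluated before the per-object dynamic PAT below,
! so tunnel-bound traffic is matched here first and left untranslated.
! A static twice-NAT rule is bidirectional, which is why no separate
! outside-to-inside exemption is needed for the return traffic.
nat (inside,outside) source static HQ_LAN HQ_LAN destination static BRANCH_LANS BRANCH_LANS no-proxy-arp route-lookup
!
! The catch-all outbound PAT (section 2) that every non-tunnel flow hits.
object network HQ_LAN
 nat (inside,outside) dynamic interface
!
! The peer's PUBLIC IP is what the ASA contacts for IKE negotiation; the VPN
! wizard generates the equivalent tunnel-group and crypto map entries.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <placeholder-psk>
!
! Verification after the change: confirm the exemption is the rule that a
! LAN-to-branch flow matches, then check that IKE and IPsec SAs come up.
show nat
packet-tracer input inside tcp 172.16.4.10 12345 172.16.17.10 445
show crypto ikev1 sa
show crypto ipsec sa
```

The packet-tracer output is the quickest way to confirm the ordering: for a host in 172.16.4.0/24 talking to 172.16.17.0/24 the NAT phase should show the identity rule (no translation) and the VPN phase should show the flow being encrypted, whereas a flow to an Internet address should hit the dynamic PAT rule instead. If the tunnel traffic shows up in the PAT rule's hit counters in show nat, the exemption is either missing or placed after the PAT rule.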
JenniferAuthor Commented:
Thank you so much. I am still having a problem getting my remote offices changed in my switch. Do I need to re-add them with the 4.1 or will the 0.0.0.0 0.0.0.0 172.16.4.1 existing route take care of them?

Do I need to leave spanning-tree enabled?
0
 
Schuyler DorseyCommented:
If 4.1 is your ASA and both remote sites will connect only via Site to Site tunnels then you would remove those static routes and only have the default route.

It will be up to the ASA to tunnel the correct traffic for the remote sites through the appropriate tunnel.
0
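The switch side of the change described in the answer above, as an added example session for a ProCurve 2848 (this is not the poster's own session; the hostname prompt is a placeholder and it assumes 172.16.4.1 is the ASA's inside interface, as the thread indicates):

```procurve
! Added example, not from the thread. Assumes 172.16.4.1 is the ASA inside
! interface and that the default route to it already exists (it does in the
! posted table), so branch traffic falls through to it once the /24s go away.

! 1. Confirm the default route points at the ASA BEFORE removing anything.
HP-2848# show ip route

! 2. Remove only the two static routes that point at the router being retired.
HP-2848# configure
HP-2848(config)# no ip route 172.16.17.0/24 172.16.4.3
HP-2848(config)# no ip route 172.16.19.0/24 172.16.4.3

! 3. Verify: only 0.0.0.0/0 -> 172.16.4.1, the loopback entries and the
!    connected 172.16.4.0/24 should remain.
HP-2848(config)# show ip route

! 4. Save, or the routes come back at the next reboot.
HP-2848(config)# write memory
```

Run a ping or traceroute from a host in 172.16.4.0/24 (not from the switch itself, since the switch's own address may not be covered by the tunnel's interesting-traffic definition) to a branch host after step 2: the first hop should now be 172.16.4.1, and from there the ASA decides which tunnel carries the packet.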
 
JenniferAuthor Commented:
I did use the VPN site to site wizard. The first time I had put the IP address of the router versus the IP address of the remote ISP, so after your response I went in and changed it.

I did remove the static route for that location from the switch and left it to use the default, which is what I needed.

Moved the first branch office this morning, minor hiccup but that was a typo, otherwise went great. They are now on a 100mg vs. 3mg tunnel.

THANK YOU SO MUCH FOR THE HELP.
0
