Solved

Switch routing on Procurve to ASA

Posted on 2014-03-12
432 Views
Last Modified: 2014-03-18
I have inherited a project that I need to update. I have an HP Procurve 2848 switch. I have two routers. I have three offices. It was setup in the Switch to route the two branch locations to the second router and not through the ASA. There is only one VLan on the switch. I will be disconnecting the second router. I need to point the ip routes in the switch to the ASA.

Here is my ip route in the switch
  Destination        Gateway         VLAN  Type       Sub-Type  Metric  Dist.
  0.0.0.0/0          172.16.4.1      1     static                1       1
  127.0.0.0/8        reject                static                0       250
  127.0.0.1/32       lo0                   connected             0       0
  172.16.4.0/24      DEFAULT_VLAN    1     connected             0       0
  172.16.17.0/24     172.16.4.3      1     static                1       1
  172.16.19.0/24     172.16.4.3      1     static                1       1

I believe I can just remove the ip route but want to verify what steps to take.

My next question would be what changes do I need to make to the ASA to make sure it recognizes these routes? I believe I need to create these as site to site tunnel but would still need to add them to the access list.

Any help would be greatly appreciated!
Question by:Jennifer
6 Comments
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 39925247
If you are changing the routes to point to the ASA, the ASA would need static routes added to it for the return traffic.

As far as the site to site question, so are you asking about creating a NEW site to site tunnel to site B?
 

Author Comment

by:Jennifer
ID: 39926336
Yes, the first thing I need is to change the switch to move the 172.16.17.0/24 and 172.16.19.0/24 from 172.16.4.3 to the internal default gateway. Just as the 172.16.4.0/24 is in the above post. The 172.16.4.3 router is going to be disconnected 4/7/2014.

I have created a site to site tunnel in the ASA 5510, I used the GUI wizard, for both of these subnets. I have inside-outside NAT rules now (attachment: NAT Rules). Do I need outside-inside?
I have a Site to Site connection profile for each as well (attachment: Site to Site). Are the local/remote the right direction?
Do I need to have Access Rules?

I have added a second VPN tunnel in their routers to point to our new external gateway versus the old. I would only need to disable one and enable the other.

Do I need to have their ISP's internet and gateway IP's in my ASA?

I am sorry for all of the questions. I think I know how to do these but having not worked with them enough I would rather confirm. These changes will bring down my branch offices if not done right.

Thanks for all of the help!
 
LVL 10

Accepted Solution

by:Schuyler Dorsey (earned 500 total points)
ID: 39931412
By default, in ASAs, you do NOT need to create additional access rules. What you typically need in site to site tunnels are Nat EXCLUSION rules which you have. You do NOT need Outside-Inside NAT exclusion rules.

Basically, you need the NAT exclusion rule because you have a NAT rule at the bottom that automatically NATs Outbound all traffic. The NAT exclusion rule catches traffic destined for the tunnel before it matches on the final NAT OUTBOUND rule preventing it from being NAT'd. This is why you do NOT need an Outside to Inside exclusion rule.

You SHOULD need their ISP IP or their Public IP in your ASA as part of the site to site VPN profile. When your ASA goes to bring up the VPN tunnel, it will first contact the public IP of the other end and negotiate the encryption (IKE). Just the same, the other end needs your public IP.

The easiest way to configure site to site tunnels with ASAs is to use the VPN wizard.
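As an added illustration of the accepted answer (this is example configuration written for this page, not the thread's own ASA config), here are the pieces the ASA 5510 site-to-site wizard creates on 8.4+ for the first branch, with the NAT exemption placed where the answer describes it. The subnets are the ones from the thread; the object and ACL names are assumed, and <BRANCH1_PUBLIC_IP> and <PSK> are placeholders. Lines starting with "!" are annotations, not commands.

```text
! Added example (not the thread's config): wizard-style ASA 8.4+ pieces
! for one branch. Subnets are the thread's; names are assumed;
! <BRANCH1_PUBLIC_IP> and <PSK> are placeholders.
object network LAN-HQ
 subnet 172.16.4.0 255.255.255.0
object network LAN-BRANCH1
 subnet 172.16.17.0 255.255.255.0
!
! NAT exemption (manual/twice NAT, Section 1). It is evaluated before the
! Section 2 object NAT below, so 172.16.4.0/24 -> 172.16.17.0/24 keeps its
! real addresses and is selected for the tunnel. A static twice-NAT rule
! also matches the return flow, so no separate outside-to-inside
! exemption is needed.
nat (inside,outside) source static LAN-HQ LAN-HQ destination static LAN-BRANCH1 LAN-BRANCH1 no-proxy-arp route-lookup
!
! Catch-all PAT for Internet traffic (object NAT, Section 2). Without the
! exemption above, tunnel traffic would hit this rule and be PAT'd.
object network LAN-HQ-PAT
 subnet 172.16.4.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! IKE/IPsec and the crypto map. The crypto ACL selects tunnel traffic, so
! the ASA needs no static route for 172.16.17.0/24: the default route
! already sends it toward "outside", where the crypto map is applied.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
access-list outside_cryptomap_1 extended permit ip 172.16.4.0 255.255.255.0 172.16.17.0 255.255.255.0
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer <BRANCH1_PUBLIC_IP>
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
!
! The peer is the branch's public (ISP-facing) address, as the answer
! says, not the branch router's LAN address.
tunnel-group <BRANCH1_PUBLIC_IP> type ipsec-l2l
tunnel-group <BRANCH1_PUBLIC_IP> ipsec-attributes
 ikev1 pre-shared-key <PSK>
!
! "sysopt connection permit-vpn" is on by default and lets decrypted VPN
! traffic bypass the interface ACLs, which is why no extra access rules
! are needed. Confirm it has not been turned off:
show running-config all sysopt
!
! Checks: the exemption should appear in Section 1 of "show nat" ahead of
! the PAT rule, and a packet-tracer for a branch-bound packet should show
! the NAT phase matching the exemption and end in "Action: allow".
show nat
packet-tracer input inside tcp 172.16.4.50 1025 172.16.17.10 445
show crypto ikev1 sa
```

The second branch (172.16.19.0/24) gets the same pattern with its own object, exemption rule, crypto map entry (sequence 2) and tunnel-group keyed on its own public address.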

 

Author Comment

by:Jennifer
ID: 39934640
Thank you so much. I am still having a problem getting my remote offices changed in my switch. Do I need to re-add them with the 4.1 or will the 0.0.0.0 0.0.0.0 172.16.4.1 existing route take care of them?

(attachment: Switch)
Do I need to leave spanning-tree enabled?
 
LVL 10

Assisted Solution

by:Schuyler Dorsey
Schuyler Dorsey earned 500 total points
ID: 39934714
If 4.1 is your ASA and both remote sites will connect only via Site to Site tunnels then you would remove those static routes and only have the default route.

It will be up to the ASA to tunnel the correct traffic for the remote sites through the appropriate tunnel.
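To make the switch side of this concrete (the question's route table and the assisted solution above), here is an added example session for the ProCurve 2848; it is written for this page, not taken from the thread. The prefixes and next hops are the ones shown in the question's route table, and lines starting with ";" are notes, not commands.

```text
; Added example (not from the thread): ProCurve 2848 session removing the
; two branch-office statics. Prefixes/next hops come from the question's
; route table. Lines starting with ";" are notes, not commands.
configure
show ip route
; Both branch statics point at the second router (172.16.4.3); drop them.
no ip route 172.16.17.0 255.255.255.0 172.16.4.3
no ip route 172.16.19.0 255.255.255.0 172.16.4.3
; Nothing replaces them: the existing default already points at the ASA:
;   0.0.0.0/0   172.16.4.1   1   static   1   1
show ip route
; Expected: 172.16.17.0/24 and 172.16.19.0/24 are no longer listed, so a
; lookup for 172.16.17.x or 172.16.19.x now falls through to the default
; and is handed to 172.16.4.1, where the ASA's crypto ACL picks it up.
; Once the branch's tunnel is up on the ASA, a ping through it should work:
ping 172.16.17.1
write memory
```

Do this one branch at a time, after that branch's tunnel on the ASA is already up, so the other branch keeps its existing path until its own cutover.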
 

Author Comment

by:Jennifer
ID: 39937295
I did use the VPN site to site wizard. The first time I had put the IP address of the router versus the IP address of the remote ISP so after your response I went in and changed.

I did remove the static route for that location from the switch and left it to use the default, which is what I needed.

Moved the first branch office this morning, minor hiccup but that was a typo, otherwise went great. They are now on a 100mg vs. 3mg tunnel.

THANK YOU SO MUCH FOR THE HELP.
