Looking for some feedback on the best way to do this.
I have a remote office that needs to be connected to 2 different systems. System A is over an IPSec VPN, system B has a P2P T1.
The remote office is currently 192.168.12.0/24.
The remote office will become 172.23.10.0/24.
System A will be 172.23.1.0/24
System B will be 192.168.1.0/24, with a bunch of other systems on various other 192.168.x.x subnets.
The remote office is currently directly connected to System B's network, and is on the 192.168.12.0/24 subnet. I want to move the office over to System A, and assign it to 172.23.10.0/24. However, I want users on this network to have full access to System B as well as System A. I also want them to have access to the old office subnet (where some workstations will remain during transition) and I would like the old office subnet to be able to access the new subnet.
What is the best way of doing this?
I was planning on creating two different local networks to stage this, but I would like to know what the best way to allow these two different networks to communicate with each other is. Can I do this all with routing and ACLs, or do I need to NAT from the 172 network to the 192 network and vice versa? Any other complications I should take into account?
Thanks in advance.
Are you re-addressing your remote office from 192.168.12.0/24 to 172.23.10.0/24? In that case the best solution to your question, "I was planning on creating two different local networks to stage this", is to create secondary addresses on the VLAN interfaces which are getting transitioned. If you have sub-interfaces configured, your transition to the new network will be zero touch on the network side; you just need to change the IP of the PCs/servers, and you don't need to change any VLAN settings on the switch side or have issues of losing connectivity to systems or switches.
With regards to your other query, "Can I do this all with routing and ACLs, or do I need to NAT from the 172 network to the 192 network and vice versa?", it really depends on what needs access to what. When transitioning, we generally make NAT translations for the new IP addresses pointing to the old IP on the outside, to make sure all systems on System B are fully transitioned. These are basically for server connections which have hardcoded IP addresses on the clients; until the servers/applications are fully migrated, the IP addresses will not be able to change. In case the applications work on DNS, you don't have much trouble, as you are just going to point the DNS names to the new IP addresses in 172.23.10.0/24 (from the old IPs in 192.168.12.0/24). Hence a combination of NAT and routing will do the trick for you.
Consider these when migrating:
1) tabulate the entire application matrix, and make sure you know which apps connect on direct IP, and which use DNS... for apps using direct IPs make sure you NAT on the remote office and restore connectivity..
2) make sure your ipsec interesting traffic points to the outside nat ip address when you do static nats on remote offices...have a clear network documentation which would ease migration
3) see for other dependencies when you NAT outside.. check if you have any firewalls, load balancers, etc on the way to make sure you have appropriate rules..
4) always have downtimes when migrating devices.. and have an implementation plan in place before the change..
Hope this helps.. all the best
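The secondary-address plus static-NAT staging described in the answer above, written out as an added Cisco IOS example (not the answerer's own configuration). The interface names, the 172.23.10.50 / 192.168.12.50 server pair and the ACL name are assumptions; the subnets are the ones from the question.

```cisco
! Remote-office router (assumed Cisco IOS). The old /24 stays reachable on
! the same VLAN as a secondary address while hosts are re-addressed.
interface Vlan10
 description Remote office LAN during transition
 ip address 172.23.10.1 255.255.255.0
 ip address 192.168.12.1 255.255.255.0 secondary
 ip nat inside
!
interface GigabitEthernet0/0
 description WAN toward System A (IPsec) and System B (T1)
 ip nat outside
!
! Static NAT for a moved server (assumed host): inside local is its new
! 172.23.10.x address, inside global is the old 192.168.12.x address that
! System B clients still have hard-coded. Remove the line once those
! clients are updated or switched to DNS.
ip nat inside source static 172.23.10.50 192.168.12.50
!
! Crypto ACL ("interesting traffic") toward System A. IOS applies NAT
! before encryption on the way out, so the ACL must match the address the
! remote peer actually sees: the new subnet for un-NATed hosts, the old
! subnet for hosts that have not moved yet, and the translated address
! (192.168.12.50, not 172.23.10.50) for the NATed server.
ip access-list extended VPN-TO-SYSTEM-A
 permit ip 172.23.10.0 0.0.0.255 172.23.1.0 0.0.0.255
 permit ip 192.168.12.0 0.0.0.255 172.23.1.0 0.0.0.255
!
! Traffic to System B (192.168.1.0/24 and the other 192.168.x.x subnets)
! is not in the crypto ACL, so it is routed over the T1 and only NATed
! for the static entry above; everything else leaves with its real source.
```

The static mapping only serves packets that arrive through the outside interface; a workstation still on 192.168.12.0/24 shares the VLAN with the moved server and will ARP for 192.168.12.50 directly, so such local hosts must reach moved servers by their new address or via DNS.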