ASA & Multiple networks

dmurray14
Level 1

Hey guys,

Looking for some feedback on the best way to do this.

I have a remote office that needs to be connected to 2 different systems. System A is over an IPSec VPN, system B has a P2P T1.

The remote office is currently 192.168.12.0/24.

The remote office will become 172.23.10.0/24.

System A will be 172.23.1.0/24

System B will be 192.168.1.0/24, with a bunch of other systems on various other 192.168.x.x subnets.

The remote office is currently directly connected to System B's network, and is on the 192.168.12.0/24 subnet. I want to move the office over to System A, and assign it to 172.23.10.0/24. However, I want users on this network to have full access to System B as well as System A. I also want them to have access to the old office subnet (where some workstations will remain during transition) and I would like the old office subnet to be able to access the new subnet.

What is the best way of doing this?

I was planning on creating two different local networks to stage this, but I would like to know what the best way to allow these two different networks to communicate with each other is. Can I do this all with routing and ACLs, or do I need to NAT from the 172 network to the 192 network and vice versa? Any other complications I should take into account?

Thanks in advance.

Accepted Solution

sachinraja
Level 9

Hi Murray,

Are you re-addressing your remote office from 192.168.12.0/24 to 172.23.10.0/24? In that case the best solution to your question - "I was planning on creating two different local networks to stage this" - is to create secondary addresses on the vlan interfaces which are getting transitioned.. if you have sub-interfaces configured, your transition to the new network will be zero touch on the network side.. you just need to change the IP of the PCs/servers and you don't need to change any vlan settings on the switch side, or have issues of losing connectivity to systems or switches....

with regards to your other query - "Can I do this all with routing and ACLs, or do I need to NAT from the 172 network to the 192 network and vice versa?" - It really depends on what needs access to what.. when transitioning, we generally make NAT translations for the new IP addresses pointing to the old IP on the outside, to make sure all systems on System B are fully transitioned.... these are basically for server connections which have hardcoded IP addresses on the clients, and till the servers/applications are fully migrated, the IP addresses will not be able to change.. In case the applications work on DNS, you don't have much trouble, as you are just going to point the DNS names to the new IP addresses in 172.23.10.0/24 (from the old IPs in 192.168.12.0/24)... Hence a combination of NAT and routing will do the trick for you...

Consider these when migrating:

1) tabulate the entire application matrix, and make sure you know which apps connect on direct IP, and which use DNS... for apps using direct IPs make sure you NAT on the remote office and restore connectivity..

2) make sure your ipsec interesting traffic points to the outside nat ip address when you do static nats on remote offices... have clear network documentation, which would ease migration

3) see for other dependencies when you NAT outside.. check if you have any firewalls, load balancers, etc on the way to make sure you have appropriate rules..

4) always have downtimes when migrating devices.. and have an implementation plan in place before the change..

Hope this helps.. all the best

Raj

5 Replies

Thanks Raj!

Where normally I would do exactly as you said (create VLANs), we're bringing new equipment in addition to the stuff they already had, so I'll just end up keeping the devices on separate switches. I have a guy on site who will be in charge of the physical client transition, so he can manually move the clients from the old switch to the new one.

What I am most concerned about is the actual routing. I want to make sure both office networks are able to access both remote systems, as well as each other. Will NAT'ing be required? Or can I simply route the traffic from one private network to the other and vice versa?

To put this in a little more context, this is a case where our company is taking over an old office with an old network and remote systems. They still connect to their old systems, and I want that capability to remain, but I also would like to bring them over to our company's network. So, once on our new network, I want them to have transparent access to the old local and remote networks and systems, as well as have the old local network have access to workstations that have been moved over to the new local network.

Thanks!

Hi Murray

Will NAT'ing be required? Or can I simply route the traffic from one private network to the other and vice versa?

well it really depends on your server configuration.. if you are going to bring in new servers into the network with a totally different 172.23.10.0/24 address, you wouldn't need NATing.. or if your server has dual NICs, one on the 172.23.10.0/24 network and one in the 192.168.12.0/24 network, you wouldn't need NATing, since your System A & System B networks will be able to see both the addresses.. In this case you can just route the private networks across the IPSEC tunnel and P2P links to have communication..

when you would need NATing is when your legacy applications move to the new setup.. If the transition of applications takes time, you can configure NATs on the remote office, point to the new 172.23.10.0/24 segment and change DNS entries pointing to the new IP addresses.. Even if the old servers remain with the 192.168. ip addresses, all users will start seeing the servers with the new IP.. once you do this, you can remove or move the new server to the new IP address whenever you want, and knock off NATing after migration! but again, this is optional, and is totally dependent on your scenario.. NAT might also come into the picture if you have IP addresses overlapping between your new office and the old/legacy stuff which you integrate.. otherwise, you can just simply finish this with layer 3 routing..

Hope this helps.. all the best..

Raj
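
A small check of the routing-versus-NAT question Raj answers above, added here as an illustration and not code from anyone in this thread. It uses the subnets named in the thread, plus a constructed extra System B subnet (192.168.20.0/24) and a hypothetical outside NAT prefix (10.0.0.0/24), and emits ASA-style crypto ACL lines so the interesting-traffic rule matches the NATted address when a static NAT sits in front of the office.

```python
"""Decide whether plain L3 routing is enough for the office migration or
whether NAT is needed, and build the IPsec interesting-traffic entries."""
import ipaddress
from itertools import combinations


def net(prefix):
    """Parse a CIDR string into an IPv4Network (helper for callers/tests)."""
    return ipaddress.ip_network(prefix)


# Subnets from the thread, plus one constructed extra System B subnet
OLD_OFFICE = net("192.168.12.0/24")
NEW_OFFICE = net("172.23.10.0/24")
SYSTEM_A = [net("172.23.1.0/24")]                        # reached over the IPsec VPN
SYSTEM_B = [net("192.168.1.0/24"), net("192.168.20.0/24")]  # reached over the P2P T1


def overlapping(nets):
    """Every pair of prefixes that overlap; any hit means routing alone cannot work."""
    return [(a, b) for a, b in combinations(nets, 2) if a.overlaps(b)]


def nat_needed(local, remotes, hardcoded_ip_apps):
    """Routing suffices unless prefixes collide or clients still reach servers
    by a literal old IP that must keep working during the transition.
    Returns (nat_required, list_of_colliding_pairs)."""
    collisions = overlapping([local] + list(remotes))
    return bool(collisions) or bool(hardcoded_ip_apps), collisions


def crypto_acl(local, remotes, nat_outside=None, name="VPN-A"):
    """ASA-style interesting-traffic lines for the tunnel. With a static NAT in
    front of the office the ACL must match the NATted (outside) prefix."""
    src = nat_outside if nat_outside is not None else local
    return [
        f"access-list {name} extended permit ip "
        f"{src.network_address} {src.netmask} {r.network_address} {r.netmask}"
        for r in remotes
    ]


if __name__ == "__main__":
    required, pairs = nat_needed(NEW_OFFICE, SYSTEM_A + SYSTEM_B + [OLD_OFFICE], False)
    print("NAT required:", required, "collisions:", pairs)
    for line in crypto_acl(NEW_OFFICE, SYSTEM_A):
        print(line)
    # Hypothetical outside NAT prefix used only to show the changed ACL source
    for line in crypto_acl(NEW_OFFICE, SYSTEM_A, nat_outside=net("10.0.0.0/24")):
        print(line)
```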

Makes sense! Thanks a lot for the help!

No problems Murray. Let us know if you run into problems when you implement this.. If you feel your query was answered, can you mark the post as solved, which might help others who are searching these forums?

Thanks again

Raj
