Routing between networks - company merger/buyout senario

mbroberson1
Level 3

I'll try my best to explain the setup/scenario:

Scenario:

Your company is merging with (buying out) another company. The other company is very small (a single site that will be connected by fiber) and has one (L2) network which runs on a non-Cisco switch, and they have a Cisco ASA and DSL.

You are going to be placing a new Cisco (of course) 2821 router at the remote site for connectivity along with a good L2 (3560) switch for your network connectivity. The company you're buying out has several site-to-site VPN connections for access to several servers.

You want to keep their site-to-site VPNs in place for now, but still let those servers have access to your company's internal network.

Your plan is to have your company's new switch at the off-site hang off one of the ethernet ports, and the company you're buying out connect to the other ethernet port. You want to route traffic between the two networks (providing some security where needed) while allowing the site-to-site VPNs from the company you're buying out to still be functional over their ASA, and not your company's ASA.

The routing seems to be a bit strange on how to make this work. Any suggestions would be gladly appreciated.

Thanks

5 Replies

Jon Marshall
Hall of Fame

Brandon

Just to clarify. The new site (S1) has an existing connection to the Internet using an ASA and runs site-to-site VPNs through this ASA to remote locations - these remote locations being other third parties?

And you need to connect S1 to your main HQ?

Sorry, but it's a bit confusing as you say -

"The company you're buying out has several site-to-site VPN connections for access to several servers."

and then

"You want to keep their site-to-site VPNs in place for now, but still let those servers have access to your company's internal network."

Are these servers other companies' servers, and do you just need to keep access to them for S1 via site-to-site VPNs?

Jon

Hi Jon,

Thanks for your response. I'll try to clarify.

"The new site (S1) has an existing connection to the Internet using an ASA and runs site-to-site VPNs through this ASA to remote locations - these remote locations being other third parties?"

Yes, this same ASA (being at the remote site) is also, of course, their access to the internet.

"And you need to connect S1 to your main HQ?"

Yes, the connection from S1 to our main HQ will be over a leased fiber connection into a router we are installing at S1 (a new Cisco 2821).

The company we are buying out has several site-to-site VPN connections for support of servers at S1. We want to keep these VPNs up for now utilizing their ASA while also allowing these servers at S1 to access our HQ internal network. We are going to keep S1 servers on their current IP scheme for now (192.168.1.x/24), which is the IP scheme of S1. The HQ main site is on 10.x.x.x.

We want to allow these servers (at S1) access to our internal network while also allowing them to communicate over their site-to-site VPNs going out their ASA.

Hope this helps.

Thanks

Brandon

If the switch is a 3560 switch then what I would do -

note - this is assuming the servers currently have their default-gateway set to the ASA inside interface.

1) connect existing switch to 3560 or repatch servers into 3560. If you repatch servers you may as well repatch the ASA into the 3560 as well.

2) enable "ip routing" on the 3560

3) have a routed link between the 3560 and the 2821 -

3560 end - 192.168.5.2/30

2821 end - 192.168.5.1/30

4) Create a vlan for the servers on the 3560 and also create a L3 SVI interface for this vlan using a spare IP address or the ASA internal IP address - see below

5) You can either

i) change the default-gateway of the servers to the L3 SVI IP address

OR

ii) if you migrated the ASA inside interface address to the L3 SVI on the 3560 (ie. so you don't need to update the servers' IP config) then simply readdress the ASA with a new IP address from the 192.168.1.x range.

Then on the 3560 -

ip route 10.0.0.0 255.0.0.0 192.168.5.1 <-- 192.168.5.1 is the 2821 end of the routed link

the above will take care of servers getting to HQ.

ip route 0.0.0.0 0.0.0.0 <ASA-inside-address> <-- default route toward the ASA inside interface

Only other thing is then to make sure you have routes back to the 192.168.1.x network at HQ.

Sounds like a lot of work but it really isn't that much.

Jon

Hi Jon,

Thanks for this excellent reply.

So if I follow...

We will assume a 3560 48 port switch. The first 24 ports will be for the main site HQ, ports 25 - 48 for the S1 site.

The 2821 will have a "router on a stick" configuration between, say, port 1 on the 3560 and the router's G0/0 interface. There will be a L2 trunk of course between port 1 on the switch and the 2821. This is for main HQ network access subnets/vlans on the 3560.

Also on the 2821, create a separate L2 vlan for remote site S1 servers while also creating a L3 interface, say on port fa0/25, between the switch and the 2821 g0/1?

Is this what you are referring to? Essentially the remote switch will actually have a total of three (3) layer three interfaces. One for the fiber WAN connection, one for the router-on-a-stick for main company networks located at the remote S1 site, and one for the current S1 network?

Am I following correctly?

Thanks

Brandon

There is no need for a router-on-a-stick config. The reason I suggested using the 3560 for internal S1 routing was because I figured you would be using one of the inbuilt 10/100/1000 ethernet ports on the 2821 to terminate your WAN connection.

Because the 3560 is a L3 capable switch you could use this to route internally. So config details -

Let's assume the ASA device inside interface is 192.168.1.1 and this is the default-gateway for the S1 servers.

2821

==========

int gi0/1 <--- this connects to gi0/1 on 3560

 ip address 192.168.5.1 255.255.255.252

ip route 192.168.1.0 255.255.255.0 192.168.5.2 <--- next hop is the 3560 end of the routed link

this route is so the 2821 knows how to get back to the 192.168.1.0/24 network

3560

====

int gi0/1 <-- this connects to gi0/1 on 2821

 no switchport

 ip address 192.168.5.2 255.255.255.252

int vlan 10

 ip address 192.168.1.10 255.255.255.0

where .10 is a spare address from the 192.168.1.0/24 range. If this is in use just choose an unused address.

vlan 10 will be used for the S1 current servers. You will need to create this vlan at L2 on the 3560 switch as well ie.

3560(config)# vlan 10
3560(config-vlan)# name S1_servers

then connect the existing switch to the 3560 and whichever port on the 3560 it is connected to

int gi0/2

 switchport access vlan 10

Now add routes on the 3560 so that the S1 servers can get to both your HQ and the ASA

ip route 10.0.0.0 255.0.0.0 192.168.5.1 <-- where 192.168.5.1 is the 2821 next-hop IP address

ip route 0.0.0.0 0.0.0.0 192.168.1.1 <-- where 192.168.1.1 is the ASA inside interface address

After that the only issues you have are

1) you need to inform your HQ of the 192.168.1.0/24 network. You have a static route on the 2821 pointing to the 3560. So you can either add a static at HQ or, if you are using a dynamic routing protocol between HQ and the 2821, you can redistribute the static into that dynamic routing protocol.

2) The servers need to have their default-gateway set to the L3 SVI interface on the 3560 ie. 192.168.1.10.

This is what I meant about migrating the ASA inside address. Assuming currently your servers in S1 are using that address as the default-gateway, you could just reallocate that address to the L3 SVI for vlan 10 on the 3560. Then give the ASA a new IP out of the 192.168.1.x subnet. The advantage of doing this is that you do not need to modify each server's IP config, but you would need to change the route on the 3560 to

ip route 0.0.0.0 0.0.0.0 192.168.1.x <--- where x is the new address assigned to the ASA.

If there are only a few servers I would just change the servers' default-gateway, to be honest.

Jon
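A worked check of the design above, added here as an example and not part of the thread: a longest-prefix-match trace over the static routes Jon gives, with the HQ core hop 10.0.0.1 and the 2821's HQ-facing address 10.0.0.2 as assumptions. It shows S1 servers reaching HQ via the 2821 and the Internet via the ASA, and that return traffic from HQ is dropped until HQ learns the 192.168.1.0/24 route (Jon's point 1) and the 2821's return route points at the 3560 end of the link.

```python
import ipaddress

# Constructed routing tables following Jon's reply; next_hop None means the
# prefix is directly connected, so the packet is delivered there.
TABLES = {
    "3560": [
        ("192.168.1.0/24", None),          # int vlan 10, S1 servers
        ("192.168.5.0/30", None),          # routed link gi0/1 to the 2821
        ("10.0.0.0/8", "192.168.5.1"),     # HQ via the 2821
        ("0.0.0.0/0", "192.168.1.1"),      # everything else to the ASA inside
    ],
    "2821": [
        ("192.168.5.0/30", None),
        ("10.0.0.0/8", "10.0.0.1"),        # fiber toward HQ (assumed hop)
        ("192.168.1.0/24", "192.168.5.2"), # return route: 3560 end of link
    ],
    "HQ": [("10.0.0.0/8", None)],          # HQ does not know 192.168.1.0/24 yet
    "ASA": [("0.0.0.0/0", None)],          # stands in for Internet and VPN peers
}
# Which device owns each next-hop address (the 10.0.0.x hops are assumed).
OWNER = {"192.168.5.1": "2821", "192.168.5.2": "3560", "192.168.1.1": "ASA",
         "10.0.0.1": "HQ", "10.0.0.2": "2821"}

def lookup(device, dst, tables=TABLES):
    """Return (network, next_hop) of the longest matching route, else None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in tables[device]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def trace(start, dst, tables=TABLES):
    """Follow dst hop by hop from start: list of devices, or None if dropped."""
    path, device = [start], start
    for _ in range(8):                     # guard against routing loops
        hit = lookup(device, dst, tables)
        if hit is None:                    # no route: dropped here
            return None
        if hit[1] is None:                 # directly connected: delivered
            return path
        device = OWNER.get(hit[1])         # None if next hop is on no link
        if device is None:
            return None
        path.append(device)
    return None
```

Adding `("192.168.1.0/24", "10.0.0.2")` to the HQ table makes `trace("HQ", "192.168.1.50")` succeed, while the thread's original `192.168.1.2` next hop on the 2821 would drop the same packet.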
