01-23-2014 08:27 AM
Quick question: I am in the process of restructuring my network and I will need to change the IPs for all my devices.
Concerns: I have a VPN connecting to another site and was wondering if it would affect me getting access to the other devices once I change my local network. Do I have to change the "Protected Networks" settings in the connection profile? Or should I just be concerned with the NATting?
I hope I am making sense. Basically, again, I just want to make sure that when I change my network subnet I can get access to all my devices across the VPN.
attached is my current connection..
I want to change my local network from 172.20.16.0 to 10.20.16.0
01-23-2014 08:51 AM
Hi,
If you change the LAN network then you naturally have to take this into account in the different configurations.
If you simply change the LAN network then this would require changes to the L2L VPN configurations on both VPN devices. Or you have the option to NAT your new LAN network to the current LAN network before the VPN so that the new network remains visible to the remote site with its current IP addresses.
If you were to make the changes so that the remote site should not have to touch their configuration, you would essentially have to do at least these things:
L2L VPN
Below configuration creates objects for the new and current LAN network. It then creates Static Policy NAT configurations for the LAN network so that it remains visible to the remote site with its original IP addresses. Finally it removes the current NAT0 configurations in use for the L2L VPN.
What you will have to take into account is that if the remote site connects to IP address 172.20.16.100 then ASA will forward it to 10.20.16.100. So if you want to keep the setup the same you will have to keep the last octet of the IP address the same (.100 for example) even though you change the subnet for the hosts.
object network LAN
subnet 10.20.16.0 255.255.255.0
object network LAN-NAT
subnet 172.20.16.0 255.255.255.0
nat (Inside,Outside) 1 source static LAN LAN-NAT destination static STXNET STXNET
nat (Inside,Outside) 2 source static LAN LAN-NAT destination static DHS-Internal DHS-Internal
no nat (Inside,any) source static any any destination static STXNET STXNET
no nat (Inside,any) source static any any destination static DHS-Internal DHS-Internal
VPN Client
The below configuration creates a new Split Tunnel ACL for the VPN Client connection and uses the new subnet (unless of course you want to NAT the new network for the VPN users also). It then removes the old ACL from use and replaces it with the new one. Finally it removes the old ACL from the ASA.
access-list SPLIT-TUNNEL standard permit 10.20.16.0 255.255.255.0
group-policy DfltGrpPolicy attributes
no split-tunnel-network-list value Private
split-tunnel-network-list value SPLIT-TUNNEL
no access-list Private extended permit ip 172.20.16.0 255.255.255.0 any
nat (Inside,Outside) 3 source static LAN LAN destination static VPN_Assigned_IP_Addresses VPN_Assigned_IP_Addresses
no nat (any,any) source static STTNET STTNET destination static VPN_Assigned_IP_Addresses VPN_Assigned_IP_Addresses
Hope this helps
Let me know how it goes or if you want to do it some other way.
- Jouni
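An added example, not from the original thread or from Cisco: a small Python model of the twice-NAT lines in the answer above, covering both the L2L policy NAT (rules 1 and 2) and the VPN-client identity NAT (rule 3). It shows the host-offset mapping that makes 172.20.16.100 and 10.20.16.100 the same host, the first-match order of the manual NAT section, and that a static twice-NAT rule applies in both directions, so the remote site must keep targeting the old 172.20.16.x addresses. The subnets behind STXNET, DHS-Internal and VPN_Assigned_IP_Addresses are not given in the thread and are assumed here.

```python
import ipaddress
from dataclasses import dataclass

# Objects referenced by the NAT rules. LAN and LAN-NAT come from the thread;
# the STXNET, DHS-Internal and VPN_Assigned_IP_Addresses subnets are NOT in
# the thread and are assumed here (documentation ranges).
OBJECTS = {
    "LAN": ipaddress.ip_network("10.20.16.0/24"),             # new LAN
    "LAN-NAT": ipaddress.ip_network("172.20.16.0/24"),        # old LAN, still shown to the peer
    "STXNET": ipaddress.ip_network("192.0.2.0/24"),           # assumption
    "DHS-Internal": ipaddress.ip_network("198.51.100.0/24"),  # assumption
    "VPN_Assigned_IP_Addresses": ipaddress.ip_network("10.99.0.0/24"),  # assumption
}


@dataclass(frozen=True)
class TwiceNat:
    """One 'nat (Inside,Outside) N source static A B destination static C D' line."""
    src_real: str
    src_mapped: str
    dst_real: str
    dst_mapped: str


# Section-1 (manual) NAT rules in the order the answer lists them: first match wins.
RULES = [
    TwiceNat("LAN", "LAN-NAT", "STXNET", "STXNET"),                    # rule 1
    TwiceNat("LAN", "LAN-NAT", "DHS-Internal", "DHS-Internal"),        # rule 2
    TwiceNat("LAN", "LAN", "VPN_Assigned_IP_Addresses",
             "VPN_Assigned_IP_Addresses"),                             # rule 3 (identity)
]


def _static_map(addr, real, mapped):
    """Static one-to-one NAT between equal-sized subnets keeps the host bits,
    which is why 172.20.16.100 <-> 10.20.16.100 in the answer."""
    if real.prefixlen != mapped.prefixlen:
        raise ValueError(f"static NAT needs equal-sized subnets: {real} vs {mapped}")
    offset = int(addr) - int(real.network_address)
    return ipaddress.ip_address(int(mapped.network_address) + offset)


def _objs(rule, objects):
    return tuple(objects[n] for n in (rule.src_real, rule.src_mapped,
                                      rule.dst_real, rule.dst_mapped))


def translate_outbound(src, dst, rules=RULES, objects=OBJECTS):
    """Inside -> Outside: return (new_src, new_dst, rule_no), or None when no
    manual rule matches and the packet falls through to the later NAT sections."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, rule in enumerate(rules, 1):
        sr, sm, dr, dm = _objs(rule, objects)
        if src in sr and dst in dr:
            return str(_static_map(src, sr, sm)), str(_static_map(dst, dr, dm)), n
    return None


def translate_inbound(src, dst, rules=RULES, objects=OBJECTS):
    """Outside -> Inside: static twice NAT is bidirectional, so a packet from the
    remote site to the *mapped* LAN address is un-translated to the real one.
    A packet aimed at the new 10.20.16.x address matches nothing."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, rule in enumerate(rules, 1):
        sr, sm, dr, dm = _objs(rule, objects)
        if src in dm and dst in sm:
            return str(_static_map(src, dm, dr)), str(_static_map(dst, sm, sr)), n
    return None


def peer_visible_network(peer="STXNET", rules=RULES, objects=OBJECTS):
    """The local network the crypto ACL and the peer's protected-network entry
    must name: the post-NAT source, not the new physical LAN."""
    for rule in rules:
        if rule.dst_real == peer:
            return str(objects[rule.src_mapped])
    return None


if __name__ == "__main__":
    print(translate_outbound("10.20.16.100", "192.0.2.10"))  # ('172.20.16.100', '192.0.2.10', 1)
    print(translate_inbound("192.0.2.10", "172.20.16.100"))  # ('192.0.2.10', '10.20.16.100', 1)
    print(translate_inbound("192.0.2.10", "10.20.16.100"))   # None: peer must keep the old address
    print(peer_visible_network())                            # 172.20.16.0/24
```

On the ASA, outbound traffic is translated before it is matched against the crypto map, so with this design the local side of the L2L "Protected Networks" definition stays 172.20.16.0/24; only the split-tunnel list, which the VPN client uses to decide what it sends into its tunnel, moves to the new 10.20.16.0/24 subnet, matching the two halves of the answer.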
01-23-2014 08:56 AM
Also,
Naturally you will also have to take the subnet change into account in other configurations on your ASA, like
- Jouni