Cisco ASA

Roger Richards
Level 1

Quick question: I am in the process of restructuring my network and I will need to change the IPs for all my devices.

Concerns: I have a VPN connecting to another site and was wondering if it would affect me getting access to the other devices once I change my local network. Do I have to change the "Protected Networks" settings in the connection profile? Or should I just be concerned with the NATting?

I hope I am making sense. Basically, I just want to make sure that when I change my network subnet I can get access to all my devices across the VPN.

Attached is my current connection.

I want to change my local network from 172.20.16.0 to 10.20.16.0

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

If you change the LAN network then you naturally have to take this into account with the different configurations.

If you simply change the LAN network then this would require changes to L2L VPN configurations on both VPN devices. Or you have the option to NAT your new LAN network to the current LAN network before the VPN so that the new network remains visible to the remote site with its current IP addresses.

If you were to make the changes so that the remote site should not have to touch their configurations you would essentially have to do these things at least:

L2L VPN

Below configuration creates objects for the new and current LAN network. It then creates Static Policy NAT configurations for the LAN network so that it remains visible to the remote site with its original IP addresses. Finally it removes the current NAT0 configurations in use for the L2L VPN.

What you will have to take into account is that if the remote site connects to IP address 172.20.16.100 then ASA will forward it to 10.20.16.100. So if you want to keep the setup the same you will have to keep the last octet of the IP address the same (.100 for example) even though you change the subnet for the hosts.

! New LAN network (real addresses) and the current one (mapped addresses seen by the remote site)
object network LAN
 subnet 10.20.16.0 255.255.255.0
object network LAN-NAT
 subnet 172.20.16.0 255.255.255.0
! Static policy NAT: present the new LAN as 172.20.16.0/24 only towards the remote networks
nat (Inside,Outside) 1 source static LAN LAN-NAT destination static STXNET STXNET
nat (Inside,Outside) 2 source static LAN LAN-NAT destination static DHS-Internal DHS-Internal
! Remove the old NAT0 (identity NAT) rules used for the L2L VPN
no nat (Inside,any) source static any any destination static STXNET STXNET
no nat (Inside,any) source static any any destination static DHS-Internal DHS-Internal

VPN Client

The below configuration creates a new Split Tunnel ACL for the VPN Client connection and uses the new subnet (unless of course you want to NAT the new network for the VPN users also). It then removes the old ACL from use and replaces it with the new one. Finally it removes the old ACL from the ASA.

! New Split Tunnel ACL with the new subnet
access-list SPLIT-TUNNEL standard permit 10.20.16.0 255.255.255.0
group-policy DfltGrpPolicy attributes
 no split-tunnel-network-list value Private
 split-tunnel-network-list value SPLIT-TUNNEL
! Remove the old ACL
no access-list Private extended permit ip 172.20.16.0 255.255.255.0 any
! Identity NAT between the new LAN and the VPN Client pool, replacing the old rule
nat (Inside,Outside) 3 source static LAN LAN destination static VPN_Assigned_IP_Addresses VPN_Assigned_IP_Addresses
no nat (any,any) source static STTNET STTNET destination static VPN_Assigned_IP_Addresses VPN_Assigned_IP_Addresses

Hope this helps

Let me know how it goes or if you want to do it some other way.

- Jouni

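As an added illustration (not code from the post or from Cisco), a small Python model of how the three static manual NAT rules in the accepted answer rewrite addresses in both directions; the STXNET, DHS-Internal and VPN_Assigned_IP_Addresses ranges are constructed placeholders because the thread does not give them:

```python
import ipaddress
from dataclasses import dataclass

# Network objects: LAN/LAN-NAT are from the answer; the other three are CONSTRUCTED placeholders.
OBJECTS = {
    "LAN": ipaddress.ip_network("10.20.16.0/24"),
    "LAN-NAT": ipaddress.ip_network("172.20.16.0/24"),
    "STXNET": ipaddress.ip_network("192.168.50.0/24"),                    # constructed
    "DHS-Internal": ipaddress.ip_network("192.168.60.0/24"),              # constructed
    "VPN_Assigned_IP_Addresses": ipaddress.ip_network("10.20.200.0/24"),  # constructed
}

@dataclass(frozen=True)
class StaticNat:
    """One 'nat (Inside,Outside) N source static A B destination static C C' rule."""
    real_src: str
    mapped_src: str
    real_dst: str
    mapped_dst: str

# Manual NAT rules in the order the answer lists them; the ASA takes the first match.
RULES = [
    StaticNat("LAN", "LAN-NAT", "STXNET", "STXNET"),
    StaticNat("LAN", "LAN-NAT", "DHS-Internal", "DHS-Internal"),
    StaticNat("LAN", "LAN", "VPN_Assigned_IP_Addresses", "VPN_Assigned_IP_Addresses"),
]

def _remap(addr, from_net, to_net):
    """Static one-to-one NAT: swap the prefix, keep the host's offset (so .100 stays .100)."""
    offset = int(addr) - int(from_net.network_address)
    return str(ipaddress.ip_address(int(to_net.network_address) + offset))

def translate(src, dst):
    """Inside -> Outside: (mapped_src, mapped_dst), or None when no manual rule matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if s in OBJECTS[r.real_src] and d in OBJECTS[r.real_dst]:
            return (_remap(s, OBJECTS[r.real_src], OBJECTS[r.mapped_src]),
                    _remap(d, OBJECTS[r.real_dst], OBJECTS[r.mapped_dst]))
    return None

def untranslate(src, dst):
    """Outside -> Inside: the remote host targets the mapped (old) address and the ASA
    forwards to the real (new) one. Returns (real_src, real_dst) or None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in RULES:
        if s in OBJECTS[r.mapped_dst] and d in OBJECTS[r.mapped_src]:
            return (_remap(s, OBJECTS[r.mapped_dst], OBJECTS[r.real_dst]),
                    _remap(d, OBJECTS[r.mapped_src], OBJECTS[r.real_src]))
    return None
```

The host-offset preservation in `_remap` is why the answer says to keep the last octet: the remote site keeps reaching 172.20.16.100 and lands on 10.20.16.100, while traffic to any other destination is left for the remaining NAT rules.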

2 Replies


Also,

Naturally you will have to take the subnet change into account in other configurations on your ASA, such as:

  • Management configurations (http, telnet)
  • Static routes gateway IP
  • Logging configurations Syslog server IP
  • Possible ACL changes

- Jouni
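As an added example (not from the reply or from Cisco), a Python audit that walks an ASA running-config and lists every line still referring to the old subnet, tagged with the categories from the checklist above; the configuration text is constructed, with only the 172.20.16.0/24 subnet taken from the thread:

```python
import ipaddress
import re

# CONSTRUCTED sample of an ASA running-config; only the 172.20.16.0/24 subnet is from the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif Inside
 ip address 172.20.16.1 255.255.255.0
object network LAN-NAT
 subnet 172.20.16.0 255.255.255.0
access-list Private extended permit ip 172.20.16.0 255.255.255.0 any
route Inside 10.50.0.0 255.255.0.0 172.20.16.254 1
logging host Inside 172.20.16.20
http 172.20.16.0 255.255.255.0 Inside
telnet 172.20.16.10 255.255.255.255 Inside
ssh 192.0.2.0 255.255.255.0 Outside
"""

# Leading keyword -> category, covering the items in the reply plus the interface address itself.
CATEGORIES = [
    ("http", "management"), ("telnet", "management"), ("ssh", "management"),
    ("route", "static route"), ("logging", "logging"),
    ("access-list", "ACL"), ("nat", "NAT"), ("subnet", "object"),
    ("ip address", "interface"),
]
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def find_old_subnet_refs(config, old_net):
    """Return (line_no, category, line) for every config line mentioning an address in old_net.
    The mapped object (LAN-NAT) deliberately keeps the old subnet; it is listed so the reviewer
    consciously keeps it instead of missing it."""
    net = ipaddress.ip_network(old_net)
    hits = []
    for no, line in enumerate(config.splitlines(), 1):
        addrs = [ipaddress.ip_address(a) for a in IPV4.findall(line)]
        if not any(a in net for a in addrs):
            continue
        cat = next((c for k, c in CATEGORIES if line.lstrip().startswith(k)), "other")
        hits.append((no, cat, line.strip()))
    return hits
```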