Solved: Ok thanks, I don't have

eddie.sardinha · ‎02-05-2015

Cisco support community,

I have a question about subnets and networks, I am a newbie at this so bear with me. I am using MPLS to connect all of our sites, I have two offices each of which have a cisco asa, both on different subnets. Subnet 1 : 192.168.2.x and 192.168.10.x.

I am in the office on network .2, if i want to test a server etc. on network .10 but not in that office, how can I connect a new test firewall on that network while being in the .2 network?

Is this possible and what would I need for this?

Thanks

APPIREDDY · ‎02-08-2015

Hi,

If you are planning to have a server on 192.168.10.0 network while you are in site with network 192.168.2.0, you could do this, but this network should be completely dis-connected from all other production networks to avoid any discrepancies/conflicts. In essence this network should not be routed, but exist as a VLAN with no routing enabled or restricted with VACL's, but can still be connected to ASA and can send and receive traffic from/to internet.

View solution in original post

David paull · ‎02-05-2015

Can you further define "connect" in "how can I connect a new test firewall on that network..."

It will be a while before I'm back to read the answer for this question but I think if you can broaden the context, the scope may become more clear. I have read this at least 10 times and still do not understand what you are wanting to do.

eddie.sardinha · ‎02-05-2015

Sure I want to connect a server and act like I am in the remote office whose network is on a different subnet for testing purposes. If my office is on a 192.168.2 network but I want to connect like I am on the 192.168.10 network.

David paull · ‎02-05-2015

No. The way you explained it, it is not possible.

You have a few options.

1) RDP into a remote server or remote desktop on the remote network through a management tunnel and you can then generate traffic from that subnet to properly test.

2) Have a person who is residing in the remote location on a call with you that can generate traffic accordingly.

eddie.sardinha · ‎02-06-2015

Is it possible with another internet connection and a firewall and then create a site to site VPN to the remote office firewall? Then I would be on their LAN correct?

David paull · ‎02-06-2015

With a s2s VPN tunnel, your remote site basically becomes an extension of your local site (and vice versa).

Typically this is used so that, for example, your desktops that reside on 192.168.2.x can communicate with servers or whatever resources reside on 192.168.10.x through the internet, and do so securely.

This, by the way, is exactly what your MPLS already does, or should already be doing.

What you seem to be asking now is if you can belong to the same subnet as the remote devices. Theoretically, you could, but I don't think it's a good idea to do that with a production network, and I've never seen it done.

You say that your goal in the original post is to test a server. Why not just pick up the phone and have someone do it?

eddie.sardinha · ‎02-07-2015

Ok thanks, I don't have another admin in that site. I was thinking of a way to do testing before I sent a server to that site or get on a plane.

APPIREDDY · ‎02-08-2015

Hi,

If you are planning to have a server on 192.168.10.0 network while you are in site with network 192.168.2.0, you could do this, but this network should be completely dis-connected from all other production networks to avoid any discrepancies/conflicts. In essence this network should not be routed, but exist as a VLAN with no routing enabled or restricted with VACL's, but can still be connected to ASA and can send and receive traffic from/to internet.

Connecting to different network