Combining two networks

wrightsreprints
Level 1

I have been assigned the task of combining two separate networks into one, or at least partially. Currently one of our offsite locations is moving their servers to our location. A partial advantage is that both locations use ASA. The servers that are moving in-house will have their own subnet range and domain controllers. We are only using our ASA.

My first concern is that of the subnet. Currently everything on our ASA is set up to the 192.168.0.x with the subnet mask of 255.255.255.248. Their range is 192.168.100.x with the subnet mask of 255.255.255.0. Will I need to make changes to our ASA subnet mask to include their range?

Second, both locations are using LDAP authentication. Will I need to create a separate VPN policy in order for them to continue to use their LDAP? I am assuming yes.

Are there any surprises or gotchas I need to be aware of? Thanks

22 Replies

No.  You'll need to obfuscate any important information.  Search and replace is good for this ...

Attached. Hopefully I removed any confidential information.

There are quite a few VPNs in that config.  Which one are you using for this?  WrightsVPN?

WrightsVPN is for our primary network (Ethernet 0/1). Licensing (LicenseStreamVPN) is the one I just added that should be talking to Ethernet 0/2. At the moment, it does not seem to be able to do so.

As a refresher. Ethernet 0/2 is the added network using the 192.168.100.x subnet range. The primary network, the original active network on Ethernet 0/1 is 192.168.0.x (actually all of the way up to 192.168.8.x, I believe).   The server I am attempting to talk to has a static IP of 192.168.1.123 (255.255.255.0)

Let's start by fixing the NAT.  Add:

access-list inside-ls_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0
nat (inside-ls) 0 access-list inside-ls_nat0_outbound
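To make it easier to reason about which flows the NAT-exemption entry above actually covers, here is an added example (not from the thread, and not Cisco's code) that parses a `permit ip` entry of an ASA extended access list and checks whether a given source/destination pair matches it, i.e. would bypass NAT under `nat (interface) 0 access-list NAME`. The flow addresses are constructed from the subnets mentioned in the thread; only the `ip SRC DST` form with `any`, `host A.B.C.D` or `A.B.C.D MASK` endpoints is modelled.

```python
import ipaddress

def _parse_endpoint(tokens):
    """Consume one ACL endpoint from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA extended ACLs take a normal subnet mask (not an IOS-style wildcard mask).
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny ip SRC DST' into a tuple."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[4] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    name, action = t[1], t[3]
    src_net, rest = _parse_endpoint(t[5:])
    dst_net, rest = _parse_endpoint(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return name, action, src_net, dst_net

def nat_exempt(aces, src_ip, dst_ip):
    """First-match evaluation: True if the flow hits a permit entry and so bypasses NAT.

    No match means the entry does not apply and the interface's ordinary NAT rules decide.
    """
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _name, action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

# The exemption entry from the reply above (the interface name is taken from the thread).
NAT0_ACL = [parse_ace(
    "access-list inside-ls_nat0_outbound extended permit ip any 192.168.100.0 255.255.255.0"
)]

if __name__ == "__main__":
    # Constructed flows: the static server from the thread to a host in the moved subnet,
    # and the same server to an outside address (documentation range), which stays NATed.
    print(nat_exempt(NAT0_ACL, "192.168.1.123", "192.168.100.25"))  # True
    print(nat_exempt(NAT0_ACL, "192.168.1.123", "203.0.113.10"))    # False
```

Because the source is `any`, every host on the ASA reaches 192.168.100.0/24 untranslated; narrow the source to the subnets that actually need it if a tighter policy is wanted.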

That solved it. Thanks a million.

I am hopeful that you will see this even after marking the solution solved. I ran into a different issue but related. If I need to separate this request, so you get credit, please let me know.

I need to be able to access web sites that are connected to the Ethernet 0/2 from the internal network (Ethernet 0/1) as if they are local. Currently, if I attempt to access the web server via the DNS (external DNS), the page cannot be found. I am guessing the ASA is treating this like a loopback or something of that nature. I know the issue is not DNS as I cannot access using the IP address while internal. I can via an external source. Thoughts? 

It's not about a credit issue; but it would be great if you could post it as a separate issue with your current config.  I remember this thread now, but it is quite long to read back over to extract out the important bits.