1718 Views, 0 Helpful, 13 Replies

Parallel IPsec migration

Hi,

I have an existing site with a Cisco ASA IPsec tunnel to my HQ site with a Palo Alto firewall. Users at the existing site obtain their IP address via the DHCP server configured on the ASA. The inside interface is G0/0 with 10.10.1.10/24 and the outside interface has the ISP public IP address. PAT translation is configured for internet access. For internal users to access the servers in HQ, a NAT exemption is configured. There is no DMZ interface. The default route goes to the ISP A next hop at the branch site. On the HQ side, the default route is configured to the ISP B next hop.

There will be a new office set up in another location with another new Cisco ASA IPsec tunnel back to the same HQ site PA FW. The inside interface on this new firewall is also G0/0 10.10.1.10/24, with PAT translation for internet and also a NAT exemption for users to access HQ servers. A DHCP server will also be configured on the new ASA. The new office has a different ISP provider, e.g. ISP C and ISP D on each side.

Just wanted to ask about some subnet concepts and IP addressing at the existing site and also the new site for the IPsec parallel migration.

In order to run IPsec at both locations in parallel to HQ, could I just change the DHCP range on the existing branch site ASA to 10.10.1.1 - 10.10.1.128? For the new site, the DHCP range will be 10.10.1.129 - 10.10.1.254. There will be no additional tunnel interface created at the PA FW in HQ. Will this method work? The inside ASA interface at both the existing and the new site is still 10.10.1.10/24.

or

I need to configure subnetting on the inside interface G0/0 at both the new site and the existing site. Old site 10.10.1.1/25 and new site 10.10.1.129/25.

On the PA FW at HQ, create a new tunnel that peers with the new site. A new default route on the PA FW pointing to ISP D. While at the branch, a default route points to ISP C.

Thanks in advance

Regards

Lawrence

13 Replies

Richard Burts
Hall of Fame

Lawrence

It is not clear in your post whether the new office being set up is to be a replacement for the existing office and the existing office will cease to exist after the migration or whether the new office will continue to operate along with the existing office. Can you clarify this?

I also hope that you can clarify this, which you said: "There will be no additional tunnel interface created at the PA FW in HQ". Are you really saying that through this transition you will have only a single tunnel interface on the HQ PA firewall? I do not see how you can bring up the second office and have it operate in parallel with the existing office and have a single tunnel interface at HQ.

HTH

Rick


Hi Richard,

Thanks for the response.

At the final stage, the new office is set up as a replacement of the existing office.

However, during this transition, of about a 1 month grace period, the existing office will operate along with the new office. Traffic from both locations will traverse to the HQ. After 1 month, the existing office will cease. From then, only traffic from the new office goes to HQ. During transition, there is only a single tunnel interface at the HQ PA FW to the existing site.

If I were to configure a new tunnel at the HQ peering to the new office, does my new office need to be assigned a different subnet range, or can I retain the same subnet range and assign different DHCP ranges to the old and new office?

Could you kindly advise which option is the correct one.

Option 1

Old site ASA inside interface G0/0 10.10.1.10/24

new site ASA inside interface G0/0 10.10.1.11/24

dhcp range for old site : 10.10.1.1 - 10.10.1.128

dhcp range for new site : 10.10.1.129 - 10.10.1.254

Option 2 - configure different subnet mask at the ASA inside interface G0/0

Old site ASA inside interface G0/0 10.10.1.1/25

new site ASA inside interface G0/0 10.10.1.129/25

dhcp range for old site : 10.10.1.1 - 10.10.1.128

dhcp range for new site : 10.10.1.129 - 10.10.1.254

Many thanks.

Lawrence

Lawrence

Thank you for the additional information. However, I am still puzzled about what you plan in terms of having only a single tunnel at HQ or having two tunnels at HQ during the transition. You still say this:

During transition, there is only a single tunnel interface at the HQ PA FW to the existing site.

But then you ask questions that suggest that you are considering having two tunnels. I do not see how you could get it to work with a single tunnel. So I suggest that you agree that during the transition there will be two tunnels.

Of the options that you list, Option 1 is flawed and would not work. Option 2 is much better. You might also consider the option that during the transition one site does address translation so that locally both sites are using 10.10.1.0 but to HQ it appears that one site is a different network (perhaps 10.10.2.0).

In either case it looks like you will need to make two sets of changes in the configuration of the VPN. The first set of changes moves from the original site using 10.10.1.0/24 in the VPN for HQ to having two sites using/sharing/splitting 10.10.1.0 and creating a second VPN tunnel at HQ. The second set of changes removes the original VPN tunnel and goes back to a single remote site using 10.10.1.0/24.

HTH

Rick


Hi Richard,

Thank you for your advice.

I agree with you that there will be 2 tunnels during transition. One to the old site, and the other to the new site.

I would just like to clarify the statement:

You might also consider the option that during the transition one site do address translation so that locally both sites are using 10.10.1.0 but to HQ it appears that one site is a different network (perhaps 10.10.2.0).

Not sure if my understanding is correct. Do you mean that one site will do the translation but the other site will not do translation? In this case both sides will be using 10.10.1.0/24 locally. On the HQ side, it will see 2 networks, one is the translated public IP and the other is the 10.10.1.0/24 network?

My next question would be, if both sides are using the same 10.0.1.0/24 locally with different PAT public IP addresses (since they are in different locations, the ISP public address will be assigned differently for PAT on each site), in this case, can I still use 10.0.1.0/24 locally on both sides? Or do I have to stick to option 2 as mentioned above? A little bit confused.

Lawrence

Hi Richard,

There is also a NAT exemption configuration for the local site to access the server in HQ.

If I use 10.10.1.0/24 locally on both sides, the traffic from both sides will reach HQ. However, for the return traffic, HQ will not know where to go since both sides are 10.10.1.0/24. Am I correct?

Regards

Lawrence

Lawrence

Yes we usually do a nat exemption when implementing a site to site VPN so that each side sees the "real" IP addresses of the other site. I am suggesting in this case that one site will not have the nat exemption but will be doing address translation for its LAN when going over the IPsec tunnel.

I believe that the confusion is that when I describe address translation you are interpreting that as the PAT to the public address. But I am suggesting a translation of 10.10.1.0 to 10.10.2.0.

HTH

Rick

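An added example (not from Rick's or Lawrence's posts, and not a configuration from this thread) of the translation Rick describes, written for a Cisco ASA 8.4+ branch: the LAN stays 10.10.1.0/24 locally, but toward HQ it is presented as 10.10.2.0/24. The HQ LAN 192.168.100.0/24, the HQ peer 203.0.113.1, the transform set and all object, ACL and crypto-map names are assumed placeholders; the IKE policy, transform-set definition and tunnel-group are omitted and assumed unchanged from the existing site.

```cisco
! Added example (not from this thread): branch ASA 8.4+ that presents its
! real LAN as 10.10.2.0/24 to HQ over the IPsec tunnel.
! Assumed placeholders: HQ LAN 192.168.100.0/24, HQ peer 203.0.113.1,
! all object/ACL/crypto-map names, transform set ESP-AES256-SHA.
object network BRANCH-LAN
 subnet 10.10.1.0 255.255.255.0
 ! Internet-bound traffic keeps the usual interface PAT (object NAT,
 ! evaluated after the manual NAT rule below).
 nat (inside,outside) dynamic interface
object network BRANCH-LAN-AS-SEEN-BY-HQ
 subnet 10.10.2.0 255.255.255.0
object network HQ-LAN
 subnet 192.168.100.0 255.255.255.0
!
! Manual (twice) NAT, evaluated before object NAT: traffic from the real LAN
! to HQ has its source rewritten 10.10.1.x -> 10.10.2.x (same host part).
! This replaces the usual identity exemption
!   nat (inside,outside) source static BRANCH-LAN BRANCH-LAN destination static HQ-LAN HQ-LAN
! that the other branch keeps, so HQ sees two distinct networks.
nat (inside,outside) source static BRANCH-LAN BRANCH-LAN-AS-SEEN-BY-HQ destination static HQ-LAN HQ-LAN no-proxy-arp route-lookup
!
! The crypto ACL must match the translated source: on ASA 8.3+ NAT is applied
! before the packet is compared with the crypto map, so a 10.10.1.0 entry here
! would not match the post-NAT packet and the traffic would not be encrypted.
access-list VPN-TO-HQ extended permit ip 10.10.2.0 255.255.255.0 192.168.100.0 255.255.255.0
!
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
```

On the HQ Palo Alto, the proxy ID, security policy and route for this branch then reference 10.10.2.0/24 (pointing into this tunnel), while the other branch keeps its identity NAT exemption and is still seen as 10.10.1.0/24. HQ servers will log this branch's users as 10.10.2.x addresses for the duration of the transition.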

Hi Richard,

Thanks a lot for your help and good advice.

I agree that if one site is doing NAT exemption and the other side is not doing NAT exemption, this should be OK.

I guess that I will choose option 2 where each site will have a totally different subnet.

Thanks

Lawrence

Lawrence

I agree that option 2 where each site has a totally different subnet is clean and easy to implement. Other options such as address translation could work but would be more complex to implement. I think you have made a good choice. Good luck with implementing it.

HTH

Rick


Hi Richard 

From the above :

"I agree with you that there will be 2 tunnels during transition. One to the old site, and the other to the new site."

If I am using 2 different tunnels at the HQ Palo Alto firewall, in the new office, can I use the same public IP address at HQ (this public IP address is already connected to the old office), or do I have to use a different public IP address at the Palo Alto to connect the tunnel to the new office?

Hi Richard,

If I use the same public IP address at the Palo Alto firewall for the new site, will it break the tunnel at the old office?

Regards

Lawrence

Using the public IP at HQ for both VPN tunnels will not have a negative impact. In fact, it is very common when a router or firewall has multiple VPN tunnels to use the same outside interface IP for each of the tunnels.

HTH

Rick


Hi Richard,

Many thanks for your help.

Regards

Lawrence

You are welcome. Good luck with the implementation of this. If you run into other issues feel free to post back to the forum, perhaps opening a new thread for it.

HTH

Rick
