Supernetting and Changing Inside Interface of ASA 5555

cmccann1985
Level 1

Hi All,

 

After reading countless posts and seeing all the wonderful feedback from everyone here, I decided that posting my own issue won’t be as scary as I first thought. I always see you guys asking for a little more information when people post questions so here is a little bit of background.

Working in a big corporate organization for the last 12 years has meant that I have worked with a network team who has made all the changes, and while I sat over the engineer's shoulder and watched them work, I’ve never had the hands-on experience to fully develop.

 

In my new job, I'm working in a much smaller environment. We have a working ASA 5555 that was provided by a company we work with, but the maintenance and changes all fall on me. Their network team haven't fed any information back on my change plan, therefore I'm posting my planned works here because I need to know if the commands are going to A) work or B) break it.

 

As we only have one ASA in production and no test environment, I hope you can understand why I’m nervous about running the commands as the consequences could be rather bad if it all breaks.


Reason For Change

Currently, the company is on a 192.168.1.0/24 network, and as the studio has grown and more staff have joined, we are now facing an issue where we are running out of IP addresses. This is now causing issues with development. I have tried to VLAN the network off, but was unsuccessful in getting routing working between the existing IP address range and the new ranges, therefore we now have to supernet our environment.

 

What's Changing

To allow us to get more IP addresses we are going to change our network environment from 192.168.1.0/24 to 192.168.0.0/22.

 

Planned Works and Rollback Options

  1. Stop the current DHCP Server.
  2. Start New DHCP Server.
  3. Release and Renew IP address of our test clients to make sure they are picking up the new ranges.
  4. Connect to the ASA via serial connection and run the following commands:
    1. enable
    2. configure terminal
    3. show interface
    4. interface gigabitEthernet 0/1
    5. ip address 192.168.0.1 255.255.252.0
    6. exit
    7. object network inside-network_22
    8. subnet 192.168.0.0 255.255.252.0
    9. access-list inside_access_in extended permit ip 192.168.0.0 255.255.252.0 any
  5. Test to see if the test clients (192.168.0.100 / 192.168.1.100 / 192.168.2.100 / 192.168.3.100) can access the internet.

 

I can include an edited version of our config if it helps.

 

But if anyone can spare 5 minutes to look over the above commands and give feedback that would be amazing.

 

Many thanks.

Chris

8 Replies

balaji.bandi
Hall of Fame

I do not see any reason why this is not going to work. You are going in the right direction.

 

Some tips:

 

1. Take a backup of the ASA config, in case you have any issue you can restore the old backup (even though you are changing only the IP address).

2. Make sure you clear the ARP entries on the switch side where gigabitEthernet 0/1 is connected (to make it quicker, or else you need to wait for the MAC to expire, depending on config).

3. Clear the xlate table on the ASA also, to be on the safer side.

4. Make sure the new DHCP server excludes the new IP address of the ASA, and users should get a new IP address from DHCP with the new gateway address.

 

 

 

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello

Apart from the DHCP scope change: is the ASA performing NAT and inter-VLAN routing, or do you have another device performing this function?

I would say, without looking at your current configuration and topology, I wouldn't be so sure whether it would work or not, especially as this is a production environment.

 

So, to be sure, can you post a topology diagram and the configuration on your ASA and any L3 device you may have running so it can be reviewed?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver,

 

Thanks for replying back to me. It really does mean a lot.

 

 

As you can see from the attached topology diagram, I have 2 Netgear M4300 12x12F core switches set up in a spine and leaf topology. My first attempt at solving the IP address shortage was to set up VLANs to break the network up more. I was able to get this working in my test environment, but when I introduced the ASA it all stopped working. With time constraints and not being able to test changes on the ASA without the possibility of breaking it further, supernetting became my next option.

 

[Attached image: FS_Topology_Current_CISCOFORUMEDIT.jpg]

 

Below is an edited version of the ASA config. I have removed the Site to Site VPNs that we have configured.


!
interface GigabitEthernet0/0
description Used for public facing IP ranges
nameif outside
security-level 100
ip address
!
interface GigabitEthernet0/1
description Used for LAN network ranges
nameif inside
security-level 0
ip address 192.168.1.1 255.255.255.0
!
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network CloseConnectionTest
host 0.0.0.0
description Using for Testing
access-list dmz_access_in extended deny ip any interface inside
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
access-list outside_cryptomap_3 extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_3
access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_1
ac
pager lines 24
logging enable
logging timestamp
logging buffer-size 10240
logging buffered notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic any interface
access-group outside_access_in_1 in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 *.*.*.* 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group14-sha1
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
vpn-tunnel-protocol ikev1

!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
class class-default
user-statistics accounting
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection

 

I have looked at your plan and looked briefly at the partial config that you posted and have a few comments about the config:

- You plan to add a line to access list inside_access_in, which is good. That will result in the ACL having two lines. You might want to remove the original line, which was specific to the /24.

- You have 3 lines in ACLs used for crypto maps which specify the /24. You need to adjust them.

- You have lines to control access using http and using ssh which are specific to the /24. You need to adjust them.

 

I also have some comments about transitioning to supernetting. I believe that the ASA will be ok with 192.168.0.0/22. But I wonder about how the DHCP server will react to that. And I wonder about hosts in the network and how they will react to a supernet of 192.168.0.0. It has been my experience that, depending on the particular OS (and perhaps the version of the OS), some hosts might not accept the assignment of a supernet address. And I believe that some hosts that might be assigned an IP of 192.168.2.26 and a gateway of 192.168.0.1 might have a problem.

 

HTH

 

Rick


Hi @Richard Burts

 

Thank you for taking the time to get back to me. Your points really do help. Regarding your first three, I will now add the following to my change plan. Hopefully, they are correct.

 

- you plan to add a line to access list inside_access_in which is good. That will result in the acl having two lines. You might want to remove the original line which was specific to the /24 

no access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any

 

- you have 3 lines in acl used for crypto map which specify the /24. You need to adjust them.

I am sure that these are to do with the rules for the Site to Site VPN connections that we have. When I am able to get back into the ASA using ASDM I will be making these changes in there (still finding my feet with the cmds so don't want to push my luck too soon ;-) ).

 

- you have lines to control access using http and using ssh which are specific to /24. You need to adjust them. 

http 192.168.0.0 255.255.252.0 inside

ssh 192.168.1.0 255.255.255.0 inside

 

Regarding your other point about the DHCP change: I have another DHCP server that I am going to start that has the new range configured. This should mean that I can roll back my changes quicker, as I can just shut the new one down and then restart the old one. Before I bring the new DHCP server into production, 98% of the environment will be powered down, so they will just pick up the new range on boot, and the statically assigned hosts will have a manual change. I have been able to test the DHCP change method in a test lab, so I am quietly confident that part is going to work (*has all fingers and toes crossed*).

 

Cheers

 

Chris
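A pre-change check to run against the exported config, written for this thread as an added example (not the poster's or Cisco's code): it flags every line still bound to the old 192.168.1.0/24, including the ssh line that is carried over unchanged in the reply above, and tests whether a client holding a given lease still sees 192.168.0.1 as on-link, which is the DHCP concern raised earlier. The config excerpt is constructed from the posted lines, and the set of commands assumed to carry an inside-network address is an assumption.

```python
import ipaddress
import re

# Added example, not code from the thread: config excerpt constructed from the
# lines posted above plus the proposed new http/ssh lines.
OLD_NET = ipaddress.ip_network("192.168.1.0/24")
NEW_NET = ipaddress.ip_network("192.168.0.0/22")

# "A.B.C.D W.X.Y.Z": an address followed by a dotted-decimal mask.
ADDR_MASK = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}) (\d{1,3}(?:\.\d{1,3}){3})")

CONFIG = """\
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.1.0 255.255.255.0 any
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 object-group DM_INLINE_NETWORK_2
http 192.168.0.0 255.255.252.0 inside
ssh 192.168.1.0 255.255.255.0 inside
"""


def stale_lines(config):
    """Return (line, suggestion) for each line still bound to the old /24.
    suggestion is None for host addresses such as the interface IP, which need
    a hand-picked address inside the new range rather than a mask rewrite."""
    findings = []
    for line in config.splitlines():
        for addr, mask in ADDR_MASK.findall(line):
            try:
                net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                continue  # not a valid address/mask pair
            if net != OLD_NET:
                continue
            if ipaddress.ip_address(addr) == net.network_address:
                new = f"{NEW_NET.network_address} {NEW_NET.netmask}"
                findings.append((line, line.replace(f"{addr} {mask}", new)))
            else:
                findings.append((line, None))
    return findings


def same_subnet(host, gateway, mask):
    """True if a client holding host/mask sees gateway as on-link (the check
    behind the DHCP concern above: a client still on a /24 lease cannot reach
    192.168.0.1 directly even though it lies inside the new /22)."""
    as_net = lambda ip: ipaddress.ip_interface(f"{ip}/{mask}").network
    return as_net(host) == as_net(gateway)
```

Run stale_lines over the full exported config before the change window; anything it reports that is not on the change plan (crypto-map ACLs, ssh, http) is a line that will still reference the old range afterwards.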

Chris

 

The config changes that I mention on ASA are pretty straightforward and you should have no issue with them. It is good to know that you have had a chance to test the new DHCP scope. (Did that test include a host being assigned an IP in 192.168.2.x and a gateway of 192.168.0.1, and making sure that the host was ok with that?)

 

HTH

 

Rick


Hi @Richard Burts

 

Yep, I made sure that the test hosts worked across all the ranges. I set up reservations on them so they had the following IPs: 192.168.0.100, 192.168.1.100, 192.168.2.100 and 192.168.3.100.

 

Hopefully, after this work has been completed and some other backlog of work has been finished, I will be able to reinvestigate VLANs.

 

Many thanks for your time and for all those who have replied. 

 

Cheers


Chris

Good to hear it is all going in the right direction. Keep us posted.

BB
