01-05-2017 01:34 PM - last edited on 03-25-2019 04:41 PM by ciscomoderator
On my local network I currently have two ASAs. We are switching ISPs, so we currently have both of them hooked up. One internet connection is connected to an ASA 5510. Our new internet connection is connected to an ASA 5508. We have 20+ remote offices that connect to our corporate office via VPN.
What I want to be able to do is leave both ASA's connected and be able to slowly move our remote offices over to the 5508 and the new internet connection.
Currently if I configure a remote location to use the VPN through the 5508 I can't see any devices that use the 5510 as a gateway.
Our remote offices that are connected to the VPN through the 5510 can't see any devices that use the 5508 as a gateway.
Any ideas on how to configure the ASA's so I can take my time with this migration?
Thanks!
01-05-2017 02:04 PM
You really need something internally that can do layer 3 routing. Do you have anything like this?
01-05-2017 02:12 PM
We do not. Just a layer 2 switch and the two ASAs.
01-05-2017 02:13 PM
A Cisco 2960-X switch by chance? What kind of layer 2 switch?
01-05-2017 02:17 PM
It's an HP V1905 Switch.
01-06-2017 09:51 PM
Hi Ryan
I would suggest you check the routing table on both the 5510 and 5508 ASAs.
If remote offices gatewayed to the 5508 can't see the LAN behind the 5510, does the 5508 know it should route that traffic to the 5510?
Assuming that routes are in place, have you allowed the connection in your security rules from the remote offices to the 5510's LAN on both ASAs?
Hafidz
01-05-2017 02:15 PM
What sort of devices are at the remote branches?
01-06-2017 01:47 PM
I would like to start by clarifying some things that are not clear to me. Am I correct in assuming that these remote offices are connected using site to site VPN (rather than using remote access VPN)? And if it is site to site VPN am I correct in assuming that when you configure a remote site to connect using the new 5508 that you have removed all references to that site on the 5510?
If those assumptions are correct, then it seems to me that the solution would be this: as you configure a remote site to connect using the new 5508, configure a static route on the 5510 for the remote LAN subnet with the next hop being the inside address of the 5508. You will also need to allow same-security-level intra-interface traffic.
HTH
Rick
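Rick's suggestion in ASA CLI form, as an added example (not configuration posted in this thread). All addresses, object names and ACL/class/policy names are hypothetical: corporate LAN 10.0.0.0/24, 5510 inside 10.0.0.1, 5508 inside 10.0.0.2, and a remote office already moved to the 5508 using 10.20.0.0/24.

```cisco
! ===== ASA 5510 (old ISP side) =====
! Hosts that still default-route to the 5510 send 10.20.0.0/24 here; hand it
! back out the inside interface to the 5508, which owns that tunnel.
route inside 10.20.0.0 255.255.255.0 10.0.0.2 1

! The packet enters and leaves the same interface (hairpin). The ASA drops
! that by default; this statement permits it.
same-security-traffic permit intra-interface

! Caveat: an interface-specific NAT rule such as (inside,outside) will not
! match this inside-to-inside traffic, but an (any,any) dynamic rule would.
! If you have one, add an identity (no-change) twice-NAT rule for this pair:
object network CORP_LAN
 subnet 10.0.0.0 255.255.255.0
object network REMOTE_5508
 subnet 10.20.0.0 255.255.255.0
nat (inside,inside) source static CORP_LAN CORP_LAN destination static REMOTE_5508 REMOTE_5508 no-proxy-arp route-lookup

! Caveat: the path is asymmetric. Corporate host -> 5510 -> 5508 -> tunnel,
! but the reply comes tunnel -> 5508 -> corporate host directly, so the 5510
! only ever sees one half of each TCP connection and its stateful TCP checks
! will drop the flow after the SYN. TCP state bypass for exactly this traffic
! relaxes those checks (ping and UDP are not affected the same way).
access-list TO_5508_SITES extended permit tcp 10.0.0.0 255.255.255.0 10.20.0.0 255.255.255.0
class-map ASYM_TO_5508
 match access-list TO_5508_SITES
policy-map inside-policy
 class ASYM_TO_5508
  set connection advanced-options tcp-state-bypass
service-policy inside-policy interface inside

! ===== ASA 5508 (new ISP side) =====
! Nothing extra is needed for routing: 10.0.0.0/24 is directly connected, so
! decrypted traffic for corporate hosts is delivered straight onto the LAN.
! Just make sure the site-to-site crypto ACL / VPN filter for the remote
! office covers the whole corporate LAN, not only hosts that use the 5508 as
! their gateway, and that the same remote subnet no longer appears in any
! crypto map or static route on the 5510.
```

To confirm the hairpin is actually taking place, `packet-tracer input inside icmp 10.0.0.50 8 0 10.20.0.10` on the 5510 should show the egress interface as `inside` with the next hop 10.0.0.2 and no drop in the NAT or ACL phases; `show conn address 10.20.0.10` on the 5510 afterwards shows the half-seen connections the state-bypass class is there to protect.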
01-11-2017 09:58 AM
Rick - Here is what I've done. From a PC in a remote office connected via VPN I can ping both the 5508 and the 5510. I can now ping the PC in the remote office from the 5510. But any PC or server in our main office that uses the 5510 for the gateway cannot ping the remote PC. Am I still missing something?
Thanks!
Ryan
01-12-2017 12:14 PM
Ryan
It might be an issue about traffic needing to hairpin. Have you got the statement to permit traffic with same security level intra interface?
Other than this suggestion I am not clear what you have got. Can you supply some details about how these VPNs are configured?
HTH
Rick