11-06-2013 08:07 AM
Hello there,
I am moving a client's range from some old network kit to some new network kit. They have a /24 public range routed to their old firewall, and this range will be moved and routed to their new ASA's outside interface. All very simple. However, they have another ASA 5505 that they use for VPN connections that is IP'd within this /24, i.e. the outside interface is in the network.
They have asked me to move the 5505 before the /24 is moved. Now I can't route a single /32 at the device as it would require a return path default gateway within the same network. However what I can do is introduce another network a /29, configure this with HSRP on the upstream routers and change the outside IP of the ASA to exist within this new network.
I could then route the old IP /32 to the new outside interface IP of the 5505, providing transit.
So far I feel this would work as it's only standard routed range to the firewalls outside interface.
The problem is, would the VPNs that were configured still work? As I see it the traffic would reach the device, but the device would reply on the new outside interface IP... I'm guessing the remote ASA would receive this traffic from the new source IP and the VPN connections would fail.
Am I wrong? Please correct me and give me your two cents (or two pennies in the UK). Any help is appreciated; how can I get this to work?
Thanks,
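The link-network design described in the question, written out as an added example (not configuration from the original thread). Addresses are constructed from the RFC 5737 documentation ranges: 203.0.113.0/24 stands in for the client's /24, 203.0.113.10 for the 5505's current outside IP that the VPN peers point at, and 198.51.100.0/29 for the new link network; interface names, HSRP group numbers and the router/ASA host addresses are assumptions.

```cisco
! --- Upstream router A (router B mirrors this with 198.51.100.3 and a lower priority) ---
interface GigabitEthernet0/1
 description Link network towards the ASA 5505
 ip address 198.51.100.2 255.255.255.248
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
!
! Host route for the 5505's old address, next hop = its new outside interface IP
ip route 203.0.113.10 255.255.255.255 198.51.100.4
!
! --- ASA 5505 (outside interface re-IP'd into the /29) ---
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.4 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! What this gives you and what it does not:
!  - Packets for 203.0.113.10 now arrive on the 5505's outside interface, so
!    through-traffic for that address (e.g. a static NAT to an inside host)
!    can be carried.
!  - The ASA only terminates IKE/IPsec on an address configured on an
!    interface ("crypto ikev1 enable outside" listens on 198.51.100.4).
!    Packets for 203.0.113.10 are treated as transit, not to-the-box traffic,
!    so a peer configured with "set peer 203.0.113.10" never gets an IKE
!    answer and the tunnel does not come up.
```

The comment block is the practical check to run before a cutover like this: confirm on the 5505 which address `show crypto ikev1 sa` (or `show crypto isakmp sa` on older code) reports as the local endpoint; it will only ever be an interface address.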
11-06-2013 08:20 AM
Hi,
So you are asking if you can create a new link network for the ASA5505, route the single host IP towards the ASA with the next hop set to the ASA interface IP address, and then use that single host IP address for the incoming VPN connections?
If so, then this seems impossible to me. To my understanding there is no way to allocate any other address to accept VPN connections, or any connections to the ASA itself, IF the IP address in question is not configured on the ASA's interface.
From what you say it seems that you are keeping the same /24 public IP address space even after migration.
Wouldn't the solution in that case be expanding the L2 segment from the device that holds the gateway for the /24 network to the new ASA equipment and directly connecting that ASA5505 to the network without any link networks (the /29)?
- Jouni
11-06-2013 08:42 AM
Hi Jouni,
Thanks for the reply, and it's a great answer.
I also agree that the ASA might not be able to listen on the outside interface for a routed IP for VPNs. I know this would work with other ASA functionality, i.e. passing traffic on this IP through the device; however, I suspected it will not attempt to build a VPN on the routed IP.
The /24 will be moving 48 hours later and being routed against a new set of 5545-Xs. This will be routed to the 5545-X outside interface, so there is no layer 2 segment for the 5505 to connect to.
The overall goal is moving the single-IP 5505 first and keeping the IP. I don't really have access to this device to change it; at most I would be able to re-IP the outside interface.
11-06-2013 10:11 AM
Hi,
So I imagine that you will have the new ASA5500-X series devices ready and configured in the network with some other subnets configured on their external interfaces, and the /24 subnet will be routed towards these new devices when the eventual migration is done.
Could you perhaps provide a simple topology picture of the current 2 setups and show how each setup is connected, and also how the ASA5505 is moved? Perhaps even mention the device models used.
I am just wondering if there could be some workaround for this.
I imagine that the current ASA5505 external IP address and the other IP addresses close to it from the /24 subnet are in use? Just wondering if you could subnet the /24 so that you could break off a segment that would contain the IP address currently in the /24 and leave the rest of the subnets where they are?
Naturally this would mean changes to the current setup also as you would have to split the existing /24 to smaller subnets. Have one connected subnet configured on the current external interface of the current firewall and route the rest of the "leftover" subnets towards that interface IP address in the current firewall.
- Jouni
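The subnet split Jouni suggests, carried through as an added example (not configuration from the thread). It keeps the constructed addressing from above (203.0.113.0/24 as the client's /24, 203.0.113.10 as the 5505's address) and assumes the old firewall's outside IP is 203.0.113.3, that the old and new router pairs already have internal routing between them, and the interface names and HSRP groups shown. The point it demonstrates is that .10 stays configured on the 5505's interface, so the existing VPN peers keep working; only the mask and gateway on the 5505 change.

```cisco
! The /24 is carved into non-overlapping pieces (constructed split):
!   203.0.113.0/29                         stays connected on the old firewall's outside
!   203.0.113.8/29                         carries the 5505 (keeps .10) on the new kit
!   203.0.113.16/28, .32/27, .64/26, .128/25   the "leftover" space, routed to the old firewall
!
! --- Old-side gateway router (partner router uses .4 in the same HSRP group) ---
interface GigabitEthernet0/1
 description Connected /29 shared with the old firewall
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
!
! Leftover subnets routed to the old firewall's outside IP (assumed .3); the old
! firewall must now NAT/route for them instead of having the whole /24 connected.
ip route 203.0.113.16  255.255.255.240 203.0.113.3
ip route 203.0.113.32  255.255.255.224 203.0.113.3
ip route 203.0.113.64  255.255.255.192 203.0.113.3
ip route 203.0.113.128 255.255.255.128 203.0.113.3
!
! --- New-side gateway router (partner router uses .12 in the same HSRP group) ---
interface GigabitEthernet0/2
 description /29 broken off the /24 for the ASA 5505
 ip address 203.0.113.11 255.255.255.248
 standby 2 ip 203.0.113.9
!
! --- ASA 5505: the address the VPN peers use stays on the interface ---
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
```

Because 203.0.113.10 remains an interface address, IKE still terminates there and the remote peers' `set peer 203.0.113.10` entries need no change. The cost is the one Jouni names: the old firewall and its upstream routers must be reconfigured for a /29 plus routed leftovers rather than a single connected /24, and the 203.0.113.8/29 must be advertised as a more-specific route toward the new kit for the 48 hours until the rest of the /24 follows.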