IPSEC question


Hi,

I have an existing site with a Cisco ASA IPsec tunnel to my HQ site with a Palo Alto firewall. Users at the existing site obtain their IP
address via a DHCP server configured on the ASA. The inside interface is G0/0 with 10.10.1.10/24 and the outside interface is the ISP public IP
address. PAT translation is configured for internet access. For internal users to access the servers in HQ, it is configured with NAT
exemption. There is no DMZ interface. The default route goes to the ISP A next hop at the branch site. On the HQ side, the default route is configured to the ISP B
next hop.

There will be a new office set up in another location with another new Cisco ASA IPsec tunnel back to the same HQ site PA FW. The
inside interface on this new firewall is also G0/0 10.10.1.10/24, with PAT translation for internet and also NAT exemption for users to access
HQ servers. A DHCP server will also be configured on the new ASA. The new office has a different ISP provider, e.g. ISP C and ISP D on each
side.

 

Just wanted to ask some subnet concepts and IP addressing at the existing site and also the new site for the IPsec parallel migration.

 

In order to run IPsec on both locations in parallel to HQ, on the existing site, could I just change the DHCP range to be 10.10.1.1 -
10.10.1.128 on the existing branch site ASA? For the new site, the DHCP range will be 10.10.1.129 - 10.10.1.254. There will be no
additional tunnel interface created at the PA FW in HQ. Will this method work? The inside ASA interface on both the existing and new site is still 10.10.1.10/24.


13 REPLIES


Not pretty but it would work. Just make sure routes on PA are correct: 10.10.1.0/25 to the first tunnel interface and 10.10.1.128/25 to the second. However for IPSEC to be established with current settings you will have to keep Proxy IDs on PA as 10.10.1.0/24 for both.

 

Just out of curiosity; why not just setup 2nd location with 10.10.2.0/24 network? I doubt you're running out of private classes? 

 

Won't the return traffic have issues since the gateways are the same but the hosts are on 2 physically disconnected IPSEC tunnels? Would services that rely on broadcast traffic still work since it is the same broadcast domain but on 2 physical links?

Why would the gateway be the same? You mean for routes that point into IPSEC tunnel?

Point those routes to the interface only, not a specific IP.

Like:

10.10.1.0/25 next hop interface tunnel.x1

10.10.1.128/25 next hop interface tunnel.x2
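As an added illustration (not code from the thread or from Palo Alto), the following Python model does longest-prefix-match lookups over the route split suggested above and checks whether each proposed DHCP scope lands entirely on one tunnel. The interface names tunnel.x1/tunnel.x2 are the reply's illustrative names, and the DHCP scopes are the ones proposed in the question; it also shows why a single /24 route cannot distinguish the two sites.

```python
import ipaddress

# Hypothetical PA route table from the reply: each /25 points at a tunnel interface, no next-hop IP.
SPLIT_ROUTES = {
    ipaddress.ip_network("10.10.1.0/25"): "tunnel.x1",    # existing branch
    ipaddress.ip_network("10.10.1.128/25"): "tunnel.x2",  # new branch
}

# The situation without a second tunnel: one /24 route can only point one way.
SINGLE_ROUTE = {ipaddress.ip_network("10.10.1.0/24"): "tunnel.x1"}

# Constructed DHCP scopes exactly as proposed in the question (first and last pool address).
SCOPES = {
    "existing": ("10.10.1.1", "10.10.1.128"),
    "new": ("10.10.1.129", "10.10.1.254"),
}


def lookup(dst, routes=SPLIT_ROUTES):
    """Longest-prefix match: return the egress interface for dst, or None if no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def scope_interfaces(first, last, routes=SPLIT_ROUTES):
    """Set of interfaces through which hosts in a DHCP scope would be reached."""
    start = int(ipaddress.ip_address(first))
    end = int(ipaddress.ip_address(last))
    return {lookup(str(ipaddress.ip_address(i)), routes) for i in range(start, end + 1)}


def scope_is_clean(first, last, routes=SPLIT_ROUTES):
    """True only if every host in the scope maps to exactly one tunnel."""
    return len(scope_interfaces(first, last, routes)) == 1


if __name__ == "__main__":
    for name, (first, last) in SCOPES.items():
        ifaces = scope_interfaces(first, last)
        print(f"{name} scope {first}-{last}: {sorted(ifaces)} clean={scope_is_clean(first, last)}")
```

Note that the "existing" scope ends at .128, which is the first address of 10.10.1.128/25, so one host would be routed down the wrong tunnel; ending the scope at .127 keeps each scope within its /25.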

As mentioned in the first post, there is no subnetting in place. Basically, both of the tunnels are using a /24 which has the same gateway and same broadcast domain. The only thing that is different is that the DHCP scope is active for the first tunnel (.1-.128) only, and for the 2nd tunnel we are going to set static IPs. DHCP would not be possible for the 2nd tunnel.

Ohh, I missed the part about 'There will be no additional tunnel interface created at the PA FW in HQ'

 

How will you make it work then? I don't see a way without additional IPSEC configuration (with needed tunnel interface) on PA.

 

So do you know of any method of making this work? Is this technically not possible?

Why not make second IPSEC tunnel on PA? Then everything would be possible (and easy).

Well, that's not what our manager that runs the network and the firewall says. I am saying that it will not work; he is insisting that it will work. So here I am asking if this is even technically feasible.

Hehe, i feel sorry for you 🙂

Nope, IPSEC would be flapping between both sites imo. If it would work at all (it would have to be setup with dynamic IP etc..)

 

 

I am sorry how would dynamic IP work???

If you set up on the PA IKE gateways with dynamic IPs, aggressive mode IKE and some other sort of ID for phase 1, both locations would be able to establish an IPSEC tunnel. But I'm not sure what would happen if they do it at the same time, probably IPSEC flapping. And there is no way to distinguish which traffic to route where.

Thanks a million!!!

Np.
