from the sounds of it, you should be able to do it without much of an issue. This is simply because of the NATing that you have going on.
A bit of a warning, if the servers are all have static IPs and default gateways, changing the IP of the firewall (current gateway), may make it harder to reach the servers, as they won't know how to get to 192.168.53.0/24 without the default gateway.
One way to mitigate this, is to create a static route on one server that points to 192.168.10.10 for traffic going to 192.168.53.0/24.
Another way would be to create a new NAT rule on the ASA for an individual host on the main site. Then on the ASA at the DR site, NAT this again to be on the same subnet as the servers.
Say, host 192.168.10.50 is NAT'd to 192.168.54.254, then pushed over the VPN. The DR ASA then NATs this again to change the source to 192.168.10.254. When the servers at the DR see this source IP, they'll know how to respond since it's in the same subnet.
Hope this helps as I had the same issue and this corrected the problem.
568750 - False Duplicate IP detection on Logix Ethernet modules when used with Cisco switches
Access Level: Everyone
Date Created: 10/22/2013 10:54 AM
Last Updated: 08/27/2014 10:33 AM
Problem
When Logix Ethernet modules are connected to a subnet containing Cisco switches with "ip device tracking" (IPDT) enabled, the modules may go into a duplicate IP address state after a restart/reset.
Environment
Any layer two networks that contain both Logix Ethernet modules and Cisco switches running IPDT. IPDT is much more likely to be implemented on Cisco switches as of August, 2013 because of a behavior change which enables this command if any feature which requires it is enabled. This behavior change also removes the ability to turn off IPDT without first turning off any features which require IPDT.
The Stratix line of switches will not have “ip device tracking” enabled by default until a permanent solution is in place.
Cause
The IPDT feature sends probe ARP packets with a source IP address of 0.0.0.0., the source MAC ID of the switch, and the target IP and MAC ID for the device being probed to check that it is still connected and responsive.
When a device becomes disconnected, and then is reconnected within the configurable IPDT timeout period, probe ARP packets may be received by a Logix Ethernet module at the same time as it is in its Address Conflict Detection mechanism. If this happens, the Logix Ethernet module will immediately go into a duplicate IP state, and stop communicating.
IPDT when activated on a Cisco switch will try to probe for every ip connected on the subnet, regardless of whether it is connected to that switch or not. Testing has shown that this affects the majority of Ethernet modules sold by Rockwell Automation.
Workaround
Several workarounds to this issue exist. They all make suggestions using Cisco IOS command-line interface commands.
Workaround 1
Architect manufacturing zone subnets such that:
1. IPDT is explicitly disabled on every trunk port with the following command:
Hostname (config-if)# ip device tracking maximum 0
2. IPDT probe delay is manually configured on any access port connected to a Rockwell Automation Ethernet module with the following command:
Hostname (config)# ip device tracking probe delay 10
Workaround 2
If the switch in question has an administration IP (SVI) configured on the subnet/VLAN in question the Cisco CLI command:
Hostname (config)# ip device tracking probe use-svi
will insert the administration IP into the source IP in the IPDT packet. This packet will not impact Address Conflict Detection operation.
Workaround 3
Disable IPDT on any Cisco switch ports with IPDT enabled that subsequently connect to a Rockwell Automation Ethernet module with the following command:
Hostname (config-if)# ip device tracking maximum 0
Solution
The permanent solution is under consideration.
Comments (1)
jbrodsky
06/04/2014 08:13 AM
This command does not work in all Cisco switch firmwares.
The command that worked for me was
Hostname (config-if) # nmsp attach suppress
and I later confirmed that it worked by issuing the following command
Hostname # show ip device tracking all
and the device should NOT show up in the list of enabled devices.
The alternative command that others have used to disable IP device tracking is
Hostname (config-if) # no ip device tracking max
But that had no effect for me using a 3850 stack with version 3.02.03.SE
The command was accepted but did not disable anything when I checked with showing device tracking.
Be forewarned that Cisco is having complaints about this issue and they are probably going to change the firmware yet again...
Reply | Flag as Inappropriate |
Post a Comment
Product Tree for This Answer (expand/collapse)Expand Product Tree for This Answer ID
Answers others found helpful
35072 - EtherNet/IP Duplicate Address Detection
118216 - Logix modules Duplicate IP address detection enhancement
51541 - 1756-ENBT display Duplicate IP scrolling over display
573991 - Unknown multicast traffic flooding network with 1783-ETAP with IGMP
42616 - IP addresses of Ethernet modules in a Redun
Best Answer
When companies merge, they often have this problem with overlapping addresses. Cisco has NAT Outside Source which helps to solve the problem. You can do an Internet search for "cisco ip nat outside source" to find information such as Sample Configuration Using the ip nat outside source list Command.
Note: this should really only be a temporary situation, and you should strive to resolve the conflict. This is not something you want to maintain as a long term solution.
Another possible solution is to create VLANs on the switches just for the RANCID server connections, and you can set up different IP addresses for the switches on the server VLANs. This will not affect the switches and the existing LAN addressing, it just adds new addressing specifically for the server connections.