Gateway Address – Setting the Same at DR Site as Main Site

ciscorouting

I have a question about routed traffic across a site-to-site VPN between 2 Cisco ASA 5510s. We have our office side and our DR side, and the question is whether I could have an IP conflict of gateway IP addresses if I make changes on my DR side's ASA. Below is a description of our setup.

We rent a cabinet offsite for DR purposes. We have a Cisco ASA 5510 at this DR site, a 5510 at the main site too, and a site-to-site VPN set up between them. The subnet at the DR site is the same as our server subnet (to make life easy if we need to bring up servers for an emergency), but the gateway address is different at DR than at the main site. When sending any traffic between sites, we have to reach over certain subnets created in the site-to-site VPN, and they are routable between.

So from the office, to get to the DR site's 10 subnet (server subnet), the site-to-site VPN translates 192.168.10.0/24 to 192.168.53.0/24.

From DR to the office, it translates 192.168.10.0/24 to 192.168.52.0/24.

So if you're at DR and you need to see something back at the office, you reach out to 192.168.52.1 for a server, for example. From the office, to get to one of our VM hosts that are storing shut-down servers at DR, 192.168.53.25. This all routes fine and it's working for us.

What I'd like to do, and I believe I should be OK to change it since all traffic between sites has to translate to those other subnets, is change that 192.168.10.8 gateway address at DR (inside interface IP on my DR ASA) to 192.168.10.10, like the gateway address I have at the office. There are several reasons I'd want to do so, but since I'm already a pretty wordy typer, I won't bore you with more details. Let's just say it will make it a heck of a lot easier in case of an emergency, but I don't want to shut one site or the other down if making this change is a bad thing.

Does someone have experience with this, and would I be OK?

Best Answer

From the sounds of it, you should be able to do it without much of an issue. This is simply because of the NATing that you have going on.

A bit of a warning: if the servers all have static IPs and default gateways, changing the IP of the firewall (current gateway) may make it harder to reach the servers, as they won't know how to get to 192.168.53.0/24 without the default gateway.

One way to mitigate this is to create a static route on one server that points to 192.168.10.10 for traffic going to 192.168.53.0/24.

Another way would be to create a new NAT rule on the ASA for an individual host on the main site. Then on the ASA at the DR site, NAT this again to be on the same subnet as the servers.

Say, host 192.168.10.50 is NAT'd to 192.168.54.254, then pushed over the VPN. The DR ASA then NATs this again to change the source to 192.168.10.254. When the servers at the DR see this source IP, they'll know how to respond since it's in the same subnet.
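As an added example (not configuration from the original post or from the ASAs it describes), this is how the existing subnet translation and the per-host double NAT described in the answer would look in ASA 8.3+ twice-NAT syntax on both firewalls. The interface names inside/outside, the object and ACL names, and the crypto ACL lines are assumptions; the addresses are the ones given in the thread.

```cisco
! --- Main-site ASA (object and ACL names are assumed) ---
object network MAIN-LAN
 subnet 192.168.10.0 255.255.255.0
object network MAIN-LAN-MAPPED
 subnet 192.168.52.0 255.255.255.0
object network DR-LAN-MAPPED
 subnet 192.168.53.0 255.255.255.0
object network MAIN-HOST50
 host 192.168.10.50
object network MAIN-HOST50-MAPPED
 host 192.168.54.254
! The host-specific rule must sit above the subnet rule: twice-NAT rules are matched in order.
nat (inside,outside) 1 source static MAIN-HOST50 MAIN-HOST50-MAPPED destination static DR-LAN-MAPPED DR-LAN-MAPPED
nat (inside,outside) 2 source static MAIN-LAN MAIN-LAN-MAPPED destination static DR-LAN-MAPPED DR-LAN-MAPPED
! Interesting traffic for the tunnel is written in the translated addresses, so the
! new 192.168.54.254 source needs its own line or it will never enter the VPN.
access-list VPN-TO-DR extended permit ip host 192.168.54.254 192.168.53.0 255.255.255.0
access-list VPN-TO-DR extended permit ip 192.168.52.0 255.255.255.0 192.168.53.0 255.255.255.0

! --- DR-site ASA ---
object network DR-LAN
 subnet 192.168.10.0 255.255.255.0
object network DR-LAN-MAPPED
 subnet 192.168.53.0 255.255.255.0
object network MAIN-LAN-MAPPED
 subnet 192.168.52.0 255.255.255.0
object network MAIN-HOST50-MAPPED
 host 192.168.54.254
object network MAIN-HOST50-ONLINK
 host 192.168.10.254
! "destination static <what DR servers see> <what really arrives>": DR servers see
! 192.168.10.254 as on-link, so they ARP for it instead of using a default gateway.
! The ASA answers that ARP because proxy ARP for mapped addresses is on by default;
! do not add no-proxy-arp to this rule or the replies will be lost.
nat (inside,outside) 1 source static DR-LAN DR-LAN-MAPPED destination static MAIN-HOST50-ONLINK MAIN-HOST50-MAPPED
nat (inside,outside) 2 source static DR-LAN DR-LAN-MAPPED destination static MAIN-LAN-MAPPED MAIN-LAN-MAPPED
access-list VPN-TO-MAIN extended permit ip 192.168.53.0 255.255.255.0 host 192.168.54.254
access-list VPN-TO-MAIN extended permit ip 192.168.53.0 255.255.255.0 192.168.52.0 255.255.255.0
```

Verify the match on each side with `packet-tracer input inside tcp 192.168.10.50 1234 192.168.53.25 445` (main) and `packet-tracer input outside tcp 192.168.54.254 1234 192.168.53.25 445` (DR) and confirm the NAT phase shows the expected rewritten source and destination.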
