ooSillyoo
Not The Brightest Bulb In The Pack
Premium Member
join:2004-01-13
Lawrenceville, GA

Re: [Config] New 5510 replacing multiple pieces of OLD equipment

I'm starting to think this is not as simple as other people in my company were thinking.
aryoba
MVM
join:2002-08-22

said by ooSillyoo:

I'm starting to think this is not as simple as other people in my company were thinking.

Tell those people that network design and engineering is never an easy job. Unfortunately a lot of people take the result of a good job for granted and make much more money than those poor undervalued engineers.

TomS_
Git-r-done
MVM
join:2002-07-19
London, UK

Transitioning between devices and technologies is not always easy.

And in fact I might even suggest you do this in a stepped release process, not all guns blazing in one go - something which will either work brilliantly, or fail miserably.

Start by getting the ASA installed, connected to the network and reachable, and move things not necessarily one by one, but in groups.

If you have VPN users, get them to reconfigure their client to point to the ASA. Then move some of the remote branches, etc etc.

Unfortunately some people just don't appreciate how difficult things like this can be. When you have a collection of devices spanning a decade, each doing different things, and perhaps from different vendors, it is never easy to consolidate all of them into a single box. You need to spend time to work out how to configure similar functionality on the new device and make sure that it works.

A lab would certainly be useful for you in this situation so that you can trial this without causing production outages...

ooSillyoo
Not The Brightest Bulb In The Pack
Premium Member
join:2004-01-13
Lawrenceville, GA

TomS - The good thing is I have a "lab" at my house I can test this with. I've done this in steps so far with getting the basic config up to connect to the internet, then I was able to create the VPN connection using an inbound Cisco VPN soft client to replace the 3000 concentrator, then I moved on to the remote VPN clients using DMVPN.

If I reconfigure the remote clients to point to the ASA, how would that work when a client is using resources from another remote network? Is all that traffic going to route over the internet from the remote client to the ASA then to the other remote client, or would the 881s still create a tunnel like they do using DMVPN?

I'm an RF network guy not a routing and security guy.

TomS_
Git-r-done
MVM
join:2002-07-19
London, UK

You wouldn't be touching the configuration related to anything other than establishing a VPN to the ASA (e.g. just changing the IP address), so everything else should just continue to work as is.

I can't say I'm an expert with DMVPN, although I have configured it before, but my understanding is that all traffic is passed through the hub in order to reach other spoke sites. But usually spokes are only talking to the hub as the hub is where things like intranet sites etc would live.

Spoke to spoke could be done with dedicated VPNs between them if required.

ooSillyoo
Not The Brightest Bulb In The Pack
Premium Member
join:2004-01-13
Lawrenceville, GA

Tom,

Based on what I've read the spokes would create a dynamic tunnel to other spokes if a client on one network needed to connect to another. This traffic wouldn't go through the hub. This is very important because we all use IP phones at our remote offices.

The DMVPN works, what I don't understand is why the static route doesn't work. I have a static route in the ASA for the 192.168.200.0 network to go to 192.168.241.2 (the 881). I can ping devices on the 192.168.200.0 network from the 881 and ASA but not from a client going through the ASA. If I do a traceroute from the ASA the next hop is the 881.
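As an added illustration (not from the thread), here is the static route described above in ASA CLI together with the check a practitioner would run next: a ping sourced by the ASA itself does not pass through the interface policy, so packet-tracer is used to simulate the client's packet and show the phase that drops it. The interface name "inside", the client address 192.168.241.50 and the remote host 192.168.200.10 are assumptions; the intra-interface permit at the end applies only if packet-tracer shows the packet leaving the same interface it entered on.

```cisco
! Assumed layout: the clients and the 881 (192.168.241.2) both sit behind the
! ASA "inside" interface; the 881 reaches 192.168.200.0/24 over DMVPN.
! Static route as described in the post (interface name assumed):
route inside 192.168.200.0 255.255.255.0 192.168.241.2 1

! This succeeds from the ASA because the ASA sources the packet itself,
! so no ingress/egress interface policy is applied to it:
ping 192.168.200.10

! Simulate the client's packet instead (client and remote host addresses
! are assumed). Each phase (ROUTE-LOOKUP, ACCESS-LIST, NAT, ...) is listed,
! ending with the phase that drops the packet and its drop reason.
packet-tracer input inside icmp 192.168.241.50 8 0 192.168.200.10 detailed

! If the drop reason says the packet would exit the interface it arrived on,
! the ASA must be allowed to hairpin (u-turn) traffic on that interface:
same-security-traffic permit intra-interface

! Re-run the same packet-tracer; the last line should now read "Action: allow".
```

If the drop happens in the NAT or ACCESS-LIST phase instead, the fix is in that rule set rather than in the route, which is exactly what the traceroute from the ASA cannot tell you.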