ASA 5520 migrate from T1 to DS3 (two internet routers)

Unanswered Question
Nov 12th, 2007

We need to migrate our ASA from a T1 router internet connection to a DS3 router internet connection. Both routers and the ASA are connected to a switch. The ASA is currently configured and operating with a IP range. The DS3 has a and IP range assigned to it. We don't use any special protocols.

I have read other posts which don't quite seem to address my need or contain insufficient detail for me to understand the steps and changes needed. We have web servers and internet users and cannot afford any significant interruption of service. We use static NAT for the servers and Interface PAT for the internet users.

The steps I believe I need are:

1. Set up two new outside IP ranges in the ASA.

2. Change the default gateway to one of the new ranges. (This should change over our internet users to the new router.)

3. Add new static NAT for the servers. (All servers have multiple internal IP addresses.)

4. Make DNS changes and wait for them to propagate.

5. Remove the old static NAT for the servers.

6. Remove the old IP range.

I assume this type of orderly migration is possible. I am unsure of the correct commands needed for steps 1, 2, and 6. I usually make changes in the ASDM but I am familiar with the CLI.

Thank you for your suggestions and guidance.

JORGE RODRIGUEZ Mon, 11/12/2007 - 11:41

Frank, you should be able to do the logical migration to the new ISP from ASDM. As you will not be changing the inside interface IP, you can remain connected to ASDM while doing the changes.

Your process seems fairly straightforward. I have conducted a couple of migrations from T1 to DS3s on PIX 515Es. I am not speaking for ASA, but I'm sure it is the same principle.

Most of my migration sites have an external switch between the PIX/ASA and the ISP router, so I set up a NEW VLAN on the external switch for the new ISP router. The OLD ISP T1 router sits on a different VLAN on the same switch. When the time comes to migrate, I change the ASA outside interface connection to the external switch to be on the same VLAN the new ISP DS3 router is under. Then start your logical changes through ASDM.

I start with changing the default route to the new ISP router, then move on to changing global pools, then move on to changing one-to-one NATs and let ASDM do it for you, as it will also update the access lists accordingly. Pay attention to internal DNS: if your internal DNS servers have static NAT, make sure you change the servers' DNS to their new static NAT public IP so that your users can get out to the internet. I find ASDM to be very useful, especially when there are hundreds of one-to-one NAT statements where one may miss something, so I let ASDM do the accurate job.

You may also use CLI to confirm pings.



franktclark Mon, 11/12/2007 - 14:37

Your advice seems helpful but I am afraid that I am a software engineer trying to do the work of a network administrator. I have a general understanding of what you are describing but I need some details to implement it.

First it seems that if I want to have multiple IP address ranges on the outside interface they have to be assigned to a unique VLAN id.

When my switch was configured for those new VLAN IDs I had to reboot the switch and my customers lost access to the network for a minute. They were very unhappy.

So, I created the two new sub-interfaces. Each has to be given a unique name. I now have three "outside" interfaces: Outside, Outside1, Outside2. I created a default route to Outside1 with a metric of 2 and changed Outside to a metric of 3 so I could change back quickly, if needed. When I saved these changes my customers lost internet access. They were very unhappy. I quickly changed the metric on Outside back to 1.

What did I do wrong and what do I need to do?

I appreciate your efforts to help.

