ASA 5520- ISP change proceedure

rayborg (Level 1)

Hello,

Our company is going to change its ISP.

The external IPs are obviously going to change too.

We have an Active/Standby firewall pair and we would like to make the change with as little loss of connectivity as possible.

In our configuration we have nearly all features configured, as in a normal production firewall: NAT, site-to-site VPN, remote-access WebVPN, ACLs and also routing. I have looked up some information in this community and still I am not sure about the steps to be taken to reach our goal.

I have read that changing only the "names" from the old IP range to the new IP range would not really make the change.

The old IP range will still be configured in the features that use the external IP address.

Therefore we first have to delete all the information (in the running config) connected to these variables and then re-insert it.

My biggest worry is that this could be a little bit tricky during the implementation, if some config lines or objects are left out during the deleting and inserting procedure.

Does anyone have any idea how we could make this change with a low percentage of "copy and paste failures"?

I was thinking about changing the "names" to their new IPs and then afterwards reloading the ASA. Will this work out?

The primary ASA will be changed first with the secondary shut down. ASA firmware 8.2.2(12).

regards

Ray

Accepted Solution

mvsheik123 (Level 7)

Hello,

I changed the external IPs a few months back on an Active/Standby cluster. Please refer to the thread below. If you still have queries, please post.

https://supportforums.cisco.com/message/3325539#3325539

hth

MS

4 Replies

Hello,

thanks for your prompt answer.

Your proposal was very interesting to read; maybe I can try it out this week.

Still, I have some questions regarding the procedure.

I have tried implementing the change on our lab ASA using two different methods.

In the first method I made a copy of the "more system:running-config" output and edited the copied version with the new ISP address range. Then I TFTPed it back to the ASA as the startup config and reloaded.

The results seemed OK, but as I said this is our lab ASA. One issue could be the pre-shared key for the IPsec configuration.

My second method:

I edited the objects involved over ASDM and applied the changes.

This method also seemed to be a way to reach our goal.

Are there any hidden issues if I have to implement either of my methods?

As I said, I would like to hear some feedback from people who have already carried out such a change.

Thanks again, mvsheik123.

I would really appreciate it if we could discuss more about  this issue.

Hi Ray,

As you are not changing the firewalls here, there is no need to use any uploads. But as a precaution, keep a TFTP copy of the current working running config from the FW handy.

Now as far as the names go, yes, just changing names will not work. My preferred method (although not the best): I copy the config to a text file and edit it (with the new IPs) wherever necessary. I keep the old config lines (names, static, route, tunnel etc.) in 'no' keyword form together with the new config lines, so that I can copy/paste the config during the maintenance window. That saves a lot of time in case of any unforeseen issues and the need for time to troubleshoot.

Also, within the maintenance window I did it phase by phase (1. Internet, 2. DMZ access, 3. VPN changes, etc.).

Make sure you clear the ARP tables on the external switches and the xlates on the ASAs after changing the IPs.

Thx

MS
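To illustrate the "old lines in 'no' form plus new lines" approach from the reply above, and Ray's worry about lines being missed during copy/paste, here is an added Python example written for this page (it is not the poster's tooling and not anything from Cisco). It reads a config in the 8.2 text style, emits the `no` lines for every statement that carries an old-range address, emits the same statements rewritten to the new range, and also re-enters statements that reference an old address only through a `name` (those show no IP in the text, which is exactly why changing the `name` alone is not enough). Assumptions: the old and new blocks have the same prefix length and each host keeps its offset (.5 stays .5); the sample config is constructed in documentation ranges (203.0.113.0/29 to 198.51.100.0/29) and is not a real customer config.

```python
# Added example for this thread: build a cutover/rollback snippet for an ASA outside-range change.
# Assumes equal prefix lengths, hosts keep their offset, input is `more system:running-config` text.
import ipaddress
import re

IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")

def _in_net(token, net):
    try:
        return ipaddress.ip_address(token) in net
    except ValueError:  # netmask text, a name or other token: not an address in the range
        return False

def _remap(token, old_net, new_net):
    """Keep the host offset inside the block: 203.0.113.5/29 -> 198.51.100.5/29."""
    offset = int(ipaddress.ip_address(token)) - int(old_net.network_address)
    return str(new_net.network_address + offset)

def _affected_names(lines, old_net):
    """Names defined on an old-range address. Lines using them show no IP at all,
    yet they must still be removed and re-entered after the name is redefined."""
    names = set()
    for line in lines:
        m = re.match(r"name (\S+) (\S+)", line.strip())
        if m and _in_net(m.group(1), old_net):
            names.add(m.group(2))
    return names

def plan_cutover(config_text, old_cidr, new_cidr):
    """Return 'no' lines for the old config, replacement lines, and the sub-commands
    (interface ip address etc.) that must be typed under their parent context."""
    old_net, new_net = ipaddress.ip_network(old_cidr), ipaddress.ip_network(new_cidr)
    if old_net.prefixlen != new_net.prefixlen:
        raise ValueError("old and new ranges must have the same prefix length")
    lines = config_text.splitlines()
    names = _affected_names(lines, old_net)
    name_re = re.compile(r"(?<!\S)(?:%s)(?!\S)" % "|".join(map(re.escape, sorted(names)))) if names else None

    def swap(m):
        return _remap(m.group(0), old_net, new_net) if _in_net(m.group(0), old_net) else m.group(0)

    removals, additions, manual, parent = [], [], [], None
    for raw in lines:
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            parent = line
        hit = any(_in_net(t, old_net) for t in IPV4.findall(line)) or bool(name_re and name_re.search(line))
        if not hit:
            continue
        new_line = IPV4.sub(swap, line)
        if line.startswith(" "):
            # sub-command: enter it under its parent; an `ip address` is overwritten, not 'no'ed
            manual.append((parent, line.strip(), new_line.strip()))
        else:
            removals.append("no " + line)
            additions.append(new_line)
    removals.reverse()  # drop dependents before the names they resolve through
    additions.sort(key=lambda l: 0 if l.startswith("name ") else 1)  # define new names first (stable sort)
    return {"remove": removals, "add": additions, "manual": manual}

def leftover_old_addresses(config_text, old_cidr):
    """Post-change check: every line still carrying an address from the old range."""
    old_net = ipaddress.ip_network(old_cidr)
    return [(n, line.strip()) for n, line in enumerate(config_text.splitlines(), 1)
            if any(_in_net(t, old_net) for t in IPV4.findall(line))]

# Constructed sample in documentation ranges; not a real customer configuration.
SAMPLE_CONFIG = """\
names
name 203.0.113.5 mailserver-public
name 10.0.0.5 mailserver
!
interface GigabitEthernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
access-list outside_in extended permit tcp any host mailserver-public eq smtp
static (inside,outside) mailserver-public mailserver netmask 255.255.255.255
static (inside,outside) 203.0.113.6 10.0.0.6 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map outside_map 10 set peer 192.0.2.77
tunnel-group 192.0.2.77 type ipsec-l2l
"""

if __name__ == "__main__":
    plan = plan_cutover(SAMPLE_CONFIG, "203.0.113.0/29", "198.51.100.0/29")
    for section in ("remove", "add"):
        print("! --- %s ---\n%s" % (section, "\n".join(plan[section])))
    for parent, old, new in plan["manual"]:
        print("! --- under '%s': replace '%s' with '%s'" % (parent, old, new))
    print("! old-range lines in sample:", len(leftover_old_addresses(SAMPLE_CONFIG, "203.0.113.0/29")))
```

Feed it the output of `more system:running-config` rather than `show running-config`, since the latter masks pre-shared keys; the keys are not addresses, so the script never touches them either way. Two things still need a human eye: an ACE that is removed and re-added lands at the end of its access-list unless you re-enter it with `access-list NAME line N ...`, and an access-list bound with `access-group` should not be emptied mid-change. After the cutover, run `leftover_old_addresses` against a fresh `more system:running-config` to confirm nothing from the old range was missed, then clear the xlates and the upstream ARP entries as the reply above says.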

stt (Level 1)

Hi,

I know this is already marked as "Answered", but I just wanted to air my method.

I'm not sure it's the most optimal, and there sure is plenty of room for copy-paste errors. Also, the "Remote Access" part can get a bit tricky, I guess, if it takes too long.

However, I did this a couple of times on a couple of remote ASAs. They weren't paired, though, but I can't imagine the procedure being much different.

I "simply" added another "outside" interface and duplicated access-lists, NATs and statics, VPN tunnel-groups and so on.

In these particular cases, all I had to switch was outside management, a couple of statics and the VPN tunnels terminated on the device.

At my own pace, I could move one tunnel at a time, by just adding a static route to my VPN peer out through the new outside.

When the VPN tunnels were done, new VPN profiles distributed and users notified of the changes, I changed the default route too, making the change complete.

All that is left to do is a lot of cleanup, but that can be done without disturbing the users either.

Of course, both ISPs have to be active at the same time to accomplish this.

--

/Sune T.
