Failover between FWSM and ASA 5585X? (to reduce impact during migration :-))
I understand this is obvioussly not a recommended approach nor something you would want to do long-term or by choice but I'm desperately trying to find a way to migrate from an FWSM pair to a new ASA5585X pair of firewalls without disrupting open user connections. Let's just say the firewalls are in used in a healthcare environment and finding an outage window is nearly impossible.
Is it even possible to run failover between FWSM and ASA chassis?
Does anyone have any thoughts on other ways to gracefully migrate?
Re: Failover between FWSM and ASA 5585X? (to reduce impact durin
You wont be able to use 2 different hardware to run a failover pair.
I think the bottom line will be that the user/customer should expect minor outages during migration. Even on normal software updates where nothing is expected we always reserve a time window where the customer/user can expect minor outages.
Your options depends a lot on your actual environment which we dont know.
First things that come to my mind would be to setup the ASAs to the network and create a link between the current FWSM firewalls and the ASA firewalls. You could then gradually move the different LAN and DMZ networks behind the ASA while forwarding the traffic from those migrated networks through the ASA/FWSM link to the old/current network.
I would imagine you could even move the migrated networks to their own VRFs on the current core devices which house the FWSMs and in this way keep the environment so that the routing of the old and new network are completely separate.
Your FWSMs external interfaces could possibly be extended L2 to the new ASA platforms so you could allocate IP address from the same public subnets to the ASA already and also migrate the IP addresses to the new ASA platform as you move the different LAN/DMZ networks that utilize those public IP addresses as NAT IP addresses on the FWSM.
I am afraid that you probably wont be able to migrate without small outages. The key would probably be migrating in steps and planning and testing the different steps well to minimize the impact. You could for example start by migrating some less critical LAN segment behind the ASA first to get used to the steps required.
I am actually in the process migrating our local hospitals specialized hospital equipment to their own Vlans in the switch network. Though my area in the migration has more to do with making sure that all Firewall and VPN related gets migrated while a colleague handles the switch network.
I also migrated some virtualized FWSM firewalls to ASA5585-X SSP20 platforms. Though these devices mostly hosted simple virtual firewalls with smaller customer environments so they werent used 24/7 and werent critical. And I also did them during the evening/night/morning.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in HA
DocumentationCode download linksGoalRequirementLimitationsSupported ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and UCS-E Blades:Step by Step ConfigurationCo...
I am currently unable to specify "crypto keyring" command when configuring VPN connection on my cisco 2901 router.
The following licenses have been activated on my router :