Hello all, thank you in advance for any and all suggestions
I have inherited a network with redundant 6509 "DMZ" switches with a single FWSM installed in each - routed, single context, in failover configuration. Each FWSM has multiple VLAN interfaces, including inside, outside, and approximately 10 other DMZ interfaces with varying security levels.
It is clear that the inside interface (and all related NAT, static, route, and access rules) needs to be removed from the existing VLAN 4 interface, and applied to an as yet-to-be-created VLAN 2 interface.
I am in the planning stages for this migration and am researching others' experience with this or similar activities. The configuration steps as I see them would be:
1. Take backups of existing active and standby FWSMs.
2. Create VLAN 2 in 6509 switches' IOS, share to FWSM in firewall-group
3. Shutdown standby FWSM (don't want it "taking over" once it determines that the primary inside interface is down)
4. Remove the inside ACL from the interface interface (I believe this will allow the inside_acl to remain in configuration when the inside interface is deleted)
5. issue "no interface Vlan 4" on primary (I believe all "inside" related NAT, static, and route rules will be deleted at this point).
6. create interface Vlan 2, issue "nameif inside" and assign inside IP address.
7. From backup, reconfigure NATs, statics, and inside routes.
8. Re-apply the "inside_acl" to the inside interface.
9. Clear conn, clear xlate, etc.
Next will be to bring standby FWSM back online and this is where I have some doubts.
1. Isolate standby module (shutdown trunked interfaces between switches, perhaps also remove all VLANs from firewall-group. I think I would want to isolate this FWSM to prevent any sync'ing issues between active and standby so that the standby won't overwrite any of the changes I made on the active FWSM - not sure if I am being paranoid here and whether I need to do this...)
2. Power on and session into FWSM, remove interface VLAN 4, create interface VLAN 2, nameif inside, configure IP Address, no shut.
3. Share all VLANs back to FWSM from IOS switch, failover and monitored interface configurations should re-establish active/standby relationship between FWSMs.
4. Test applications, routing, access, etc.
It seems to me that there should be an easier way to accomplish my goal of changing which interface is "inside", but I have not performed this activity before. I think my steps above should work, although I concede I might be missing some things that will crop up when I am in the middle of the change. I would appreciate any insight into this scenario.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...