Migrating to new ISP - ASA 5510.

forman102 (Level 1)

Hello everyone,

I currently have the following set up (excuse my quick drawing):

                 -------------- Vendors VPN Router ----
                 |    ------ Cisco 3000 VPN ------    |
                 |    |                         |     |
Private Network ---- ASA5510 --------- Pub Switch ------ Cisco Router 2x T1

I've been tasked with migrating to the new ISP, which provides us with a Cisco ME-3400E switch and a /26 public subnet. I currently have 15 static NATs and 14 L-2-L VPN tunnels configured in the ASA. Is there a way to configure an additional Outside interface on the ASA and use it to migrate the existing VPN tunnels and static NATs? I'm trying to avoid downtime and hope to do it step by step. I'm thinking about adding an additional Public switch, so I can also migrate the vendor's router and VPN concentrator, which need to be in parallel to the ASA. Assuming that this is possible, I'd like to do the following:

1. Configure and connect an additional Outside interface on the ASA - public IP address and ACLs

2. Connect it to an additional "Public switch", which would be configured with a public IP address and connected to the new ISP's Cisco ME-3400E.

3. Migrate my VPN tunnels and static NATs.

4. Migrate the vendor's equipment/VPN concentrator

5. Update my global NAT pool

6. Shut down the old ISP

Is this possible? Any help is greatly appreciated.

Thank you,

forman

Accepted Solution: Varun Rao's reply below explaining the static (outside1,inside1) statement.

13 Replies

ajay chauhan (Level 7)

Having a second outside is not an issue, but you need to change the interface name -- say this one is outside, the other you can have as outside1. Make all the configuration with the new interface and IP; at cutover you just need to shift the default gateway pointing to the existing ISP to the new one.

Just to add: with this command the remote peer can configure two peer IPs; if one fails, then the tunnel is initiated to the 2nd.

ASA(config)#crypto map mymap 10 set peer X.X.X.X Y.Y.Y.Y


Thanks

Ok, thank you. My goal is to avoid major downtime, so I'm trying to figure out a way to redirect the VPN tunnels and static NATs for internal servers to the new ISP or, as you mentioned, to the new outside1 interface on the ASA. I'm in the process. Let's consider an example of a static NAT:

the original statement for the old ISP:

static (inside,outside) 208.28.x.11 10.1.1.144 netmask 255.255.255.255

Assuming that my new ISP terminates on outside1 (152.28.x.1),

Can I just change that static NAT to:

static (inside,outside1) 152.28.x.11 10.1.1.144 netmask 255.255.255.255

Will this work? Assuming I will update the ACL on new outside1 interface...

thanks

Hi, yes, this would definitely work. One thing that you can do is first check everywhere the outside interface is used in the config:

show run | in outside

then replace it with outside1 and the appropriate IP, and it would work.

Thanks,

Varun

Thanks,
Varun Rao
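The "show run | in outside, then replace with outside1 and the new IP" step above, as an added helper that is not from the thread or from Cisco: it rewrites the plain pre-8.3 static lines onto the new interface and lists every other line still naming the old interface for hand review. The config excerpt, the old /24 block and the new /26 block are constructed (RFC 5737 ranges), and keeping each host's offset inside the block is an assumption modelled on the thread's x.11 to y.11 example.

```python
import ipaddress
import re

# Constructed running-config excerpt for illustration; the thread masks its real
# addresses, so documentation ranges (RFC 5737) stand in for them here.
OLD_CONFIG = """\
static (inside,outside) 203.0.113.11 10.1.1.144 netmask 255.255.255.255
static (inside,outside) 203.0.113.12 10.1.1.145 netmask 255.255.255.255
global (outside) 1 203.0.113.200
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map mymap 10 set peer 192.0.2.50
"""

# Plain pre-8.3 static form as posted in the thread (no tcp/udp port options).
STATIC_RE = re.compile(
    r"^static \((?P<real>\S+),(?P<old_if>\S+)\) (?P<pub>\S+) (?P<local>\S+)"
    r" netmask (?P<mask>\S+)$"
)


def migrate_statics(config, old_if, new_if, old_net, new_net):
    """Rewrite 'static (<real>,<old_if>) ...' lines onto <new_if>.

    Assumption: each host keeps its offset inside the public block, so the
    thread's 208.28.x.11 -> 152.28.x.11 pattern is reproduced. Returns
    (migrated_static_lines, other_lines_still_naming_old_if); the second list
    is the hand-review set that 'show run | in outside' would surface.
    """
    old_net = ipaddress.ip_network(old_net)
    new_net = ipaddress.ip_network(new_net)
    migrated, leftovers = [], []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m and m.group("old_if") == old_if:
            offset = int(ipaddress.ip_address(m.group("pub"))) - int(old_net.network_address)
            new_pub = new_net.network_address + offset
            # A /26 is smaller than the old block: refuse a silently wrong mapping.
            if new_pub not in new_net:
                raise ValueError(f"{m.group('pub')} has no counterpart in {new_net}")
            migrated.append(
                f"static ({m.group('real')},{new_if}) {new_pub} {m.group('local')}"
                f" netmask {m.group('mask')}"
            )
        elif re.search(rf"\b{re.escape(old_if)}\b", line):
            leftovers.append(line)  # global, access-group, route, ... need manual edits
    return migrated, leftovers
```

The returned leftovers are exactly the lines (global, access-group, route) that still have to be re-pointed by hand before the outside1 path carries traffic.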

Thanks Varun, I will test it today.

Couple of questions from the security point of view:

1. By default all of the traffic to my new interface outside1 is denied, so I have created a new outside1 ACL and applied it to int outside1 in - is that the proper way to control incoming traffic? I'm asking because I "inherited" the ASA and that's how the original outside interface was configured.

2. I don't understand how the globally NAT'ed traffic is filtered on the ASA:

Consider this:

global (outside) 1 208.23.x.200

nat (inside) 1 0.0.0.0 0.0.0.0

I don't see any ACLs pertaining to this... does it mean that all the traffic is allowed to/from inside hosts to the Internet via the global public IP 208.23.x.200?

If so, is that a common practice?

On a side note: I read some of your and Federico's posts regarding ASA and 2-ISP setups. Great info for a noob like myself.

thanks

By default the ASA does not allow any traffic from outside (lower security level to higher) unless permitted in an ACL. From a higher security level to a lower level is allowed.

global (outside) 1 208.23.x.200

nat (inside) 1 0.0.0.0 0.0.0.0

This configuration is for PAT, so all the users go out and this will be their identity outside. The ASA works stateful, so it keeps track of the session; based on whatever is allowed from inside, the return packet is also allowed, and for this no ACL is required, but yes, it should be permitted in the inside ACL.

When you have a static NAT configured, to access those IPs from outside you will have to allow the specific ports and IP in the outside ACL.

Thanks

Ajay

Hey thanks man

Yes, by default on outside1 traffic would be denied, because always remember: going from a lower interface to a higher interface, the ASA would always need an ACL to permit the traffic. The best thing that you can do is:

So you would need the ACLs applied on the outside1 interface as well.

And as explained earlier, the NAT that you have doesn't need any ACL, because now you are going from a higher interface to a lower interface, so the firewall does not block any traffic and you don't need an ACL.

Do not remember it as inside to outside or outside to inside; remember it as lower security level to higher and vice versa, because interface names can be anything.

Thanks,

Varun

Thanks,
Varun Rao
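The permit logic the two replies above describe (lower to higher needs an ACL, higher to lower passes, return traffic passes by state), as an added model that is not from the thread or from Cisco. Security levels, the bound ACLs and all addresses are constructed (RFC 5737 ranges); NAT itself is not modelled, and the outside ACL names the mapped public address as pre-8.3 ACLs do.

```python
from collections import namedtuple

# One packet/flow as the ASA sees it: ingress and egress interface plus 5-tuple.
Flow = namedtuple("Flow", "src_if dst_if src sport dst dport proto")

# Constructed model of the thread's box (illustrative values, not the poster's
# config): interface security levels and the ACLs bound 'in' on each interface.
SECURITY_LEVEL = {"inside": 100, "inside1": 100, "outside": 0, "outside1": 0}

# access-group <acl> in interface <if>; pre-8.3 syntax as in the thread, so the
# outside ACL names the mapped (public) address of the static NAT.
ACCESS_GROUPS = {
    "outside": [("permit", "tcp", "203.0.113.11", 443)],  # static NAT'd web server
    "outside1": [],  # new ISP interface: ACL bound but still empty
}


class AsaModel:
    """Mimics the ASA's stateful permit decision. NAT itself is not modelled."""

    def __init__(self):
        self.conns = set()  # established connections keyed by the initiating flow

    def _acl_decides(self, flow):
        for action, proto, dst, dport in ACCESS_GROUPS[flow.src_if]:
            if (proto, dst, dport) == (flow.proto, flow.dst, flow.dport):
                return action == "permit"
        return False  # implicit deny at the end of every ASA ACL

    def allow(self, flow):
        # Return traffic of an established connection is passed by state,
        # which is why the PAT'd inside users need no outside ACL entry.
        reverse = (flow.dst_if, flow.src_if, flow.dst, flow.dport,
                   flow.src, flow.sport, flow.proto)
        if reverse in self.conns:
            return True
        if flow.src_if in ACCESS_GROUPS:
            ok = self._acl_decides(flow)  # a bound ACL decides, whatever the levels
        else:
            # No ACL bound: higher -> lower is permitted, lower -> higher denied.
            ok = SECURITY_LEVEL[flow.src_if] > SECURITY_LEVEL[flow.dst_if]
        if ok:
            self.conns.add(tuple(flow))
        return ok
```

Running an inside-initiated session followed by its reply shows the reply passing on state alone, while a fresh inbound flow to outside1 fails until its ACL gets a permit line.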

Ok, I get it now. Thanks!

Currently I have 2 ISPs connected via 2 different outside interfaces. I changed one of the static NATs as mentioned above, but it is not working. I think it might have to do with the static routes on the ASA. The default route points to the original ISP, so I suppose I need to program the ASA to send traffic for that NAT to the new outside interface:

original outside int 208.23.x.2 ------------- ISP router 208.23.x.1

new outside1 int 152.28.x.2 ---------------- ISP2 router 152.28.x.1

route outside 0.0.0.0 0.0.0.0 208.23.x.1

static (inside,outside1) 152.28.x.11 10.1.1.144 netmask 255.255.255.255

How can I solve this?

thank you again

Hi,

Yes, definitely it is a problem with the setup, since on the ASA you can have only one default route. So you cannot put a default route for it on the ASA; that is not supported.

I would suggest taking some downtime and changing the default route on the ASA to test the new ISP migration:

route outside1 0.0.0.0 0.0.0.0 152.28.x.1

Thanks,

Varun

Thanks,
Varun Rao

Ok, so there's no way of migrating "one at a time" without having downtime? How about setting up a parallel "inside1" interface? Can I program the ASA to send all the traffic from inside1 to outside1?

It's not an issue with the inside1 interface; the case is, if you try to access the internet from the inside1 interface, then all the firewall knows is that all the traffic needs to be sent out of the outside interface, since it has a default route for that only. The only workaround I can think of is to use this static statement:

static (outside1,inside1) 0.0.0.0 0.0.0.0

But I won't recommend keeping this for long, because that's a hack; just keep it for testing purposes and remove it. Here's a doc for reference:

https://supportforums.cisco.com/docs/DOC-15622

Thanks,

Varun

Thanks,
Varun Rao

So in my scenario I'd keep my original config:

global (outside) 1 208.23.x.200

nat (inside) 1 0.0.0.0 0.0.0.0

route outside 0.0.0.0 0.0.0.0 208.23.x.1 1

and add the following (besides configuring an additional inside1 interface):

1. global (outside1) 2 152.28.x.200                - new ISP
   nat (inside1) 2 0.0.0.0 0.0.0.0

2. route outside1 0.0.0.0 0.0.0.0 152.28.x.1 2      - default route with metric 2 to new ISP

and the statement you had mentioned:

3. static (outside1,inside1) 0.0.0.0 0.0.0.0        - what is this sup

I'm not sure if this is correct. Thank you again for taking your time to explain this.

The static that you have is, what you are doing here is, you are not doing the routing through the route statement but based on this static statement; it is a destination NAT, which means all the traffic coming from the inside1 interface should be sent out from the outside1 interface only.

Remember it is only a workaround for your testing; after testing the connection, please go ahead and remove it and proceed with your migration as planned.

Hope that helps,

Thanks,

Varun

Please do rate helpful posts.

Thanks,
Varun Rao

Thank you very much for explaining this, Varun. You know, my management insists on avoiding cutover downtime... I'm getting desperate here. Assuming I'd add another ASA to the new ISP, that way I could route the traffic on my core switch (in parallel to the original ASA) and avoid the downtime. What do you think?

thanks
