01-05-2012 01:30 PM - edited 03-11-2019 03:10 PM
Hello everyone,
I currently have the following set up (excuse my quick drawing):
                  -------- Vendor's VPN Router --------
                 |        ------ Cisco 3000 VPN ------     |
                 |       |                            |    |
Private Network ------ ASA5510 ------ Pub Switch ------ Cisco Router 2x T1
I've been tasked with migrating to the new ISP, which provides us with a Cisco ME-3400E switch and a /26 public subnet. I currently have 15 static NATs and 14 L2L VPN tunnels configured on the ASA. Is there a way to configure an additional Outside interface on the ASA and use it to migrate the existing VPN tunnels and static NATs? I'm trying to avoid downtime and hope to do it step by step. I'm thinking about adding an additional public switch, so I can also migrate the vendor's router and VPN concentrator, which need to be in parallel to the ASA. Assuming that this is possible, I would like to do the following:
1. Configure and connect an additional Outside interface on the ASA - public IP address and ACLs
2. Connect it to an additional "public switch", which would be configured with a public IP address and connected to the new ISP's Cisco ME-3400E.
3. Migrate my VPN tunnels and static NATs.
4. Migrate the vendor's equipment/VPN concentrator
5. Update my global NAT pool
6. Shut down the old ISP
Is this possible? Any help is greatly appreciated.
Thank you,
forman
01-05-2012 08:51 PM
Having a second outside is not an issue, but you need to change the interface name -- say this one is outside, the other you can have as outside1. Make all the configuration with the new interface and IP; at cutover you just need to shift the default gateway pointing to the existing ISP to the new one.
Just to add: with this command the remote peer can configure two peer IPs; if one fails, the second is initiated.
ASA(config)#crypto map mymap 10 set peer X.X.X.X Y.Y.Y.Y
Thanks
01-06-2012 09:25 AM
Ok, thank you. My goal is to avoid having major downtime, so I'm trying to figure out the way to redirect VPN tunnels and static NATs for internal servers to the new ISP or, as you mentioned, to the new outside1 interface on the ASA. I'm in the process. Let's consider an example of a static NAT:
the original statement for the old ISP
static (inside,outside) 208.28.x.11 10.1.1.144 netmask 255.255.255.255
Assuming that my new ISP terminates to outside1 (152.28.x.1)
Can I just change that static NAT to:
static (inside,outside1) 152.28.x.11 10.1.1.144 netmask 255.255.255.255
Will this work? Assuming I will update the ACL on new outside1 interface...
thanks
01-06-2012 09:29 AM
Hi, yes, this would definitely work. One thing that you can do is to first check everywhere the outside interface is used in the config:
show run | in outside
then replace it with outside1 and the appropriate IP, and it would work with it.
Thanks,
Varun
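The `show run | in outside` check above is a substring match, so it also hits names such as `outside1` or an ACL called `outside_in`. As an added example (not part of the thread, and not a Cisco tool), here is a small Python script that scans a constructed ASA 8.2-style config excerpt for whole-word references to the old interface, labels what kind of object each one is, and proposes the corresponding `outside1` line with the old public addresses swapped for the new ones. The config text, the address map and the `SAMPLE_CONFIG`/`migration_plan` names are all assumptions made for the example; the addresses are placeholders for the thread's 208.23.x and 152.28.x ranges.

```python
import re

# Constructed ASA 8.2-style config excerpt for demonstration only; the
# addresses are placeholders standing in for the thread's public ranges.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 208.23.0.2 255.255.255.192
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
access-list outside_in extended permit tcp any host 208.23.0.11 eq https
global (outside) 1 208.23.0.200
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 208.23.0.11 10.1.1.144 netmask 255.255.255.255
access-group outside_in in interface outside
route outside 0.0.0.0 0.0.0.0 208.23.0.1 1
crypto map mymap 10 set peer 198.51.100.7
crypto map mymap interface outside
crypto isakmp enable outside
"""

# First token of a line decides what kind of object references the interface.
COMMAND_KINDS = {
    "nameif": "interface definition",
    "static": "static NAT",
    "global": "global PAT pool",
    "nat": "dynamic NAT",
    "route": "static route",
    "access-group": "ACL binding",
    "crypto": "VPN/crypto binding",
}

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def _word(ifname):
    # Match the interface name only as a whole token, so 'outside' does not
    # also hit 'outside1' or the ACL name 'outside_in'.
    return re.compile(r"(?<![\w-])" + re.escape(ifname) + r"(?![\w-])")


def find_interface_refs(config_text, ifname):
    """Return (line_number, kind, line) for every line referencing ifname."""
    pat = _word(ifname)
    hits = []
    for num, line in enumerate(config_text.splitlines(), start=1):
        if pat.search(line):
            first = line.strip().split()[0]
            hits.append((num, COMMAND_KINDS.get(first, "other"), line))
    return hits


def rewrite_for_new_isp(line, old_if, new_if, ip_map):
    """Candidate line for the new ISP: swap the interface name and map any
    old public address to its replacement. Lines that do not reference
    old_if are returned unchanged."""
    if not _word(old_if).search(line):
        return line
    new_line = _word(old_if).sub(new_if, line)
    return IPV4.sub(lambda m: ip_map.get(m.group(0), m.group(0)), new_line)


def migration_plan(config_text, old_if, new_if, ip_map):
    """Pairs of (original, candidate) for every line to be added on the new
    interface. The old interface's own 'nameif' is skipped: it stays in
    place until cutover, as in the step-by-step plan."""
    plan = []
    for _num, kind, line in find_interface_refs(config_text, old_if):
        if kind == "interface definition":
            continue
        plan.append((line, rewrite_for_new_isp(line, old_if, new_if, ip_map)))
    return plan


if __name__ == "__main__":
    ip_map = {"208.23.0.11": "152.28.0.11",    # static NAT for 10.1.1.144
              "208.23.0.200": "152.28.0.200",  # PAT address
              "208.23.0.1": "152.28.0.1"}      # ISP next hop
    for old, new in migration_plan(SAMPLE_CONFIG, "outside", "outside1", ip_map):
        print(f"- {old}\n+ {new}")
```

The output is a review list, not something to paste blindly: the ACL name bound to `outside1` still has to be the new ACL you write for that interface, and the `route outside1` candidate is exactly the line the thread later shows cannot coexist as a second active default route.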
01-06-2012 10:05 AM
Thanks Varun, I will test it today.
Couple of questions from the security point of view:
1. By default all of the traffic to my new interface outside1 is denied, so I have created a new outside1 ACL and applied it to int outside1 in - is that a proper way to control incoming traffic? I'm asking because I "inherited" the ASA and that's how the original outside interface was configured.
2. I don't understand how the globally NAT'ed traffic is filtered on ASA:
Consider this:
global (outside) 1 208.23.x.200
nat (inside) 1 0.0.0.0 0.0.0.0
I don't see any ACLs pertaining to this... does it mean that all the traffic is allowed to/from inside hosts to the Internet via the global public IP 208.23.x.200?
If so, is that a common practice?
On a side note: I read some of your and Federico's posts regarding ASA and 2-ISP setups. Great info for a noob such as myself.
thanks
01-06-2012 10:15 AM
By default the ASA does not allow any traffic from outside (lower security level to higher) unless permitted in an ACL. From a higher security level to a lower level it is allowed.
global (outside) 1 208.23.x.200
nat (inside) 1 0.0.0.0 0.0.0.0
This configuration is for PAT, so all the users go out and this will be their identity outside. The ASA works statefully, so it keeps track of the session; based on whatever is allowed from inside, the return packet is also allowed, and for this no ACL is required, but yes, it should be permitted in the inside ACL.
When you have static NAT configured, to access those IPs from outside you will have to allow the specific ports and IPs in the outside ACL.
Thanks
Ajay
01-06-2012 10:41 AM
Hey thanks man
Yes, by default on outside1 traffic would be denied, because always remember: going from a lower interface to a higher interface, the ASA would always need an ACL to permit the traffic. The best thing that you can do is:
So you would need the ACLs applied on the outside1 interface as well.
And as explained earlier, the nat that you have doesn't need any ACL, because now you are going from a higher interface to a lower interface, so the firewall does not block any traffic and you don't need an ACL.
Do not remember it as inside to outside or outside to inside; remember it as lower security level to higher and vice versa, because interface names can be anything.
Thanks,
Varun
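The rule Varun and Ajay describe (security levels decide unless an inbound ACL is bound, and return traffic passes because the firewall is stateful) can be made concrete in a few lines. The following Python model is an added example, not ASA code and not from the thread: it keeps a connection table and an optional inbound ACL per interface and reports why each packet is allowed or denied. The interface names and security levels come from the thread; the sample hosts (`10.1.1.50`, `198.51.100.9`, `203.0.113.5`), the `ToyAsa` class and the match-on-addresses-only connection lookup are simplifying assumptions, and NAT is ignored (the ACL is written against the real inside address).

```python
from dataclasses import dataclass, field


@dataclass
class Interface:
    name: str
    security_level: int   # 0 (least trusted) .. 100 (most trusted), as on the ASA
    acl: list = None      # None means no access-group applied inbound


@dataclass
class ToyAsa:
    """Simplified model (not ASA code) of the behaviour described above:
    new connections pass from a higher to a lower security level without an
    ACL, are blocked from lower to higher unless an inbound ACL permits them,
    and return traffic of an allowed connection passes because the firewall
    is stateful."""
    interfaces: dict = field(default_factory=dict)
    conns: set = field(default_factory=set)   # (proto, src, dst, dport)

    def add_interface(self, name, level):
        self.interfaces[name] = Interface(name, level)

    def access_group(self, ifname, permits):
        """Apply an inbound ACL: a list of (proto, dst or 'any', dport or 'any')
        permit entries; everything else hits the ACL's implicit deny."""
        self.interfaces[ifname].acl = list(permits)

    @staticmethod
    def _acl_permits(acl, proto, dst, dport):
        return any(p == proto and d in ("any", dst) and pp in ("any", dport)
                   for p, d, pp in acl)

    def packet(self, ingress, egress, proto, src, dst, dport):
        """Decide on a packet entering `ingress` and leaving `egress`.
        Returns (allowed, reason); allowed new connections are recorded."""
        # 1. Return traffic of an existing connection, matched on the
        #    reversed addresses (a real ASA also matches ports and TCP state).
        for p, s, d, _port in self.conns:
            if p == proto and s == dst and d == src:
                return True, "established connection, stateful return traffic"
        a, b = self.interfaces[ingress], self.interfaces[egress]
        # 2. If an ACL is bound inbound on the ingress interface it decides,
        #    whatever the security levels (and it ends with an implicit deny).
        if a.acl is not None:
            if self._acl_permits(a.acl, proto, dst, dport):
                self.conns.add((proto, src, dst, dport))
                return True, f"permitted by inbound ACL on {ingress}"
            return False, f"denied by inbound ACL on {ingress}"
        # 3. No ACL bound: the security levels decide.
        if a.security_level > b.security_level:
            self.conns.add((proto, src, dst, dport))
            return True, "higher to lower security level, no ACL needed"
        return False, "lower to higher security level without an ACL: implicit deny"


def build_demo():
    """Interfaces from the thread: inside (100), outside and outside1 (0)."""
    asa = ToyAsa()
    asa.add_interface("inside", 100)
    asa.add_interface("outside", 0)
    asa.add_interface("outside1", 0)
    return asa


if __name__ == "__main__":
    asa = build_demo()
    # Constructed sample traffic; 198.51.100.0/24 and 203.0.113.0/24 are
    # documentation ranges standing in for Internet hosts.
    print(asa.packet("inside", "outside", "tcp", "10.1.1.50", "198.51.100.9", 443))
    print(asa.packet("outside", "inside", "tcp", "198.51.100.9", "10.1.1.50", 443))
    print(asa.packet("outside1", "inside", "tcp", "203.0.113.5", "10.1.1.144", 443))
    asa.access_group("outside1", [("tcp", "10.1.1.144", 443)])
    print(asa.packet("outside1", "inside", "tcp", "203.0.113.5", "10.1.1.144", 443))
    print(asa.packet("outside1", "inside", "tcp", "203.0.113.5", "10.1.1.144", 22))
```

Step 2 is the point behind "it should be permitted in the inside ACL": once you bind an ACL to any interface, even the trusted one, that ACL and its implicit deny take over from the security-level default.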
01-06-2012 11:16 AM
Ok, I get it now. Thanks!
Currently I have 2 ISPs connected via 2 different outside interfaces. I changed one of the static NATs as mentioned above, but it is not working. I think it might have to do with static routes on the ASA. The default route points to the original ISP, so I suppose I need to program the ASA to send traffic for that NAT to the new outside interface:
original outside int 208.23.x.2 -------------ISP router 208.23.x.1
new outside1 int 152.28.x.2-------------------ISP2 router 152.28.x.1
route outside 0.0.0.0 0.0.0.0 208.23.x.1
static (inside,outside1) 152.28.x.11 10.1.1.144 netmask 255.255.255.255
How can I solve this?
thank you again
01-06-2012 11:32 AM
Hi,
Yes, definitely it is a problem with the setup, since on the ASA you can have only one default route. So you cannot put a default route for it on the ASA; that is not supported.
I would suggest take some downtime and change the default route on the ASA to test the new ISP migration.
route outside1 0.0.0.0 0.0.0.0 152.28.x.1
Thanks,
Varun
01-06-2012 11:39 AM
Ok, so there's no way of migrating "one at a time" without having the downtime? How about setting up a parallel "inside1" interface? Can I program the ASA to send all the traffic from inside1 to outside1?
01-06-2012 12:00 PM
It's not an issue with the inside1 interface. The case is, if you try to access the Internet from the inside1 interface, then all that the firewall knows is that all the traffic needs to be sent out of the outside interface, since it has a default route for that only. The only workaround I can think of is to use this static statement:
static (outside1,inside1) 0.0.0.0 0.0.0.0
But I won't recommend keeping this for long, because that's a hack; just keep it for testing purposes and remove it. Here's a doc for reference:
https://supportforums.cisco.com/docs/DOC-15622
Thanks,
Varun
01-06-2012 01:18 PM
So in my scenario I'd keep my original config:
global (outside) 1 208.23.x.200
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 208.23.x.1 1
and add the following (besides configuring additional inside1 interface) :
1. global (outside1) 2 152.28.x.200 - new ISP
nat (inside1) 2 0.0.0.0 0.0.0.0
2. route outside1 0.0.0.0 0.0.0.0 152.28.x.1 2 - default route with metric 2 to new ISP
and the statement you had mentioned:
3. static (outside1, inside1) 0.0.0.0 0.0.0.0 - what is this sup
I'm not sure if this is correct. Thank you again for taking the time to explain this.
01-06-2012 01:25 PM
The static that you have: what you are doing here is, you are not doing the routing through the route statement but based on this static statement. It is a destination NAT, which means all the traffic coming from the inside1 interface should be sent out from the outside1 interface only.
Remember it is only a workaround for your testing; after testing the connection, please go ahead and remove it and proceed with your migration as planned.
Hope that helps,
Thanks,
Varun
Please do rate helpful posts.
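The exchange from "you can have only one default route" through the `static (outside1,inside1) 0.0.0.0 0.0.0.0` workaround comes down to one question: which interface does the ASA pick for a packet before it consults the routing table? As an added example (not code from the thread or from Cisco), here is a Python model of that choice as Varun describes it: a static whose mapped side faces the ingress interface decides the egress interface first; otherwise the longest-prefix, lowest-metric route decides, which is why the second default route with metric 2 never carries traffic while the first is up. The routing table is built from the thread's lines with `x` replaced by `0`; the `10.1.2.0/24` subnet for inside1 and the sample destination `198.51.100.9` are assumptions.

```python
import ipaddress

# Constructed routing table modelled on the thread (x replaced by 0); not
# the poster's actual configuration. Tuples: (prefix, interface, next hop, metric)
ROUTES = [
    ("0.0.0.0/0",   "outside",  "208.23.0.1", 1),   # route outside ... 208.23.x.1 1
    ("0.0.0.0/0",   "outside1", "152.28.0.1", 2),   # route outside1 ... 152.28.x.1 2
    ("10.1.1.0/24", "inside",   None, 0),           # connected
    ("10.1.2.0/24", "inside1",  None, 0),           # connected (assumed subnet)
]

# The testing-only workaround from the thread, static (outside1,inside1)
# 0.0.0.0 0.0.0.0: real interface outside1, mapped interface inside1, every
# address presented unchanged (identity NAT) to hosts on inside1.
STATICS = [("outside1", "inside1", "0.0.0.0/0")]


def route_lookup(routes, dst):
    """Longest-prefix match; equal prefixes are broken by the lowest metric,
    so of two default routes only one is ever used."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, _next_hop, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -metric)
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None


def select_egress(routes, statics, ingress, dst):
    """Egress choice as described in the thread: a static whose mapped side
    faces the ingress interface and covers the destination decides the
    egress interface before the routing table is consulted; otherwise the
    route lookup decides. Returns (interface, reason)."""
    addr = ipaddress.ip_address(dst)
    for real_if, mapped_if, mapped_net in statics:
        if mapped_if == ingress and addr in ipaddress.ip_network(mapped_net):
            return real_if, "static (destination NAT) overrides the route lookup"
    return route_lookup(routes, dst), "routing table (single active default route)"


if __name__ == "__main__":
    cases = [("inside1", STATICS, "inside1 with the static"),
             ("inside1", [], "inside1 without the static"),
             ("inside", STATICS, "inside")]
    for ingress, statics, label in cases:
        print(label, "->", select_egress(ROUTES, statics, ingress, "198.51.100.9"))
```

Run as-is, the three cases show the whole thread in miniature: inside1 reaches the new ISP only through the static, inside1 without it and inside in every case fall back to the metric-1 default route towards the old ISP, which is the downtime-free migration limit the poster runs into.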
01-11-2012 12:12 PM
Thank you very much for explaining this, Varun. You know, my management insists on avoiding cutover downtime... I'm getting desperate here. Assuming I'd add another ASA to the new ISP, that way I could route the traffic on my core switch (in parallel to the original ASA) and avoid the downtime. What do you think?
thanks