Cisco Support Community

Migrating to new ISP - ASA 5510.

Hello everyone,

I currently have the following set up (excuse my quick drawing):

                  ------------- Vendors VPN Router --------------
                  |      ------- Cisco 3000 VPN -------         |
                  |      |                          |           |
Private Network ----- ASA5510 ----- Pub Switch ----- Cisco Router 2x T1

I've been tasked with migrating to the new ISP, which provides us with a Cisco ME-3400E switch and a /26 public subnet. I currently have 15 static NATs and 14 L-2-L VPN tunnels configured on the ASA. Is there a way to configure an additional Outside interface on the ASA and use it to migrate the existing VPN tunnels and static NATs? I'm trying to avoid downtime and hope to do it step by step. I'm thinking about adding an additional public switch, so I can also migrate the vendor's router and VPN concentrator, which need to be in parallel to the ASA. Assuming that this is possible, I'd like to do the following:

1. Configure and connect an additional Outside interface on the ASA - public IP address and ACLs

2. Connect it to an additional "public switch", which would be configured with a public IP address and connected to the new ISP's Cisco ME-3400E.

3. Migrate my VPN tunnels and static NATs.

4. Migrate the vendor's equipment/VPN concentrator.

5. Update my global NAT pool.

6. Shut down the old ISP.

Is this possible? Any help is greatly appreciated.

Thank you,

forman     

ACCEPTED SOLUTION

Migrating to new ISP - ASA 5510.

With the static that you have, what you are doing here is: you are not doing the routing through the route statement but based on this static statement. It is a destination NAT, which means all the traffic coming from the inside1 interface should be sent out from the outside1 interface only.

Remember it is only a workaround for your testing; after testing the connection, please go ahead and remove it and proceed with your migration as planned.

Hope that helps,

Thanks,

Varun

Please do rate helpful posts.

Thanks, Varun Rao Security Team, Cisco TAC
13 REPLIES

Re: Migrating to new ISP - ASA 5510.

Having a second outside is not an issue, but you need to change the interface name -- say this one is outside, the other you can have as outside1. Make all the configuration with the new interface and IP; at cutover you just need to shift the default gateway pointing to the existing ISP to the new one.

Just to add: with this command the remote peer can configure two peer IPs; if one fails, then the 2nd is initiated.

ASA(config)#crypto map mymap 10 set peer X.X.X.X Y.Y.Y.Y


Thanks

Migrating to new ISP - ASA 5510.

Ok, thank you. My goal is to avoid having major downtime, so I'm trying to figure out the way to redirect VPN tunnels and static NATs for internal servers to the new ISP, or as you mentioned to the new outside1 interface on the ASA. I'm in the process. Let's consider an example of a static NAT:

the original statement for the old ISP:

static (inside,outside) 208.28.x.11 10.1.1.144 netmask 255.255.255.255

Assuming that my new ISP terminates to outside1 (152.28.x.1)

Can I just change that static NAT to:

static (inside,outside1) 152.28.x.11 10.1.1.144 netmask 255.255.255.255

Will this work? Assuming I will update the ACL on new outside1 interface...

thanks


Migrating to new ISP - ASA 5510.

Hi, yes, this would definitely work. One thing that you can do is to first check everywhere the outside interface is used in the config:

show run | in outside

then replace it with outside1 and the appropriate IP, and it would work.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
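The "find every use of the old interface, then re-emit it for the new one" step above is easy to script, and scripting it also shows a check that `show run | in outside` cannot: `| in` is a substring match, so it lists ACL or object names such as outside_in alongside real interface references. The following Python is an added example and not code from the thread or from Cisco. It works on a constructed pre-8.3 config excerpt with the thread's "x" placeholder addresses, matches the interface name as a whole token, rewrites static, global, access-group, crypto map and ACL lines for outside1 with an explicit old-to-new public address map, and refuses to duplicate the default route, since the ASA allows only one (the point Varun makes later in the thread). The ACL naming rule (outside_in becomes outside1_in) and the address map are assumptions for the example.

```python
import re

# Constructed sample of an ASA running-config excerpt for the old ISP side.
# It is not the poster's actual configuration; it only mirrors the command
# shapes quoted in the thread (static, global/nat, route, access-group,
# crypto map). Addresses use the thread's "x" placeholder style.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 208.23.x.2 255.255.255.192
access-list outside_in extended permit tcp any host 208.28.x.11 eq 443
access-group outside_in in interface outside
global (outside) 1 208.23.x.200
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 208.28.x.11 10.1.1.144 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 208.23.x.1
crypto map mymap interface outside
"""

# Old public address -> replacement from the new ISP's /26 (placeholder values).
ADDR_MAP = {
    "208.28.x.11": "152.28.x.11",
    "208.23.x.200": "152.28.x.200",
}


def _token(name):
    # Whole-token match: "outside" but not "outside_in" or "outside1".
    return re.compile(r"(?<!\w)%s(?!\w)" % re.escape(name))


def interface_refs(config, ifname):
    """Lines that use ifname as a whole token. `show run | in outside` is a
    substring match and would also list names such as outside_in."""
    tok = _token(ifname)
    return [ln for ln in config.splitlines() if tok.search(ln)]


def migrate_interface(config, old_if, new_if, addr_map):
    """Emit the new-interface equivalents of every top-level command that
    names old_if. Returns (new_lines, warnings); ACL bodies come first so
    they exist before the access-group that binds them."""
    tok = _token(old_if)
    lines = config.splitlines()
    acl_lines, main_lines, warnings = [], [], []
    acl_names = set()

    def rename_acl(name):
        # Assumed convention: outside_in -> outside1_in, otherwise prefix.
        return name.replace(old_if, new_if, 1) if old_if in name else new_if + "_" + name

    def readdress(parts):
        return [addr_map.get(p, p) for p in parts]

    for line in lines:
        parts = line.split()
        if line.startswith(" "):
            # Interface sub-commands: the new interface block is written by hand.
            if parts[:2] == ["nameif", old_if]:
                warnings.append("define the interface block for %s (nameif, "
                                "security-level, ip address) by hand" % new_if)
            continue
        if not tok.search(line):
            continue
        cmd = parts[0]
        if cmd == "route" and parts[2:4] == ["0.0.0.0", "0.0.0.0"]:
            warnings.append("skipped, the ASA keeps a single default route; "
                            "swap it at cutover: " + line)
            continue
        pub_idx = {"static": 2, "global": 3}.get(cmd)
        if pub_idx is not None and parts[pub_idx] not in addr_map:
            warnings.append("no new public address mapped for %s: %s"
                            % (parts[pub_idx], line))
            continue
        if cmd == "access-group":
            acl_names.add(parts[1])
            parts[1] = rename_acl(parts[1])
        main_lines.append(" ".join(tok.sub(new_if, p) for p in readdress(parts)))

    for line in lines:
        parts = line.split()
        if parts[:1] == ["access-list"] and parts[1] in acl_names:
            parts = readdress(parts)
            parts[1] = rename_acl(parts[1])
            acl_lines.append(" ".join(parts))

    return acl_lines + main_lines, warnings


if __name__ == "__main__":
    for ref in interface_refs(SAMPLE_CONFIG, "outside"):
        print("ref:", ref)
    new_lines, warnings = migrate_interface(SAMPLE_CONFIG, "outside", "outside1", ADDR_MAP)
    print("\n".join(new_lines))
    for w in warnings:
        print("WARNING:", w)
```

The generated lines are meant to be reviewed and pasted while the old interface stays in place; the only line the script deliberately does not produce is the default route, which is swapped once at cutover.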

Migrating to new ISP - ASA 5510.

Thanks Varun, I will test it today.

Couple of questions from the security point of view:

1. By default all of the traffic to my new interface outside1 is denied, so I have created a new outside1 ACL and applied it to int outside1 in - is that the proper way to control incoming traffic? I'm asking because I "inherited" the ASA and that's how the original outside interface was configured.

2. I don't understand how the globally NAT'ed traffic is filtered on ASA:

Consider this:

global (outside) 1 208.23.x.200

nat (inside) 1 0.0.0.0 0.0.0.0

I don't see any ACLs pertaining to this... does it mean that all the traffic is allowed to/from inside hosts to the Internet via the global public IP 208.23.x.200?

If so, is that a common practice?

On a side note: I read some of your and Federico's posts regarding ASA and 2-ISP setups. Great info for a noob like myself.

thanks

Migrating to new ISP - ASA 5510.

By default the ASA does not allow any traffic from outside (lower security level to higher) unless permitted in an ACL. From a higher security level to a lower level it is allowed.

global (outside) 1 208.23.x.200

nat (inside) 1 0.0.0.0 0.0.0.0

This configuration is for PAT, so all the users go out and this will be their identity outside. The ASA works statefully, so it keeps track of the session; based on whatever is allowed from inside, the return packet is also allowed, and for this no ACL is required, but yes, it should be permitted in the inside ACL.

When you have static NAT configured, to access those IPs from outside you will have to allow the specific ports and IPs in the outside ACL.

Thanks

Ajay


Migrating to new ISP - ASA 5510.

Hey thanks man

Yes, by default on outside1 traffic would be denied, because, always remember, going from a lower interface to a higher interface the ASA would always need an ACL to permit the traffic. The best thing that you can do is:

So you would need the ACLs applied on the outside1 interface as well.

And as explained earlier, the NAT that you have doesn't need any ACL, because now you are going from a higher interface to a lower interface, so the firewall does not block any traffic and you don't need an ACL.

Do not remember it as inside to outside or outside to inside, remember it as lower security level to higher and vice-versa, because interface names can be anything.

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC
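Ajay's and Varun's replies above both come down to one rule: a static NAT by itself exposes nothing, because inbound traffic (lower security level to higher) is dropped until the ACL applied inbound on the outer interface permits it, while outbound PAT traffic (higher to lower) needs no ACL. The audit below is an added example, not code from the thread or from Cisco. It parses a constructed pre-8.3 config with the thread's placeholder addresses and, for every static entry, reports whether the outer interface has no inbound ACL at all (everything denied), an ACL with no matching permit (still unreachable), a narrow permit (what is actually exposed), or a `permit ip any host` line (every port of the inside host exposed). The sample config, the status names and the handling of only `any`/`host` endpoints are assumptions for the example; first-match ordering with interleaved deny lines is not modelled.

```python
# Constructed sample in the thread's pre-8.3 NAT syntax; not the poster's
# actual configuration. Addresses use the thread's "x" placeholder style.
SAMPLE_CONFIG = """\
access-list outside_in extended permit tcp any host 208.28.x.11 eq 443
access-list outside_in extended permit ip any host 208.28.x.12
access-group outside_in in interface outside
global (outside) 1 208.23.x.200
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 208.28.x.11 10.1.1.144 netmask 255.255.255.255
static (inside,outside) 208.28.x.12 10.1.1.145 netmask 255.255.255.255
static (inside,outside) 208.28.x.13 10.1.1.146 netmask 255.255.255.255
static (inside,outside1) 152.28.x.11 10.1.1.144 netmask 255.255.255.255
"""


def _endpoint(parts, i):
    """Parse an ACE source/destination at parts[i]: 'any', 'host A', or
    'A MASK' (subnet form, kept but never matched below).
    Returns (spec, index of the next token)."""
    if parts[i] == "any":
        return ("any",), i + 1
    if parts[i] == "host":
        return ("host", parts[i + 1]), i + 2
    return ("net", parts[i], parts[i + 1]), i + 2


def parse_config(config):
    """Collect extended ACL entries, inbound ACL bindings and static NATs.
    Returns (acls, bindings, statics)."""
    acls, bindings, statics = {}, {}, []
    for line in config.splitlines():
        p = line.split()
        if not p:
            continue
        if p[0] == "access-list" and p[2] == "extended":
            action, proto = p[3], p[4]
            src, i = _endpoint(p, 5)
            dst, i = _endpoint(p, i)
            port = p[i + 1] if len(p) > i + 1 and p[i] == "eq" else "any"
            acls.setdefault(p[1], []).append((action, proto, src, dst, port))
        elif p[0] == "access-group" and p[2:4] == ["in", "interface"]:
            bindings[p[4]] = p[1]          # interface -> ACL applied inbound
        elif p[0] == "static":
            outer_if = p[1].strip("()").split(",")[1]
            statics.append((outer_if, p[2], p[3]))   # (interface, public, private)
    return acls, bindings, statics


def _covers(spec, ip):
    return spec[0] == "any" or (spec[0] == "host" and spec[1] == ip)


def audit_static_exposure(config):
    """Map each static NAT's public address to (status, detail), where status
    is one of: no-acl, unreachable, exposed, broad."""
    acls, bindings, statics = parse_config(config)
    report = {}
    for outer_if, pub, priv in statics:
        acl = bindings.get(outer_if)
        if acl is None:
            # Lower -> higher security level with nothing applied: implicit deny.
            report[pub] = ("no-acl", "no inbound ACL on %s; all inbound to %s is denied"
                           % (outer_if, priv))
            continue
        permits = [(proto, port, src) for action, proto, src, dst, port
                   in acls.get(acl, []) if action == "permit" and _covers(dst, pub)]
        if not permits:
            report[pub] = ("unreachable", "ACL %s has no permit to %s" % (acl, pub))
        elif any(proto == "ip" and src == ("any",) for proto, port, src in permits):
            report[pub] = ("broad", "ACL %s permits ip any to %s; every port on %s is reachable"
                           % (acl, pub, priv))
        else:
            report[pub] = ("exposed", ", ".join("%s/%s" % (proto, port) for proto, port, _ in permits))
    return report


if __name__ == "__main__":
    for pub, (status, detail) in audit_static_exposure(SAMPLE_CONFIG).items():
        print("%-14s %-12s %s" % (pub, status, detail))
```

Running it on a copied `show run` is a quick way to confirm, before the outside1 cutover, that each migrated static has a matching permit on the new interface's ACL and that none of the old entries quietly carry a `permit ip any` into the new ISP.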

Migrating to new ISP - ASA 5510.

Ok, I get it now. Thanks!

Currently I have 2 ISPs connected via 2 different outside interfaces. I changed one of the static NATs as mentioned above, but it is not working. I think it might have to do with the static routes on the ASA. The default route points to the original ISP, so I suppose I need to program the ASA to send traffic for that NAT to the new outside interface:

original outside int 208.23.x.2 -------------ISP router 208.23.x.1

new outside1 int 152.28.x.2-------------------ISP2 router 152.28.x.1

route outside 0.0.0.0 0.0.0.0 208.23.x.1

static (inside,outside1) 152.28.x.11 10.1.1.144 netmask 255.255.255.255

How can I solve this?

thank you again


Re: Migrating to new ISP - ASA 5510.

Hi,

Yes, definitely it is a problem with the setup, since on the ASA you can have only one default route. So you cannot put a default route for it on the ASA; that is not supported.

I would suggest taking some downtime and changing the default route on the ASA to test the new ISP migration.

route outside1 0.0.0.0 0.0.0.0 152.28.x.1

Thanks,

Varun

Thanks, Varun Rao Security Team, Cisco TAC

Re: Migrating to new ISP - ASA 5510.

Ok, so there's no way of migrating "one at a time" without having the downtime? How about setting up a parallel "inside1" interface? Can I program the ASA to send all the traffic from inside1 to outside1?
