I am working to transition to a new public netblock on the outside interface of an ASA 5520 HA pair. All four of my Ethernet physical interfaces are in use (as inside, outside, DMZ and Failover). The outside interface needs to transition to a new PI netblock but I would like to do it gradually rather than in one flash cutover (e.g., by simply renumbering its address) so as to not have to swing over a half dozen VPN peers and a bunch of DNS entries all in one change.
My thought is to use subinterfaces on the outside interface, leave the current IP addressing (and associated ACEs and NATs etc.) on new subinterface .1 and create a new subinterface .2. Of course I'd need to set up the upstream switch's VLANs and trunk the ports as well as the upstream routers which connect to my ISP.
One downside I see is having to rename the interface temporarily (can't have interface name Outside on Gi0/0 and Gi0/0.1 at the same time) or else use new names for the subinterfaces (like outside_old and outside_new). I'd then need to recreate all the lines that refer to "outside" to instead reference "outside_old". (There are about 100 NATs and another 100 access-list entries in addition to 6 site-site VPNs.) Once I have that in place and working, I can move entries over one at whatever pace makes sense to "outside_new".