topic Re: Migrating from one ISP to another ISP using PIX515e in Network Security

Migrating from one ISP to another ISP using PIX515e

JORGE RODRIGUEZ — Mon, 11 Mar 2019 10:07:11 GMT

Hi all ,

Could someone give me some insight/ideas in giving various options in this particular scenario/project ?

Today I learned we are upgrading our current T1 out to the internet with a DS3, but we are not using the same ISP but rather a completely new ISP provider, which means we must change our public IP block needless to say our current IP block is used to allow our clients to connect to our DMZ servers . I have began researching how to go about this migration, whether to implement a parallel internet edge using 2 ISPs but the end state will be to remove the old ISP.. so I don?t know what will be the best way to approach this migration with minimal impact and a fall back , if we should configure/implement a multihoming secenario or just simply a hot cutover , if multihoming was to be implemented how to go about having all internal default route using the new ISP while having the old ISP functional while the new IP block from new ISP is integrated in our firewalls new global NAT pools etc.. , how could I logically route the new ISP IP block into our PIX515s external interface on top our current ISP, and have the default route go out the new ISP .

If a hot cutover is to be implemented would like to have some examples of fallback into the old ISP in case things go wrong.

This the current edge physical/logical setup for our internet gateway .

a- EDGE-Router-to-CurrentISP-Router

Edge router running two routing protocols BGP and OSPF

EDGE-router serial interface peers with ISP ( BGP )

EDGE-router FE interface connects to external switch vlan to PIX515e (outside interface) participating in OSPF .

PIX515e v.6.3(3) currently holds 4 other FE interfaces by which all 4 FE are all utilized for DMZ purposes . PIX running two OSPF processes, one for PIX-outside interface (public side ) to EDGE-router and a second OSPF process for the PIX-inside interface OSPF inside area.

Ospf default route or gateway of last resort is injected downstream to other ospf inside neighbors throughout our LAN from the EDGE-router?s OSPF process.

New ISP is providing us with the router and DS3 link , so most likely we will do BGP peering.

Some examples in migrating ISPs or multihomming links would greatly be appreciated.

Rgds

Jorge

Re: Migrating from one ISP to another ISP using PIX515e

haithamnofal — Tue, 01 May 2007 03:36:55 GMT

Hey Jorge,

Please refer to my previous post called "2 ISP Connections" where you can find a similar case with a migration recommendation. I came across exactly a similar scenario last week and tried it and worked fine. The difference in my case is that I am not migrating but I need to have 2 ISP connections. In your case you will eventually take out the old ISP.

Anyways, just have a look at my previous post and let me know if you have any more questions.

Regards,

Haitham

Re: Migrating from one ISP to another ISP using PIX515e

JORGE RODRIGUEZ — Tue, 01 May 2007 13:41:59 GMT

Hi Haitham, thanks for your responce and greatly appretiated. I will definately look into your posting today.

Rgds

Jorge

Re: Migrating from one ISP to another ISP using PIX515e

JORGE RODRIGUEZ — Mon, 07 May 2007 21:08:52 GMT

Hi Haitham, I looked at your implementation somewhat similar to mine with only one difference, you have two ISPs coming into one internet-edge router. In my case I will have two internet edge routers each as different ISP coming into my PIX or better say my external switch then the PIX. What I am mostly looking for is how to go about cutting over a new ISP and the whole implementation process. Could you or anyone comment on this process, if I missed anything or if there is any other way or better ideas on how I should implement this ISP migration it will be greatly appreciated.

ISP migration process Sketch

Step 1 (Initial implementation process of new-ISP-router install )

A new vlan will be created on the external switch for the new-ISP router Ethernet handoff . Since PIX runs two OSPF processes one for the outside interface and one for the inside interface, the outside OSPF process will not be changed until later, so the new-ISP IP-Block will come as a static route which will be routed through the PIX outside interface ip address which will still be under the OLD-ISP IP block.

Step 2

Once new IP block is successfully routed through PIX-outside interface create new NAT pools and appropriate PAT addresses in the PIX for each of the pools associated with OLD-ISP using the new-ISP IP block. Begin to update each server hosts configured for one-to-one public NAT address associated with OLD-ISP with new-ISP public IP addresses ,once this migration has been completed successfully and tested proceed to step 3.

Step 3 (PIX outside , OLD-ISP and NEW-ISP OSPF processes and routing cutover)

Change IP addresses and routing configuration from the following devices:

PIX-Outside interface: Static routes pertaining to old-ISP Internet router

Stop PIX-OSPF Process on outside interface

Re-IP PIX outside interface with new-ISP ip block. (67.x.x.4)

PIX-Outside interface OSPF process START

Create static route on PIX-outside interface to route New-ISP-router 67.x.x.1 via PIX_outside-67.x.x.4

OLD_ISP-router = Create a static route to route old-ISP 63.x.x.0 block via PIX-outside-67.x.x.4

Kill OSPF process on OLD-ISP router

Remove static route previously enter on new-ISP router if any in reference to old-ISP IP block

Create new OSPF process on new-ISP AT&T router ( OSPF Process )

Ensure default-information originate is configured on AT&T router in order to inject default route into PIX

Start/Enable OSPF process on PIX-outside interface (establish OSPF adjacency between AT&T-router and PIX-outside int.

Thanks

Jorge

Re: Migrating from one ISP to another ISP using PIX515e

haithamnofal — Tue, 08 May 2007 08:18:44 GMT

Hi Jorge,

Ok I see your topology now.... With 2 different connections to the outside of the PIX I think you will face issues because the PIX doesn't support source-based routing.

But why don't you connect both ISPs to the same router, don't you have enough modules may be?

Regards,

Haitham

Re: Migrating from one ISP to another ISP using PIX515e

JORGE RODRIGUEZ — Tue, 08 May 2007 21:12:05 GMT

Hi Haitham, you are correct.. I called the new ISP today , I wanted to have the new ISP also carry the OLD ISP link as you suggested so that I can have both up from a single router but because the ISP is ATT and they are providing the router as well as managing they indicated they would not want another ISP in their router. So it is actually not my call, I have indicated the PMs that this will then be a hot cutover. I think we can live with re-iping about 25 servers for one-to-one public NAT addresses and update our dns records accordinly. I think I can nail this hut cutover migration, in fact this is the easiest way.

If I have any questions I will definately return with questions.

Regards

Jorge

Re: Migrating from one ISP to another ISP using PIX515e

haithamnofal — Tue, 08 May 2007 21:18:59 GMT

Good Luck, and sure dont hesitate to come back with questions.

Rgrds,

Haitham