topic Hi,If you want to migrate the in Network Security

Link Migration to New ISP and New ASAs.

Francisco Granados — Tue, 12 Mar 2019 06:42:21 GMT

All,

Thank you in advance for taking the time to read. Security is not my strength and I need to know if this is even possible.

I am migrating to a new ISP and New FWs, I setup the new link and firewalls parallel. I already have the new ISP and new FWs configured and I have internet access. I thought I could change the default route on the core switch to point to the new FWs and therefore to the new ISPs, however, when do this my servers are not responding to outside requests. Inside clients like computers can get online but my web servers are down.

My plan was to use the new ISP for outbound and slowly migrate the servers to the new ISP block by changing the external DNS and NATTING through the new FWs.

Is this scenario possible assuming the FWs are configured properly?

Topology:

NEW ISP

(IP block 209.x.x.x) ===> New ASA ==

==== core ===== clients

OLD ISP ==== switch =====and servers

(IP Block 63.x.x.x)====> OLD ASA ==

NATs to

Inside Servers

Thanks in advance.

That plan should work. You

Andre Neethling — Wed, 07 Oct 2015 09:53:02 GMT

That plan should work. You just need to be careful that you do not route any traffic from the servers out to the internet through the NEW firewall before the NAT and ACL rules have been migrated across. You may create an ASYMMETRIC routing scenario and State tables won't match, and traffic will be dropped.

Hi,If you want to migrate the

ealiev — Thu, 15 Oct 2015 13:20:02 GMT

Hi,

If you want to migrate the servers one by one I can suggest to use policy based routing (if supported) on Core switch. You can change the default route for only particular server (source based) towards the NEW firewall. Before that you have to migrate all ACLs and NAT rules off course.

Regards,

Ergin