topic Re: Remote office changing ISPs in Network Security

Remote office changing ISPs

gtvit — Tue, 14 Jan 2020 15:11:52 GMT

Hello,

We have a remote office that is changing ISP's and just wanted to confirm the steps I would need to take in changing the firewall config for this to work. We are currently running a ASA 5516 and have a site to site VPN from the remote to main office. Here's what i'm thinking needs to happen:

Change the outside interface IP address to the new IP given by the new ISP.
Change the static route gateway to the new gateway given by the new ISP.
Add a secondary peer IP address in crypto maps on the main office firewall for the site to site VPN to include the new IP.

Is there anything else I'm missing?

Thanks

Re: Remote office changing ISPs

Rob Ingram — Tue, 14 Jan 2020 15:23:10 GMT

Hi,
You will probably need to change the tunnel-group on the Main ASA as this will usually be named using the IP address of the remote site peer. Potentially the group-policy will be the same, unless using default.

HTH

HTH

Re: Remote office changing ISPs

gtvit — Tue, 14 Jan 2020 15:36:16 GMT

Thanks for the reply. When you say tunnel-group, are you just talking about the peer IP address in the connection profile? From what i read, you should just be able to add a secondary peer IP address under crypto maps and then delete the primary one once the secondary connection has been made. I was just curious if anyone has had any luck with this method.

Re: Remote office changing ISPs

Sheraz.Salim — Tue, 14 Jan 2020 20:19:27 GMT

Change the outside interface IP address to the new IP given by the new ISP. correct
Change the static route gateway to the new gateway given by the new ISP. if you have a dedicated ip address given from ISP. yes make sure define a static route "route outside 0.0.0.0 0.0.0.0 34.23.54.11" make sure you delete the old static route configuration. also if no public ip address given in that case "ip address dhcp setroute".
Add a secondary peer IP address in crypto maps on the main office firewall for the site to site VPN to include the new IP. see below

I did a similar migration. in my case i created the tunnel-group as back up. but this did not resolve the issue. than what i did was created a new tunnel. (Note, in my case. I had a out of band managment console to both boxes HQ and Branch) so i follow these config. hope it make sense to you.

existing setup was

ASA-1(config)# tunnel-group 123.123.123.123 type ipsec-l2l
ASA-1(config)# tunnel-group 123.123.123.123 ipsec-attributes
ASA-1(config-tunnel-ipsec)# remote-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# local-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
ASA-1(config-tunnel-ipsec)# exit

ASA-1(config)# crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC 
ASA-1(config)# crypto map CRYPTO-MAP 1 set peer 123.123.123.123
ASA-1(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
ASA-1(config)# crypto map CRYPTO-MAP interface outside

I pre-config this configuration on notepad and during the change windows created a new tunnel with new public ip address

ASA-1(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ASA-1(config)# tunnel-group 1.1.1.1 ipsec-attributes
ASA-1(config-tunnel-ipsec)# remote-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# local-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
ASA(config-tunnel-ipsec)# exit

ASA-1(config)# crypto map CRYPTO-MAP 2 match address VPN-INTERESTING-TRAFFIC 
ASA-1(config)# crypto map CRYPTO-MAP 2 set peer 1.1.1.1
ASA-1(config)# crypto map CRYPTO-MAP 2 set ikev2 ipsec-proposal VPN-TRANSFORM
ASA-1(config)# crypto map CRYPTO-MAP interface outside

once new tunnel is up and running you can delete the non-used tunnel. you can also use the command clear configure tunnel-group 123.123.123.123

Re: Remote office changing ISPs

gtvit — Wed, 15 Jan 2020 15:25:51 GMT

Thanks for your response. I'm a little confused regarding your second config. You said you created a backup tunnel group but that didn't resolve the issue but isn't that what you're doing in the second config? And regarding the peer address with the new IP, can't i just add that as a secondary in the current crypto map without adding a new one?

Re: Remote office changing ISPs

Sheraz.Salim — Wed, 15 Jan 2020 17:05:23 GMT

Hi. at work change window i was trying to be over smart 🙂 and did config i this which did not work.

existing setup was

ASA-1(config)# tunnel-group 123.123.123.123 type ipsec-l2l
ASA-1(config)# tunnel-group 123.123.123.123 ipsec-attributes
ASA-1(config-tunnel-ipsec)# remote-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# local-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
ASA-1(config-tunnel-ipsec)# exit

ASA-1(config)# crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC 
ASA-1(config)# crypto map CRYPTO-MAP 1 set peer 123.123.123.123 
ASA-1(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
ASA-1(config)# crypto map CRYPTO-MAP interface outside

at set peer I just change the public peer ip address and expected to work which did not work. in order to make it work i have to create another tunnel-group and crypto map. Apologies for the confusion

Re: Remote office changing ISPs

gtvit — Wed, 15 Jan 2020 21:25:59 GMT

Ahhh, gotcha. Yea i was hoping i could just create a new tunnel group and change the peer IP address and be done with it.

Re: Remote office changing ISPs

Sheraz.Salim — Wed, 15 Jan 2020 21:30:30 GMT

all the best make sure you have a pre-config on notepad in case you need to speed up due to change windows. all the best.