topic ASA 5520- ISP change proceedure in Network Security

ASA 5520- ISP change proceedure

rayborg — Mon, 11 Mar 2019 21:44:30 GMT

Hello,

our company is going to change its´ ISP.

The External Ips are going to obviously change too.

We have an Active/Standby Firewall and we would like to make the change with at least connectivity downfall as possible.

In our configuration we have nearly all features configured as in a normal Productive Firwall such as , NAT, Site-toSite VPN, Remote Access

Webvpn, ACLs and also routing. I have looked up some information in this community and still I am not sure about the steps to be

made so to reach our goal.

I have read that chaging only the "names" from the old IP Range to the new Ip range would not really make the change.

The old Ip range will still be configured in the features using the external Ip adress.

Therefore we have to first delete all the information (in the runing config) connected to these Variables and then re insert them.

My biggest worry is that this could be a little bit tricky during the implementation, if some config lines or objects could be left out

during the deleting and inserting procedure.

Have someone any idea how we could make this change with a low percentage of "copy and paste failures"?

I was thinking about in changing the "names" to their new Ips and then afterwards reload the ASA. Will this workout?

Primary ASA will be changed first with the secondary shutdown. ASA Firmware 8.2.2 (12)

regards

Ray

ASA 5520- ISP change proceedure

mvsheik123 — Mon, 31 Oct 2011 19:10:08 GMT

Hello,

I did change the external IPs few months back on Active/stanby cluster. Please refer to below thread. If you still have queries, please post.

https://supportforums.cisco.com/message/3325539#3325539

hth

ASA 5520- ISP change proceedure

rayborg — Wed, 02 Nov 2011 13:11:51 GMT

Hello,

thanks for your prompt answer.

Your proposal was very interesting to read maybe i can try it out this week.

Still I have got some questions regarding the doing.

I have tried implementing the change on our Lab ASA using two different methods.

In the first method I have made a copy off the "more system:running config" and edited the

copied version with the new ISP Address Range. Than I TFTPed it back to the ASA on the Startup and reloaded.

The results seemed o.k. but as I said this is our LAb ASA. One issue could be the Pre-shared key for the IPsec

configuration.

My second method.

I have edited the Objects involved over ASDM and applied the changes.

This methode seemed also to away to reach our goal.

Are there any hidden issues if I have to implement any one from my methods?

As I said I would like to hear some feedback from persons whom have had already experienced such a measure.

Thanks again mvsheik123

I would really appreciate it if we could discuss more about this issue.

ASA 5520- ISP change proceedure

mvsheik123 — Thu, 03 Nov 2011 14:46:48 GMT

Hi Ray,

As you are not changing the Firewalls here there is no need to use any uploads. But as precautionary, keep tftp copy of current working running config from fw handy.

Now as far as the names, yes.. just changing names will not work. My preferred method (although not the best), I copy the config to text file and edit (with new IPs) wherever necessary. I keep (names, static, route, tunnel etc) old config lines with 'no' key word form and new config lines as well so that I copy/pastethe config during the maintenance window. That saves lot of time incase of any unforeseen issues and needs time to t-shoot.

Also, Within the maintenanace window I did it phase by phase. (1. Internet 2. DMZ access 3.VPN changes etc).

Make sure you clear the arp tables on external switches and Xlates on ASAs after changing the IPs.

Thx

ASA 5520- ISP change proceedure

stt — Mon, 07 Nov 2011 22:30:15 GMT

Hi,

I know this is already marked as "Answered", but i just wanted to air my method.

I'm not sure it the most optimal, and there sure are plenty of room for copy-paste errors. Also, the "Remote Access" part can get a bit tricky i guess, if taking too long.

However, i did this a couple of times on a couple of remote ASAs. They weren't paired though, but i can't imagine the procedure being much different.

I "simply" added another "outside" interface and duplicated access-lists, NATs and statics, VPN tunnel-groups and so on.

In these particular cases, all i had to switch was outside management, a couple of statics and the VPN tunnels terminated on the device.

In my own pace, i could move one tunnel at a time, by just adding a static route to my VPN peer out through the new outside.

When the VPN tunnels were done, new VPN profiles distributed and users notified of the changes, i changed the default route too, making the change complete.

All left to do is a lot of cleanup, but that can be done without disturbing the users too.

Of course, both ISPs have to be active at the same time to accomplish this.

/Sune T.