topic Re: ISP Migration - Two ISP's, one ASA 5510 in Network Security

ISP Migration - Two ISP's, one ASA 5510

mlinsemier — Mon, 11 Mar 2019 16:53:57 GMT

We are currently in the process of switching ISP's from one to another. I was hoping that I could, with the Cisco ASA 5510, run both ISP's in tandem without having to do a "hard cutover" of changing IP's of all public facing devices on a weekend.

Both of the ISP's terminate into the same router (one is NxT1 and the other is Ethernet). Initially, I created a secondary IP subnet (for the new block) on the same interface that the existing public subnet is on. Then I planned on setting up PBR on the external ISP terminating router to make sure that the traffic is routed correctly based on what was presented to it. I haven't got this to work.

In theory will this even work? I would like to look at changing the PAT address to the new ISP (it's faster) and then start migrating the other devices at my pace.

If anyone has any input, please let me know.

Matt

Re: ISP Migration - Two ISP's, one ASA 5510

Jon Marshall — Tue, 05 Jan 2010 22:33:01 GMT

mlinsemier wrote:
We are currently in the process of switching ISP's from one to another.  I was hoping that I could, with the Cisco ASA 5510, run both ISP's in tandem without having to do a "hard cutover" of changing IP's of all public facing devices on a weekend.  
Both of the ISP's terminate into the same router (one is NxT1 and the other is Ethernet).  Initially, I created a secondary IP subnet (for the new block) on the same interface that the existing public subnet is on. Then I planned on setting up PBR on the external ISP terminating router to make sure that the traffic is routed correctly based on what was presented to it.  I haven't got this to work.
In theory will this even work?  I would like to look at changing the PAT address to the new ISP (it's faster) and then start migrating the other devices at my pace.
If anyone has any input, please let me know.
Matt

Matt

 Initially, I created a secondary IP subnet (for the new block) on the same interface that the existing public subnet is on

Not sure what you mean here. Do you mean on the ASA because as far as i was aware the ASA doesn't support secondary addressing.

So you have an ASA connected to a router which has 2 ISP terminations. Are you aware that you do not need to actually have an address on an interface to use it as a PAT address on the ASA ?

Perhaps a quick topology diagram with addressing would help.

Jon

Re: ISP Migration - Two ISP's, one ASA 5510

mlinsemier — Wed, 06 Jan 2010 19:13:52 GMT

Jon,

Maybe I should take a step back. Our current topology is two ASA 5510's (in failover mode) connected to Dirty DMZ switch which connects to a Cisco 3825 connected to UUNet via 4xT1. We also have a DMZ where our public facing servers are in. So it looks like this:

Private Network ----> ASA ---> Dirty DMZ Switch ---> 3825 Router ---> UUNet

Most of our public addressable IP addresses hang off devices in the DMZ. A few are also NATed to the inside network (ACS, Syslog, etc.).

We just signed for a 20Mbps contact with ACC (AT&T) handed off to us via Ethernet. Along with this there is a new /26 subnet block for public IP addresses.

What I would like to do is connect both ISP's to the ASA's, initially move over all of the PAT traffic (our corporate users) to the new 20Mbps link, and then move over the remaining publicly addressed servers and appliances as time provides. From what I understand this would require me to be able to NAT to two different subnets. My worry is that if there is a default route to our existing provider, that when I add the new address for the PAT of the new provider I would need to change this default route, in effect breaking all of the public NATed devices (as traffic would come in and leave on a different provider).

I can terminate the new AT&T link on the existing router (via Ethernet), terminate it directly to a spare interface on the ASA, or connect it to a secondary router (I have spares), but I'm trying to see what the best way is to handle this. We currently do have IP addresses bound to ASA external interface but could change this if necessary.

Any input or ideas would be greatly apprecaited.

Matt

Re: ISP Migration - Two ISP's, one ASA 5510

abhadana — Wed, 06 Jan 2010 20:56:12 GMT

hi matt,

I am assuming you have this kind of network.

Terminating two ISPs on ASA/PIX-

ISP1------------------Internet

1.1.1.2 |

| |

1.1.1.1 |

PIX/ASA|2.2.2.1----2.2.2.2|ISP2

3.3.3.1

Internal Network

If you want to configure half traffic through the ISP1 and half traffic through ISP2, Here i would like to say that ASA is NOT a load-balancer or packet-shaper. Hence we cannot *truly* achieve this, but we may configure ASA in such a manner that traffic for some destination IP address is routed via ISP1 and some is routed via ISP2. Following would be configuration commands in this scenario-

nat (inside) 1 0 0

global (ISP1) 1 interface

global (ISP2) 1 interface

route ISP1 128.0.0.0 128.0.0.0 1.1.1.2

route ISP2 0.0.0.0 128.0.0.0 2.2.2.2

The first creates a default route that routes addresses with the first bit of 1 to 1.1.1.2 of ISP1.

The second creates a default route that routes addresses with the first bit of 0 to 2.2.2.2 of ISP2.

Note: This will do traffic routing based on *Destination* IP addresses and NOT based on traffic load. As I mentioned, ASA is NOT a packet-shaper.

Re: ISP Migration - Two ISP's, one ASA 5510

mlinsemier — Wed, 06 Jan 2010 21:56:05 GMT

I'm not interested really in load balancing or packet shaping at this time. The only thing I want to accomplish is to route my Internal private network traffic (users, proxies, etc) over the new ISP2 link and leave all of the other traffic (my DMZ servers) exiting out ISP1. Eventually, as I move public facing servers (one at a time) from ISP1 to ISP2 they will go their respective routes, then eventually I will terminate ISP1 once all of the servers are moved over.

However here is the question. ISP2 gives me two IP addresses, our CPE address and their WAN gateway. They give us an ADDITIONAL subnet which is the publicly routed network, but it's on a different subnet. Will I need a router off the the ASA interface so that it will look like the following:

ASA (12.x.x.129/26) ---- (12.x.x.130/26 - G0/0) OUR ROUTER (G0/1 - 12.248.x.86) ----- (12.248.x.85) ISP2 GATEWAY

If I apply the 12.248.x.86 to the ASA Interface for ISP2, set the route to 12.248.x.85, can I still NAT the 12.x.x.128/26 publicly routed IP's off of that interface without putting a router in between?

Does this make sense? Thanks for all your help!

Matt

Re: ISP Migration - Two ISP's, one ASA 5510

Barry Beitz — Wed, 28 Jul 2010 17:30:00 GMT

mlinsemier,

What did you finally do to resolve your ISP Migration? I've have a very similar setup as you did and my customer has several vendors in their DMZ requiring acceptance testing on the new ISP prior to any final cut-over. Thanks.

Re: ISP Migration - Two ISP's, one ASA 5510

JORGE RODRIGUEZ — Thu, 29 Jul 2010 06:20:01 GMT

Hi Matt,

Question for you... how big is your current static nat configuration for your public servers? I have been in your scenario two times, and found out that it is much easier to do a hot cutover than gradual cutover ( more headaches ) , if you are indeed actually decomisioning the old ISP a hot cutover is recommended way much easier , unless your situation with asa static translation holds hundreds of static translations I can see the justification for gradual cutover but I don't think this could be your case as from what you indicated your new ISP is providing /26 so we are not talking about over 60 public usable addresses, so the hotcut should be fairly simple and at the same time be able to fall back if issues by placing back old firewallconfig , you will prepare few things, obiously fully backup your config in clear text as well as via tftp prior migration, create a sctrip in notepad for the removal of old nat translation and creation new ones , global nat pools , your outside interface re-IP, new default route , your inbound access-list reflecting new public IPs , after you configure this in firewall , shutdown the old ISP multylink interface if that is what you have , clear xlate in your firewall, and clear internet router's arp catch , this process should not take you more than one hour two hours tops... prior hotcut over have handy your new ISP NOC to be able to troubleshoot any issues, but from experience it should be fairly easy going hotcut migration.

my 2 cents

Regards