I know this is a common thread but I'm being pressed to get this sorted ASAP.
A new interface, Outside2, is to send all traffic, the vast majority of which goes down a VPN to a web proxy. There are three VPNs in total.
I changed the interface the crypto map is associated with:
no crypto map Outside_map interface Outside
crypto map Outside_map interface Outside2
I changed the default (and only) route:
no route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Outside2 0.0.0.0 0.0.0.0 y.y.y.y 1
All the NAT rules were changed to reflect the new interface.
After doing this, all the VPNs came back up, but there was a fraction of the traffic going to the web proxy. Is there something I've missed? Do I need to clear all the NAT translations, or will that get done automatically when the NAT rules are changed?
Any help would be greatly appreciated,
Is the initial outside interface going to be used for some purpose, or will the connection be decommissioned? If it's going to be removed, remove all routes and NAT statements facing that egress interface. As the routing table changes, make the ASA clear the existing sessions which are affected as a result of a route change in 30 seconds (timeout floating-conn 0:0:30). If you have leftover static NAT statements towards the initial outside interface, the ASA would bypass the RIB and find the egress interface based on the NAT statement.
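The leftover-statement check the reply describes is easy to get wrong by eye on a large running-config, because object-level static NAT lines sit indented under their object and can steer egress before the routing table is consulted. The script below is an added example, not part of this thread and not the poster's configuration: it scans a `show running-config` dump for route, NAT, crypto map and access-group statements still bound to the interface being retired, and reports whether `timeout floating-conn` is set so that sessions affected by the route change are torn down. The embedded config excerpt is constructed for the example (object names and addresses are placeholders), the four statement forms it recognises are an assumption about what a migration of this kind typically leaves behind, and access-group is included as a common extra check not mentioned in the reply.

```python
import re
from typing import Dict, List, Tuple

# Constructed ASA-style running-config excerpt, written for this example only
# (not the poster's configuration). "Outside" is the interface being retired,
# "Outside2" the new egress; object names and addresses are placeholders.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
interface GigabitEthernet0/1
 nameif Outside2
 security-level 0
object network SERVER-STATIC
 host 10.0.0.10
 nat (inside,Outside) static 198.51.100.10
nat (inside,Outside2) source dynamic any interface
route Outside2 0.0.0.0 0.0.0.0 y.y.y.y 1
route Outside 203.0.113.0 255.255.255.0 x.x.x.x 1
crypto map Outside_map interface Outside2
access-group Outside_access_in in interface Outside
timeout floating-conn 0:0:30
"""

# Statement types whose interface binding can steer traffic away from the new
# default route. Static NAT matters most: as the reply notes, a leftover static
# NAT statement makes the ASA pick the egress interface before consulting the RIB.
PATTERNS = {
    "route": re.compile(r"^route\s+(\S+)\s"),
    "nat": re.compile(r"^nat\s+\((\S+),(\S+)\)"),
    "crypto_map": re.compile(r"^crypto map \S+ interface (\S+)$"),
    "access_group": re.compile(r"^access-group \S+ (?:in|out) interface (\S+)$"),
}


def find_interface_references(config: str, iface: str) -> Dict[str, List[str]]:
    """Return every route/NAT/crypto-map/access-group line still bound to iface."""
    hits: Dict[str, List[str]] = {name: [] for name in PATTERNS}
    for raw in config.splitlines():
        line = raw.strip()  # object-level NAT is indented under its object
        for name, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match and iface in match.groups():
                hits[name].append(line)
    return hits


def floating_conn_timeout(config: str) -> int:
    """Return the configured 'timeout floating-conn' in seconds (0 = disabled)."""
    match = re.search(r"^timeout floating-conn (\d+):(\d+):(\d+)$", config, re.M)
    if not match:
        return 0
    h, m, s = (int(x) for x in match.groups())
    return h * 3600 + m * 60 + s


def audit(config: str, old_iface: str) -> Tuple[int, int]:
    """Print leftovers and return (number of leftover lines, floating-conn seconds)."""
    hits = find_interface_references(config, old_iface)
    total = 0
    for name, lines in hits.items():
        for line in lines:
            print(f"[{name}] still references {old_iface}: {line}")
            total += 1
    seconds = floating_conn_timeout(config)
    state = f"{seconds}s" if seconds else "disabled (existing sessions keep their old path)"
    print(f"timeout floating-conn: {state}")
    return total, seconds


if __name__ == "__main__":
    # On a real box, paste the output of 'show running-config' in place of SAMPLE_CONFIG.
    audit(SAMPLE_CONFIG, "Outside")
```

Against the constructed excerpt the audit reports one route, one object-level static NAT and one access-group still bound to Outside, and confirms the 30-second floating-conn timeout; the crypto map is correctly on Outside2 and is not flagged.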