ASA 5515 ISP Migration

Hi all,

I know this is a common thread but I'm being pressed to get this sorted ASAP.

 

A new interface, Outside2, is to send all traffic, of which the vast majority goes down a VPN to a web proxy. There are three VPNs in total.

 

I changed the interface the crypto map is associated with:

no crypto map Outside_map interface Outside
crypto map Outside_map interface Outside2

 

I changed the default (and only) route:

no route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Outside2 0.0.0.0 0.0.0.0 y.y.y.y 1

 

All the NAT rules were changed to reflect the new interface.

 

After doing this, all the VPNs came back up, but there was a fraction of the traffic going to the web proxy. Is there something I've missed? Do I need to clear all the NAT translations, or will that get done automatically when the NAT rules are changed?

 

Any help would be greatly appreciated,

Regards,
Stuart

 

 

2 REPLIES 2
RJI Advisor

Re: ASA 5515 ISP Migration

Hi,
You seem to have everything covered regarding the configuration changes required. The NAT connections would remain until they time out; clearing the connections should hopefully resolve the issue.

HTH
Rising star

Re: ASA 5515 ISP Migration

Hi,

 

Is the initial outside interface gonna be used for some purpose, or will the connection be decommissioned? If it's gonna be removed, remove all routes and NAT statements facing that egress interface. As the routing table changes, make the ASA clear the existing sessions which are affected as a result of a route change in 30 sec (timeout floating-conn 0:0:30). If you have leftover static NAT statements towards the initial outside interface, the ASA would bypass the RIB and find the egress interface based on the NAT statement.

 

Regards,

Cristian Matei.
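
The leftover-statement check suggested in the replies can be run offline against a saved running configuration. The Python sketch below is an added example, not code from any poster in this thread; the function names and the sample configuration are constructed for illustration, and the patterns cover only a subset of the ASA commands that take an interface name.

```python
import re

# Constructed sample of running-config lines (not from the thread): the move
# to Outside2 is done except for one object NAT and the IKEv1 enable line.
SAMPLE_CONFIG = """\
object network WEB_SRV
 nat (inside,Outside) static 198.51.100.10
nat (inside,Outside2) source static LAN LAN destination static PROXY PROXY no-proxy-arp route-lookup
nat (inside,Outside2) source dynamic any interface
route Outside2 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map Outside_map interface Outside2
crypto ikev1 enable Outside
access-group Outside2_in in interface Outside2
timeout floating-conn 0:00:30
"""

def leftover_references(config, old_if):
    """Return (line_no, kind, text) for config lines still bound to old_if."""
    name = re.escape(old_if)
    patterns = {
        # nat (real_if,mapped_if): either side may still name the old interface
        "nat": re.compile(rf"^nat \((?:{name},[^)]+|[^,]+,{name})\)", re.I),
        "route": re.compile(rf"^route {name}\s", re.I),
        "crypto map": re.compile(rf"^crypto map \S+ interface {name}$", re.I),
        "ike enable": re.compile(rf"^crypto ikev[12] enable {name}$", re.I),
        "access-group": re.compile(rf"^access-group \S+ (?:in|out) interface {name}$", re.I),
    }
    hits = []
    for no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()  # object NAT lines are indented under their object
        for kind, pat in patterns.items():
            if pat.search(line):
                hits.append((no, kind, line))
    return hits

def floating_conn_enabled(config):
    """True if 'timeout floating-conn' is present with a non-zero value."""
    m = re.search(r"^timeout floating-conn (\d+):(\d+):(\d+)", config, re.M)
    return bool(m) and any(int(g) for g in m.groups())

if __name__ == "__main__":
    for no, kind, line in leftover_references(SAMPLE_CONFIG, "Outside"):
        print(f"line {no}: [{kind}] {line}")
    print("floating-conn enabled:", floating_conn_enabled(SAMPLE_CONFIG))
```

Anchored patterns keep `Outside` from matching `Outside2`, which matters when the new interface name extends the old one as it does here.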