ASA 5515 ISP Migration

stuart_jones
Level 1

Hi all,

I know this is a common thread but I'm being pressed to get this sorted ASAP.

A new interface, Outside2, to send all traffic, of which the vast majority goes down a VPN to a web proxy. There are three VPNs in total.

I changed the interface the crypto map is associated with:

no crypto map Outside_map interface Outside
crypto map Outside_map interface Outside2

I changed the default (and only) route:

no route Outside 0.0.0.0 0.0.0.0 x.x.x.x 1
route Outside2 0.0.0.0 0.0.0.0 y.y.y.y 1

All the NAT rules were changed to reflect the new interface.

After doing this all the VPNs came back up but there was a fraction of the traffic going to the web proxy. Is there something I've missed? Do I need to clear all the NAT translations or will that get done automatically when the NAT rules are changed?

Any help would be greatly appreciated,

Regards,
Stuart

Accepted Solution

Hi,
You seem to have everything covered regarding the configuration changes required. The NAT connections would remain until they time out; clearing the connections should hopefully resolve the issue.

HTH
5 Replies

Cristian Matei
VIP Alumni

Hi,

Is the initial outside interface gonna be used for some purpose, or will the connection be decommissioned? If it's gonna be removed, remove all routes and NAT statements facing that egress interface. As the routing table changes, make the ASA clear the existing sessions which are affected as a result of a route change in 30 sec (timeout floating-conn 0:0:30). If you have leftover static NAT statements towards the initial outside interface, the ASA would bypass the RIB and find the egress interface based on the NAT statement.

Regards,

Cristian Matei.

Hi Cristian,
It will dual run for a short period then be shutdown. I wasn't aware a NAT statement would cause the ASA to bypass the RIB.
There isn't a NAT rule in for the VPN to the web proxy. Am I right in thinking VPNs don't require a NAT rule given the destination traffic is configured in the remote network? In this case it is "any"?
Regards,
Stuart

Hi,

Apart from fixing the routing and binding the crypto map to the new outside interface, you would have to also fix your old NAT statements (entries that had the "outside" keyword would need to have "outside2"). As for VPN and NAT, if the Internet-facing interface (for which you configure NAT) is the same as the VPN gateway interface (where VPN tunnels are terminated), because NAT happens before encryption, you would have to exempt the VPN traffic from being NAT'ed, via twice NAT identity statements.

Regards,

Cristian Matei.
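The complete cut-over that the replies above describe, gathered into one consistent ASA configuration as an added example. This is not from the thread and is not Cisco's own text: the interface names, object names, addresses and the 30-second floating-conn timeout are assumptions chosen for illustration, and the identity NAT exemption is written for a specific proxy subnet rather than "any" so the effect on ordinary NAT is visible.

```cisco
! Added example (not from the thread). Names and addresses are assumed.

! --- 1. Routing: move the default route from the old ISP to the new one ---
no route Outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route Outside2 0.0.0.0 0.0.0.0 203.0.113.1 1

! --- 2. Crypto map: re-bind the VPN endpoint to the new egress interface ---
no crypto map Outside_map interface Outside
crypto map Outside_map interface Outside2

! --- 3. NAT: every rule that named the old interface must name the new one.
! A leftover static NAT on Outside overrides the routing table (the ASA
! selects the egress interface from the NAT rule), so it is removed, not kept.
object network INSIDE_NET
 subnet 10.0.0.0 255.255.0.0
object network WEBPROXY_NET
 subnet 192.0.2.0 255.255.255.0

! before (old interface; remove this line):
! nat (Inside,Outside) after-auto source dynamic INSIDE_NET interface
! after:
nat (Inside,Outside2) after-auto source dynamic INSIDE_NET interface

! --- 4. VPN exemption: NAT happens before encryption, so traffic that must
! enter the tunnel is matched first by a twice NAT identity rule placed
! ahead of the dynamic PAT. Use destination "any" only if the tunnel's
! remote network really is "any".
nat (Inside,Outside2) 1 source static INSIDE_NET INSIDE_NET destination static WEBPROXY_NET WEBPROXY_NET no-proxy-arp route-lookup

! --- 5. Existing sessions: established connections keep their original
! egress interface until they time out. Let the ASA re-evaluate them after
! a route change, and clear the remaining ones in the maintenance window.
timeout floating-conn 0:00:30
clear xlate
clear conn
```

After the change, "show nat" shows the identity rule above the dynamic PAT with hit counts climbing for proxy-bound traffic, and "show conn" should no longer list connections on Outside; any that remain are the sessions the clear commands are meant to remove.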

stuart_jones
Level 1
It turns out the above was sufficient, but the DNS being used on site was pointing to the old ISP, which was blocking the IP address of the new ISP.

Making the above changes and changing the DNS to Google resolved the issue.