01-23-2024 07:40 AM
Hello
I would like to know the best way to change ISP on a pair of ASAs (active - standby).
Currently, there are 14 public IPs on the ASA.
By searching in the configuration txt file, in:
Outside interface, VPN, network objects, NAT, static route, crypto ca trustpoint ASDM_TrustPoint7
enrollment self
subject-name etc...
Apart from the ASA, we also have these IPs in a reverse proxy, in a proxy, DNS server, and in an external WAAP.
The new ISP assigned me a pool of public IP addresses.
I made a table with old IP / new IP.
I communicated to the future new ISP the IP addresses that they will have to apply to the physical interfaces of their router (I will not have access to this router).
For my part, I will take the last txt backup of the ASA running-configuration, I will modify all the IPs with the new ones and on the day of the migration, I will inject the new configuration into the ASA, by running-conf.
We will modify the IPs in DNS, proxy, reverse proxy and WAAP.
This requires a reboot of the ASA pair, I imagine? So I will have to do a write.
Before switching the ASAs, I will test the new operator by connecting with a laptop directly to their router, to check that I have the Internet and that the speeds are good.
And what is the right way to do it? Did I forget things?
01-23-2024 05:40 PM
For my part, I will take the last txt backup of the ASA running-configuration, I will modify all the IPs with the new ones and on the day of the migration, I will inject the new configuration into the ASA, by running-conf.
This seems to be a reasonable approach.
This requires a reboot of the ASA pair, I imagine? So I will have to do a write.
There is no requirement to reboot - but if your ASA has been running for a long time, then a reboot will be good to clear any buffer issues.
Before switching the ASAs, I will test the new operator by connecting with a laptop directly to their router, to check that I have the Internet and that the speeds are good.
Yes, this is a very good step, since you are sure the ISP is working.
Also keep a rollback plan to revert to the old IPs and other stuff - if the new cutover does not go as expected, you are ready to roll back to a working condition.
01-24-2024 12:54 AM
The new IP changes in:
1- interface
2- NAT, if you use many-to-many NAT, i.e. using a pool of public IPs
3- VPN (here the new IP must change on the peer, not on your ASA)
So from all three points above, I think you only need the first one on the ASA.
And to be sure:
Show run | i x.x.x.x
This shows you where the old IP is used.
This makes the task easier.
Good luck, friend
Have a nice day
MHM
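One way to script the offline edit of the txt backup described in the first post, together with the leftover check that `show run | i x.x.x.x` gives on the device, as an added example that is not code from any poster. The addresses, the /28 block and the sample config are constructed from documentation ranges, and `migrate` is a hypothetical helper name.

```python
import ipaddress
import re

# Constructed old -> new table (documentation ranges), not real addresses.
IP_MAP = {
    "198.51.100.1": "203.0.113.1",
    "198.51.100.10": "203.0.113.10",
}
OLD_NET = "198.51.100.0/28"  # constructed: the old ISP's block

# Constructed excerpt of an ASA running-config text backup.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.1 255.255.255.240 standby 198.51.100.2
object network WEB-PUBLIC
 host 198.51.100.10
route outside 0.0.0.0 0.0.0.0 198.51.100.14 1
crypto ca trustpoint ASDM_TrustPoint7
 subject-name CN=198.51.100.1
"""

# Whole dotted quads only, so 198.51.100.1 never matches inside 198.51.100.10.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def migrate(config, ip_map, old_net):
    """Return (new_config, changed_lines, leftovers) for a config backup."""
    net = ipaddress.ip_network(old_net)
    out, changed, leftovers = [], [], []
    for num, line in enumerate(config.splitlines(), 1):
        # Single pass per line: a freshly written new IP is never re-mapped.
        new = IPV4.sub(lambda m: ip_map.get(m.group(0), m.group(0)), line)
        if new != line:
            changed.append((num, line.strip(), new.strip()))
        for tok in IPV4.findall(new):
            try:
                if ipaddress.ip_address(tok) in net:
                    leftovers.append((num, tok))  # old-range IP not in table
            except ValueError:
                pass  # e.g. 999.1.1.1 is not an address
        out.append(new)
    return "\n".join(out) + "\n", changed, leftovers

if __name__ == "__main__":
    _, changed, leftovers = migrate(SAMPLE_CONFIG, IP_MAP, OLD_NET)
    for num, old, new in changed:
        print(f"line {num}: {old}  ->  {new}")
    for num, ip in leftovers:
        print(f"line {num}: {ip} is in {OLD_NET} but has no new address")
```

In this sample the standby address and the default-route next hop sit in the old block but are missing from the table, which is the kind of gap the leftover list is there to catch before the cutover.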