ISP Migration with ASA 5510 and external router?

jplowick3
Level 1

My company (in healthcare) is going to be changing ISPs for our internet connectivity, and with this change comes a new external IP block. So I need a scheme to migrate all of my existing VPN tunnels and other items over to new IP addresses. We do have an external router, on which I plan on doing a route-map to handle which ISP the traffic should go to based on IP. My big concern is the ASA 5510. Can I set up a second outside interface on the new IP range? Then migrate my VPN tunnels over one-by-one? A drop-dead cutover date is just not possible with all of the external companies that I have to contact to get VPN tunnels updated. If it's not possible, we have in our budget to get another 5510 next year as a redundant unit. I may be able to get that early and just migrate from one firewall to another.

Thanks!

Joe P.

6 Replies

Riyasat Ali
Level 1

There is a way by which you can avoid the downtime of any VPN tunnel which is currently running.

You need to tell the external VPN customer to add one more IP in their crypto map for backup (the new IP which is provided by the ISP to you). So at the time when you change the IP on your firewall interface, their VPN will negotiate with the second IP, as the first IP would not be reachable.

Command for a backup IP in the crypto map:

crypto map vpn 10 set peer 1.1.1.1 2.2.2.2
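What the backup-peer change above looks like on the remote customer's ASA, written out as an added example rather than configuration taken from this thread. The object names, ACL name, transform set, the addresses (203.0.113.10 as the current outside IP, 198.51.100.10 as the new ISP's IP) and the ASA 8.4+ IKEv1 command syntax are all assumptions for illustration; on an ASA a site-to-site tunnel-group is looked up by peer address, so the new address needs its own tunnel-group as well as a place in the peer list.

```cisco
! Remote peer's ASA (constructed example, ASA 8.4+ IKEv1 syntax).
! 203.0.113.10 = current outside IP of the ASA being migrated (assumed)
! 198.51.100.10 = the address the new ISP assigns it (assumed)
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.0.0
object network PARTNER_LAN
 subnet 10.2.0.0 255.255.0.0
access-list L2L_PARTNER extended permit ip object LOCAL_LAN object PARTNER_LAN

crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac

! Two peers on one crypto map entry: the ASA negotiates with 203.0.113.10
! first and moves to 198.51.100.10 when the first address stops answering.
crypto map outside_map 10 match address L2L_PARTNER
crypto map outside_map 10 set peer 203.0.113.10 198.51.100.10
crypto map outside_map 10 set ikev1 transform-set AES256-SHA
crypto map outside_map interface outside
crypto ikev1 enable outside

! L2L tunnel-groups are keyed by peer address, so the new address needs
! its own group with the same pre-shared key, or IKE with the new peer
! fails authentication even though it is listed in the crypto map.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <shared-secret>
```

The placeholder `<shared-secret>` stands for the key already agreed with the partner; the crypto ACL, policy and transform set do not change for the migration, only the peer list and the second tunnel-group are new. Once the old address has been retired, the first peer and its tunnel-group can be removed so the remote side no longer attempts the dead address first.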

Hi Joe,

Your best bet is to get that second ASA firewall and use it for your second ISP to migrate your VPN tunnels; that way you have your primary ISP ASA running regular IPsec tunnel traffic etc. while you migrate your L2L tunnels one at a time to the other ASA firewall. Assuming both of your ISPs are giving you Ethernet handoffs for internet, place a switch in front of your TWO firewalls to cross-connect your two ISP circuits to respective L2 VLANs on that external switch and the ASA outside interfaces respectively. Have both ASA firewalls running in parallel.

As for your route maps, sure... but I would use that router you have in mind inside your LAN, facing the inside interfaces of each firewall/respective VLANs. Then you can do PBR whichever way you want from that point.

Good luck

Regards

Jorge Rodriguez

ju_mobile
Level 1

Joe,

If your internal IPs are staying the same, and so are the external networks that you're connecting to, then...

Add an additional interface to your ASA.

Add a route based on IP SLA to route to your destination.

When your peers are ready, change your route metric.

In theory/practice your VPN peers need to change their configuration. You only need to change your route on the ASA for which interface to use. Ideally your peers will create a secondary VPN using your new address, and when ready you only need to make a minor routing change.

Best Regards

Ju

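The three steps in the reply above (second interface, SLA-tracked routes, per-peer routing change) as one worked ASA configuration, added here as an example and not taken from this thread. Interface names, addresses (old ISP on `outside` 203.0.113.0/24, new ISP on `outside2` 198.51.100.0/24, one partner peer at 192.0.2.50), object names and the ASA 8.4+ syntax are assumptions. The point it shows is that the ASA picks the interface a tunnel leaves from by looking up the route to the peer address, so a /32 route per peer is what moves one tunnel at a time.

```cisco
! ASA being migrated (constructed example, ASA 8.4+ syntax, addresses assumed).
! outside  = old ISP, 203.0.113.10/24, gateway 203.0.113.1
! outside2 = new ISP, 198.51.100.10/24, gateway 198.51.100.1
interface Ethernet0/1
 nameif outside2
 security-level 0
 ip address 198.51.100.10 255.255.255.0

! Apply the same crypto map set to both outside interfaces and enable IKE
! on both, so a peer can terminate on whichever interface routes to it.
crypto map outside_map interface outside
crypto map outside_map interface outside2
crypto ikev1 enable outside
crypto ikev1 enable outside2

! Identity NAT for the tunnel traffic on the new interface as well, so the
! VPN subnets are not caught by the internet PAT on outside2.
object network INSIDE_LAN
 subnet 10.2.0.0 255.255.0.0
object network PEER_A_LAN
 subnet 10.1.0.0 255.255.0.0
nat (inside,outside2) source static INSIDE_LAN INSIDE_LAN destination static PEER_A_LAN PEER_A_LAN no-proxy-arp route-lookup

! Default route stays on the old ISP and is tracked; the outside2 default is
! a floating route (metric 254) that only takes over if the track fails.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.1 254

! Per-peer migration: once peer A has added 198.51.100.10 on its side,
! a host route for the peer address sends its IKE/IPsec out outside2.
! Peers without such a route keep following the default via the old ISP.
route outside2 192.0.2.50 255.255.255.255 198.51.100.1 1

! Reachability probe behind track 1 for the old ISP default route.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
```

After adding a peer's host route, the existing security associations still belong to the old interface; clearing them for that peer (`clear crypto ikev1 sa 192.0.2.50` and `clear crypto ipsec sa peer 192.0.2.50`) forces a fresh negotiation from 198.51.100.10, which is the moment to confirm with the partner that their side accepted the new address. When every peer has its /32 the default route can be swapped to outside2 and the old interface retired.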

I realize this is an old thread, but I am in the exact same situation you described.  How did you end up switching things over?

thanks,

Jsharkey

We ended up purchasing a second ASA and moving the config over to it along with the tunnels, one-by-one.  The original ASA was then re-purposed for a different task.

geloangelo00
Level 1

Hi,

It would be best to purchase an X-series firewall with a 9.5 base version for you to use Policy Based Routing. You can also add another ASA firewall as your secondary unit.

Regards,

Angelo
