11-27-2012 12:24 PM - edited 03-11-2019 05:28 PM
My company (in healthcare) is going to be changing ISPs for our internet connectivity, and with this change comes a new external IP block. So I need a scheme to migrate all of my existing VPN tunnels and other items over to new IP addresses. We do have an external router, on which I plan on doing a route-map to handle which ISP traffic should go to, based on IP. My big concern is the ASA 5510. Can I set up a second outside interface on the new IP range? Then migrate my VPN tunnels over one by one? A drop-dead cutover date is just not possible with all of the external companies that I have to contact to get VPN tunnels updated. If it's not possible, we have in our budget to get another 5510 next year as a redundant unit. I may be able to get that early and just migrate from one firewall to another.
Thanks!
Joe P.
11-28-2012 04:40 AM
There is a way to avoid downtime on any VPN tunnel that is currently running.
You need to tell the external VPN customer to add one more IP to their crypto map as a backup (the new IP provided to you by the ISP). Then, when you change the IP on your firewall interface, their VPN will negotiate with the second IP, as the first IP will no longer be reachable.
Command for a backup IP in the crypto map:
crypto map vpn 10 set peer 1.1.1.1 2.2.2.2
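Spelled out as an added example (not configuration from the thread or from Cisco documentation), this is what the remote partner's side looks like before and after the extra peer is added, on an ASA running IKEv1 L2L with a pre-shared key. The crypto map name, ACL name, transform-set name and the two addresses (203.0.113.10 for Joe's current outside IP, 198.51.100.10 for the new one, both documentation-range placeholders) are assumptions; pre-8.4 ASAs use `pre-shared-key` and `set transform-set` without the `ikev1` keyword.

```cisco
! Remote partner's ASA (IKEv1 L2L, PSK). Added example, not from the thread.
! 203.0.113.10 = Joe's old outside IP, 198.51.100.10 = Joe's new outside IP.
! All names and addresses are assumed placeholders.
!
! Before: a single peer. If Joe's old address goes away, the tunnel is down.
crypto map outside_map 10 match address ACL_TO_JOE
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES-SHA
!
! After: list both addresses. Re-issuing "set peer" replaces the previous list.
! The ASA tries the peers in the order given and moves to the next one only
! when the current peer does not answer IKE, so the old address stays first
! until Joe actually cuts over.
crypto map outside_map 10 set peer 203.0.113.10 198.51.100.10
!
! Each peer address needs its own L2L tunnel-group; without one for the new
! address, an IKE proposal arriving from 198.51.100.10 has no matching
! tunnel-group and Phase 1 fails even though the crypto map lists the peer.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <same-key-as-before>
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <same-key-as-before>
!
! Clean-up once the old ISP circuit is gone: drop the dead address from the
! peer list and remove its tunnel-group so every rekey does not first wait
! for a retry against an address that will never answer.
crypto map outside_map 10 set peer 198.51.100.10
clear configure tunnel-group 203.0.113.10
```

Two caveats worth checking with each partner before the change window: the peer list only helps when that partner's ASA is the one initiating, and a peer that has an existing SA to the old address keeps using it until the SA expires or is cleared (`clear crypto ikev1 sa 203.0.113.10` on 8.4 and later, `clear crypto isakmp sa` on older code), so the "negotiate with the second IP" behaviour shows up on the next rekey, not instantly.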
11-28-2012 01:35 PM
Hi Joe,
Your best bet is to get that second ASA firewall and use it for your second ISP to migrate your VPN tunnels; that way you have your primary ISP ASA running regular IPsec tunnel traffic etc. while you migrate your L2L tunnels one at a time to the other ASA firewall. Assuming both of your ISPs are giving you Ethernet handoffs for internet, place a switch in front of your two firewalls to cross-connect your two ISP circuits to their respective L2 VLANs on that external switch and the respective ASA outside interfaces. Have both ASA firewalls running in parallel.
As for your route maps, sure... but I would use that router you have in mind inside your LAN, facing the inside interfaces of each firewall/respective VLANs. Then you can do PBR whichever way you want from that point.
Good luck
Regards
11-28-2012 01:51 PM
Joe,
If your internal IPs are staying the same, and so are the external networks that you're connecting to, then...
Add an additional interface to your ASA.
Add a route based on IP SLA to route to your destination.
When your peers are ready, change your route metric.
In theory/practice your VPN peers need to change their configuration. You only need to change your route on the ASA to select which interface. Ideally your peers will create a secondary VPN using your new address, and when ready you only need to make a minor routing change.
Best Regards
Ju
Sent from Cisco Technical Support iPad App
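The steps above (second outside interface, an IP SLA-tracked route, then a metric change at cutover) written out as one configuration for Joe's side, as an added example that is not from the thread. It uses 8.4-style syntax; the interface names, addresses, SLA target, crypto map name and the partner peer address 192.0.2.50 are all assumptions. It also goes one step further than the post: because the ASA picks the egress interface by routing rather than by policy (no PBR on the 5510), a host route for a single partner's peer address is what lets one tunnel be moved to the new ISP while the rest stay on the old one.

```cisco
! Joe's ASA 5510, 8.4-style syntax. Added example; names, addresses and the
! SLA target are assumed placeholders, not values from the thread.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
interface Ethernet0/2
 nameif outside2
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
! Track the old ISP's gateway. While it answers, the metric-1 default route
! wins; if it stops answering, the floating route via outside2 takes over.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.9 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside  0.0.0.0 0.0.0.0 203.0.113.9 1 track 1
route outside2 0.0.0.0 0.0.0.0 198.51.100.9 254
!
! IKE and the same crypto map on both interfaces, so a tunnel can be built
! from whichever interface the routing table currently sends the peer out of.
! The partner's tunnel-group and crypto ACL on this side do not change, since
! the partner's address stays the same.
crypto ikev1 enable outside
crypto ikev1 enable outside2
crypto map outside_map interface outside
crypto map outside_map interface outside2
!
! Migrating ONE partner (peer 192.0.2.50) once they have added 198.51.100.10
! as a backup peer: a host route forces only that peer out of outside2, then
! clear the SA so the tunnel is rebuilt from the new address instead of
! waiting for the next rekey. Everything else still leaves via outside.
route outside2 192.0.2.50 255.255.255.255 198.51.100.9 1
clear crypto ikev1 sa 192.0.2.50
!
! Final cutover, after every partner has been moved: swap the default-route
! metrics and the per-peer host routes become redundant.
no route outside 0.0.0.0 0.0.0.0 203.0.113.9 1 track 1
no route outside2 0.0.0.0 0.0.0.0 198.51.100.9 254
route outside2 0.0.0.0 0.0.0.0 198.51.100.9 1
route outside  0.0.0.0 0.0.0.0 203.0.113.9 254
```

Verify each move with `show crypto ikev1 sa` (the local address in the SA should now be 198.51.100.10) and `show route` (the host route must show as the longest match for that peer). On code older than 8.4 the equivalents are `crypto isakmp enable`, `clear crypto isakmp sa` and `show crypto isakmp sa`.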
02-11-2016 06:44 AM
I realize this is an old thread, but I am in the exact same situation you described. How did you end up switching things over?
thanks,
Jsharkey
02-16-2016 11:34 AM
We ended up purchasing a second ASA and moving the config over to it along with the tunnels, one-by-one. The original ASA was then re-purposed for a different task.
02-11-2016 06:20 PM
Hi,
It would be best to purchase an X-series firewall with a 9.5 base version so you can use policy-based routing. You can also add another ASA firewall as your secondary unit.
Regards,
Angelo