Site-to-Site VPN connection broken after adding a new outside interface
I've an ASA5506 previously configured with one outside interface. This interface is used for both internet for employees and Site-to-Site VPN for external companies...
The ISP is renewing its equipment and added a new modem/circuit before removing the old one.
I then configured a new external interface to be able to migrate all VPN connections one by one, but I am facing an issue.
My idea was to keep the 2 interfaces active and first migrate internet access to the new line and then migrate the S2S VPNs one by one, then once validated remove the old connection.
So I created a new route for the 0.0.0.0 traffic to go through the new interface but with a lower Metric "2", then I changed the "outside" Metric to "3" in order to redirect the internet traffic to the new interface.
... and it worked fine! Except that all the VPN-connected companies lost access to our internal network (oops!). I reverted the route metric ASAP and didn't have time to investigate/troubleshoot the problem. Of course, now I am a bit afraid of going any further with new changes.
Re: Site-to-Site VPN connection broken after adding a new outside interface
How are your VPNs configured? Policy Based / Route Based?
Did you add static routes for each of the remote VPN endpoints and point them out your "old" Internet pipe?
From the info you have provided all Internet traffic will be going out the new Interface, including the routing of the remote VPN Public IPs. There may not be any crypto binding on this new interface etc.
ACLs and NATs are other areas you may want to look at also as part of the wider picture.
If you could share the config it might help in advising further.
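The routing point raised in the reply above can be checked offline against a saved configuration before changing any metric. The following is an added example, not part of the original thread: it resolves each crypto map peer against the static routes (longest prefix first, then lowest distance) and reports peers whose traffic would leave through an interface the crypto map is not bound to. The interface name `outside_new`, the crypto map name `VPN_MAP` and all addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample config (documentation addresses; "outside_new" and "VPN_MAP" are assumed names).
SAMPLE_CONFIG = """\
route outside_new 0.0.0.0 0.0.0.0 198.51.100.1 2
route outside 0.0.0.0 0.0.0.0 203.0.113.1 3
route outside 192.0.2.10 255.255.255.255 203.0.113.1 1
crypto map VPN_MAP 10 set peer 192.0.2.10
crypto map VPN_MAP 20 set peer 192.0.2.20
crypto map VPN_MAP interface outside
"""

ROUTE_RE = re.compile(r"^route (\S+) (\S+) (\S+) (\S+)(?: (\d+))?", re.M)
PEER_RE = re.compile(r"^crypto map (\S+) \d+ set peer (.+)$", re.M)
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)", re.M)


def parse_routes(config):
    """Return (network, distance, interface) for each static route line."""
    routes = []
    for ifname, dest, mask, _gw, dist in ROUTE_RE.findall(config):
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, int(dist or 1), ifname))  # distance defaults to 1
    return routes


def egress_interface(routes, peer):
    """Longest prefix wins; among equal prefixes the lowest distance wins."""
    addr = ipaddress.ip_address(peer)
    matches = [r for r in routes if addr in r[0]]
    return min(matches, key=lambda r: (-r[0].prefixlen, r[1]))[2] if matches else None


def misrouted_peers(config):
    """List (peer, crypto map interfaces, egress interface) mismatches."""
    routes = parse_routes(config)
    bound = {}
    for name, ifname in BIND_RE.findall(config):
        bound.setdefault(name, set()).add(ifname)
    problems = []
    for name, peers in PEER_RE.findall(config):
        for peer in peers.split():
            out = egress_interface(routes, peer)
            if out not in bound.get(name, set()):
                problems.append((peer, sorted(bound.get(name, set())), out))
    return problems
```

On the sample, peer 192.0.2.10 keeps its host route via `outside`, while 192.0.2.20 follows the new default route out `outside_new`, where the crypto map is not applied.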