Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1548
Views
0
Helpful
7
Replies

ASA ISP Migration

807119
Level 1
Level 1

‎11-13-2018 04:31 PM

I have a remote ASA setup with multiple sites tunneled back to it. The ASA in question is a main hub for our company and they are changing ISPs. I need to avoid downtime and be able to transition the sites over to the new IPs as time allows. This is what I would like to do.

 

ISP1------(outside)ASA(outside2)------ISP2

 

1.) Configure a second outside interface (outside2) with the new ISP IP and enable it

2.) Add a default route with a higher priority using the new ISP so the old route stays active

3.) Copy all of the old ACLs and NAT rules and add in the new outside interface while leaving the old rules in place during the transition.

4.) Log into each of the remote sites individually and add a peer for the new ISP, test then remove the old tunnel group

5.) Remove the old ISP config and default route from the main ASA

 

Is this possible? I am fairly new to ASAs and the Cisco community but I will provide any information I can, thank you

Labels:
0 Helpful
7 Replies 7

Deepak Kumar
VIP Alumni
VIP Alumni

‎11-13-2018 08:44 PM

Hi,

If your VPN tunnels are configured for failover than it is possible. If you are not sure then try to shut down ISP port and check that all VPN tunnels failover is working or not. If it is working then you can go ahead. 

 

But if it is not working then check for failover configuration. Try everything in the Downtime or after office hrs.

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

807119
Level 1
Level 1
In response to Deepak Kumar

‎11-14-2018 07:49 AM

I'm not looking for failover in this case. I would like to have both ISPs active at the same time on the ASA. I've read conflicting information if this is possible. 

I need to have both connections active at the same time so I can transition the remote site's tunnels to the new IP without taking the first ISP offline.

0 Helpful

Deepak Kumar
VIP Alumni
VIP Alumni
In response to 807119

‎11-14-2018 07:51 AM

Hi,
Sorry, I am not talking about your ISP failover. I am talking about your VPN connections.
Regards,
Deepak Kumar
Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!
0 Helpful

807119
Level 1
Level 1
In response to Deepak Kumar

‎11-14-2018 09:41 AM

I think I understand what you are saying.

1.) Add a peer to the remote sites and a new tunnel group so they can fail over

2.) Configure the main ASA with the new ISP Information.

3.) Disable the old ISP interface and let all of the sites failover to the new IP

 

Is this correct?

0 Helpful

Martin Carr
Level 4
Level 4

‎11-14-2018 01:41 PM

This plan sounds reasonable, however I would add the following.

Copying the NAT rules will not work, for example the overload will be configured for the outside interface so this will need reconfiguring, you also need to consider any external access you may have.

Also the translations will be broken, it's inevitable there will be downtime, although in this case it will be minimal.

Martin

0 Helpful

807119
Level 1
Level 1
In response to Martin Carr

‎11-14-2018 02:08 PM

Thank you for the reply. Is it possible to have both sets of nat rules and the 2 outside interfaces work at the same time temporarily so the sites can be transitioned over several days?

0 Helpful

Martin Carr
Level 4
Level 4
In response to 807119

‎11-17-2018 04:09 PM

I don't believe dual active ISP's is possible, due to the fact of one active default route being present.

 

Martin

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card