ASA ISP Migration

807119
Level 1

I have a remote ASA setup with multiple sites tunneled back to it. The ASA in question is a main hub for our company and they are changing ISPs. I need to avoid downtime and be able to transition the sites over to the new IPs as time allows. This is what I would like to do.


ISP1------(outside)ASA(outside2)------ISP2


1.) Configure a second outside interface (outside2) with the new ISP IP and enable it

2.) Add a default route with a higher priority using the new ISP so the old route stays active

3.) Copy all of the old ACLs and NAT rules and add in the new outside interface while leaving the old rules in place during the transition.

4.) Log into each of the remote sites individually and add a peer for the new ISP, test then remove the old tunnel group

5.) Remove the old ISP config and default route from the main ASA


Is this possible? I am fairly new to ASAs and the Cisco community but I will provide any information I can, thank you
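As an added illustration of steps 1, 2 and 4 of the plan above (this is example configuration written for this reply, not anything posted in the thread; the interface name, the addresses from the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 documentation ranges, the ACL, transform-set, crypto map and tunnel-group names are all assumed placeholders), the hub and one remote site would look roughly like this on an ASA 8.3+ image:

```cisco
! ===== Hub ASA =====
! Step 1: bring up the new ISP on a second outside interface
interface GigabitEthernet0/2
 nameif outside2
 security-level 0
 ip address 203.0.113.10 255.255.255.248      ! constructed: address from ISP2
 no shutdown
!
! Step 2: keep the old default route preferred (administrative distance 1) and add
! the new one as a floating static route (AD 254). The ASA installs only one default
! route at a time, so outside2 does not carry outbound traffic until the outside
! route is withdrawn (step 5) or the outside interface goes down.
route outside  0.0.0.0 0.0.0.0 198.51.100.1 1
route outside2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Step 4 (hub side): allow IKE on the new interface and bind a crypto map to it.
! The existing tunnel-group is keyed on the remote peer's address, so it is reused.
crypto ikev1 enable outside2
crypto map outside2_map 10 match address SITE-A-TRAFFIC
crypto map outside2_map 10 set peer 192.0.2.20
crypto map outside2_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside2_map interface outside2
!
! ===== Remote site ASA (192.0.2.20) =====
! Step 4: a tunnel-group for the hub's new address, then list both hub addresses as
! peers. The ASA tries them in order, so the tunnel moves to 203.0.113.10 once
! 198.51.100.10 stops answering, and the old entry can be dropped afterwards.
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-PLACEHOLDER>
!
crypto map outside_map 10 set peer 198.51.100.10 203.0.113.10
!
! Step 5, hub side, when every site has been moved:
!   no route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!   clear configure crypto map outside_map
! and on each remote site, once it is on the new peer:
!   crypto map outside_map 10 set peer 203.0.113.10
!   clear configure tunnel-group 198.51.100.10
!
! Checks worth running before and after each change:
!   show route                       (confirm which default route is installed)
!   show crypto ikev1 sa             (which peer address each tunnel is using)
!   show crypto ipsec sa peer 192.0.2.20
```

Two caveats that follow from the commands themselves: the floating route means the hub's own outbound path only changes when the outside route is removed, so the hub-side cutover is still a discrete event and belongs in a maintenance window; and a second peer on the remote side only helps if that site's own crypto map and tunnel-group pre-shared key are in place before the hub's old address disappears.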

7 Replies

Deepak Kumar
VIP Alumni

Hi,

If your VPN tunnels are configured for failover, then it is possible. If you are not sure, try shutting down the ISP port and check whether failover of all the VPN tunnels is working. If it is working, then you can go ahead.


But if it is not working, then check the failover configuration. Try everything during downtime or after office hours.


Regards,
Deepak Kumar

Don't forget to vote and accept the solution if this comment will help you!

I'm not looking for failover in this case. I would like to have both ISPs active at the same time on the ASA. I've read conflicting information on whether this is possible.

I need to have both connections active at the same time so I can transition the remote site's tunnels to the new IP without taking the first ISP offline.

Hi,
Sorry, I am not talking about your ISP failover. I am talking about your VPN connections.
Regards,
Deepak Kumar

Don't forget to vote and accept the solution if this comment will help you!

I think I understand what you are saying.

1.) Add a peer to the remote sites and a new tunnel group so they can fail over

2.) Configure the main ASA with the new ISP Information.

3.) Disable the old ISP interface and let all of the sites failover to the new IP


Is this correct?

Martin Carr
Level 4

This plan sounds reasonable, however I would add the following.

Copying the NAT rules will not work; for example, the overload will be configured for the outside interface, so this will need reconfiguring. You also need to consider any external access you may have.

Also, the translations will be broken; it's inevitable there will be downtime, although in this case it will be minimal.

Martin
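To make the NAT point in the reply above concrete, here is an added example (written for this thread, not taken from any post in it; every object name and address is an assumed placeholder from the documentation ranges) contrasting the existing ISP1 rules on the hub with what the new outside2 interface needs. It shows why the rules cannot simply be duplicated and what "external access" means in practice:

```cisco
! Existing dynamic PAT on the hub: an object NAT rule tied to the "outside" interface.
! "interface" here means the mapped interface named in the rule, so copying the line
! unchanged would still translate to the ISP1 address.
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
!
! An object can carry only one object NAT rule, so the outside2 version cannot be a
! second "nat" line under INSIDE-NET. A twice (manual) NAT rule covers the new path:
nat (inside,outside2) source dynamic INSIDE-NET interface
!
! External access: a published server has a static rule on the ISP1 address ...
object network WEB-SERVER
 host 10.10.1.25
 nat (inside,outside) static 198.51.100.25
!
! ... and needs a separate mapped object on the ISP2 range, plus the inbound ACL
! applied to outside2 as well (post-8.3 ACLs reference the real address).
object network WEB-SERVER-ISP2
 host 203.0.113.25
nat (inside,outside2) source static WEB-SERVER WEB-SERVER-ISP2
!
access-list OUTSIDE2_IN extended permit tcp any object WEB-SERVER eq 443
access-group OUTSIDE2_IN in interface outside2
!
! Verification: confirm the order and hit counts of the rules the ASA actually
! applies, and expect existing translations to be torn down when the active
! default route moves, which is the brief outage mentioned above.
show nat detail
show xlate
```

DNS records for the published server also have to change to the 203.0.113.25 address at the point the route moves; the ASA side of the rule can be staged in advance, but sessions in the translation table at cutover time are still lost.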

Thank you for the reply. Is it possible to have both sets of nat rules and the 2 outside interfaces work at the same time temporarily so the sites can be transitioned over several days?

I don't believe dual active ISPs is possible, due to the fact that only one default route can be active.


Martin
