08-19-2019 02:58 AM
Hi
We are using an HA pair of ASA 5516-X firewalls running software version 9.8.
We are looking to migrate over to a new internet connection with a bigger subnet.
Currently we have a few IPsec VPNs, some NATed services with inbound access, and normal outbound traffic.
I am planning to configure a second outside interface for the new circuit, then move the default route to the new circuit, which moves our outbound traffic over, and also migrate the NATs to the new IP addressing and update the DNS.
However, I want to keep routing the IPsec VPNs via the old internet connection and migrate these one at a time as and when the third parties are available to update the IPs at their end. Maybe I will even keep the NATs on the old connection and migrate these over service by service.
My question is
Will a static route for the VPN destinations with the next hop of the old internet connection be enough to keep the VPNs on the old connection, so that I can then remove the static routes one by one as I migrate each VPN to the new internet connection?
In regards to NATs, how do I keep a NAT on the old internet connection and migrate them over individually, so that I can move each service and test it properly? Do the NATs require any routes, or will the DNS changes be enough?
Any other advice from your previous experience will also be really appreciated.
Thanks
Solved!
08-19-2019 06:59 AM - edited 08-19-2019 07:00 AM
Hello Mokhali82,
I haven't tried the proposed configuration on an ASA, but if policy routing is supported you should be able to keep using the existing old NAT statements by making traffic sourced from their internal private addresses exit the old outside interface.
Hope to help
Giuseppe
08-19-2019 10:27 AM
I worked with a customer who had an ASA with site-to-site VPNs using one outbound interface and a default route for non-VPN traffic using a different outbound interface. It worked fine. Note that as you begin to use the new interface's default route, you need a static route for the remote VPN peer LAN as well as a static route for the remote peer's peering address, both using the old interface.
As you begin to migrate site-to-site VPNs, you will want to configure a new crypto map, assign that new crypto map to the new interface and activate it, and also enable ISAKMP on the new interface. As you migrate a VPN, you will configure new entries in the new map and configure a new tunnel for the peer. Then shift the static routes from the old interface to the new interface. After the new VPN is running, you can remove the config for the old VPN for that site.
HTH
Rick
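The route pinning and crypto-map steps Rick describes, written out as ASA 9.8 CLI. This is an added example, not configuration from the thread: the interface names (outside, outside-new), the next hops 203.0.113.1 and 198.51.100.1, the peer 192.0.2.10, the LANs 10.1.0.0/16 and 10.20.0.0/16, the ACL, transform-set and map names are all assumptions. Comments (lines starting with !) mark the verification commands to run before the old entry is removed.

```cisco
! Added example (not from the thread). All names and addresses are assumptions:
!   old circuit: nameif outside,     next hop 203.0.113.1
!   new circuit: nameif outside-new, next hop 198.51.100.1
!   remote peer 192.0.2.10, remote LAN 10.20.0.0/16, local LAN 10.1.0.0/16
!   existing crypto map on the old interface is assumed to be called OLDMAP

! 1. Move the default route to the new circuit; all unpinned outbound traffic follows it
no route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside-new 0.0.0.0 0.0.0.0 198.51.100.1 1

! 2. Pin a not-yet-migrated tunnel to the old circuit. Both the peer address
!    and the remote LAN need a more specific route out "outside"; otherwise the
!    new default route sends them to outside-new, where no crypto map entry
!    matches and the traffic leaves in the clear or is dropped.
route outside 192.0.2.10 255.255.255.255 203.0.113.1 1
route outside 10.20.0.0 255.255.0.0 203.0.113.1 1

! 3. Prepare the new interface for VPN termination: IKE listener plus a
!    second crypto map bound to it (the ASA allows one crypto map per interface)
crypto ikev1 enable outside-new
crypto map NEWMAP interface outside-new

! 4. When the peer has switched to the new public address, add the tunnel to
!    NEWMAP with the same crypto ACL and transform set as the OLDMAP entry.
!    The tunnel-group for 192.0.2.10 and its pre-shared key are reused unchanged.
access-list VPN-SITEA extended permit ip 10.1.0.0 255.255.0.0 10.20.0.0 255.255.0.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map NEWMAP 10 match address VPN-SITEA
crypto map NEWMAP 10 set peer 192.0.2.10
crypto map NEWMAP 10 set ikev1 transform-set ESP-AES256-SHA

! 5. Remove the pinning routes; peer and remote LAN now follow the default
!    route out outside-new and hit NEWMAP
no route outside 192.0.2.10 255.255.255.255 203.0.113.1 1
no route outside 10.20.0.0 255.255.0.0 203.0.113.1 1

! 6. Verify the new SA exists and that interesting traffic is routed to the
!    new interface, then retire the old map entry
! show crypto ikev1 sa
! show crypto ipsec sa peer 192.0.2.10
! packet-tracer input inside icmp 10.1.0.10 8 0 10.20.0.10
no crypto map OLDMAP 10
```

Step 2 is the part that is easy to miss: a route for the remote LAN alone is not enough, because IKE itself is sourced from the interface the route to the peer address points at, and the two routes must agree on the old interface for the tunnel to stay up.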
08-19-2019 04:24 AM
Hello,
>> Will a static route for the VPN destinations with the next hop of the old internet be enough to keep the VPNs via the old internet connection, and then remove certain static routes for VPNs as I migrate each to the new internet connection.
Yes, because the most specific route is preferred, as on routers.
About the second point:
Once you move the default route to the new link, you are going to exit from there and new NAT rules are needed.
However, let's wait for a more qualified answer about this.
On a router you could use PBR to force selected internal addresses to go out the old link and to use the old NAT rules.
PBR should be supported on the ASA as well.
Hope to help
Giuseppe
08-19-2019 06:48 AM
That makes sense, Giuseppe, thank you for the advice. So for the VPNs, because they terminate on the outside interface, a static route via the next hop of the existing outside interface is fine until I get round to migrating the VPNs.
So with the NATs, I know the ASA supports policy routing, so would I be right in using policy routing to route individual IPs that have an associated NAT via the old outside interface (from source x.x.x.x to destination any, port any, then next hop = x.x.x.x), and then remove the policy route as and when I have configured the new NAT on the new IP addressing and updated the associated DNS?
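The policy-routing approach discussed in the two posts above, as an added ASA 9.8 example that is not from the thread. The inside interface GigabitEthernet1/2, the server 10.1.1.50, the old next hop 203.0.113.1, the mapped addresses 203.0.113.50 and 198.51.100.50 and all object, ACL and route-map names are assumptions. Two points worth keeping in mind: inbound connections to the old public address return through the interface they arrived on because the ASA tracks connections, so PBR only matters for connections the server itself initiates; and the ASA has two inputs into the egress decision for a NATed host (the interface pair in the NAT rule and the route-map), so the packet-tracer check at the end is not optional.

```cisco
! Added example (not from the thread). Assumptions:
!   inside interface GigabitEthernet1/2 (nameif inside), old circuit next hop 203.0.113.1
!   web server 10.1.1.50 is already published on the old range by object NAT:
!     object network WEB-OLD
!      host 10.1.1.50
!      nat (inside,outside) static 203.0.113.50

! Policy-based routing on the ASA (available from 9.4) is applied on the
! ingress interface: match the real (pre-NAT) source, set the old ISP as next hop
access-list PBR-OLD-NAT extended permit ip host 10.1.1.50 any
route-map PBR-OLD-ISP permit 10
 match ip address PBR-OLD-NAT
 set ip next-hop 203.0.113.1
interface GigabitEthernet1/2
 policy-route route-map PBR-OLD-ISP

! Check that a server-initiated flow still leaves via outside with the old
! translation; packet-tracer shows the route-map phase, the NAT phase and
! the chosen egress interface in order
! packet-tracer input inside tcp 10.1.1.50 443 8.8.8.8 40000
! show route-map PBR-OLD-ISP
! show nat detail

! Migrating this one service: publish it on the new range first, update DNS,
! then drop the host from the PBR ACL so it follows the default route out
! outside-new, and clear its existing translations so nothing stays pinned
object network WEB-NEW
 host 10.1.1.50
 nat (inside,outside-new) static 198.51.100.50
! no access-list PBR-OLD-NAT extended permit ip host 10.1.1.50 any
! clear xlate local 10.1.1.50
! Leave WEB-OLD in place until the old DNS record has aged out, then remove it.
```

Keeping both static NAT objects for the same host during the overlap is what lets the old and new public addresses answer at the same time; the ACL line in the route-map is the single switch that moves the host's outbound traffic, so it is also the line to put back if the test on the new range fails.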