Cisco ASA - Internet Migrate VPN Routing

Mokhalil82 (Level 4)

Hi

We are using an HA pair of 5516X firewalls running software version 9.8.

We are looking to migrate over to a new internet connection with a bigger subnet.

Currently we have a few IPsec VPNs, some NATed services with inbound access, and normal outbound traffic.

 

I am planning to configure a second outside interface for the new circuit and then move the default route to the new circuit, which moves over our outbound traffic, and also migrate the NATs over to the new IP addressing and update the DNS.

However, I want to keep routing the IPsec VPNs via the old internet and migrate these one at a time as and when the 3rd parties are available to update the IPs at their end. Maybe even keep the NATs on the old one and migrate these over based on services.

 

My question is:

Will a static route for the VPN destinations with the next hop of the old internet be enough to keep the VPNs via the old internet connection, and then remove certain static routes for VPNs as I migrate each to the new internet connection?

In regards to NATs, how do I keep the NAT on the old internet and migrate over individually to allow me to move over and test the service properly? Do the NATs require any routes, or will the DNS changes be enough?

Also, any other advice from your previous experiences will be really appreciated.

 

Thanks

4 Replies

Giuseppe Larosa (Hall of Fame)

Hello,

>> Will a static route for the VPN destinations with the next hop of the old internet be enough to keep the VPNs via the old internet connection, and then remove certain static routes for VPNs as I migrate each to the new internet connection?

Yes, because the most specific routes are preferred, as on routers.

About the second point:

Once you move the default route to the new link you are going to exit from there, and new NAT rules are needed.

However, let's wait for a more qualified answer about this.

On a router you could use PBR to force selected internal addresses to go out the old link and to use the old NAT rules.

PBR should also be supported on the ASA.

 

Hope to help

Giuseppe
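Giuseppe's two points, more-specific static routes winning over the default for the VPN destinations and PBR to keep hosts with old NAT rules leaving the old circuit, written out as ASA configuration. This is an added example, not configuration from the thread or from Cisco; the interface names (outside_old, outside_new, inside), the RFC 5737 documentation addresses, the object, ACL and route-map names, and the port-443 service are all assumptions.

```cisco
! Added example (not from the thread). Assumed names and addresses:
!   outside_old  198.51.100.2/29, ISP gateway 198.51.100.1  (old circuit)
!   outside_new  192.0.2.2/28,    ISP gateway 192.0.2.1     (new circuit)
!   inside       10.1.0.0/16; 10.1.1.10 is a server with an existing static NAT
!   VPN peer 203.0.113.10 with remote LAN 172.16.50.0/24

! 1. Default route moves to the new circuit; ordinary outbound traffic follows it.
route outside_new 0.0.0.0 0.0.0.0 192.0.2.1 1

! 2. A host route for each VPN peer address and a route for each remote VPN LAN
!    stay on the old circuit. Being more specific than 0.0.0.0/0 they win the
!    lookup, so IKE/ESP to the peer and the encrypted traffic keep leaving outside_old.
route outside_old 203.0.113.10 255.255.255.255 198.51.100.1 1
route outside_old 172.16.50.0 255.255.255.0 198.51.100.1 1

! 3. The existing static NAT stays bound to the old outside interface.
object network WEB_SRV_OLD
 host 10.1.1.10
 nat (inside,outside_old) static 198.51.100.10

! 4. PBR on the inside interface: traffic sourced by the NATed host is handed to the
!    old ISP gateway, so it still egresses outside_old and still matches the old
!    NAT rule. Internal and VPN destinations are denied in the match ACL so they
!    fall through to normal routing instead of being pushed to the old ISP.
access-list PBR_OLD_NAT extended deny ip host 10.1.1.10 10.0.0.0 255.0.0.0
access-list PBR_OLD_NAT extended deny ip host 10.1.1.10 172.16.50.0 255.255.255.0
access-list PBR_OLD_NAT extended permit ip host 10.1.1.10 any
route-map PBR_OLD permit 10
 match ip address PBR_OLD_NAT
 set ip next-hop 198.51.100.1
interface GigabitEthernet1/2
 nameif inside
 policy-route route-map PBR_OLD

! 5. When this service is migrated: add the NAT on the new circuit (a second object
!    for the same real host, assumed to be accepted because the mapped interface
!    differs), permit the service inbound on outside_new, update DNS, then remove
!    the host's permit from PBR_OLD_NAT so its outbound traffic follows the default
!    route and matches the new NAT rule instead.
object network WEB_SRV_NEW
 host 10.1.1.10
 nat (inside,outside_new) static 192.0.2.10
access-list OUTSIDE_NEW_IN extended permit tcp any host 10.1.1.10 eq 443
access-group OUTSIDE_NEW_IN in interface outside_new
! no access-list PBR_OLD_NAT extended permit ip host 10.1.1.10 any

! 6. Checks: confirm which egress interface and NAT rule a flow hits, before and
!    after each step (198.51.100.200 is a constructed internet destination).
packet-tracer input inside tcp 10.1.1.10 40000 198.51.100.200 443
show route
show nat detail
```

The deny entries at the top of the PBR ACL matter: a plain "source host, destination any" rule would also drag traffic for other internal subnets and for the VPN remote LAN to the old ISP gateway. Run packet-tracer for one host before and after removing its PBR entry and compare the NAT and route phases in the output; that is the quickest way to see that the old mapping is still in use while testing and that the new one takes over once the PBR entry is gone.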

 

That makes sense, Giuseppe, thank you for the advice. So for the VPNs, because they terminate on the outside interface, a static route to the next hop of the existing Outside interface is fine until I get round to migrating the VPNs.

So with the NATs, I know the ASA supports policy routing, so would I be right in using policy routing to route individual IPs that have an associated NAT via the old Outside interface (from source x.x.x.x to destination any, port any, then next hop = x.x.x.x), and then remove the policy route as and when I have configured the new NAT on the new IP addressing and updated the associated DNS?

 

 

Hello Mokhalil82,

I haven't tried the proposed configuration on ASA, but if policy routing is supported you should be able to keep using the existing old NAT statements by making traffic sourced from their internal private addresses exit the old outside interface.

 

Hope to help

Giuseppe

 

I worked with a customer who had an ASA with site-to-site VPN using one outbound interface and a default route for non-VPN traffic using a different outbound interface. It worked fine. Note that as you begin to use the new interface default route you need a static route for the remote VPN peer LAN as well as a static route for the remote peer peering address, both using the old interface.

As you begin to migrate site-to-site VPNs you will want to configure a new crypto map, assign that new crypto map to the new interface and activate it, as well as ISAKMP for the new interface. As you migrate a VPN you will configure new entries in the new map and configure new tunnels for the peer. Then shift the static routes from using the old interface to the new interface. After the new VPN is running you can remove the config for the old VPN for that site.

 

HTH

Rick
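Rick's per-site migration sequence as an added ASA configuration example; it is not configuration from the thread or from Cisco. Assumed: an existing crypto map OLDMAP on outside_old, IKEv1 with a pre-shared key, peer 203.0.113.10 with remote LAN 172.16.50.0/24, local LAN 10.1.0.0/16, new interface outside_new at 192.0.2.2 with gateway 192.0.2.1, and the names NEWMAP, VPN_SITE_A, ESP-AES256-SHA, LOCAL_LAN and SITE_A_LAN. The tunnel-group for the peer is reused because it is keyed on the peer address, not on an interface. One item the thread does not mention is added: NAT exemption is per interface pair, so the new path needs its own rule.

```cisco
! Added example (not from the thread). Assumed: OLDMAP already bound to outside_old,
! peer 203.0.113.10 (remote LAN 172.16.50.0/24), local LAN 10.1.0.0/16, IKEv1 PSK,
! outside_new 192.0.2.2 with gateway 192.0.2.1, outside_old gateway 198.51.100.1.

! Objects for the NAT exemption (assumed names).
object network LOCAL_LAN
 subnet 10.1.0.0 255.255.0.0
object network SITE_A_LAN
 subnet 172.16.50.0 255.255.255.0

! 1. One-time: enable IKEv1 on the new interface and bind a second crypto map to it.
!    OLDMAP stays on outside_old so the sites not yet migrated keep working.
crypto ikev1 enable outside_new
crypto map NEWMAP interface outside_new

! 2. Per site: a new entry in NEWMAP for the peer, with the same interesting-traffic
!    ACL and transform set as the old entry. The tunnel-group for 203.0.113.10 and
!    the global IKEv1 policy already exist and are reused.
access-list VPN_SITE_A extended permit ip 10.1.0.0 255.255.0.0 172.16.50.0 255.255.255.0
crypto map NEWMAP 10 match address VPN_SITE_A
crypto map NEWMAP 10 set peer 203.0.113.10
crypto map NEWMAP 10 set ikev1 transform-set ESP-AES256-SHA

!    NAT exemption is tied to the interface pair, so the existing (inside,outside_old)
!    rule does not cover the new path; without this the VPN traffic would be
!    translated on the way out of outside_new and the remote side would drop it.
nat (inside,outside_new) source static LOCAL_LAN LOCAL_LAN destination static SITE_A_LAN SITE_A_LAN no-proxy-arp route-lookup

! 3. When the third party has repointed their peer at 192.0.2.2: remove the two
!    old-circuit routes so both the peer address and the remote LAN now follow the
!    default route out outside_new, where NEWMAP is bound.
no route outside_old 203.0.113.10 255.255.255.255 198.51.100.1
no route outside_old 172.16.50.0 255.255.255.0 198.51.100.1

! 4. Confirm the tunnel has rebuilt on the new interface before touching old config.
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10

! 5. Only then drop the site's entry from the old map. The (inside,outside_old)
!    NAT exemption can go once no site still uses the old circuit.
clear configure crypto map OLDMAP 10
```

Keep the old-circuit routes in place until the remote side confirms the change, because the routes decide which interface, and therefore which crypto map, the IKE and ESP packets leave on. If the peer is still sending to 198.51.100.2 while the routes already point at outside_new, the tunnel will fail to negotiate; the show crypto commands in step 4 tell you which interface the SA actually came up on.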