Overview & Background

This blog is focused on the Cisco ASA 5500 Series Security Appliance. I have been working with Cisco products since their routers had IOS 11.0. The intention of this blog is to share technical information, tutorials, tips and configuration examples in a simple "how to" manner.

The Cisco ASA is the descendant of the older Cisco PIX series firewall, which became part of Cisco's portfolio when Cisco acquired Network Translation in 1995. In 2005, Cisco introduced the ASA, which combined the functionality of the PIX, VPN Concentrator, and IPS product lines. Through PIX OS release 7.x (codenamed Finesse) the PIX and the ASA used the same software images. Beginning with PIX OS version 8.x, the operating system code diverges, with the ASA using a Linux kernel.


Friday, February 19, 2010

Changing ISPs aka Remote Move of ASA

You have a remote site that is changing ISPs: perhaps it has grown and needs a bigger pipe, or perhaps you are just saving money by changing carriers. Regardless of the reason, there is an ASA at that site and your users are not IT. The users can move the Ethernet cable from provider one to provider two, but you have to make the changes to the ASA. The ASA is going to need three changes in order to function with the new provider:
  1. New IP Address / Subnet Mask on the outside interface
  2. Removal of old default route
  3. Addition of new default route
Faced with this challenge, I figured surely I am not the first person with remote ASAs that need to work on a new network. Hi ho, hi ho, off a-googling I go: found nothing, so I went to Wikipedia, NetPro, Cisco Wikipedia (huge disappointment) and even spoke with some fellow engineers. Had some ideas, but none of them worked; at last, left with no choice, I turned to the TAC.

Bad news: there is no way to accomplish this change without being on the inside of the ASA, so sayeth the TAC!

Dear Mr. Chambers, can you turn a battalion of your programmers to this task? Want to know how important it is? Come, let's talk someone through the above three steps..... Thank you John! I can call you John, can't I?

3 comments:

  1. How about setting up the new ISP on a DMZ interface with security at, say, 1 or so? Then set a more specific route for your source address (surely you have more than one IP you can connect from) to go out the DMZ interface. When that is up and running, connect with SSH in through that interface and remove the original interface config.

  2. I'm running into this today. Can you not add another default route with a higher admin distance, then change the IP address on the interface? Perhaps the ASA would not consider the old default route with the lower AD because there would be no connected network that it could use to reach the old default route?

  3. If the customer has access to both ISPs at the same time, you can make the change in the ASA and then have him move the cable over to his new ISP. I was able to accomplish this by doing the following.

    Create a new vlan with the NEW IP address given by the new ISP.

    conf t
    int vlan 3
    ip address x.x.x.x x.x.x.x
    security-level 100
    nameif outside2

    int e0/3
    switchport access vlan 3
    no shut
    Create a new route with a higher metric.

    route outside 0.0.0.0 0.0.0.0 x.x.x.x 2

    Enable SSH.

    ssh x.x.x.x x.x.x.x outside2
    If you have an ASA with a limited license, you can tell the new VLAN not to forward traffic to the old outside interface. Go under the new VLAN and do a "no forward interface ?".

    Also, a "same-security-traffic permit inter-interface" may help depending on your situation.
