[c-nsp] ASA VPN migration

Scott Granados scott at granados-llc.net
Sat Feb 5 14:37:48 EST 2011


Just add a new static route through the migrated IP when the customer is ready to make the switch.

I did something similar migrating from smaller blocks into a single /24 a while back.

All that was required was enabling a new device on the new network with a proper IP, then as I moved each device I added a static route pointing the route back to the far end IP through the gateway on the new network.
You can simply add the correct interface to the crypto map and set up VPN sessions across more than one interface without much issue.
Once you're complete, remove the static routes, renumber your original interface or some variation on that theme depending on your end goal and you should be set. At the end of my project I just shut down the temp interface, renumbered the primary outside and Bob's your uncle.

On Feb 4, 2011, at 9:45 PM, Garry wrote:

> Hi,
> 
> I have a customer ASA which needs to migrate VPNs from one network IP to
> another. In order to keep outages down to a minimum, VPNs are to be
> migrated one by one. I was wondering if this is at all possible ... to
> start off with, I'd have to set up a second outside interface (which in
> itself works, tagging it on another VLAN, and setting up the router with
> another VLAN link). But with no PBR available, I'm not sure if the
> routing to the outside will even work correctly ... and even if that
> does work, would the ASA even be able to source VPNs from multiple IP
> addresses...
> 
> So, should I just ditch the whole idea and tell the customer to just get
> the remote sites organized so they can be migrated in a batch? (which
> would be my intent to start off with)
> 
> -gg
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
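
Added example, not part of the original post: the per-peer migration described in the reply above, sketched as ASA configuration. The interface name, VLAN, crypto map name and all addresses are constructed placeholders, and the route for the remote protected subnet is an assumption of this example rather than something the reply states.

```cisco
! Constructed example: outside2, VLAN 20, OUTSIDE_MAP and all addresses
! (RFC 5737 / RFC 1918 ranges) are placeholders, not values from the thread.
! Assumed starting point: OUTSIDE_MAP is already bound to "outside".

! 1. Second outside interface on the new network, tagged on its own VLAN
interface GigabitEthernet0/0.20
 vlan 20
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.0

! 2. Accept IKE on the new interface and bind the same crypto map to it
!    (ASA 8.4 and later use "crypto ikev1 enable outside2")
crypto isakmp enable outside2
crypto map OUTSIDE_MAP interface outside2

! 3. When one customer is ready: host route to that far-end peer through
!    the gateway on the new network. Only this peer moves; the rest keep
!    following the existing default route on "outside".
route outside2 198.51.100.10 255.255.255.255 203.0.113.1
!    Assumption: the ASA picks the egress interface, and so the crypto map
!    instance, by routing the protected destination, so that peer's remote
!    subnet is routed the same way.
route outside2 10.20.0.0 255.255.255.0 203.0.113.1

! 4. Confirm the tunnel came back up from the new address before moving on
show route | include 198.51.100.10
show crypto isakmp sa
! "local crypto endpt." should now show 203.0.113.2
show crypto ipsec sa peer 198.51.100.10

! 5. After the last peer has moved and the primary outside interface has
!    been renumbered, remove the temporary per-peer routes
no route outside2 198.51.100.10 255.255.255.255 203.0.113.1
no route outside2 10.20.0.0 255.255.255.0 203.0.113.1
```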
