• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 502
  • Last Modified:

ISP Migration w/Two Routers, Two ISPs, One Firewall...

Okay I'll try to keep this as uncomplicated as possible but I've over thought this to the point where I'm just thinking of silly scenarios.

Current setup:
Two ISPs
Cisco 2691 Router (running BGP)
PIX 515e FW 6.3.3 (E0 = outside, E1 = inside, E2 = DMZ)
Full Class C of IP Addresses

We're dropping one provider & will be losing our block of IP addresses.  However, the new ISP is giving us a Full Class C.  The new ISP will serve as the primary & the other existing ISP will become our backup while running BGP.  They are giving us a new 2600 router (not sure exactly what model since they initially said 1841 & decided to go w/2600 series).

Okay so the primary concern is the DNS propagation.  Our ISP that we're dropping is giving us 30 days to get everything over to the new block of addresses, but I am trying to figure out how I can seamlessly transition to the new ISP since the PIX can is already set with the set of old IP addresses.  If I could enter in the new IP addresses in the NAT tables it wouldn't be a problem but we know that the 515e does not allow that.

The PIX outside interface is set to one of the public IP addresses that is in the block that we have to surrender.  I tried to set the new ISP address as a virtual interface & then plug in all the NAT but PIX said uh uh, no way.  I have around 200 NATs & another 200 or so Access Rules that I have to enter.

My last 'brilliant' idea was to configure the new router to connect to the old router.  Configure the old router to the IP address of the new router & basically have all the traffic from our new ISP pass through the old router until the DNS propagates & then enter in the new NATs & Access rules.  But that would still require plugging in all that info after the DNS propagates  & would also require changing the initial config of the new router to point to the firewall instead of the old router.  So, I'm fairly sure that idea is pretty horrible.

Ideas/Suggestions?  I'm feeling very scared & alone.....  okay just kidding, but it is annoying as you know what...
1 Solution

considering what you are planning, I think a properly planned hot cut is not going to leave you with much issues.  Trying to maintain a 'stateful' transition is not going to be 100% possible so i think its best to arrange it in such a way as to keep the impact and downtime to a minimum.  Having done several of these before - notepad is your best friend for this!

Ensure your new connection is up and routing correctly - test using a sample ip from your new class C and if possible, test from behind a nat device (another firewall or router)
Once you are happy with this new connection, create your changes list in notepad with all the relevant statements to amend the PIX config.
Remember to work in the correct order re making changes - re global statements, statics and xlates.

no route outside
clear static
no global 10 (outside) interface
no ip address outside
ip address outside
global 10 (outside) interface
static (inside,outside) ..........
static (inside,outside) ..........
route outside
clear xlate

If you are using an outside switch , ensure you clear its arp cache and check the mac-address table so that the new ips point to the mac addresses of the PIX outside interface rather than the old ones.

Its a matter of planning it and having a testing template and a fallback.  Regardless of size, a properly planned changeover can be done in a few mins.  
wfcraven12Author Commented:
Looks good to me.  I'm thinking this still may be a Friday 6pm cutover just to be on the safe side but you definitely helped me get my thoughts on this organized.  Thanks!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now