How to migrate ASA from one ISP to another

Hello experts, I have come to this great site in search of network design advice.  I have an ASA 5510 stateful failover pair (active/standby) running in single context routed mode.  The outside interface is part of an ISP (ISP1) provided public subnet with a layer 2 connection to an ISP managed router.  All NAT takes place within the ASA.  All our external services reside on the ISP1 subnet: DNS, SMTP, HTTP, VPN, etc.

I have 2 other ISP links that we would like to utilize outside the ASA.  ISP2 will replace ISP1.  ISP3 would ideally be used exclusively for outbound requests (web browsing).

A wrench in the works is that we are 24/7 so minimizing downtime during this migration will be paramount.  I would like to avoid a hot cut if at all possible.  My first thought was to add subinterfaces on the outside interface then dot1q trunk to 3 external vlans - one for each ISP.  This would allow me to transition external services at my convenience but I wasn't sure about how to deal with the outbound routing.  I read this from the ASA CLI guide

You can define up to three equal cost default route entries per device. Defining more than one equal cost default route entry causes the traffic sent to the default route to be distributed among the specified gateways. When defining more than one default route, you must specify the same interface for each entry.

If you attempt to define more than three equal cost default routes, or if you attempt to define a default route with a different interface than a previously defined default route, you receive the following message:

"ERROR: Cannot add route entry, possible conflict with existing routes."

First of all I'm not sure if I can or would want to put default routes out different subinterfaces - has anyone done this or attempted it in a lab?  It's important that return traffic follow the same path as inbound, right?

I may opt for a single router for the ISP2 & 3 connections which would simplify the default route out of the ASA in the long term, but how would I make the transition off ISP1?

I can put a layer 3 switch outside the ASA but am running into the same mental roadblock with the outbound default route.

Any advice would be greatly appreciated regarding my design and transition plan.  Thanks!
Who is Participating?
GuruChiuConnect With a Mentor Commented:
I have done similar things many times, all with the help of an external router. The setup is using an ASA or Pix to perform all the necessary NAT. After that it is pass to an external router. The router will base on the source IP address and use policy based routing. Source IP addresses that belongs to a particular ISP will route to that ISP. This way you can take your time to migrate between ISP, as well as having multiple ISP at the same time. If adding a router is an acceptable solution, this will be your best option. If you do choose this option, you can search for PBR or policy based routing and there will be examples of how to do it, or let me know and I will post an example.

If you prefer not to use an external router, either for budget reason or downtime associated with swapping in a router, I would like to share these thoughts with you:

ASA is able to distribute traffic to up to 3 default gateways. However there is no control of which packet will go to which ISP. So you cannot do something like "ISP3 would ideally be used exclusively for outbound requests".

ASA also able to setup a failover route by define SLA, and if SLA is not meet, change the default gateway to another one. You can use this to change traffic from one ISP to another one with no down time. However it still cannot handle the case of "ISP3 would ideally be used exclusively for outbound requests".
kermit3Author Commented:
source based PBR was the key I was missing.  Thanks much.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.