Friday, August 6, 2021

Migrating from Cisco ASA5515 to 5545, Checklist? Gotchas? Lessons learned?

Will be migrating this weekend to the ASA5545 from the ASA5515. Current setup is Hub/Spoke; the entire organization runs to our DC for INET THROUGH the FW, which is configured as an HA pair with a few IPSec tunnels, AnyConnect VPN, and a DMZ.

New setup will be identical. Have already pasted config file to new FW and configured appropriate interfaces.

This will be our second attempt, since the first one failed and we reverted. On the first attempt the IPSec tunnels came up immediately; however, there were issues accessing through AnyConnect, as access was sporadic. When testers connected, some could not access applications on the DMZ, and when they could connect, access to our intranet and corp webpage was sporadic, as it was to some applications. At first we thought it was a DNS issue; we use internal DNS servers, forwarding to Akamai. We changed the DNS IPs to an external DNS (Google DNS) and it was still not working.

I cleared the ARP cache of the downstream switches and upstream switches, but we could not get users to reliably access DMZ applications, which is strange because the config is identical to what's already working.

Is there a migration checklist that doesn't detail the obvious, like checking that the OS is identical to before, that the ASDM version matches, that your Firepower version is the same, etc.? Something like a list of 'Gotchas' to be on the lookout for, like the ARP cache, or anything I haven't thought of? Or, if anyone has gone through this, what are the 'Lessons learned' you experienced?

ISP1                 ISP2
  |                    |
  |                    |
  R1------HSRP--------R2
  |                    |
  |                    |
FWSwitch            FWSwitch
  |                    |
  |                    |
  FW1------HA--------FW2
  |                    |
  |                    |
DMZSwitch           DMZSwitch


