Firewall Wizards mailing list archives

RE: IP migration on "hub" VPN terminus [long]


From: "Josh Welch" <jwelch () buffalowildwings com>
Date: Wed, 24 Mar 2004 09:18:52 -0600

Robert L. Wanamaker said:

Greetings.

The challenge.  30 remote sites spread far apart enough geographically that site visits are not practical.  The remote sites run PIX 506's, typically with version 5.x of the PIX OS and no 3-DES activation.  The hub is a pair of 515-UR's, in failover mode.  Customer is switching ISP's at the hub, and must switch IP addresses.  Hence, the challenge: how to effectively cut over remote sites to the new VPN peer?

The plan.  A central admin console is capable of reaching each 506 in the field via tunnels.  Use this capability to do the following on each remote pix:

(1) Upgrade to 6.3.x of the PIX OS.
(2) Use the activation key feature in the new OS to get 3-DES capability in place.
(3) Add necessary statements for Cisco Secure VPN client to connect from any location, and telnet into the remote pix.
(4) Use the VPN client to directly connect to each PIX, and create a separate crypto map entry pointing to the new VPN peer.
(5) Split apart the 515's at the hub; run each in standalone mode, one connected to the old ISP network, and one connected to the new ISP network.
(6) Cut the tie to the old ISP.  Watch all the tunnels get gracefully rebuilt on the second 515 with little or no impact to users.
(7) Restore failover of the 515's.

Testing results.  I've tested 1, 3, 4 with good results.  My only weird results are that Cisco's site has numerous e.g.'s of the VPN client connecting with DES encryption; however, I can only make it work with 3-DES.  This is certainly a good excuse for getting the client up to current rev, but am I missing something?

Questions.  Does this sound feasible?  Is there a better way to accomplish this cutover?

Thanks, and regards,

Bob


One quick thought: rather than allowing VPN connections into the 506 pixen and then using telnet, why not just allow ssh into those boxes and reconfig them via ssh once the cutover to the new ISP is complete?

Josh

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

