RE: [fw-wiz] IP migration on "hub" VPN terminus [long]

From: Josh Welch (
Date: 03/24/04

  • Next message: WEXLER, BEN A (SBCSI): "[fw-wiz] Reducing Broadcast Storms"
    To: "Robert L. Wanamaker" <>, <>
    Date: Wed, 24 Mar 2004 09:18:52 -0600

    Robert L. Wanamaker said:
    > Greetings.
    > The challenge. 30 remote sites spread far apart enough
    > geographically that
    > site visits are not practical. The remote sites run PIX 506's, typically
    > with version 5.x of the PIX OS and no 3-DES activation. The hub is a pair
    > of 515-UR's, in failover mode. Customer is switching ISP's at
    > the hub, and
    > must switch IP addresses. Hence, the challenge: how to
    > effectively cutover
    > remote sites to the new VPN peer?
    > The plan. a central admin console is capable of reaching each 506 in the
    > field via tunnels. Use this capability to do the following on each remote
    > pix:
    > (1) upgrade to 6.3.x of the PIX OS
    > (2) use the activation key feature in the new OS to get 3-DES
    > capability in
    > place
    > (3) add necessary statements for Cisco Secure VPN client to
    > connect from any
    > location, and telnet into the remote pix.
    > (4) Use the VPN client to directly connect to each PIX, and create a
    > separate crypto map entry pointing to the new VPN peer
    > (5) Split apart the 515's at the hub; run each in standalone mode, one
    > connected to the old ISP network, and one connected to the new
    > ISP network.
    > (6) Cut the tie to the old ISP. Watch all the tunnels get gracefully
    > rebuilt on the second 515 with little or no impact to users.
    > (7) Restore failover of the 515's.
    > Testing results. I've tested 1, 3, 4 with good results. My only weird
    > results are that Cisco's site has numerous e.g.'s of the VPN client
    > connecting with DES encryption; however, I can only make it work
    > with 3-DES.
    > This is certainly a good excuse for getting the client up to current rev,
    > but am I missing something?
    > Questions. Does this sound feasible? Is there a better way to accomplish
    > this cutover?
    > Thanks, and regards,
    > Bob
    One quick thought, rather than allowing VPN connections into the 506 pixen
    and then using telnet, why not just allow ssh into those boxes and reconfig
    them via ssh once the cutover to the new ISP is complete?


    firewall-wizards mailing list

  • Next message: WEXLER, BEN A (SBCSI): "[fw-wiz] Reducing Broadcast Storms"