Tuesday, February 9, 2016

networking - Egress Interface Routing - Potential Solution?

We have an ISP (ISP1), with a router maintained by the ISP. We are bringing up a second ISP (ISP2), with routers we will deploy and maintain. We'd like to gradually migrate services from ISP1 to ISP2, eventually phasing out the original ISP. During the phase-out, we'd like the migration setup to default any traffic we haven't explicitly selected to stay on ISP1 out ISP2.

We currently support IPsec tunnels, AnyConnect VPN and various applications on the existing ISP1, with a public /24 provided by the ISP. Please see the attached topology image for the current setup and the concept of the state we expect during the migration. ISP2 is providing a new /24 that all tunnels and applications will need to move to.

Unfortunately, the ASA 5510 does not support PBR (policy-based routing), so I'm looking for a solution to support this setup while maintaining connectivity to all applications on ISP1 during the migration. Specifically, I am concerned about how to manage routing outbound from our ASAs to the appropriate interface and next hop, given the topology. I believe the IPsec tunnels would be fairly straightforward, requiring just a static route to each tunnel peer out the ISP1 upstream router. As each tunnel is migrated, I'd remove its static route to let it out ISP2.

I believe I can use Egress Interface Routing (Cisco doc) to ensure application traffic is addressed and routed appropriately, but I am not confident I understand the implications/requirements of this and would like feedback on whether this would work, or on possible alternative solutions to handle the routing setup on the ASAs.

Thanks for any & all feedback!
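An added illustration of the scheme the question sketches, written here as editorial example configuration; it is not the poster's configuration and not taken from the Cisco document the question links. Everything concrete is an assumption chosen for the example: ASA 8.4+ syntax, interface names isp1, isp2 and inside, RFC 5737 documentation ranges standing in for the real /24s (198.51.100.0/24 for ISP1, 203.0.113.0/24 for ISP2), 10.0.0.0/24 as the inside network, and 192.0.2.50 as one remote IPsec peer. The default route moves to ISP2 up front; each not-yet-migrated tunnel peer is pinned to ISP1 with a /32 host route, which is then removed when that tunnel is cut over; application hosts are tied to an ISP by the interface named in their static NAT rule.

```cisco
! Constructed example, not the poster's config. Interface names and all
! addresses are assumptions (RFC 5737 ranges in place of the real /24s).
interface Ethernet0/0
 nameif isp1
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Ethernet0/1
 nameif isp2
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! The default route already points at ISP2: anything not pinned below
! leaves via isp2.
route isp2 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Not-yet-migrated IPsec peer: a /32 host route toward the ISP1 router keeps
! IKE/ESP to this peer on isp1, and the crypto map for it is bound to isp1.
route isp1 192.0.2.50 255.255.255.255 198.51.100.1 1
crypto map ISP1-MAP 10 match address ACL-PEER-192-0-2-50
crypto map ISP1-MAP 10 set peer 192.0.2.50
crypto map ISP1-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map ISP1-MAP interface isp1
!
! Cutting that peer over to ISP2: remove the host route so the default route
! takes over, move the peer to a crypto map applied on isp2, and have the
! remote side re-point its peer address at the ASA's isp2 address 203.0.113.2.
no route isp1 192.0.2.50 255.255.255.255 198.51.100.1
clear configure crypto map ISP1-MAP 10
crypto map ISP2-MAP 10 match address ACL-PEER-192-0-2-50
crypto map ISP2-MAP 10 set peer 192.0.2.50
crypto map ISP2-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map ISP2-MAP interface isp2
!
! Application hosts: the static NAT rule names the mapped interface, and the
! ASA uses that interface for traffic to and from the mapped address. One
! service still on ISP1, one already moved to ISP2's /24.
object network app1-server
 host 10.0.0.10
 nat (inside,isp1) static 198.51.100.10
object network app2-server
 host 10.0.0.20
 nat (inside,isp2) static 203.0.113.20
```

Two checks worth running on the ASA before and after each cutover: `show route` to confirm the /32 for the peer is present (or gone) and that the default route still points at isp2, and `packet-tracer input inside tcp 10.0.0.20 1024 192.0.2.80 443 detailed` (destination address also constructed) to see which NAT rule and egress interface the ASA actually chooses for a given inside host, since the NAT-driven interface choice is the "egress interface" behaviour the question refers to and is the part that does not show up in the route table. The caveat that matters during the overlap: a host whose NAT maps it into ISP2's /24 must not be sent out isp1, or its replies carry a source address ISP1 does not own and an upstream with source filtering will drop them; binding the NAT rule to the right interface is what prevents that, so every service should be moved by changing both its mapped address and its mapped interface in one step.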
