Thursday, July 3, 2014

Firewall upgrade

At my day job we decided to replace our aging Cisco ASA 5510 with a Cisco ASA 5512-X.  For the most part this was just a copy-paste of the old config, but I did also make some needed changes to the config.  Some of the big changes that I made were changing from individual interfaces with subinterfaces to redundant interfaces for the outside and inside, as well as a port-channel LAG for client subinterfaces.  This change was highly needed since the ASA is now connecting to a stacked switch.  One of the other big changes was renaming the named interfaces to a set standard so the configuration can be more consistent and easier to read.  This was fairly easily accomplished via find and replace in Notepad.

During the changeover itself I first racked and verified that the new firewall successfully powered on.  I then, before connecting any network cables, configured all of the switch ports that were going to be used and ensured that they were all disabled.  Once I was finally ready to do the cutover I contacted our data center NOC and informed them I was going to change out our firewall and requested to have our ARP entry cleared to allow for a faster cutover.  After the NOC located the ARP entry I disabled the switch ports for the old firewall, had the NOC clear the ARP entry, and then enabled the ports for the new firewall.  During all of this I had a continuous ping going to a public IP, and once the ARP tables updated with the MAC address for the new firewall my continuous ping started to respond again.  I believe we were down for only around 30 seconds.

After I thanked our NOC for their assistance I worked with one of my co-workers at my office to start testing.  He verified that public-facing websites that we host for ourselves and clients came back up while I worked on testing connectivity to clients' inside networks, remote point-to-point connected networks, as well as remote VPN-connected networks.  The only major issue that I had was that our office firewall required a restart to get the VPN tunnel from the office to the data center back up.  Overall I would say this upgrade was a huge success.

Some of the things that I learned from this: take the time to carefully prepare, call your NOC and request a clearing of your ARP entry, make sure that part of your preparation is creating a test plan, and don't be afraid of pulling the trigger (just know what your fallback plan is).


Migrating SSL certificates on the ASA can be as easy as crypto ca export/import.  And when copy-pasting the config, do it in stages so you can find any areas where the syntax may have changed between versions.
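The interface renaming above was done with find and replace; as an added example (not from the post, and not the author's script), here is a small script that applies a naming standard to an ASA config excerpt as whole tokens only, so that an ACL named after the old interface (e.g. outside_access_in) is not mangled, and then checks for nameif values you forgot to map and for lines that still reference an old name. The config excerpt and the naming standard (OUT-DC, IN-SRV) are constructed for the example.

```python
import re

# Constructed ASA config excerpt (not the post's real config).
OLD_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
access-group outside_access_in in interface outside
nat (inside,outside) source static LAN LAN destination static VPN VPN
"""

# Assumed naming standard: old nameif -> new nameif.
RENAMES = {"outside": "OUT-DC", "inside": "IN-SRV"}

NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)\s*$", re.MULTILINE)


def nameifs(config):
    """Every interface name declared with 'nameif' in the config."""
    return NAMEIF_RE.findall(config)


def _token_pattern(names):
    # \b keeps 'outside' from matching inside 'outside_access_in'
    # ('_' is a word character, so there is no word boundary there).
    return re.compile(r"\b(" + "|".join(map(re.escape, names)) + r")\b")


def rename_interfaces(config, renames):
    """Apply the rename map in a single pass, so swapped names (A->B, B->A)
    are not replaced twice."""
    return _token_pattern(renames).sub(lambda m: renames[m.group(1)], config)


def unmapped_nameifs(config, renames):
    """Declared interfaces the naming standard does not cover."""
    return [n for n in nameifs(config) if n not in renames]


def stale_references(config, renames):
    """Lines that still mention an old name as a whole token; expected to be
    empty after rename_interfaces, otherwise the find/replace missed a spot."""
    pat = _token_pattern(renames)
    return [line for line in config.splitlines() if pat.search(line)]
```

Run unmapped_nameifs on the old config before renaming and stale_references on the result afterwards; both should return empty lists before the new config is pasted in.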
