Switching ISP

Tech Savvy
Hi all, I have a school that is changing ISPs. They are given a block of static IPs for various resources such as their web server.

They want minimal downtime. I seem to think that we can make this changeover without any downtime or at most just the downtime it takes to swap ips.

Does anyone have any insight to how we can do this?

Here is my idea: assign two IPs to the inside servers. Hook up the connection to the new ISP and set up NAT for the new ISP under the new server. When the DNS records are updated, then we can remove the old ISP connection and cancel. This would be zero downtime?

Now maybe there is a better idea for the web server: to just add a record for some type of redirect from the old to the new ISP IPs?


Sent from my iPhone using Tapatalk
 
Well...first you want to study the existing firewall, and see what port forwarding and other settings are on there.
I'd also want to have access to their public DNS control panel, so you can look at what A records and CNAMEs are pointing to the current IPs...

I dunno about sticking public IPs right on the "2 inside servers"...I never assign public IPs to any servers...I hide everything behind NAT, I only do port forwarding. Sticking a server on a public IP..even if just for 30 seconds..I'd want to format it...clean off the bots that got hacked into it.

Perhaps their current firewall has the ability to handle multiple WAN connections....you can configure an interface to a second WAN connection...and then move things at your leisure, without interruption or loss of service. Moving a single WAN connection to a new IP will have some downtime..as DNS takes some time to propagate.
 
Sorry, I should have clarified: the private IPs are on the servers. I wanted to add another private IP to each of the 5 devices that require public access. So in total there will be 10 private IPs and 5 public IPs with Optimum (new ISP) and 5 public IPs with Verizon (old ISP). This way we can still NAT 1 public to 1 private, but the device itself would have two local IPs, each IP corresponding to an ISP (one new and one old).

If that makes sense? This is how I envision it though. I'm curious if there is a better solution.

And to answer your question, I can set up a second WAN on the firewall.


 
Cisco ASA (same we were talking about before that I haven't seen in a while) I'm not sure on the exact model yet. I'll post tomorrow when I find out.


 
From what I see, their ACL only allows specific ports, but the NAT is done one-to-one.

I'll PM you the running config.


 
I wouldn't be adding public IPs to the servers for an ISP switch. You might cause other internal name resolution issues depending on what services are bound to those private IPs.

If you can set up dual WAN, then you can update the DNS and PIX configuration one IP at a time with minimal downtime.

If you opt to avoid dual WAN, then I would reduce the TTL on all affected DNS records a week or two in advance. Reduce to five minutes if you can. Then when you make the change to public DNS it will propagate quickly.

I would dump the Cisco configuration to a text file as a backup, make a copy, then edit it to search and replace the IP addresses, old for new. At the switchover there will be fifteen minutes of downtime while you apply the PIX config and redo the DNS.
 
If you can set up dual WAN, then you can update the DNS and PIX configuration one IP at a time with minimal downtime.

Won't updating the DNS still need time to propagate?

The thing I was wondering is, if I hook up both WANs, there is no longer the one-to-one relationship for NAT; instead I have two IPs pointing to one server (for each of the servers), which I don't think is allowed, because then the server won't know which path to take to respond. So to solve this, I was going to have the server have two private IPs, the original one and a new one. This way the original will still have a one-to-one from the old ISP and the new one will have a one-to-one with the old ISP, but you brought up an excellent point: if there are any internal services that rely on the old private IP, when I go to take it offline, there may be some name resolution problems.

Any ideas on how to work around this?

Also, just to confirm, you're saying:
- change TTL time to something small
- hook up new ISP to secondary WAN
- wait a week or two
- update public IPs one at a time in network object config
- remove old ISP
 
Dual WAN firewalls I have used allow you to forward the same port on each WAN connection to one internal IP. The firewall knows which WAN port was used and handles the connections via its NAT table; the server simply has one default gateway, the firewall LAN IP. Exactly how to configure this on a Cisco ASA is another matter.

Because, in a dual WAN config, both public IPs are live at the same time, you can change the DNS to the new IP at leisure. No rush, no need to reduce the TTL. Just make sure all DNS changes have propagated before you turn off the old ISP.

If you are not going to try the dual WAN method, do reduce the TTL.
 
if I hook up both WANs, there is no longer the one-to-one relationship for NAT; instead I have two IPs pointing to one server (for each of the servers), which I don't think is allowed, because then the server won't know which path to take to respond.

That's only a problem on very old dumb basic "stateless" firewalls - anything you're likely to be running now is going to be a "stateful" firewall which will track connections and route data back properly out the path that the connection was opened on. That's not going to apply for UDP connections, but most likely you don't have any publicly-accessible UDP services running anyway.

You may also be able to assign a weight or cost to the connections to cause it to favor the "cheaper" connection, then switch those values around to actually go live. Connections coming on the old addresses would still work, they'd just be coming in on the now-secondary connection. Once you're pretty sure those have stopped, you can unplug the old connection.
 
Just drop the TTL to less than an hour on the DNS records, like 1-2 weeks in advance. Schedule the cutover for late night or a weekend and update the router with the new public WAN IP addresses, updating any necessary ACLs and port forward rules. Then go into the DNS records and update the IP addresses to the new ones. Then once everything is working smoothly, update the TTL records back to a default setting like 1 day. Should be a fairly quick cutover.
 
Also make sure you change the default route on your firewall to point to the new public IP assigned to the outside interface whether it be the existing WAN port with the new IP or the second WAN port with the new IP.
 