How do I configure my VPNs on my new firewall without taking out the old one?

Question

I have a colocation facility with my main firewall in it. It has a bunch of site-to-site VPN tunnels built from the main firewall to the firewalls that are in the remote facilities.

I want to replace that main firewall with a Cisco ASA but I want to reduce downtime. I want to put the ASA in and configure VPN tunnels to the new firewalls in the remote facilities without taking down the VPN tunnels that are already created on the old firewall.

I was thinking that I would split a switch into two VLANs and hook the uplink and the outside interfaces of both firewalls to one VLAN and then the inside interfaces of both firewalls to the other VLAN. But then it hit me that I need a public IP address to set up a VPN and both firewalls can't have the same public IP address on their outside interfaces...

So what's a guy to do? How can I put a second firewall in the heart of my network and still keep the original up and running?

Answer 1

If your current firewall is acting as VPN endpoint, remote firewalls will be configured to contact its public IP address, and of course only one firewall can have that address at the same time (unless you are working with some sort of clustered setup, which is not your case).

There might be ways to have both firewalls up and running at the same time, but you would need at least another public IP address and to reconfigure all remote firewalls to connect to the second IP if they can't reach the first one; I don't know how many tunnels are we talking about and how much downtime you can afford, but what I would do is preconfiguring the new firewall with proper settings to replace the existing one and then just swap them; if something doesn't work, you can swap them back and troubleshoot it.

Any other solution would need much, much more work.