Solved

Cisco Pix 506e firewall need to change the IP

Posted on 2007-08-01
Last Modified: 2010-04-09
I have a client who has a Cisco Pix 506e firewall which was configured by SBC awhile back. Their static IP address has been changed because of a new ISP. How do I go about just changing the IP address in the ISO without messing up the opened ports? Should I just have them call AT&T?  
0
Question by:avatech
 
LVL 7

Expert Comment

by:Gladys Kerns
ID: 19612078
can you login to the pix via telnet and get enable permissions?

If so you can modify the "interface" parameters

telnet x.x.x.x
*password for telnet* (if there is one)
en
*password for enable* (if there is one)
config term
show config

then copy/paste the running config so we can see what you're working with... and tell us what the new IP address is.
0
 
LVL 4

Author Comment

by:avatech
ID: 19612422
The new outside IP is 75.55.59.33

Show Config as follows:

Written by p825979 at 02:42:19.376 UTC Fri Jan 1 1993
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 2KFQnbNIdI.2KYOU encrypted
passwd ja_pix_112233445 encrypted
hostname pixfirewall
domain-name ciscopix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
name 192.168.1.253 sbsserver
name 68.79.124.41 SBSSERVER_PUBLIC
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq smtp
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq ftp
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq www
access-list outside_access_in permit udp any host SBSSERVER_PUBLIC eq ntp
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq imap4
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq 220
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq https
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq 444
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq 500
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq 1701
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq pptp
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq 3389
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq 4125
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq 4500
access-list outside_access_in permit gre any host SBSSERVER_PUBLIC
pager lines 24
logging console debugging
mtu outside 1500
mtu inside 1500
ip address outside 68.79.124.42 255.255.255.248
ip address inside 192.168.1.251 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location sbsserver 255.255.255.255 inside
pdm location 68.40.28.222 255.255.255.255 outside
pdm location 216.93.54.116 255.255.255.255 outside
pdm history enable
arp timeout 14400
global (outside) 1 68.79.124.43-68.79.124.44 netmask 255.255.255.248
global (outside) 1 68.79.124.45
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) SBSSERVER_PUBLIC sbsserver netmask 255.255.255.255 0 0 norandomseq
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 68.79.124.46 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 0.0.0.0 0.0.0.0 outside
telnet 216.93.54.116 255.255.255.255 outside
telnet 68.40.28.222 255.255.255.255 outside
telnet timeout 5
ssh timeout 5
console timeout 0
username p825979 password x32s0KbefvxtCKYV encrypted privilege 15
terminal width 80
Cryptochecksum:450a686b135c61b6393a65caa22a7537

0
 
LVL 7

Accepted Solution

by:
Gladys Kerns earned 2000 total points
ID: 19612553
oh alright... you've got a bit more going on there than just straight-forward NAT'ing for all your clients... looks like your old ISP gave you a small pool of static IPs to use at your disposal one of which you had assigned to your "SBSServer" which is probably your Exchange server as well, right?

So you'll need to acquire an extra static IP for at least that server or just port-forward 25 and 80 to it... since I don't see any other access-lists for any other devices or any other "static" remarks, you'll probably just need that one...

Then you'll also need to know what the next "hop" upstream gateway address is from your new ISP for the "route outside" statement along with the metric for that gateway (which is probably just 1).

For the SBSServer - if it's an exchange server you'll also need to modify your DNS MX Record on whichever DNS Server hosts your primary domain name and the "A" machine record if you're using OWA at all or any kind of outside service to synchronize with your mail.  I'm guessing that SBSServer is at least an exchange server by all the ports you have opened in the access lists.... It's not providing Microsoft VPN services is it?
0
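Added example, not part of the original answer or thread: a short Python sketch that lists which lines of the posted config are tied to the old outside subnet and therefore need review when the static IP changes. The config excerpt is a subset of the lines posted above; the function names are illustrative assumptions.

```python
import ipaddress
import re

# Excerpt of the address-bearing lines from the PIX 6.3 config posted above.
SAMPLE_CONFIG = """\
name 192.168.1.253 sbsserver
name 68.79.124.41 SBSSERVER_PUBLIC
access-list outside_access_in permit tcp any host SBSSERVER_PUBLIC eq smtp
ip address outside 68.79.124.42 255.255.255.248
ip address inside 192.168.1.251 255.255.255.0
pdm location 68.40.28.222 255.255.255.255 outside
global (outside) 1 68.79.124.43-68.79.124.44 netmask 255.255.255.248
global (outside) 1 68.79.124.45
static (inside,outside) SBSSERVER_PUBLIC sbsserver netmask 255.255.255.255 0 0 norandomseq
route outside 0.0.0.0 0.0.0.0 68.79.124.46 1
telnet 68.40.28.222 255.255.255.255 outside
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def outside_network(config):
    """Derive the old public subnet from the 'ip address outside' line."""
    m = re.search(r"^ip address outside (\S+) (\S+)$", config, re.M)
    if not m:
        raise ValueError("no 'ip address outside' line found")
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)

def lines_to_update(config):
    """Return (subnet, lines holding an old public address, lines using it by name)."""
    net = outside_network(config)
    lines = config.splitlines()
    direct, names = [], set()
    for line in lines:
        addrs = [ipaddress.ip_address(a) for a in IPV4.findall(line)]
        if any(a in net for a in addrs):
            direct.append(line)
            parts = line.split()
            if parts[0] == "name":        # e.g. name 68.79.124.41 SBSSERVER_PUBLIC
                names.add(parts[2])
    # These follow the 'name' entry; review them, but the address lives in 'name'.
    indirect = [l for l in lines if l not in direct and names & set(l.split())]
    return net, direct, indirect

if __name__ == "__main__":
    net, direct, indirect = lines_to_update(SAMPLE_CONFIG)
    print(f"Old outside subnet: {net}")
    print("Edit these lines:", *direct, sep="\n  ")
    print("Follow the name entry:", *indirect, sep="\n  ")
```
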

 
LVL 4

Author Comment

by:avatech
ID: 19612810
Yes, you are correct about exchange. This is a Small Business Server 2003 with 2 nics, so the server is handling NAT with RRAS. I have changed the MX dns records. Email is working fine at the moment. I have a different firewall of mine on the unit right now, but the client wants to use their Cisco....also the server is no longer called sbsserver, but I don't think that matters, because it was working fine.

LOL..I just called the client and found out something funny...they are still using AT&T, so they didn't change ISPs. They fell for the sales call of "I can save you some money" from AT&T and lost their static IP. They now have a static IP again, but it's different. They were told that they could not get back their old static IP...I have the PIX here with me at my office...so, everything is the same except for the static IP change.
0
 
LVL 7

Expert Comment

by:Gladys Kerns
ID: 19613014
ok - that makes all kinds of sense then... how funny.

I'm about to leave my office but I'll write this up for you at home tonight if not tomorrow morning when I have time.  It's easy stuff, you just have to have worked with a Pix before and I just happen to have my own Pix 506 right here in my office that I play with all the time.  ;)

If you want you could try to do it through pdm (which I usually don't do)... https:// to the local IP of the Pix
0
 
LVL 4

Author Comment

by:avatech
ID: 19613179
OK, no problem. I will wait. I'm off tomorrow, but I will take the PIX with me home and do it at home tomorrow.
Also, I have the cable and I can get into the console. I've worked on some 2600s in the past, so I'm a little familiar with ISO. I'm just not confident enough with the PIX, that I know works except for the IP.

Thanks
0
 
LVL 7

Expert Comment

by:Gladys Kerns
ID: 19614127
pix language is a lot like 2600 or 1700 router commands... there's just a few extra commands...
0
 
LVL 4

Author Comment

by:avatech
ID: 19645232
OK, I'm back to work. What commands do I need to do to just change the IP address?
0
