Change Cisco PIX Public IP remotely

I need help on how to change the Cisco PIX firewall public IP address (interface IP) remotely. I will appreciate it if I can get a step-by-step approach on how this can be done. I am working from another location and presently I can connect to it with no problem through SSH. I want to be able to connect back to the site afterwards using the NEW IP address. Thanks.
gman14 Asked:
 
Galtar99 Commented:
Any updates?
0
 
Galtar99 Commented:
Unless you have some kind of out-of-band communication (i.e. modem, or another dial-in device), you will lose connection several times as you try to do this. The PIX will need its interface changed, address translation rules, ACLs, and routing statements. Then you'd handle the router. Assuming you do everything correctly, then you'd be able to get in again, but if something goes awry, then you'll have to drive in. Best to have a backup plan with some sort of out-of-band communication already set up and tested prior to attempting something like this.
0
 
lrmoore Commented:
Agree with Galtar99. It "should" be easy enough to do, but the second you hit enter after changing the address you will lose the connection. The hard part may be if you also have to change the default gateway. If that is the case, then you can't do it remotely. You can't change the gateway first, and if you change the interface first, the gateway will be wrong and you can't get back into it.
A dial-in modem connected to the console port is the only way to go. Use Hyperterm on the PC to dial into the modem and it's just like you connected to the console port.

0

 
Galtar99 Commented:
Let us know what you decide and how it goes.
0
 
gman14 (Author) Commented:
OK, thanks. But what is the step-by-step approach that I can use to change the public IP in the first place? How do I change it, and what else do I need to change too for me to change the public IP address? I am just getting hold of how to configure a router, so please, I will need your advice here. Thanks.
0
 
gman14 (Author) Commented:
I plan to have someone on site to do it manually from there. But I may have to walk the person through on how to do that. He will need to connect to the router directly. So any advice on how to do that too will be well appreciated. Thanks.
0
 
Galtar99 Commented:
If you're on site, the order is not that important. Change the interface IP address, subnet mask, default gateway, ACLs, and IP routing table as needed.
0
 
gman14 (Author) Commented:
So in the PIX, in order to change the settings to the NEW one, should I just type
-no ip address 10.x.x.x 255.x.x.x
and type in the new IP address?
Because I just tried to do that and it didn't work.
Please be exact when replying back on how to do the change. Thanks.
 
0
 
Galtar99 Commented:
I think it's slightly different than IOS in 6.x.  You just type the new IP address out with the interface name:
ip address interface_name ip_address netmask

If you get stuck, there's an online guide:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html

If you still get stuck, post what you were trying to do and the error you got. The more detail the better.
0
 
Galtar99 Commented:
Just remembered: You have to do that from enabled (privileged mode), and you have to be in configuration mode too.

enable
config t
no ip address interface_name 10.x.x.x 255.x.x.x
ip address interface_name <new ip address> <new subnet mask>
0
 
lrmoore Commented:
pix#config t
pix(config)#sho run | include route
 route outside 0.0.0.0 0.0.0.0 66.77.88.99 1
pix(config)#ip address outside 24.34.56.7 255.255.255.248
pix(config)#no  route outside 0.0.0.0 0.0.0.0 66.77.88.99 1
pix(config)#route outside 0.0.0.0 0.0.0.0 24.34.56.1 1
pix(config)#exit
pix#write mem

Your acls, if you have any, "should" already reference "interface", like this:
 access-list outside_access_in permit tcp any interface outside eq smtp

And your statics "should" already reference "interface", like this:
 static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255

As long as the acls and statics reference "interface" they do not have to change.
You will have to make the determination yourself if anything else in the config references the outside public IP address specifically, and change it accordingly.

0
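
lrmoore's last point, finding anything in the config that names the outside public IP specifically, can be checked against a saved copy of the running config before the cut-over. The script below is an added example, not part of the thread or any Cisco tool; the config excerpt is constructed, and the old interface address 66.77.88.98 and the 66.77.88.100 entries are assumed values chosen to sit in the same /29 as the old gateway quoted above.

```python
import ipaddress
import re

# Constructed PIX 6.x excerpt. 66.77.88.98 and 66.77.88.100 are assumed values
# placed in the same /29 as the old gateway (66.77.88.99) quoted in the thread.
SAMPLE_CONFIG = """\
ip address outside 66.77.88.98 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 66.77.88.99 1
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any host 66.77.88.100 eq www
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) 66.77.88.100 192.168.1.101 netmask 255.255.255.255
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def outside_network(config, iface="outside"):
    """Return the subnet configured by 'ip address <iface> <addr> <mask>'."""
    m = re.search(rf"^ip address {re.escape(iface)} (\S+) (\S+)", config, re.M)
    if not m:
        raise ValueError(f"no 'ip address {iface}' line found")
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network


def audit(config, iface="outside"):
    """Return (pinned, portable) lists of (line_number, line)."""
    net = outside_network(config, iface)
    pinned, portable = [], []
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        addrs = []
        for tok in IPV4.findall(line):
            try:
                addrs.append(ipaddress.ip_address(tok))
            except ValueError:
                pass  # dotted token with an octet above 255; not an address
        if any(a in net for a in addrs):
            pinned.append((n, line))
        elif re.match(r"(access-list|static)\b", line) and " interface " in line:
            portable.append((n, line))
    return pinned, portable


if __name__ == "__main__":
    pinned, portable = audit(SAMPLE_CONFIG)
    for n, line in pinned:
        print(f"CHANGE line {n}: {line}")
    for n, line in portable:
        print(f"ok     line {n}: {line}")
```

Lines reported as CHANGE carry a literal address from the old outside subnet and must be edited by hand; lines reported as ok use the "interface" keyword and follow the new address automatically.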
 
Galtar99 Commented:
Yes, default route and ACLs are important too.

Let us know if everything works out OK and if not, what errors (if any) you received.
0
 
gman14 (Author) Commented:
Ok thanks for all your inputs. I will give it a try and let you know how it goes. Thanks.
0
 
Galtar99 Commented:
We'll wait for an update.
0
 
gman14 (Author) Commented:
I plan to try it next week as this is the planned date for our cut-over. Please be patient with me. Thanks.
0
 
Galtar99 Commented:
Have you switched it over yet?
0
Question has a verified solution.
