  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 864
  • Last Modified:

Change Cisco PIX Public IP remotely

I need help on how to change a Cisco PIX firewall's public IP address (interface IP) remotely. I would appreciate a step-by-step approach on how this can be done. I am working from another location and at present I can connect to it with no problem through SSH. I want to be able to connect back to the site afterwards using the NEW IP address. Thanks.
0
gman14
Asked:
1 Solution
 
Galtar99Commented:
Unless you have some kind of out-of-band communication (i.e. modem, or another dial-in device), you will lose connection several times as you try to do this.  The PIX will need its interface changed, address translation rules, ACL's, and routing statements.  Then you'd handle the router.  Assuming you do everything correctly, then you'd be able to get in again, but if something goes awry, then you'll have to drive in.  Best to have a backup plan with some sort of out-of-band communication already set up and tested prior to attempting something like this.
0
 
lrmooreCommented:
Agree with Galtar99. It "should" be easy enough to do, but the second you hit enter after changing the address you will lose the connection. The hard part may be if you also have to change the default gateway. If that is the case, then you can't do it remotely. You can't change the gateway first, and if you change the interface first, the gateway will be wrong and you can't get back into it.
A dial-in modem connected to the console port is the only way to go. Use Hyperterm on the PC to dial into the modem and it's just like you connected to the console port.

0
 
Galtar99Commented:
Let us know what you decide and how it goes.
0

 
gman14Author Commented:
OK, thanks. But what is the step-by-step approach that I can use to change the public IP in the first place? How do I change it, and what else do I need to change in order to change the public IP address? I am just getting hold of how to configure a router, so please, I will need your advice here. Thanks.
0
 
gman14Author Commented:
I plan to have someone on site to do it manually from there. But I may have to walk the person through on how to do that. He will need to connect to the router directly. So any advice on how to do that too will be well appreciated. Thanks.
0
 
Galtar99Commented:
If you're on site, the order is not that important.  Change the interface IP address, subnet mask, default gateway, ACL's, and IP routing table as needed.
0
 
gman14Author Commented:
So in the PIX, in order to change the settings to the NEW one, should I just type
-no ip address 10.x.x.x 255.x.x.x
and type in the new IP address?
Because I just tried to do that and it didn't work.
Please be exact when replying back on how to do the change. Thanks.
 
0
 
Galtar99Commented:
I think it's slightly different than IOS in 6.x.  You just type the new IP address out with the interface name:
ip address interface_name ip_address netmask

If you get stuck, there's an online guide:
http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/bafwcfg.html

If you still get stuck, post what you were trying to do and the error you got.  The more detail the better.
0
 
Galtar99Commented:
Just remembered:  You have to do that from enabled (privileged mode), and you have to be in configuration mode too.

enable
config t
no ip address interface_name 10.x.x.x 255.x.x.x
ip address interface_name <new ip address> <new subnet mask>
0
 
lrmooreCommented:
pix#config t
pix(config)#sho run | include route
 route outside 0.0.0.0 0.0.0.0 66.77.88.99 1
pix(config)#ip address outside 24.34.56.7 255.255.255.248
pix(config)#no  route outside 0.0.0.0 0.0.0.0 66.77.88.99 1
pix(config)#route outside 0.0.0.0 0.0.0.0 24.34.56.1 1
pix(config)#exit
pix#write mem

Your acls, if you have any, "should" already reference "interface", like this:
 access-list outside_access_in permit tcp any interface outside eq smtp

And your statics "should" already reference "interface", like this:
 static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255

As long as the acls and statics reference "interface" they do not have to change.
You will have to make the determination yourself if anything else in the config references the outside public IP address specifically, and change it accordingly.

0
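The check described at the end of the comment above (finding anything in the config that hard-codes the old outside address instead of using "interface"), as an added example that is not part of the original thread. The sample config, the old interface address 66.77.88.98 and the old block 66.77.88.96/29 are constructed around the example addresses in the post; save the real `show run` output to a file and pass its text instead.

```python
import ipaddress
import re

# Constructed sample of a PIX 6.x running config (not from the thread).
SAMPLE_CONFIG = """\
ip address outside 66.77.88.98 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
access-list outside_access_in permit tcp any interface outside eq smtp
access-list outside_access_in permit tcp any host 66.77.88.100 eq www
static (inside,outside) tcp interface smtp 192.168.1.100 smtp netmask 255.255.255.255
static (inside,outside) tcp 66.77.88.100 www 192.168.1.101 www netmask 255.255.255.255
global (outside) 1 interface
route outside 0.0.0.0 0.0.0.0 66.77.88.99 1
"""

# Anything shaped like a dotted quad; validity is checked by ipaddress below.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_old_block_references(config_text, old_network):
    """Return (line_number, line) for each config line that hard-codes an
    address inside old_network. Lines that use the "interface" keyword carry
    no literal public address, so they are not reported."""
    net = ipaddress.ip_network(old_network, strict=False)
    hits = []
    for number, line in enumerate(config_text.splitlines(), 1):
        for token in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # e.g. 999.1.1.1: looks like an address but is not one
            if addr in net:
                hits.append((number, line.strip()))
                break  # one report per line is enough
    return hits


if __name__ == "__main__":
    # Assumed old provider block; the netmasks and 0.0.0.0 never match it.
    for number, line in find_old_block_references(SAMPLE_CONFIG, "66.77.88.96/29"):
        print(f"line {number}: still references old block -> {line}")
```

Every reported line (interface address, default route, and any ACL or static with a literal public address) has to be rewritten for the new block during the cut-over; an empty result for ACLs and statics means they already follow the "interface" form shown above.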
 
Galtar99Commented:
Yes, default route and ACL's are important too.

Let us know if everything works out OK and, if not, what errors (if any) you received.
0
 
gman14Author Commented:
Ok thanks for all your inputs. I will give it a try and let you know how it goes. Thanks.
0
 
Galtar99Commented:
We'll wait for an update.
0
 
Galtar99Commented:
Any updates?
0
 
gman14Author Commented:
I will plan to try it next week as this is the planned date for our cut-over. Pls. be patient with me. Thanks.
0
 
Galtar99Commented:
Have you switched it over yet?
0
