Solved

External IP migration

Posted on 2008-10-01
Last Modified: 2010-04-09
I am in the process of migrating our existing IP range 198.66.93.64/27 to 24.149.199.225/27 on the Cisco PIX 515e, and I am not sure what precautions or steps to follow to ensure minimum downtime. Both IP sets are turned on from the ISP right now. If I use the web interface to go in there and change all the IPs/interfaces, would I have to reapply all the access rules? I am trying to keep all the external IPs as similar to before as possible; for example, the TM gateway was 198.66.93.65 and will now become 24.149.199.225, and so on.

Huy
Question by:moonzappa
9 Comments
LVL 20

Assisted Solution

by:RPPreacher
RPPreacher earned 1000 total points
ID: 22616944
Any VPN tunnels in the config will require a restart of the crypto engine (or just reload/power cycle the PIX).

Author Comment

by:moonzappa
ID: 22617025
The VPN box is separate. We have a Concentrator 3005. We do not have any permanent VPN connections, only VPN clients, so we just have to edit the VFC file to the new IP for the VPN box, correct?
LVL 20

Assisted Solution

by:RPPreacher
RPPreacher earned 1000 total points
ID: 22617112
Yes.

Author Comment

by:moonzappa
ID: 22617280
Is there an easier way where I can just run all the command lines so I won't forget or miss any place?
LVL 20

Assisted Solution

by:RPPreacher
RPPreacher earned 1000 total points
ID: 22617310
I don't understand the question. Do you want CLI or don't you want CLI on the PIX 515e?

Author Comment

by:moonzappa
ID: 22617353
Well, I am not an expert on CLI, so I would prefer the web interface. But if someone helps me look over the running config and gives me some tips, I can probably do the CLI. Sorry for the confusion.
PIX Version 6.3(5)

name 198.66.93.65 PIX-GATEWAY
name 172.16.5.0 Workers
name 172.16.1.0 Office
name 172.16.1.9 Cisco-VPN
name 172.16.5.3 Dell-Switch-2
name 172.16.5.2 DELL-Switch-1
name 172.16.5.1 Worker-VLAN-Gateway
name 172.16.1.3 Extreme-Switch-2
name 172.16.1.2 Extreme-Switch-1
name 129.250.35.251 y.ns.verio.net
name 129.250.35.250 x.ns.verio.net
name 212.44.132.0 bitsoft.ru
name 198.66.93.78 ftp.lateraldata.com
name 172.16.1.28 ftp-inside
name 172.16.1.34 LDLCS01
name 207.46.0.0 WindowUpdate
name 172.16.1.18 SLDATAEDD05
name 172.16.1.16 LDHTS02
name 172.16.1.12 SLDATAEDD02
name 172.16.1.25 LDDEV
name 172.16.1.20 LDDC02
object-group service Normal-Web-Traffic tcp
  port-object eq www
  port-object eq https
object-group service Normal-Web-Traffic-UDP udp
  port-object eq www
object-group network Verio.Net.DNS
  network-object x.ns.verio.net 255.255.255.255
  network-object y.ns.verio.net 255.255.255.255
object-group service FTP-Traffic tcp
  port-object eq ftp-data
  port-object eq ftp
access-list inside_access_in permit ip Office 255.255.255.0 any
access-list inside_access_in deny ip any bitsoft.ru 255.255.255.0
access-list inside_access_in remark all
access-list inside_access_in deny ip Workers 255.255.255.0 any
access-list outside_in permit tcp any host 198.66.93.70 eq smtp
access-list outside_in permit tcp any host 198.66.93.70 eq www
access-list outside_in permit tcp any host 198.66.93.70 eq https
access-list outside_in permit tcp any host 198.66.93.70 eq pop3
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit udp object-group Verio.Net.DNS eq domain any eq domain
access-list outside_in permit tcp any host ftp.lateraldata.com object-group FTP-Traffic
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any host 198.66.93.70 eq imap4
access-list outside_in permit tcp any host 198.66.93.70 eq 587
access-list outside_in permit tcp any host 198.66.93.71 eq 3389
access-list outside_in permit tcp any host 198.66.93.73 eq www
access-list outside_in permit tcp any host 198.66.93.73 eq https
access-list outside_in permit tcp any host 198.66.93.71 eq https
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside SLDATAEDD05
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 198.66.93.66 255.255.255.224
ip address inside 172.16.1.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location PIX-GATEWAY 255.255.255.255 outside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location Workers 255.255.255.0 inside
pdm location Extreme-Switch-1 255.255.255.255 inside
pdm location Extreme-Switch-2 255.255.255.255 inside
pdm location Cisco-VPN 255.255.255.255 inside
pdm location Worker-VLAN-Gateway 255.255.255.255 inside
pdm location DELL-Switch-1 255.255.255.255 inside
pdm location Dell-Switch-2 255.255.255.255 inside
pdm location SLDATAEDD05 255.255.255.255 inside
pdm location x.ns.verio.net 255.255.255.255 outside
pdm location y.ns.verio.net 255.255.255.255 outside
pdm location bitsoft.ru 255.255.255.0 outside
pdm location ftp-inside 255.255.255.255 inside
pdm location ftp.lateraldata.com 255.255.255.255 outside
pdm location LDLCS01 255.255.255.255 inside
pdm location WindowUpdate 255.255.0.0 outside
pdm location LDDC02 255.255.255.255 inside
pdm location SLDATAEDD02 255.255.255.255 inside
pdm location LDHTS02 255.255.255.255 inside
pdm location LDDEV 255.255.255.255 inside
pdm group Verio.Net.DNS outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface www LDLCS01 www netmask 255.255.255.255 0 0
static (inside,outside) ftp.lateraldata.com ftp-inside netmask 255.255.255.255 0 0
static (inside,outside) 198.66.93.70 SLDATAEDD02 netmask 255.255.255.255 0 0
static (inside,outside) 198.66.93.71 LDHTS02 netmask 255.255.255.255 0 0
static (inside,outside) 198.66.93.73 LDDEV netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 PIX-GATEWAY 1
route inside Workers 255.255.255.0 Extreme-Switch-2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
LVL 20

Accepted Solution

by:RPPreacher
RPPreacher earned 1000 total points
ID: 22617381
Just do a NO xxxxxxxx for all the lines with your old range and re-add them with the new range.

To make sure you don't miss anything, you can run SHOW CONF | INCL 198.66.93, which will show all the config lines with the old range.

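The accepted answer's method, automated as an added example (this is my script, not code from the thread or from Cisco). It does what SHOW CONF | INCL 198.66.93 does, emits the "no <line>" and the re-add with the new address, and additionally catches lines that reference the old range only through a "name" alias (the default route via PIX-GATEWAY, the static and ACL entries for ftp.lateraldata.com), which a literal prefix grep cannot match. The old-to-new host mapping is the one the asker posted; the sample config is a constructed subset of the running config above plus one constructed host (198.66.93.90 / LDTEST) with no mapping, to show that such a line is reported rather than guessed. Whether PIX 6.3 needs the alias-based lines re-entered after the name is rebound is an assumption to verify on the box.

```python
"""PIX 6.3 external-range cutover generator (added example, not from the thread)."""
import ipaddress
import re

OLD_NET = ipaddress.ip_network("198.66.93.64/27")   # current block, from the question
NEW_NET = ipaddress.ip_network("24.149.199.224/27")  # new block, gateway .225

# Old -> new hosts exactly as the asker listed them; any other address in
# OLD_NET is reported, never guessed.
HOST_MAP = {
    "198.66.93.65": "24.149.199.225",  # PIX-GATEWAY
    "198.66.93.66": "24.149.199.236",  # outside interface
    "198.66.93.70": "24.149.199.230",  # SLDATAEDD02
    "198.66.93.71": "24.149.199.231",  # LDHTS02
    "198.66.93.73": "24.149.199.233",  # LDDEV
    "198.66.93.78": "24.149.199.238",  # ftp.lateraldata.com
}
# Sanity check: every target must actually live in the new /27.
assert all(ipaddress.ip_address(v) in NEW_NET for v in HOST_MAP.values())

IPV4 = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")


def in_old_range(ip):
    """True for a dotted quad inside OLD_NET; False for anything else."""
    try:
        return ipaddress.ip_address(ip) in OLD_NET
    except ValueError:
        return False


def parse_names(config):
    """alias -> address, from 'name <address> <alias>' lines."""
    names = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "name":
            names[parts[2]] = parts[1]
    return names


def rewrite(line):
    """Swap every mapped old address; also return old addresses with no mapping."""
    unmapped = []

    def sub(m):
        ip = m.group(0)
        if not in_old_range(ip):
            return ip
        if ip not in HOST_MAP:
            unmapped.append(ip)
            return ip
        return HOST_MAP[ip]

    return IPV4.sub(sub, line), unmapped


def build_cutover(config):
    """Return (commands, unmapped): CLI lines in paste-in order, and any
    old-range addresses that have no HOST_MAP entry (their lines are
    left out of the commands rather than migrated half-way)."""
    names = parse_names(config)
    drop_alias, drop_name, drop_lit = [], [], []
    add_name, add_lit, reenter = [], [], []
    unmapped = set()
    for line in config.splitlines():
        line = line.rstrip()
        literal = any(in_old_range(ip) for ip in IPV4.findall(line))
        via_alias = any(in_old_range(names.get(tok, "")) for tok in line.split())
        if literal:
            new, missing = rewrite(line)
            if missing:
                unmapped.update(missing)
                continue
            if line.startswith("name "):
                drop_name.append("no " + line)
                add_name.append(new)
            else:
                if not line.startswith("ip address "):
                    drop_lit.append("no " + line)  # 'ip address' is just reissued
                add_lit.append(new)
        elif via_alias:
            drop_alias.append("no " + line)  # still matches: alias -> old address
            reenter.append(line)             # re-add once alias -> new address
    commands = drop_alias + drop_name + drop_lit + add_name + add_lit + reenter
    return commands, sorted(unmapped)


# Constructed subset of the running config posted in the thread, plus one
# constructed host (198.66.93.90 / LDTEST) that has no entry in HOST_MAP.
SAMPLE_CONFIG = """\
name 198.66.93.65 PIX-GATEWAY
name 198.66.93.78 ftp.lateraldata.com
name 172.16.1.28 ftp-inside
access-list outside_in permit tcp any host 198.66.93.70 eq smtp
access-list outside_in permit tcp any host ftp.lateraldata.com eq ftp
access-list outside_in permit tcp any interface outside eq www
ip address outside 198.66.93.66 255.255.255.224
ip address inside 172.16.1.1 255.255.255.0
static (inside,outside) 198.66.93.70 SLDATAEDD02 netmask 255.255.255.255 0 0
static (inside,outside) ftp.lateraldata.com ftp-inside netmask 255.255.255.255 0 0
static (inside,outside) 198.66.93.90 LDTEST netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 PIX-GATEWAY 1
"""

if __name__ == "__main__":
    commands, unmapped = build_cutover(SAMPLE_CONFIG)
    print("\n".join(commands))
    for ip in unmapped:
        print(f"! NOT MIGRATED: {ip} is in {OLD_NET} but has no entry in HOST_MAP")
```

The output order is the point: alias-based lines are dropped first, while the alias still resolves to the old address, then the old names and literal lines, then the new names and rewritten lines, and finally the alias-based lines are re-entered so they bind to the new address. "ip address outside" is reissued without a preceding "no" so the interface is never left without an address during the paste. Feed it the full output of SHOW CONF (or SHOW RUN) rather than the grep result, since the alias check needs the "name" lines and the lines that use them.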
Author Comment

by:moonzappa
ID: 22617487
Here is what I got:

no name 198.66.93.65 PIX-GATEWAY
no name 198.66.93.78 ftp.lateraldata.com
no access-list outside_in permit tcp any host 198.66.93.70 eq smtp
no access-list outside_in permit tcp any host 198.66.93.70 eq www
no access-list outside_in permit tcp any host 198.66.93.70 eq https
no access-list outside_in permit tcp any host 198.66.93.70 eq pop3
no access-list outside_in permit tcp any host 198.66.93.70 eq imap4
no access-list outside_in permit tcp any host 198.66.93.70 eq 587
no access-list outside_in permit tcp any host 198.66.93.71 eq 3389
no access-list outside_in permit tcp any host 198.66.93.73 eq www
no access-list outside_in permit tcp any host 198.66.93.73 eq https
no access-list outside_in permit tcp any host 198.66.93.71 eq https
no ip address outside 198.66.93.66 255.255.255.224
no static (inside,outside) 198.66.93.70 SLDATAEDD02 netmask 255.255.255.255 0 0
no static (inside,outside) 198.66.93.71 LDHTS02 netmask 255.255.255.255 0 0
no static (inside,outside) 198.66.93.73 LDDEV netmask 255.255.255.255 0 0


REPLACE WITH
name 24.149.199.225 PIX-GATEWAY
name 24.149.199.238 ftp.lateraldata.com
access-list outside_in permit tcp any host 24.149.199.230 eq smtp
access-list outside_in permit tcp any host 24.149.199.230 eq www
access-list outside_in permit tcp any host 24.149.199.230 eq https
access-list outside_in permit tcp any host 24.149.199.230 eq pop3
access-list outside_in permit tcp any host 24.149.199.230 eq imap4
access-list outside_in permit tcp any host 24.149.199.230 eq 587
access-list outside_in permit tcp any host 24.149.199.231 eq 3389
access-list outside_in permit tcp any host 24.149.199.233 eq www
access-list outside_in permit tcp any host 24.149.199.233 eq https
access-list outside_in permit tcp any host 24.149.199.231 eq https
ip address outside 24.149.199.236 255.255.255.224
static (inside,outside) 24.149.199.230 SLDATAEDD02 netmask 255.255.255.255 0 0
static (inside,outside) 24.149.199.231 LDHTS02 netmask 255.255.255.255 0 0
static (inside,outside) 24.149.199.233 LDDEV netmask 255.255.255.255 0 0

thanks

Author Comment

by:moonzappa
ID: 22626669
What about the 3005 Concentrator? Do you know all the places where I need to update the IP?