External IP migration

Posted on 2008-10-01
Last Modified: 2010-04-09
I am in the process of migrating our existing IP 198.66.93.64/27 to 24.149.199.224/27 on the Cisco PIX 515e, and I am not sure what precautions or steps to follow to make sure of the minimum downtime. Both IP sets are turned on from the ISP right now. If I use the web interface to go in there to change all the IPs/interfaces, would I have to reapply all the access rules? I am trying to keep all the external IPs as similar to before as possible; for example, the TM gateway was 198.66.93.65 and will now become 24.149.199.225, and so on.

Huy
Question by:moonzappa
Assisted Solution

by:RPPreacher
ID: 22616944
Any VPN tunnels in the config will require a restart of the crypto engine (or just reload/power cycle the PIX).
Author Comment

by:moonzappa
ID: 22617025
The VPN box is separate.. We have a concentrator 3005. We do not have any permanent VPN connections. Only VPN client so we just have to edit the VFC file to the new IP for the VPN box correct?
Assisted Solution

by:RPPreacher
ID: 22617112
Yes.
Author Comment

by:moonzappa
ID: 22617280
Is there an easier way where I can just run all the command lines so I won't forget or miss any place?
Assisted Solution

by:RPPreacher
ID: 22617310
I don't understand the question. Do you want CLI or don't you want CLI on the PIX 515e?
Author Comment

by:moonzappa
ID: 22617353
Well, I am not an expert on the CLI, so I would prefer the web interface. But if someone helps me look over the running config and gives me some tips, I can probably do the CLI. Sorry for the confusion.
PIX Version 6.3(5)

name 198.66.93.65 PIX-GATEWAY
name 172.16.5.0 Workers
name 172.16.1.0 Office
name 172.16.1.9 Cisco-VPN
name 172.16.5.3 Dell-Switch-2
name 172.16.5.2 DELL-Switch-1
name 172.16.5.1 Worker-VLAN-Gateway
name 172.16.1.3 Extreme-Switch-2
name 172.16.1.2 Extreme-Switch-1
name 129.250.35.251 y.ns.verio.net
name 129.250.35.250 x.ns.verio.net
name 212.44.132.0 bitsoft.ru
name 198.66.93.78 ftp.lateraldata.com
name 172.16.1.28 ftp-inside
name 172.16.1.34 LDLCS01
name 207.46.0.0 WindowUpdate
name 172.16.1.18 SLDATAEDD05
name 172.16.1.16 LDHTS02
name 172.16.1.12 SLDATAEDD02
name 172.16.1.25 LDDEV
name 172.16.1.20 LDDC02
object-group service Normal-Web-Traffic tcp
  port-object eq www
  port-object eq https
object-group service Normal-Web-Traffic-UDP udp
  port-object eq www
object-group network Verio.Net.DNS
  network-object x.ns.verio.net 255.255.255.255
  network-object y.ns.verio.net 255.255.255.255
object-group service FTP-Traffic tcp
  port-object eq ftp-data
  port-object eq ftp
access-list inside_access_in permit ip Office 255.255.255.0 any
access-list inside_access_in deny ip any bitsoft.ru 255.255.255.0
access-list inside_access_in remark all
access-list inside_access_in deny ip Workers 255.255.255.0 any
access-list outside_in permit tcp any host 198.66.93.70 eq smtp
access-list outside_in permit tcp any host 198.66.93.70 eq www
access-list outside_in permit tcp any host 198.66.93.70 eq https
access-list outside_in permit tcp any host 198.66.93.70 eq pop3
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit udp object-group Verio.Net.DNS eq domain any eq domain
access-list outside_in permit tcp any host ftp.lateraldata.com object-group FTP-Traffic
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any host 198.66.93.70 eq imap4
access-list outside_in permit tcp any host 198.66.93.70 eq 587
access-list outside_in permit tcp any host 198.66.93.71 eq 3389
access-list outside_in permit tcp any host 198.66.93.73 eq www
access-list outside_in permit tcp any host 198.66.93.73 eq https
access-list outside_in permit tcp any host 198.66.93.71 eq https
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside SLDATAEDD05
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 198.66.93.66 255.255.255.224
ip address inside 172.16.1.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location PIX-GATEWAY 255.255.255.255 outside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location Workers 255.255.255.0 inside
pdm location Extreme-Switch-1 255.255.255.255 inside
pdm location Extreme-Switch-2 255.255.255.255 inside
pdm location Cisco-VPN 255.255.255.255 inside
pdm location Worker-VLAN-Gateway 255.255.255.255 inside
pdm location DELL-Switch-1 255.255.255.255 inside
pdm location Dell-Switch-2 255.255.255.255 inside
pdm location SLDATAEDD05 255.255.255.255 inside
pdm location x.ns.verio.net 255.255.255.255 outside
pdm location y.ns.verio.net 255.255.255.255 outside
pdm location bitsoft.ru 255.255.255.0 outside
pdm location ftp-inside 255.255.255.255 inside
pdm location ftp.lateraldata.com 255.255.255.255 outside
pdm location LDLCS01 255.255.255.255 inside
pdm location WindowUpdate 255.255.0.0 outside
pdm location LDDC02 255.255.255.255 inside
pdm location SLDATAEDD02 255.255.255.255 inside
pdm location LDHTS02 255.255.255.255 inside
pdm location LDDEV 255.255.255.255 inside
pdm group Verio.Net.DNS outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface www LDLCS01 www netmask 255.255.255.255 0 0
static (inside,outside) ftp.lateraldata.com ftp-inside netmask 255.255.255.255 0 0
static (inside,outside) 198.66.93.70 SLDATAEDD02 netmask 255.255.255.255 0 0
static (inside,outside) 198.66.93.71 LDHTS02 netmask 255.255.255.255 0 0
static (inside,outside) 198.66.93.73 LDDEV netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 PIX-GATEWAY 1
route inside Workers 255.255.255.0 Extreme-Switch-2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
Accepted Solution

by:RPPreacher
ID: 22617381
Just do a NO xxxxxxxx for all the lines with your old range and re-add them with the new range.

To make sure you don't miss anything, you can SHOW CONF | INCL 198.66.93, which will show all the config with the old range.
Author Comment

by:moonzappa
ID: 22617487
Here is what I got:

no name 198.66.93.65 PIX-GATEWAY
no name 198.66.93.78 ftp.lateraldata.com
no access-list outside_in permit tcp any host 198.66.93.70 eq smtp
no access-list outside_in permit tcp any host 198.66.93.70 eq www
no access-list outside_in permit tcp any host 198.66.93.70 eq https
no access-list outside_in permit tcp any host 198.66.93.70 eq pop3
no access-list outside_in permit tcp any host 198.66.93.70 eq imap4
no access-list outside_in permit tcp any host 198.66.93.70 eq 587
no access-list outside_in permit tcp any host 198.66.93.71 eq 3389
no access-list outside_in permit tcp any host 198.66.93.73 eq www
no access-list outside_in permit tcp any host 198.66.93.73 eq https
no access-list outside_in permit tcp any host 198.66.93.71 eq https
no ip address outside 198.66.93.66 255.255.255.224
no static (inside,outside) 198.66.93.70 SLDATAEDD02 netmask 255.255.255.255 0 0
no static (inside,outside) 198.66.93.71 LDHTS02 netmask 255.255.255.255 0 0
no static (inside,outside) 198.66.93.73 LDDEV netmask 255.255.255.255 0 0


REPLACE WITH
name 24.149.199.225 PIX-GATEWAY
name 24.149.199.238 ftp.lateraldata.com
access-list outside_in permit tcp any host 24.149.199.230 eq smtp
access-list outside_in permit tcp any host 24.149.199.230 eq www
access-list outside_in permit tcp any host 24.149.199.230 eq https
access-list outside_in permit tcp any host 24.149.199.230 eq pop3
access-list outside_in permit tcp any host 24.149.199.230 eq imap4
access-list outside_in permit tcp any host 24.149.199.230 eq 587
access-list outside_in permit tcp any host 24.149.199.231 eq 3389
access-list outside_in permit tcp any host 24.149.199.233 eq www
access-list outside_in permit tcp any host 24.149.199.233 eq https
access-list outside_in permit tcp any host 24.149.199.231 eq https
ip address outside 24.149.199.236 255.255.255.224
static (inside,outside) 24.149.199.230 SLDATAEDD02 netmask 255.255.255.255 0 0
static (inside,outside) 24.149.199.231 LDHTS02 netmask 255.255.255.255 0 0
static (inside,outside) 24.149.199.233 LDDEV netmask 255.255.255.255 0 0

thanks
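The same substitution done mechanically, as an added example that is not from the thread: a script that takes a config excerpt (constructed here from the posted running config), finds every line that references the old /27 directly or through a `name` alias, and returns the `no` lines and their replacements. It assumes each host keeps its offset inside the block, so the outside interface comes out as .226 rather than the .236 chosen above, and it also picks up the route, access-list and static lines that reference PIX-GATEWAY or ftp.lateraldata.com, which the hand-made list leaves out.

```python
import ipaddress
import re

# Constructed excerpt of the PIX 6.3 running config posted in the thread.
OLD_CONFIG = """\
name 198.66.93.65 PIX-GATEWAY
name 198.66.93.78 ftp.lateraldata.com
access-list outside_in permit tcp any host 198.66.93.70 eq smtp
access-list outside_in permit tcp any host ftp.lateraldata.com object-group FTP-Traffic
ip address outside 198.66.93.66 255.255.255.224
static (inside,outside) 198.66.93.70 SLDATAEDD02 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 PIX-GATEWAY 1
"""
OLD_NET, NEW_NET = "198.66.93.64/27", "24.149.199.224/27"
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def renumber(config, old_net, new_net):
    """Return (remove, add): the `no ...` lines and replacement lines for every config line
    that references old_net. Assumption: each host keeps its offset in the block (.70 -> .230)."""
    old, new = ipaddress.ip_network(old_net), ipaddress.ip_network(new_net)
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new ranges must be the same size")

    def in_old(ip):
        return ipaddress.ip_address(ip) in old

    def translate(ip):
        return str(new.network_address + (int(ipaddress.ip_address(ip)) - int(old.network_address)))

    # Aliases defined by `name <ip> <alias>` for addresses in the old range. PIX 6.3
    # substitutes the alias when a line is entered, so lines that use only the alias
    # still hold the old address and are re-entered after the new `name` line.
    aliases = []
    for line in config.splitlines():
        m = re.match(r"name (\S+) (\S+)$", line)
        if m and in_old(m.group(1)):
            aliases.append(m.group(2))

    remove, add = [], []
    for line in config.splitlines():
        hits = [ip for ip in IPV4.findall(line) if in_old(ip)]
        uses_alias = any(re.search(rf"(?<!\S){re.escape(a)}(?!\S)", line) for a in aliases)
        if not hits and not uses_alias:
            continue
        # `ip address` is overwritten by re-entering it; a `no` first drops the interface.
        if not line.startswith("ip address "):
            remove.append("no " + line)
        add.append(IPV4.sub(lambda m: translate(m.group(1)) if in_old(m.group(1)) else m.group(1), line))
    return remove, add
```

Run it against the full output of SHOW CONF | INCL 198.66.93 plus the alias-referencing lines and review the two lists before pasting them in; the pdm location lines will show up as well.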

Author Comment

by:moonzappa
ID: 22626669
What about the 3005 Concentrator? Do you know all the places where I need to update the IP?