External IP migration

I am in the process of migrating our existing IP range 198.66.93.64/27 to 24.149.199.225/27 on the Cisco PIX 515e, and I am not sure what precautions or steps to follow to ensure the minimum downtime. Both IP sets are turned on from the ISP right now. If I use the web interface to go in there and change all the IPs/interfaces, would I have to reapply all the access rules? I am trying to keep all the external IPs as similar to before as possible; for example, the TM gateway was 198.66.93.65 and will now become 24.149.199.225, and so on.

Huy
 
RPPreacherCommented:
Any VPN tunnels in the config will require a restart of the crypto engine (or just reload/power cycle the PIX).
 
moonzappaAuthor Commented:
The VPN box is separate.. We have a concentrator 3005. We do not have any permanent VPN connections. Only VPN client so we just have to edit the VFC file to the new IP for the VPN box correct?
 
RPPreacherCommented:
Yes.
 
moonzappaAuthor Commented:
Is there an easier way where I can just run all the command lines so I won't forget or miss any place?
 
RPPreacherCommented:
I don't understand the question. Do you want CLI or don't you want CLI on the PIX 515e?
 
moonzappaAuthor Commented:
Well, I am not an expert on CLI, so I would prefer the web interface. But if someone helps me look over the running config and gives me some tips, I can probably do the CLI. Sorry for the confusion.
PIX Version 6.3(5)

name 198.66.93.65 PIX-GATEWAY
name 172.16.5.0 Workers
name 172.16.1.0 Office
name 172.16.1.9 Cisco-VPN
name 172.16.5.3 Dell-Switch-2
name 172.16.5.2 DELL-Switch-1
name 172.16.5.1 Worker-VLAN-Gateway
name 172.16.1.3 Extreme-Switch-2
name 172.16.1.2 Extreme-Switch-1
name 129.250.35.251 y.ns.verio.net
name 129.250.35.250 x.ns.verio.net
name 212.44.132.0 bitsoft.ru
name 198.66.93.78 ftp.lateraldata.com
name 172.16.1.28 ftp-inside
name 172.16.1.34 LDLCS01
name 207.46.0.0 WindowUpdate
name 172.16.1.18 SLDATAEDD05
name 172.16.1.16 LDHTS02
name 172.16.1.12 SLDATAEDD02
name 172.16.1.25 LDDEV
name 172.16.1.20 LDDC02
object-group service Normal-Web-Traffic tcp
  port-object eq www
  port-object eq https
object-group service Normal-Web-Traffic-UDP udp
  port-object eq www
object-group network Verio.Net.DNS
  network-object x.ns.verio.net 255.255.255.255
  network-object y.ns.verio.net 255.255.255.255
object-group service FTP-Traffic tcp
  port-object eq ftp-data
  port-object eq ftp
access-list inside_access_in permit ip Office 255.255.255.0 any
access-list inside_access_in deny ip any bitsoft.ru 255.255.255.0
access-list inside_access_in remark all
access-list inside_access_in deny ip Workers 255.255.255.0 any
access-list outside_in permit tcp any host 198.66.93.70 eq smtp
access-list outside_in permit tcp any host 198.66.93.70 eq www
access-list outside_in permit tcp any host 198.66.93.70 eq https
access-list outside_in permit tcp any host 198.66.93.70 eq pop3
access-list outside_in permit icmp any any echo-reply
access-list outside_in permit udp object-group Verio.Net.DNS eq domain any eq domain
access-list outside_in permit tcp any host ftp.lateraldata.com object-group FTP-Traffic
access-list outside_in permit tcp any interface outside eq www
access-list outside_in permit tcp any host 198.66.93.70 eq imap4
access-list outside_in permit tcp any host 198.66.93.70 eq 587
access-list outside_in permit tcp any host 198.66.93.71 eq 3389
access-list outside_in permit tcp any host 198.66.93.73 eq www
access-list outside_in permit tcp any host 198.66.93.73 eq https
access-list outside_in permit tcp any host 198.66.93.71 eq https
pager lines 24
logging on
logging timestamp
logging trap warnings
logging host inside SLDATAEDD05
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip address outside 198.66.93.66 255.255.255.224
ip address inside 172.16.1.1 255.255.255.0
ip address DMZ 192.168.10.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location PIX-GATEWAY 255.255.255.255 outside
pdm location 172.16.0.0 255.255.0.0 inside
pdm location Workers 255.255.255.0 inside
pdm location Extreme-Switch-1 255.255.255.255 inside
pdm location Extreme-Switch-2 255.255.255.255 inside
pdm location Cisco-VPN 255.255.255.255 inside
pdm location Worker-VLAN-Gateway 255.255.255.255 inside
pdm location DELL-Switch-1 255.255.255.255 inside
pdm location Dell-Switch-2 255.255.255.255 inside
pdm location SLDATAEDD05 255.255.255.255 inside
pdm location x.ns.verio.net 255.255.255.255 outside
pdm location y.ns.verio.net 255.255.255.255 outside
pdm location bitsoft.ru 255.255.255.0 outside
pdm location ftp-inside 255.255.255.255 inside
pdm location ftp.lateraldata.com 255.255.255.255 outside
pdm location LDLCS01 255.255.255.255 inside
pdm location WindowUpdate 255.255.0.0 outside
pdm location LDDC02 255.255.255.255 inside
pdm location SLDATAEDD02 255.255.255.255 inside
pdm location LDHTS02 255.255.255.255 inside
pdm location LDDEV 255.255.255.255 inside
pdm group Verio.Net.DNS outside
pdm logging warnings 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.0.0 255.255.0.0 0 0
static (inside,outside) tcp interface www LDLCS01 www netmask 255.255.255.255 0 0
static (inside,outside) ftp.lateraldata.com ftp-inside netmask 255.255.255.255 0 0
static (inside,outside) 198.66.93.70 SLDATAEDD02 netmask 255.255.255.255 0 0
static (inside,outside) 198.66.93.71 LDHTS02 netmask 255.255.255.255 0 0
static (inside,outside) 198.66.93.73 LDDEV netmask 255.255.255.255 0 0
access-group outside_in in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 PIX-GATEWAY 1
route inside Workers 255.255.255.0 Extreme-Switch-2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
 
RPPreacherCommented:
Just do a NO xxxxxxxx for all the lines with your old range and re-add them with the new range.

To make sure you don't miss anything you can SHOW CONF | INCL 198.66.93 which will show all the config with the old range.
 
moonzappaAuthor Commented:
Here is what I got:

no name 198.66.93.65 PIX-GATEWAY
no name 198.66.93.78 ftp.lateraldata.com
no access-list outside_in permit tcp any host 198.66.93.70 eq smtp
no access-list outside_in permit tcp any host 198.66.93.70 eq www
no access-list outside_in permit tcp any host 198.66.93.70 eq https
no access-list outside_in permit tcp any host 198.66.93.70 eq pop3
no access-list outside_in permit tcp any host 198.66.93.70 eq imap4
no access-list outside_in permit tcp any host 198.66.93.70 eq 587
no access-list outside_in permit tcp any host 198.66.93.71 eq 3389
no access-list outside_in permit tcp any host 198.66.93.73 eq www
no access-list outside_in permit tcp any host 198.66.93.73 eq https
no access-list outside_in permit tcp any host 198.66.93.71 eq https
no ip address outside 198.66.93.66 255.255.255.224
no static (inside,outside) 198.66.93.70 SLDATAEDD02 netmask 255.255.255.255 0 0
no static (inside,outside) 198.66.93.71 LDHTS02 netmask 255.255.255.255 0 0
no static (inside,outside) 198.66.93.73 LDDEV netmask 255.255.255.255 0 0


REPLACE WITH
name 24.149.199.225 PIX-GATEWAY
name 24.149.199.238 ftp.lateraldata.com
access-list outside_in permit tcp any host 24.149.199.230 eq smtp
access-list outside_in permit tcp any host 24.149.199.230 eq www
access-list outside_in permit tcp any host 24.149.199.230 eq https
access-list outside_in permit tcp any host 24.149.199.230 eq pop3
access-list outside_in permit tcp any host 24.149.199.230 eq imap4
access-list outside_in permit tcp any host 24.149.199.230 eq 587
access-list outside_in permit tcp any host 24.149.199.231 eq 3389
access-list outside_in permit tcp any host 24.149.199.233 eq www
access-list outside_in permit tcp any host 24.149.199.233 eq https
access-list outside_in permit tcp any host 24.149.199.231 eq https
ip address outside 24.149.199.236 255.255.255.224
static (inside,outside) 24.149.199.230 SLDATAEDD02 netmask 255.255.255.255 0 0
static (inside,outside) 24.149.199.231 LDHTS02 netmask 255.255.255.255 0 0
static (inside,outside) 24.149.199.233 LDDEV netmask 255.255.255.255 0 0

thanks
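The "show conf | incl 198.66.93" approach above and the hand-built no/re-add list can be mechanised so that no line is missed. This is an added example, not code from the thread or from Cisco: it walks a saved PIX config excerpt, emits a `no` line and an offset-preserving replacement (198.66.93.65 becomes 24.149.199.225, .70 becomes .230) for every line that mentions the old /27, rejects mappings that land on the network or broadcast address, and audits a hand-written removal block for lines that lost their `no` prefix. The sample config lines are a constructed excerpt of the posted running config; addresses whose host offset is meant to change (as the posted outside interface address does) still have to be edited by hand.

```python
import ipaddress
import re

# Old and new /27 blocks from the question; strict=False normalises the
# new block from its gateway (.225/27) to its network address (.224/27).
OLD_NET = ipaddress.ip_network("198.66.93.64/27")
NEW_NET = ipaddress.ip_network("24.149.199.225/27", strict=False)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed excerpt of the posted running config (masks and RFC1918 hosts must be left alone).
SAMPLE_CONFIG = """\
name 198.66.93.65 PIX-GATEWAY
name 172.16.1.28 ftp-inside
access-list outside_in permit tcp any host 198.66.93.70 eq imap4
ip address outside 198.66.93.66 255.255.255.224
static (inside,outside) 198.66.93.70 SLDATAEDD02 netmask 255.255.255.255 0 0
route inside 172.16.5.0 255.255.255.0 172.16.1.3 1
"""


def translate(addr):
    """Map an address in OLD_NET to the same host offset in NEW_NET; None if outside it."""
    try:
        a = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if a not in OLD_NET:
        return None
    new = NEW_NET.network_address + (int(a) - int(OLD_NET.network_address))
    if new in (NEW_NET.network_address, NEW_NET.broadcast_address):
        raise ValueError(f"{addr} maps to {new}, which is not a usable host address")
    return str(new)


def build_migration(config_text):
    """Return (removals, additions): a 'no' line plus rewritten line for every old-range mention."""
    removals, additions = [], []
    for line in (l.strip() for l in config_text.splitlines()):
        hits = {ip: translate(ip) for ip in IPV4.findall(line)}
        hits = {ip: new for ip, new in hits.items() if new}
        if not hits:
            continue  # nothing from the old /27 on this line
        removals.append("no " + line)
        for ip, new in hits.items():  # word boundaries stop .7 matching inside .70
            line = re.sub(rf"\b{re.escape(ip)}\b", new, line)
        additions.append(line)
    return removals, additions


def missing_no(removal_block):
    """Old-range lines in a hand-written removal block that lack the 'no ' prefix."""
    return [l.strip() for l in removal_block.splitlines()
            if any(translate(ip) for ip in IPV4.findall(l)) and not l.strip().startswith("no ")]
```

Run `build_migration` over the full `show conf` output to get both halves of the change set, and `missing_no` over a pasted removal list to catch a line like the imap4 one above that was re-added instead of removed.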
 
moonzappaAuthor Commented:
What about the 3005 Concentrator. Do you know where all the places that i need to update the IP?
Question has a verified solution.