Change Static IP and Subnet Mask on ASA5505

Posted on 2010-09-07
Last Modified: 2012-05-10
Wondering if someone can help me update my ASA5505 to point to new IP and Subnet Mask?  I have attached my current running config.  My gateway (or outside) IP changed from 75.150.224.170 to 75.149.66.206.  My Interface VLAN2 changed from 75.150.224.169 to 75.149.66.201 (note, currently, I am having https, www, and smtp traffic forwarded to 75.150.224.169.  I will need to update this as well).  And my Subnet Mask changed from 255.255.255.252 to 255.255.255.248.  I am new to this type of change.  I would very much appreciate it if someone can help me with the commands I need to run.  Thanks so much....
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.150.224.169 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa(config-username)#

Question by:obautista

Accepted Solution

by:
crouthamela earned 168 total points
ID: 33617890
enable
conf t
int vlan 2
 ip address 75.149.66.201 255.255.255.248
 exit
no route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
end
copy run start

That should be it. The port forwarding uses the interface names "inside" and "outside", so there is no need for a change there.
Assisted Solution

by:crouthamela
crouthamela earned 168 total points
ID: 33617909
Oops, except the ACLs will need the change of IP...

no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp

Assisted Solution

by:mpickreign
mpickreign earned 249 total points
ID: 33617916
ciscoasa(config)# int vlan2
ciscoasa(config-int)#ip address 75.149.66.201  255.255.255.248
ciscoasa(config-int)#exit
ciscoasa(config)# no route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 75.149.66.206
ciscoasa(config)# no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
ciscoasa(config)# no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
ciscoasa(config)# no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
ciscoasa(config)# no access-list outside-access-in extended deny ip any any log
ciscoasa(config)# access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
ciscoasa(config)# access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
ciscoasa(config)# access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
ciscoasa(config)# access-list outside-access-in extended deny ip any any log
ciscoasa(config)#  access-group outside-access-in in interface outside
ciscoasa(config)#  wr mem



That should do it!
Assisted Solution

by:Jan Springer
Jan Springer earned 83 total points
ID: 33617951
config t

interface Vlan2
 ip address 75.149.66.201 255.255.255.248

no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
no access-list outside-access-in extended deny ip any any log

access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended deny ip any any log

no route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1

end

wr mem

Author Comment

by:obautista
ID: 33623579
Thank you all. I ran the commands and something is broken. Below is my new running config. Note that this line was in my previous working config and is now not in my current config:
access-group outside-access-in in interface outside

Also, the 3 static (inside,outside) tcp interface lines (lines 65-67) are still referencing the old subnet mask of 255.255.255.255. I think they should be referencing the new subnet mask of 255.255.255.248. Not sure what else may need to change to get my connection back up. I appreciate the assistance.

ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside

route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa#

Assisted Solution

by:mpickreign
mpickreign earned 249 total points
ID: 33625937
The access-group outside-access-in in interface outside line definitely needs to be added in, this is the line that binds your access-list statements to an actual interface and in effect turns them on.

The mask on the static lines is correct as 255.255.255.255; this basically tells the static "match this address and only this address".

If you add the access-group lines in, and it is still not working, I would save the config and reboot the ASA.

Author Comment

by:obautista
ID: 33626000
Thanks. Can you help by telling me the actual command I need to run that will add access-group outside-access-in in? Also, curious why the static lines with subnet mask of 255.255.255.255 are correct - shouldn't these lines reference my new subnet mask? Thanks again.
Assisted Solution

by:mpickreign
mpickreign earned 249 total points
ID: 33626587
enable
conf t
access-group outside-access-in in interface outside
exit
wr mem


Those commands should take care of adding the access-group line.

The first and foremost thing you need to understand is that the subnet mask on your outside interface and the one on your static commands are not related in any way. Subnetting can get complicated quickly, but the basic (simplistic) explanation is that a subnet mask tells a device how much of an IP network is local to it. In the static statement we are doing a one-to-one translation, so we use the 255.255.255.255 mask to tell it that nothing else is to be considered other than the IP given. On your outside interface we use the 255.255.255.248 mask because on that network we want it to see the addresses .201 through .206 as local, and anything outside that as remote. Local meaning if it is to be found it will be on the same switch; remote meaning it will have to go out through the default gateway (router) to find it.

Hope this helps!
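Editor's worked example, not code from this thread or from Cisco. It pulls together the three answers' readdressing commands, the author's discovery that "access-group outside-access-in in interface outside" had vanished after the ACEs were removed and re-added, and mpickreign's point about the /29 on the interface versus the /32 on the statics. OLD_CONFIG is a constructed excerpt of the running config posted in the question (the interface, ACL, access-group, route and management lines only). naive_cmds() reproduces the posted order (remove every old ACE, then add the new ones); plan_readdress() performs the same change but lifts the catch-all deny, appends the new permits, re-appends the deny and only then retires the old permits, so the ACL never has zero ACEs and the interface binding survives. apply_plan() is a text replay that models what the author's second config shows (binding gone once the ACL is empty), and check_config() is my own pre-"write memory" lint: gateway inside the new interface subnet, every access-list bound to an interface, and management (http/ssh) reachable from 0.0.0.0 on outside, which the posted config has and which exposes ASDM and SSH to the whole Internet. None of these helpers is an ASA feature.

```python
"""Plan and sanity-check the ASA 8.2(1) readdressing worked through in this thread.
Added example: OLD_CONFIG is a constructed excerpt of the question's running config;
the helpers below are the editor's, not ASA commands."""
import ipaddress

ACL = "outside-access-in"

OLD_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 75.150.224.169 255.255.255.252
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
access-list outside-access-in extended deny ip any any log
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""


def usable_addresses(ip, mask):
    """Addresses a mask treats as local: the /29 covers six hosts, the /32 exactly one."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    addrs = [str(a) for a in net]
    return addrs if net.prefixlen >= 31 else addrs[1:-1]   # drop network and broadcast

def _aces(config):
    return [l for l in config.splitlines() if l.startswith(f"access-list {ACL} ")]

def naive_cmds(old_ip, new_ip, new_mask, old_gw, new_gw):
    """The order posted in the thread: remove every old ACE, then add the new ones."""
    old = _aces(OLD_CONFIG)
    return (["interface Vlan2", f" ip address {new_ip} {new_mask}"]
            + [f"no {a}" for a in old]
            + [a.replace(f"host {old_ip}", f"host {new_ip}") for a in old]
            + [f"no route outside 0.0.0.0 0.0.0.0 {old_gw} 1",
               f"route outside 0.0.0.0 0.0.0.0 {new_gw} 1"])

def plan_readdress(config, old_ip, new_ip, new_mask, old_gw, new_gw):
    """Same change, ordered so the ACL never has zero ACEs and keeps its access-group."""
    denies = [a for a in _aces(config) if " deny " in a]
    permits = [a for a in _aces(config) if " permit " in a]
    cmds = ["interface Vlan2", f" ip address {new_ip} {new_mask}"]
    cmds += [f"no {d}" for d in denies]                                       # lift catch-all deny
    cmds += [p.replace(f"host {old_ip}", f"host {new_ip}") for p in permits]  # append new permits
    cmds += denies                                                            # deny goes back last
    cmds += [f"no {p}" for p in permits]                                      # retire old permits
    cmds += [f"no route outside 0.0.0.0 0.0.0.0 {old_gw} 1",
             f"route outside 0.0.0.0 0.0.0.0 {new_gw} 1"]
    return cmds

def apply_plan(config, cmds):
    """Replay cmds against the config text; returns (new_config, ACE count after each cmd).
    Models what the author's second config shows: an ACL left with no ACEs loses its binding."""
    lines, counts = config.splitlines(), []
    for c in cmds:
        if c.startswith("no "):
            lines.remove(c[3:])
        elif c.startswith(" ip address "):
            lines[lines.index("interface Vlan2") + 2] = c   # excerpt layout: nameif, then ip address
        elif not c.startswith("interface "):
            lines.append(c)
        n = sum(1 for l in lines if l.startswith(f"access-list {ACL} "))
        if n == 0:
            lines = [l for l in lines if not l.startswith(f"access-group {ACL} ")]
        counts.append(n)
    return "\n".join(lines) + "\n", counts

def check_config(config):
    """Findings to clear before 'write memory'; an empty list means nothing flagged."""
    findings, lines, nameif, outside = [], config.splitlines(), None, None
    for l in lines:
        if l.startswith(" nameif "):
            nameif = l.split()[1]
        elif l.startswith(" ip address ") and nameif == "outside":
            outside = ipaddress.ip_interface("/".join(l.split()[2:4]))
    for l in lines:
        if l.startswith("route outside 0.0.0.0 0.0.0.0 "):
            gw = ipaddress.ip_address(l.split()[4])
            if gw not in outside.network:
                findings.append(f"default gateway {gw} is not inside {outside.network}")
    unbound = ({l.split()[1] for l in lines if l.startswith("access-list ")}
               - {l.split()[1] for l in lines if l.startswith("access-group ")})
    findings += [f"access-list {a} is not applied to any interface" for a in sorted(unbound)]
    for l in lines:
        if l.split()[:3] in (["http", "0.0.0.0", "0.0.0.0"], ["ssh", "0.0.0.0", "0.0.0.0"]) \
                and l.endswith(" outside"):
            findings.append(f"management reachable from any Internet address: {l}")
    return findings

if __name__ == "__main__":
    args = ("75.150.224.169", "75.149.66.201", "255.255.255.248", "75.150.224.170", "75.149.66.206")
    for label, cmds in (("naive", naive_cmds(*args)), ("safe", plan_readdress(OLD_CONFIG, *args))):
        cfg, counts = apply_plan(OLD_CONFIG, cmds)
        print(label, "ACE count after each command:", counts, "findings:", check_config(cfg))
    print("/29 usable:", usable_addresses("75.149.66.201", "255.255.255.248"))
    print("/32 usable:", usable_addresses("192.168.1.3", "255.255.255.255"))
```

Running it shows the naive replay dipping to zero ACEs and check_config() reporting the ACL unbound, while the safe order never drops below three ACEs and the binding survives; both end with the same two management findings, which are worth fixing on their own regardless of the readdressing.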

Author Closing Comment

by:obautista
ID: 33636567
Thanks so much for the help.