Solved

Change Static IP and Subnet Mask on ASA5505

Posted on 2010-09-07
1,153 Views
Last Modified: 2012-05-10
Wondering if someone can help me update my ASA5505 to point to new IP and Subnet Mask?  I have attached my current running config.  My gateway (or outside) IP changed from 75.150.224.170 to 75.149.66.206.  My Interface VLAN2 changed from 75.150.224.169 to 75.149.66.201 (note, currently, I am having https, www, and smtp traffic forwarded to 75.150.224.169.  I will need to update this as well).  And my Subnet Mask changed from 255.255.255.252 to 255.255.255.248.  I am new to this type of change.  I would very much appreciate it if someone can help me with the commands I need to run.  Thanks so much....
: Saved
:
ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.150.224.169 255.255.255.252
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside
access-group outside-access-in in interface outside
route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa(config-username)#

Question by:obautista
9 Comments
 
LVL 11

Accepted Solution

by:
crouthamela earned 168 total points
ID: 33617890
enable
conf t
int vlan 2
 ip address 75.149.66.201 255.255.255.248
 exit
no route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
end
copy run start

That should be it. The port forwarding uses the interface names "inside" and "outside", so there is no need for a change there.
0
 
LVL 11

Assisted Solution

by:crouthamela
crouthamela earned 168 total points
ID: 33617909
Oops, except the ACLs will need the change of IP...

no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp

0
 
LVL 4

Assisted Solution

by:mpickreign
mpickreign earned 249 total points
ID: 33617916
ciscoasa(config)# int vlan2
ciscoasa(config-int)#ip address 75.149.66.201  255.255.255.248
ciscoasa(config-int)#exit
ciscoasa(config)# no route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 75.149.66.206
ciscoasa(config)# no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
ciscoasa(config)# no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
ciscoasa(config)# no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
ciscoasa(config)# no access-list outside-access-in extended deny ip any any log
ciscoasa(config)# access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
ciscoasa(config)# access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
ciscoasa(config)# access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
ciscoasa(config)# access-list outside-access-in extended deny ip any any log
ciscoasa(config)#  access-group outside-access-in in interface outside
ciscoasa(config)#  wr mem



That should do it!
0
 
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 83 total points
ID: 33617951
config t

interface Vlan2
 ip address 75.149.66.201 255.255.255.248

no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq https
no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq www
no access-list outside-access-in extended permit tcp any host 75.150.224.169 eq smtp
no access-list outside-access-in extended deny ip any any log

access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended deny ip any any log

no route outside 0.0.0.0 0.0.0.0 75.150.224.170 1
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1

end

wr mem
0
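The three answers above agree on the end state but differ in the order of operations, and the order matters on an ASA. As an added example (not code from any of the answers, and not from the original poster), here is a Python script that emits the same change set in the order a practitioner would want: the new permits inserted ahead of the trailing `deny ip any any log` with the `line N` keyword (the ASA appends otherwise), the old permits removed only after that so the ACL is never empty, then the interface address, the default route, and finally the `access-group` binding re-asserted. It also refuses addressing that cannot work (gateway outside the new /29, gateway equal to the interface address, network or broadcast address used as a host). The interface name Vlan2, the ACL name outside-access-in and the three ports are taken from the posted config; that emptying an ACL removes it together with its access-group binding is ASA behaviour I am asserting here, not something the thread states.

```python
"""Build an ordered ASA 8.2 change set for re-addressing the outside interface.

Added example for the change discussed in this thread; it is not code from the
thread's participants.  Assumptions: the outside interface is Vlan2, the inbound
ACL is named outside-access-in and ends with an explicit deny, and the forwarded
services use the interface address ("static ... interface ..."), so the static
lines need no change.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class OutsideAddressing:
    """Interface address, dotted mask and next hop for the default route."""
    address: str
    mask: str
    gateway: str

    def interface(self) -> ipaddress.IPv4Interface:
        return ipaddress.ip_interface(f"{self.address}/{self.mask}")


def validate(new: OutsideAddressing) -> ipaddress.IPv4Network:
    """Refuse addressing that cannot work before any command is generated."""
    iface = new.interface()
    net = iface.network
    gw = ipaddress.ip_address(new.gateway)
    if gw not in net:
        raise ValueError(f"gateway {gw} is not inside {net}")
    if gw == iface.ip:
        raise ValueError("gateway and interface address must differ")
    for label, addr in (("interface", iface.ip), ("gateway", gw)):
        if addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{label} {addr} is the network or broadcast address of {net}")
    return net


def plan_change(old: OutsideAddressing, new: OutsideAddressing,
                acl: str = "outside-access-in", vlan: str = "Vlan2",
                nameif: str = "outside", ports=("https", "www", "smtp")) -> list:
    """Return the CLI lines in an order that never leaves the ACL empty."""
    validate(new)
    cmds = ["configure terminal"]
    # 1. Insert the new permits ahead of the trailing deny.  Without "line N" the
    #    ASA appends, which would place them after "deny ip any any log".
    for n, port in enumerate(ports, start=1):
        cmds.append(f"access-list {acl} line {n} extended permit tcp any host {new.address} eq {port}")
    # 2. Only now remove the old permits.  Deleting every ACE before adding the new
    #    ones empties the ACL; the ASA then drops the ACL together with its
    #    access-group binding (assumed ASA behaviour, not stated in the thread).
    for port in ports:
        cmds.append(f"no access-list {acl} extended permit tcp any host {old.address} eq {port}")
    # 3. Re-address the interface; "ip address" replaces the old one in place.
    cmds += [f"interface {vlan}", f" ip address {new.address} {new.mask}", " exit"]
    # 4. Swap the default route.  Run all of this from the console or the inside,
    #    because the outside address you may be connected to changes in step 3.
    cmds.append(f"no route {nameif} 0.0.0.0 0.0.0.0 {old.gateway} 1")
    cmds.append(f"route {nameif} 0.0.0.0 0.0.0.0 {new.gateway} 1")
    # 5. Re-assert the binding; a no-op if it is still present.
    cmds.append(f"access-group {acl} in interface {nameif}")
    cmds += ["end", "write memory"]
    return cmds


# Addresses exactly as given in the question.
OLD = OutsideAddressing("75.150.224.169", "255.255.255.252", "75.150.224.170")
NEW = OutsideAddressing("75.149.66.201", "255.255.255.248", "75.149.66.206")


def plan_for_thread() -> list:
    """The change set for the addresses given in the question."""
    return plan_change(OLD, NEW)


if __name__ == "__main__":
    print("\n".join(plan_for_thread()))
```

After pasting the output, `show running-config access-group` and `show access-list outside-access-in` confirm that the binding survived and that the three new permits sit above the deny with their hit counters incrementing once the forwarded services are tested from outside.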
 

Author Comment

by:obautista
ID: 33623579
Thank you all. I ran the commands and something is broken. Below is my new running config. Note, this line was in my previous working config and is now missing from my current config:
access-group outside-access-in in interface outside

Also, the 3 static (inside,outside) tcp interface lines (lines 65-67) are still referencing the old subnet mask of 255.255.255.255. I think they should be referencing the new subnet mask of 255.255.255.248. Not sure what else may need to change to get my connection back up. I appreciate the assistance.

ASA Version 8.2(1)
!
hostname ciscoasa
domain-name default.domain.invalid
enable password ** encrypted
passwd ** encrypted
names
name 192.168.1.6 HTTP_ACCESS
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa821.bin
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid
object-group service HTTP tcp
 port-object eq www
access-list cisco_splitTunnelAcl standard permit 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
access-list HTTP_access extended permit tcp any interface outside eq https inactive
pager lines 24
logging enable
logging monitor debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool RemoteClientPool 10.10.10.100-10.10.10.110 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm623.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface www HTTP_ACCESS www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255
access-group INSIDE in interface inside

route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable 448
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec transform-set **
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set **
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint localtrust
 enrollment self
 crl configure
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point localtrust outside
webvpn
 port 500
 enable inside
 enable outside
 svc image disk0:/AnyConnect-Windows.pkg 1
 svc enable
 tunnel-group-list enable
group-policy cisco internal
group-policy cisco attributes
 dns-server value 192.168.1.2
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value cisco_splitTunnelAcl
 default-domain value techblendshost
 address-pools value RemoteClientPool
username test1 password ** encrypted privilege 15
username admin password ** encrypted privilege 15
username obautista password ** encrypted privilege 15
username obautista attributes
 vpn-group-policy cisco
tunnel-group cisco type remote-access
tunnel-group cisco general-attributes
 address-pool RemoteClientPool
 default-group-policy cisco
tunnel-group cisco ipsec-attributes
 pre-shared-key *
!
class-map global-class
 match default-inspection-traffic
!
!
policy-map global_policy
policy-map global-policy
 class global-class
  inspect ftp
!
prompt hostname context
Cryptochecksum:**
: end
ciscoasa#

0
 
LVL 4

Assisted Solution

by:mpickreign
mpickreign earned 249 total points
ID: 33625937
The access-group outside-access-in in interface outside line definitely needs to be added back in; this is the line that binds your access-list statements to an actual interface and in effect turns them on.

The mask on the static lines is correct as 255.255.255.255; this basically tells the static "match this address and only this address".

If you add the access-group lines in, and it is still not working, I would save the config and reboot the ASA.
0
 

Author Comment

by:obautista
ID: 33626000
Thanks. Can you help by telling me the actual command I need to run that will add access-group outside-access-in in? Also, curious why the static lines with a subnet mask of 255.255.255.255 are correct - shouldn't these lines reference my new subnet mask? Thanks again.
0
 
LVL 4

Assisted Solution

by:mpickreign
mpickreign earned 249 total points
ID: 33626587
enable
conf t
access-group outside-access-in in interface outside
exit
wr mem


Those commands should take care of adding the access-group line.

The first and foremost thing you need to understand is that the subnet mask on your outside interface and the mask on your static commands are not related in any way. Subnetting can get complicated quickly, but the basic (simplistic) explanation is that a subnet mask tells a device how much of an IP network is local to it. In the static statement we are doing a one-to-one translation, so we use the 255.255.255.255 mask to tell it that nothing else is to be considered other than the IP given. On your outside interface we use the 255.255.255.248 mask because on that network we want it to see the addresses .201 through .206 as local, and anything outside that as remote. Local meaning if it is to be found it will be on the same switch, remote meaning it will have to go out through the default gateway (router) to find it.

Hope this helps!
0
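The author found the missing `access-group` line by reading the two configs side by side. As an added example (not code from the thread or its participants), the script below does that check mechanically over an ASA running config and reports the three things that would explain "something is broken" after a change like this one: an access-list that nothing references, an interface with no inbound access-group (at security-level 0 the default rule then denies every connection initiated from outside), and a default route whose next hop is not on the connected subnet of the interface it names. SAMPLE_CONFIG is a constructed excerpt of the post-change config posted above, kept to the lines the checks read; the static line is included only to show that its 255.255.255.255 netmask is deliberately not compared with the interface mask, as the explanation above says.

```python
"""Audit an ASA 8.2 running config after a re-addressing change.

Added example, not code from this thread.  It parses interfaces, access-lists,
access-group bindings and static routes and reports what the author of the
question found by eye.  SAMPLE_CONFIG is a constructed excerpt of the
post-change running config posted in the thread.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 75.149.66.201 255.255.255.248
!
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq https
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq www
access-list outside-access-in extended permit tcp any host 75.149.66.201 eq smtp
access-list outside-access-in extended deny ip any any log
access-list INSIDE extended permit ip any any
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255
access-group INSIDE in interface inside
route outside 0.0.0.0 0.0.0.0 75.149.66.206 1
"""


def parse(config: str) -> dict:
    """Collect interfaces by nameif, ACLs by name, access-group bindings and routes."""
    interfaces, acls, bindings, routes = {}, {}, {}, []
    in_iface, cur = False, {}
    for line in config.splitlines():
        if not line.startswith(" "):                   # top-level command
            in_iface, cur = line.startswith("interface "), {}
            parts = line.split()
            if not parts:
                continue
            if parts[0] == "access-list":
                acls.setdefault(parts[1], []).append(line)
            elif parts[0] == "access-group":           # access-group NAME in interface IFNAME
                bindings[parts[4]] = (parts[1], parts[2])
            elif parts[0] == "route":                  # route IFNAME NET MASK GATEWAY [metric]
                routes.append((parts[1], ipaddress.ip_address(parts[4])))
            continue
        if not in_iface:                               # sub-command of some other block
            continue
        parts = line.split()
        if parts[0] == "nameif":
            cur["nameif"] = parts[1]
        elif parts[0] == "security-level":
            cur["level"] = int(parts[1])
        elif parts[:2] == ["ip", "address"]:
            cur["addr"] = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
        if "nameif" in cur:
            interfaces[cur["nameif"]] = cur
    return {"interfaces": interfaces, "acls": acls, "bindings": bindings, "routes": routes}


def audit(config: str) -> list:
    """Return human-readable findings; an empty list means the checks passed."""
    cfg = parse(config)
    findings = []
    # An ACL may be referenced by access-group, "nat 0 access-list", a split-tunnel
    # list and so on; flag one that no line except its own definition mentions.
    others = [l for l in config.splitlines() if not l.startswith("access-list ")]
    for name in cfg["acls"]:
        pattern = re.compile(rf"(?<![\w-]){re.escape(name)}(?![\w-])")
        if not any(pattern.search(l) for l in others):
            findings.append(f"access-list {name} is defined but nothing references it")
    # With no inbound ACL the interface falls back to the security-level rule:
    # traffic toward a higher security-level is denied, so at level 0 nothing from
    # outside can reach the forwarded services.
    for nameif, info in cfg["interfaces"].items():
        if nameif not in cfg["bindings"]:
            findings.append(f"interface {nameif} (security-level {info.get('level')}) has "
                            f"no access-group; traffic toward higher security-levels is denied")
    # The next hop must sit on the connected subnet of the interface the route names.
    for ifname, gw in cfg["routes"]:
        addr = cfg["interfaces"].get(ifname, {}).get("addr")
        if addr is not None and gw not in addr.network:
            findings.append(f"route via {gw} on {ifname} is outside {addr.network}")
    # Static NAT lines carry their own netmask (255.255.255.255 = exactly one host);
    # it has nothing to do with the interface mask and is not compared here.
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the posted post-change config it reports exactly the two items the thread settled on; appending the `access-group outside-access-in in interface outside` line clears both, and swapping the next hop back to the old 75.150.224.170 makes the route check fire instead.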
 

Author Closing Comment

by:obautista
ID: 33636567
Thanks so much for the help.
0
