Solved

Pix - Change Static IP

Posted on 2011-02-23
Last Modified: 2012-05-11
Hi I am a newbie to Pix, and in fact just getting used to MS TMG 2010, which is going to replace a PIX 515E.
I am about to submit a new question to Experts Exchange about NLB on TMG2010, but since time is precious, we have decided to keep the PIX just now in the new infrastructure, though would like to remove it in the next week.

Basically, I can get to the config on the PIX, but I don't know the commands to do the following.
I have attached the current config.

We have an Exchange server 192.168.2.15 and OWA on 192.168.2.17, this is Exchange 2003, as you can see in the config it's NAT'ed to external addresses ending xxx.xxx.253.180 and xxx.xx.253.181
We are putting in a new Exchange 2010 server.
Right now its IP is 192.168.3.21, ie on a new subnet.

We want to test it works, ie accepts outside connections and routes to new Exchange, but since we need to keep current Exchange, we would like to change the NAT ending zzz.xxx.253.178, which was originally intended for Sharepoint, as I say for test purposes.

The client has 5 external IPs

So what do I need to do to change xxx.xx.253.178 192.168.2.16 to now go to xxx.xx.253.178 192.168.3.21 ?

As I say this is on a new subnet 3.x, I thought it may just be a case of changing that line but I see other lines in there and route inside only seems to go to 2.x (we recently added new vlans and subnets for the new infrastructure)

All passwords and external addresses are removed from the config attached for security.

Hope someone can help :-) I am not familiar with commands.

If this works, we intend to then point the addresses to the new machines over the next few days, ie sharepoint to 178, exchange to 180, etc.

It's a new domain as well for the new Exchange, we can change the DNS, etc to map the new domain to the external address okay.

ie companyold.com goes to 178 just now, we can change this to companynew going to 178 for the test.

Later we will remove the PIX altogether

Bruce



pix.txt
Question by: Croftkey

Expert Comment

by: meko72

Author Comment

by: Croftkey
Thanks but I just need what I hope are a few lines of config to move the NAT for 178 to the new Exchange server for testing, I am new to this and I fear messing it up

Ideally I can change those lines but have the config saved first if I need to roll back

I see other lines which I assume are ports, I wonder if I need to assign ports as well for 178 as it was not originally intended for exchange (currently sharepoint)

We do plan to add sharepoint again but for now we want to use the static 178 address for testing exchange

Expert Comment

by: Fidelius
Hello,

Can you post a sanitized config (remove passwords, and at least the first two octets of all public IPs) and I will write down the exact commands you need to enter to modify your config.

Regards!

Author Comment

by: Croftkey
Hi, thanks, I attached this in the first post.

Expert Comment

by: Fidelius
Hello,

First you need to allow access from outside:
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq https
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 993
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 587
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 82

Then you need to change static NAT rule:
no static (inside,outside) xxx.xx.253.178 192.168.2.16 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xx.253.178 192.168.3.21 netmask 255.255.255.255 0 0


As you have this route already, routing should not be the problem.
route inside 192.168.0.0 255.255.0.0 192.168.2.254 1


Regards!

Accepted Solution

by: Fidelius (earned 500 total points)
I forgot to apologize about my config request.
I overlooked that info in original post. My mistake.

Sorry!

Assisted Solution

by: Croftkey
No, that's okay, thanks for your help.
Based upon what you have sent, I would also need SMTP as it's mail, so I have added these lines.

Would I also need to run a command to commit these changes? Xlate or something like that?

access-list outside_access_in permit tcp any host xx.xx.253.178 eq https
access-list outside_access_in permit tcp any host xx.xx.253.178 eq 993
access-list outside_access_in permit tcp any host xx.xx.253.178 eq 587
access-list outside_access_in permit tcp any host xx.xx.253.178 eq 82
access-list outside_access_in permit tcp host 77.68.61.117 host xx.xx.253.178 eq smtp
access-list outside_access_in permit tcp host 77.68.61.118 host xx.xx.253.178 eq smtp
no static (inside,outside) xx.xx.253.178 192.168.2.16 netmask 255.255.255.255 0 0
static (inside,outside) xx.xx.253.178 192.168.3.21 netmask 255.255.255.255 0 0

Expert Comment

by: Fidelius
Lines for SMTP look OK.

Changes are applied as soon as you enter them. You just need to write the config to store it.
PIX# write memory

You can also issue
PIX# clear xlate
to clear all NAT translations from memory. It will disrupt all traffic for a moment, as all active NAT translations will be removed and then created again. You may need to execute it a few times in a row for it to take effect (known issue).
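An added example (not from this thread, Cisco, or Experts Exchange): a small Python helper that takes a sanitized PIX config and the change Fidelius describes, emits the access-list, static and write memory commands in order, and warns when the new inside host has no route inside covering it or when the external address already has ports open from its previous use (the old SharePoint rule would otherwise stay open toward the mail server). The config text, the 203.0.113.0/24 prefix and the function name repoint_static are constructed for this example.

```python
import ipaddress
import re

# Constructed sample modelled on the sanitized PIX config lines quoted in this
# thread; 203.0.113.0/24 is a documentation prefix standing in for the real one.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host 203.0.113.178 eq www
static (inside,outside) 203.0.113.178 192.168.2.16 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.180 192.168.2.15 netmask 255.255.255.255 0 0
route inside 192.168.0.0 255.255.0.0 192.168.2.254 1
"""
STATIC_RE = re.compile(r"^static \(inside,outside\) (\S+) (\S+) netmask")
ROUTE_RE = re.compile(r"^route inside (\S+) (\S+) \S+")
ACL_RE = re.compile(r"^access-list outside_access_in permit tcp \S+ host (\S+) eq (\S+)")


def repoint_static(config, public_ip, new_inside, ports):
    """Build the PIX commands that move the static NAT for public_ip to
    new_inside and open only `ports` from outside; return (commands, warnings)."""
    old_inside, routed, already_open = None, False, set()
    for line in config.splitlines():
        if (m := STATIC_RE.match(line)) and m.group(1) == public_ip:
            old_inside = m.group(2)          # the inside host currently mapped
        elif (m := ROUTE_RE.match(line)):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            routed = routed or ipaddress.ip_address(new_inside) in net
        elif (m := ACL_RE.match(line)) and m.group(1) == public_ip:
            already_open.add(m.group(2))     # ports the outside ACL already permits
    warnings = []
    if old_inside is None:
        warnings.append(f"no existing static for {public_ip}")
    if not routed:
        warnings.append(f"no 'route inside' covers {new_inside}; add one first")
    stale = sorted(already_open - set(ports))
    if stale:  # e.g. the old SharePoint port would now reach the mail server
        warnings.append(f"ports already open to {public_ip} but not requested: {', '.join(stale)}")
    commands = [f"access-list outside_access_in permit tcp any host {public_ip} eq {p}"
                for p in ports if p not in already_open]
    if old_inside:
        commands.append(f"no static (inside,outside) {public_ip} {old_inside} netmask 255.255.255.255 0 0")
    commands.append(f"static (inside,outside) {public_ip} {new_inside} netmask 255.255.255.255 0 0")
    commands.append("write memory")  # the PIX applies lines as typed; this only saves them
    return commands, warnings


if __name__ == "__main__":
    cmds, warns = repoint_static(SAMPLE_CONFIG, "203.0.113.178", "192.168.3.21", ["https", "993", "587"])
    print("\n".join(cmds))
    for w in warns:
        print("WARNING:", w)
```

Review the printed warnings before pasting the commands in; the tool does not talk to the firewall.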

Author Comment

by: Croftkey
Hi, it seems to have worked, many thanks.
If I accept that as the solution will it assign points to you, Fidelius?
I have had Experts Exchange for a year or so, but only recently started to use it; I need to close a few tickets.

Thanks again

Author Comment

by: Croftkey
Closing off as solved

Author Closing Comment

by: Croftkey
Resolved issue as required