• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 511
  • Last Modified:

Pix - Change Static IP

Hi I am a newbie to Pix, and in fact just getting used to MS TMG 2010, which is going to replace a PIX 515E.
I am about to submit a new question to Experts Exchange about NLB on TMG2010, but since time is precious, we have decided to keep the PIX just now in the new infrastructure, though would like to remove it in the next week.

Basically, I can get to the config on the PIX, but I dont know the commands to do the following.
I have attached the current config.

We have an exchange server and OWA on, this is Exchange 2003, as you can see in the config its NAT'ed to external addresses ending xxx.xxx.253.180 and xxx.xx.253.181
We are putting in a new Exchange 2010 server.
Right now its ip is, ie on a new subnet.

We want to test it works, ie accepts outside connections and routes to new Exchange, but since we need to keep current Exchange, we would like to change the NAT ending zzz.xxx.253.178, which was originally intended for Sharepoint, as I say for test purposes.

The client has 5 exernal IP's

So what do I need to do to change xxx.xx.253.178 to now go to xxx.xx.253.178 ?

As I say this is on a new subnet 3.x, I thought it may just be a case of changing that line but I see other lines in there and route inside only seems to go to 2.x (we recently added new vlans and subnets for the new infrastructure)

All passwords and external addresses are removed from the config attached for security.

Hope someone can help :-) I am not familiar with commands.

If this works, we intend to then point the addresses to the new machines over the next few days, ie sharepoint to 178, exchange to 180, etc.

Its a new domain as well for the new excahnge, we can change the DNS, etc to map the new domain to the external address okay.

ie companyold.com goes to 178 just now, we can change this to companynew going to 178 for the test.

Later we will remove the PIX all together


  • 6
  • 4
2 Solutions
CroftkeyAuthor Commented:
Thanks but I just need what I hope are a few lines of config to move the nat for 178 to the new exchange server for testing, i am new to this and I fear messing it up

Ideally I can change those lines but have the config saved first if I need to roll back

I see other lines which I assume are ports, I wonder if I need to assign ports as well for 178 as it was not originally intended for exchange (currently sharepoint)

We do plan to add sharepoint again but for now we want to use the static 178 address for testing exchange

Can you post sanitized config (remove passwords, and at least first two octets of all public IP's) and I will write you down exact commands you need to enter to modify your config.

Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

CroftkeyAuthor Commented:
Hi thanks I attached this in first post

First you need to allow access from outside:
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq https
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 993
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 587
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 82

Then you need to change static NAT rule:
no static (inside,outside) xxx.xx.253.178 netmask 0 0
static (inside,outside) xxx.xx.253.178 netmask 0 0

As you have this route already, routing should not be the problem.
route inside 1

I forgot to apologize about my config request.
I overlooked that info in original post. My mistake.

CroftkeyAuthor Commented:
No thats okay, thanks for your help
Based upon what you have sent, I would also need smtp as its mail so I have added these lines

Would I also need to run a command to commit these changes? Xlate or something like that?

access-list outside_access_in permit tcp any host xx.xx.178 eq https
access-list outside_access_in permit tcp any host xx.xx.253.178 eq 993
access-list outside_access_in permit tcp any host xx.xx.253.178 eq 587
access-list outside_access_in permit tcp any host xx.xx.253.178 eq 82
access-list outside_access_in permit tcp host host xx.xx.253.178 eq smtp
access-list outside_access_in permit tcp host host xx.xx.253.178 eq smtp
no static (inside,outside) xx.xx.253.178 netmask 0 0
static (inside,outside) xx.xx.253.178 netmask 0 0
Lines for SMTP look OK.

Changes are applied as soon as you enter them. You just need to write config, to store it.
PIX# write memory

You can also issue
PIX# clear xlate
to clear all NAT translations from memory. It will disrupt all traffic for a moment, as all active NAT translations will be removed and then created again. Maybe, you will need to execute it few times in a row, for it to take effect (known issue).

CroftkeyAuthor Commented:
Hi seems to have worked, many thanks.
If I accept that as solution will it assign points to you Fidelius?
I have had experts exchange for a year or so, but only recently started to use, I need to close a few tickets.

Thanks again
CroftkeyAuthor Commented:
Closing off as solved
CroftkeyAuthor Commented:
Resolved issue as required
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

  • 6
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now