Croftkey

asked on

Pix - Change Static IP

Hi I am a newbie to Pix, and in fact just getting used to MS TMG 2010, which is going to replace a PIX 515E.
I am about to submit a new question to Experts Exchange about NLB on TMG2010, but since time is precious, we have decided to keep the PIX just now in the new infrastructure, though would like to remove it in the next week.

Basically, I can get to the config on the PIX, but I don't know the commands to do the following.
I have attached the current config.

We have an Exchange server 192.168.2.15 and OWA on 192.168.2.17. This is Exchange 2003; as you can see in the config, it's NAT'ed to external addresses ending xxx.xxx.253.180 and xxx.xx.253.181.
We are putting in a new Exchange 2010 server.
Right now its IP is 192.168.3.21, i.e. on a new subnet.

We want to test it works, ie accepts outside connections and routes to new Exchange, but since we need to keep current Exchange, we would like to change the NAT ending zzz.xxx.253.178, which was originally intended for Sharepoint, as I say for test purposes.

The client has 5 external IPs.

So what do I need to do to change xxx.xx.253.178 192.168.2.16 to now go to xxx.xx.253.178 192.168.3.21 ?

As I say this is on a new subnet 3.x, I thought it may just be a case of changing that line but I see other lines in there and route inside only seems to go to 2.x (we recently added new vlans and subnets for the new infrastructure)

All passwords and external addresses are removed from the config attached for security.

Hope someone can help :-) I am not familiar with commands.

If this works, we intend to then point the addresses to the new machines over the next few days, ie sharepoint to 178, exchange to 180, etc.

It's a new domain as well for the new Exchange; we can change the DNS, etc. to map the new domain to the external address okay.

ie companyold.com goes to 178 just now, we can change this to companynew going to 178 for the test.

Later we will remove the PIX altogether.

Bruce



pix.txt
meko72

Croftkey

ASKER

Thanks, but I just need what I hope are a few lines of config to move the NAT for 178 to the new Exchange server for testing. I am new to this and I fear messing it up.

Ideally I can change those lines but have the config saved first if I need to roll back

I see other lines which I assume are ports, I wonder if I need to assign ports as well for 178 as it was not originally intended for exchange (currently sharepoint)

We do plan to add SharePoint again, but for now we want to use the static 178 address for testing Exchange.

Hello,

Can you post a sanitized config (remove passwords, and at least the first two octets of all public IPs) and I will write down the exact commands you need to enter to modify your config.

Regards!

Hi, thanks, I attached this in the first post.

Hello,

First you need to allow access from outside:
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq https
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 993
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 587
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 82

Then you need to change static NAT rule:
no static (inside,outside) xxx.xx.253.178 192.168.2.16 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xx.253.178 192.168.3.21 netmask 255.255.255.255 0 0


As you have this route already, routing should not be the problem.
route inside 192.168.0.0 255.255.0.0 192.168.2.254 1


Regards!
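
Added example (not part of the thread, and not code from any poster): on this PIX syntax the outside ACL permits name the public address, so they follow a static to whichever inside host it points at. The Python script below parses the two line forms used in the answer above and lists the ports each inside host is exposed on; the sample config is constructed, and the `www` permit (standing in for a leftover rule from the earlier SharePoint use) and the .179 entry are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the thread's syntax; addresses masked as in the thread.
SAMPLE_CONFIG = """\
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq www
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq https
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 993
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 587
access-list outside_access_in permit tcp any host xxx.xx.253.178 eq 82
access-list outside_access_in permit tcp any host xxx.xx.253.180 eq smtp
access-list outside_access_in permit tcp any host xxx.xx.253.179 eq https
static (inside,outside) xxx.xx.253.178 192.168.3.21 netmask 255.255.255.255 0 0
static (inside,outside) xxx.xx.253.180 192.168.2.15 netmask 255.255.255.255 0 0
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255")
ACL_RE = re.compile(r"^access-list (\S+) permit (tcp|udp) any host (\S+) eq (\S+)")

def exposure(config, acl="outside_access_in"):
    """Return ({inside host: [proto/port, ...]}, [public IPs permitted but not NAT'ed])."""
    statics, permits = {}, defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        if m := STATIC_RE.match(line):
            statics[m.group(3)] = m.group(4)          # public (global) -> inside (local)
        elif (m := ACL_RE.match(line)) and m.group(1) == acl:
            permits[m.group(3)].append(f"{m.group(2)}/{m.group(4)}")
    exposed = {local: sorted(permits.get(glob, [])) for glob, local in statics.items()}
    orphans = sorted(set(permits) - set(statics))     # permits with no static behind them
    return exposed, orphans

def unexpected(exposed, host, wanted):
    """Ports open to `host` from outside that are not in the intended set."""
    return sorted(set(exposed.get(host, [])) - set(wanted))

if __name__ == "__main__":
    exposed, orphans = exposure(SAMPLE_CONFIG)
    for host, ports in exposed.items():
        print(host, ports)
    print("permits without a static:", orphans)
    intended = ["tcp/https", "tcp/993", "tcp/587", "tcp/82"]  # the four ports from the answer
    print("review before go-live:", unexpected(exposed, "192.168.3.21", intended))
```

Run it against the output of the saved config before and after repointing a static; any port it reports as unexpected is a permit written for the old host that now reaches the new one.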

ASKER CERTIFIED SOLUTION
Fidelius

This solution is only available to members.

Lines for SMTP look OK.

Changes are applied as soon as you enter them. You just need to write the config to store it.
PIX# write memory

You can also issue
PIX# clear xlate
to clear all NAT translations from memory. It will disrupt all traffic for a moment, as all active NAT translations will be removed and then created again. You may need to execute it a few times in a row for it to take effect (known issue).

Hi, seems to have worked, many thanks.
If I accept that as the solution, will it assign points to you, Fidelius?
I have had Experts Exchange for a year or so, but only recently started to use it; I need to close a few tickets.

Thanks again
Closing off as solved
Resolved issue as required