Changing ISP and need to change settings in Cisco PIX 501

Hello experts,
The powers that be decided that it would be a good idea to change ISPs, so that will change our public IP addresses. I need to know what changes to make to the PIX to facilitate that change. I currently see 4 IP addresses that are set up in the config now: route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.97 1, XXX.XXX.XXX.98 for the PIX, and .99 and .100 for two servers.
I have attached a sanitized copy of the working config. I am a Cisco novice and have only worked with the PDM in the past, so please consider how I can make the commands through the PDM interface. Thanks!
Also, the new ISP has asked if we want them to perform NAT on their router. I figured no, but thought I would clarify that.

042011clean.txt
Asked by baggio8
Ernie Beek (Expert) commented:
The following lines need to be changed:

access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq https
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX object-group Service-service-group log
access-list outside_access_in permit icmp any host XXX.XXX.XXX.XXX echo-reply log
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq 3389
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq 4125
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq 444
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq www
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq smtp
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq pop3
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq imap4
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq 993

ip address outside XXX.XXX.XXX.XXX 255.255.255.248

static (inside,outside) XXX.XXX.XXX.XXX SERVER dns netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.XXX 192.168.78.3 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX


So for the new ISP, route outside (the default gateway of the PIX) needs to point to the public IP of the new router, let's say 1.1.1.1.

ip address outside will be the new public address of the PIX (1.1.1.2).

The statics also get the new public addresses, and the same goes for the access list (depending on what port must go to what server).

Putting that all in the PIX goes something like this:

no access-list outside_access_in

access-list outside_access_in permit tcp any host 1.1.1.3 eq https
access-list outside_access_in permit tcp any host 1.1.1.3 object-group Service-service-group log
access-list outside_access_in permit icmp any host 1.1.1.3 echo-reply log
access-list outside_access_in permit tcp any host 1.1.1.3 eq 3389
access-list outside_access_in permit tcp any host 1.1.1.3 eq 4125
access-list outside_access_in permit tcp any host 1.1.1.4 eq 444
access-list outside_access_in permit tcp any host 1.1.1.4 eq www
access-list outside_access_in permit tcp any host 1.1.1.4 eq smtp
access-list outside_access_in permit tcp any host 1.1.1.4 eq pop3
access-list outside_access_in permit tcp any host 1.1.1.4 eq imap4
access-list outside_access_in permit tcp any host 1.1.1.4 eq 993

access-group outside_access_in in interface outside

ip address outside 1.1.1.2 255.255.255.248

no static (inside,outside) XXX.XXX.XXX.XXX SERVER dns netmask 255.255.255.255 0 0
no static (inside,outside) XXX.XXX.XXX.XXX 192.168.78.3 netmask 255.255.255.255 0 0

static (inside,outside) 1.1.1.3 SERVER dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.4 192.168.78.3 netmask 255.255.255.255 0 0

no route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
route outside 0.0.0.0 0.0.0.0 1.1.1.1


The list: access-list inmap permit tcp any host XXX.XXX.XXX.XXX eq 3389 is there but isn't applied anywhere.

And last: the ISP doesn't need to do NAT; you do that on the PIX. The only thing they need to do is to route the public subnet.
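As an added illustration (not part of the original answer or the poster's config), the Python below builds the change set described in the answer above from the old config lines and an old-to-new address map. It also flags access lists that no access-group applies and permits to an address that has no static. The addresses, `OLD_CONFIG`, `IP_MAP` and the function names are constructed for the example.

```python
import re

# Constructed sample, not the poster's config: 198.51.100.96/29 stands in for the old ISP block.
OLD_CONFIG = """\
access-list outside_access_in permit tcp any host 198.51.100.99 eq https
access-list outside_access_in permit tcp any host 198.51.100.100 eq smtp
access-list outside_access_in permit tcp any host 198.51.100.101 eq www
access-list inmap permit tcp any host 198.51.100.99 eq 3389
ip address outside 198.51.100.98 255.255.255.248
access-group outside_access_in in interface outside
static (inside,outside) 198.51.100.99 SERVER dns netmask 255.255.255.255 0 0
static (inside,outside) 198.51.100.100 192.168.78.3 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 198.51.100.97 1
"""
# Old public address -> new public address (assumed values for the example).
IP_MAP = {"198.51.100.97": "203.0.113.1", "198.51.100.98": "203.0.113.2",
          "198.51.100.99": "203.0.113.3", "198.51.100.100": "203.0.113.4"}

def swap(line, ip_map):
    """Replace every mapped IPv4 address in a config line; leave others alone."""
    return re.sub(r"\b\d+(?:\.\d+){3}\b", lambda m: ip_map.get(m.group(), m.group()), line)

def build_changes(config, ip_map):
    """Return (commands, warnings) for moving the outside side to new addresses."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = {l.split()[1] for l in lines if l.startswith("access-group ")}
    statics = {swap(l, ip_map).split()[2] for l in lines if l.startswith("static ")}
    cmds, warnings = [], []
    acl_names = dict.fromkeys(l.split()[1] for l in lines if l.startswith("access-list "))
    for name in acl_names:
        if name not in bound:  # a leftover list such as "inmap" in the answer
            warnings.append(f"{name}: not applied by any access-group, review by hand")
            continue
        new = [swap(l, ip_map) for l in lines if l.startswith(f"access-list {name} ")]
        for host in re.findall(r"host (\S+)", "\n".join(new)):
            if host not in statics:
                warnings.append(f"{name}: permit to {host} has no matching static")
        # Recreate the list, then re-apply the access-group as the answer does.
        cmds += [f"no access-list {name}", *new]
        cmds += [l for l in lines if l.startswith(f"access-group {name} ")]
    for l in lines:
        if l.startswith("ip address outside "):
            cmds.append(swap(l, ip_map))          # re-entering replaces the old address
        elif l.startswith(("static ", "route outside ")) and swap(l, ip_map) != l:
            cmds += ["no " + l, swap(l, ip_map)]  # remove the old entry, add the new one
    return cmds, warnings

if __name__ == "__main__":
    print("\n".join(item for part in build_changes(OLD_CONFIG, IP_MAP) for item in part))
```

The warning for 198.51.100.101 comes from the sample's third rule, whose address is missing from both the map and the statics.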
 
Ernie Beek (Expert) commented:
Of course, in the access list you need to figure out what port goes to what server. In the access list you use the public addresses of the servers.
 
baggio8 (Author) commented:
Thank you for your response. It will probably be 5-6 days before the changeover and when I can enter these commands. I'll advise how it goes.
Thanks!
 
Ernie Beek (Expert) commented:
I'll be here waiting for you :)
 
baggio8 (Author) commented:
Sorry for the delay.  It is still pending.  Just checking in.  Thanks,

Jon
 
Ernie Beek (Expert) commented:
We'll just wait a little more ;)
 
baggio8 (Author) commented:
This looks right and it will be another three weeks.  Thanks!
 
Ernie Beek (Expert) commented:
You're welcome.

Thx for the points and good luck!
Question has a verified solution.
