
Changing ISP and need to change settings in Cisco PIX 501

Hello experts,
The powers that be decided that it would be a good idea to change ISPs, so that will change our public IP addresses. I need to know what changes to make to the PIX to facilitate that change. I currently see 4 IP addresses that are set up in the config now: route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.97 1, XXX.XXX.XXX.98 for the PIX, and .99 and .100 for two servers.
I have attached a sanitized copy of the working config. I am a Cisco novice and have only worked with the PDM in the past, so please consider how I can make the commands through the PDM interface. Thanks!
Also, the new ISP has asked if we want them to perform NAT on their router. I figured no, but thought I would clarify that.

Attachment: 042011clean.txt

Asked by baggio8
1 Solution
Ernie Beek commented:
The following lines need to be changed:

access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq https
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX object-group Service-service-group log
access-list outside_access_in permit icmp any host XXX.XXX.XXX.XXX echo-reply log
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq 3389
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq 4125
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq 444
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq www
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq smtp
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq pop3
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq imap4
access-list outside_access_in permit tcp any host XXX.XXX.XXX.XXX eq 993

ip address outside XXX.XXX.XXX.XXX 255.255.255.248

static (inside,outside) XXX.XXX.XXX.XXX SERVER dns netmask 255.255.255.255 0 0
static (inside,outside) XXX.XXX.XXX.XXX 192.168.78.3 netmask 255.255.255.255 0 0

route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX


So for the new ISP, route outside (the default gateway of the PIX) needs to point to the public IP of the new router, let's say 1.1.1.1.

ip address outside will be the new public address of the PIX (1.1.1.2).

The statics also get the new public addresses, and the same for the access list (depending on what port must go to what server).

Putting that all in the PIX goes something like this:

no access-list outside_access_in

access-list outside_access_in permit tcp any host 1.1.1.3 eq https
access-list outside_access_in permit tcp any host 1.1.1.3 object-group Service-service-group log
access-list outside_access_in permit icmp any host 1.1.1.3 echo-reply log
access-list outside_access_in permit tcp any host 1.1.1.3 eq 3389
access-list outside_access_in permit tcp any host 1.1.1.3 eq 4125
access-list outside_access_in permit tcp any host 1.1.1.4 eq 444
access-list outside_access_in permit tcp any host 1.1.1.4 eq www
access-list outside_access_in permit tcp any host 1.1.1.4 eq smtp
access-list outside_access_in permit tcp any host 1.1.1.4 eq pop3
access-list outside_access_in permit tcp any host 1.1.1.4 eq imap4
access-list outside_access_in permit tcp any host 1.1.1.4 eq 993

access-group outside_access_in in interface outside

ip address outside 1.1.1.2 255.255.255.248

no static (inside,outside) XXX.XXX.XXX.XXX SERVER dns netmask 255.255.255.255 0 0
no static (inside,outside) XXX.XXX.XXX.XXX 192.168.78.3 netmask 255.255.255.255 0 0

static (inside,outside) 1.1.1.3 SERVER dns netmask 255.255.255.255 0 0
static (inside,outside) 1.1.1.4 192.168.78.3 netmask 255.255.255.255 0 0

no route outside 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
route outside 0.0.0.0 0.0.0.0 1.1.1.1


The list: access-list inmap permit tcp any host XXX.XXX.XXX.XXX eq 3389 is there but isn't applied anywhere.

And last: the ISP doesn't need to do NAT, you do that on the PIX. The only thing they need to do is to route the public subnet.
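Since every public address in the ACL, the statics, the outside interface and the default route has to change together, a small script helps keep the cut-over consistent. The following is an added example (not from the thread or from Cisco) that rewrites the relevant lines in the order the answer gives and then checks the result: each new public address must be a usable host in the new outside /29 and must not collide with the PIX's own address, and every host the ACL permits must have a static behind it. The config lines, the 203.0.113.96/29 and 198.51.100.0/29 blocks and the inside addresses are constructed samples, not the poster's real values.

```python
import ipaddress
import re

# Constructed sample of the relevant old PIX 501 lines, using documentation
# prefixes (old block 203.0.113.96/29, new block 198.51.100.0/29), not real ones.
OLD_CONFIG = """\
access-list outside_access_in permit tcp any host 203.0.113.99 eq https
access-list outside_access_in permit tcp any host 203.0.113.100 eq smtp
ip address outside 203.0.113.98 255.255.255.248
static (inside,outside) 203.0.113.99 192.168.78.2 netmask 255.255.255.255 0 0
static (inside,outside) 203.0.113.100 192.168.78.3 netmask 255.255.255.255 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.97 1
"""
# Old public address -> new public address: ISP gateway, PIX outside, two servers.
ADDRESS_MAP = {"203.0.113.97": "198.51.100.1", "203.0.113.98": "198.51.100.2",
               "203.0.113.99": "198.51.100.3", "203.0.113.100": "198.51.100.4"}
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def rewrite(config, address_map):
    """Return (commands, problems): the ordered PIX commands that apply the
    address change, and any consistency problems found in the result."""
    swap = lambda s: IPV4.sub(lambda m: address_map.get(m.group(0), m.group(0)), s)
    lines = config.splitlines()
    acl = [l for l in lines if l.startswith("access-list outside_access_in ")]
    statics = [l for l in lines if l.startswith("static ")]
    routes = [l for l in lines if l.startswith("route outside ")]
    outside = next(l for l in lines if l.startswith("ip address outside "))
    # Same order as the accepted answer: flush and rebuild the ACL, re-bind it,
    # re-address the interface, replace the statics, then the default route.
    commands = ["no access-list outside_access_in"] + [swap(l) for l in acl]
    commands += ["access-group outside_access_in in interface outside", swap(outside)]
    commands += ["no " + l for l in statics] + [swap(l) for l in statics]
    commands += ["no " + l for l in routes] + [swap(l) for l in routes]
    # Checks: new public addresses must be usable hosts in the new outside subnet
    # (not the PIX's own address); every ACL host must have a static behind it.
    problems = []
    pix_ip, mask = swap(outside).split()[3:5]
    net = ipaddress.ip_network(f"{pix_ip}/{mask}", strict=False)
    usable = set(net.hosts()) - {ipaddress.ip_address(pix_ip)}
    public_statics = {swap(l).split()[2] for l in statics}
    for ip in public_statics | {swap(r).split()[4] for r in routes}:
        if ipaddress.ip_address(ip) not in usable:
            problems.append(f"{ip} is not a usable host in {net} (or is the PIX address)")
    for l in acl:
        toks = swap(l).split()
        if "host" in toks and toks[toks.index("host") + 1] not in public_statics:
            problems.append(f"ACL permits {toks[toks.index('host') + 1]} but no static maps it")
    return commands, problems
```

Only paste the commands into the PIX (or enter the equivalents in PDM) when the problems list comes back empty.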
Ernie Beek commented:
Of course in the access list you need to figure out what port goes to what server. In the access list you use the public addresses of the servers.
baggio8 (Author) commented:
Thank you for your response. It will probably be 5-6 days before the changeover and when I can enter these commands. I'll advise how it goes.
Thanks!
Ernie Beek commented:
I'll be here waiting for you :)
baggio8 (Author) commented:
Sorry for the delay.  It is still pending.  Just checking in.  Thanks,

Jon
Ernie Beek commented:
We'll just wait a little more ;)
baggio8 (Author) commented:
This looks right and it will be another three weeks.  Thanks!
Ernie Beek commented:
You're welcome.

Thx for the points and good luck!