Cisco ASA config

cabland asked:

Hi, I have a cisco config question.  I've given some background info (hopefully it helps)

I work for a UK subsidiary of a large German company. The parent company manages the domain and we all have SMTP feeds from the parent company. My email traffic comes into a Cisco ASA 5510. On this I have a rule that sends it on to my Exchange server.

I am looking to change our network IP range from a public address (that we don't own), 200.100.10.0 (no idea why it was set up this way), to a private address, 10.10.10.0.

I have looked through the config on the ASA and can see that there is only one entry for the IP address of my exchange server.

Is it simply a case of changing this IP address to my new address 10.10.10.9? I'm sure it isn't. I'll obviously need to inform the German IT guys so that they can record the changes.

Any assistance much appreciated.
Istvan Kalmar:

Hi,

Please show the config and we'll provide the right answer....

Well, you need all the 200.100.10.x entries in the ASA to be changed to the corresponding 10.10.10.x addresses, not just the one for Exchange. As ikalmar said, post a sanitized copy of your config and we can have a look.
cabland (asker):

Uploaded config, I've removed names and email addresses.
config.txt
cabland (asker):

PS, I will be making any changes using the web interface
I wouldn't consider that sanitised. From the names list I can work out who you work for. You also have your public IP there and your full company name in the banner. Ask community support to remove the file, then sanitise it and re-post.

That file is dangerous.

Also, try to move away from using names. Personally, I find it confusing and do everything using object groups. Nested object groups work fine.
cabland (asker):

Thanks, I've requested the file be removed.

I didn't config the box; it was done by a third party.

This is going to be a big job, as you need to update the configs on all the remote VPN sites as well as your local firewall. DNS will need updating, SMTP gateways and loads of other stuff.

You could look at using NAT and DNS rewrite with the VPN. This will mean you only need to change the local site, but it doesn't get away from the non-private IPs on your network. Are these IPs causing you problems? How much experience do you have of ASAs? Are these IPs allocated to you by your parent, or are they historic?
cabland (asker):

The remote site routers already have the routes for the new subnet; it is just the ASA that needs changing, and also anything by our parent company.
You would need to change all IP addresses on the ASA to the new ones.

Hi,

I have seen your ASA 5510 configuration and noticed that failover and IPsec (site-to-site tunnelling) have been configured on the ASA 5510. You cannot change the configuration, otherwise the whole configuration of the ASA 5510 will be changed and you will face problems in configuring your ASA 5510 to the present state. Let me know whether the Exchange server is installed on the inside network, and of which gateway.
Are you looking to do a big-bang approach to the network change or a phased migration approach? I would probably go for the phased migration approach, as you can make small steps at a time and manage the risk a lot better.

Does the new subnet need to be on a new interface on the firewall, or do you have a router or server that you can enable routing on? This way, you can maintain a single internal interface, migrate services from one subnet to the other without having to add additional rules to the FW, and only update pertinent rules on the FW as necessary. Once all services have been successfully migrated, you can move the firewall onto the new subnet, change the routing etc. and decommission the old subnet.

Have you chased community support about removing the file? Your security officer may not be happy if he found out about this file being on here.
cabland (asker):

Hi, community support responded this morning, requesting that I provide an alternative file to replace it, but I've not been in the office the last 2 days.

I'll try and answer the questions over the weekend.
cabland (asker):

I am hoping that I can change just the entry for my Exchange server, 200.100.10.9; my site routers are already configured to talk to my new network range (which has been tested). The ASA firewall has also been configured to be my DG on the new subnet (Ethernet interface 3).

The config file should now be changed.

OK,

in this case you need to change the VPN ACL, and you need to ask the remote suppliers to change the ACL for the VPN if you want to reach it from other sites.....
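The three points made above (every 200.100.10.x entry on the ASA has to move, not just the Exchange object; a posted config must be sanitised first; and the crypto ACLs that define the VPN's interesting traffic are among the entries that change) can be checked mechanically before touching the box. The script below is an added example, not code from the thread or from Cisco: it runs over a constructed ASA-style config (the asker's real file is not on this page), lists every line that still references the old range, produces a renumbered copy that keeps each host's last octet, and flags lines that identify the organisation or carry non-private addresses. The hostname, banner, object and ACL names are all made up for the example.

```python
import ipaddress
import re

# Constructed sample in ASA CLI style; names, banner and addresses are invented.
SAMPLE_CONFIG = """\
hostname asa-uk-edge
banner motd Example Company Ltd - authorised access only
names
name 200.100.10.9 EXCHANGE
interface Ethernet0/1
 nameif inside
 ip address 200.100.10.1 255.255.255.0
interface Ethernet0/3
 nameif inside-new
 ip address 10.10.10.1 255.255.255.0
object network EXCHANGE-SRV
 host 200.100.10.9
access-list outside_in extended permit tcp any host 200.100.10.9 eq smtp
access-list vpn-to-hq extended permit ip 200.100.10.0 255.255.255.0 192.0.2.0 255.255.255.0
nat (inside,outside) source static EXCHANGE-SRV EXCHANGE-SRV
route inside 200.100.11.0 255.255.255.0 200.100.10.2 1
crypto map outside_map 10 match address vpn-to-hq
"""

OLD_NET = ipaddress.ip_network("200.100.10.0/24")   # range being retired
NEW_NET = ipaddress.ip_network("10.10.10.0/24")     # replacement range
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Lines whose first keyword identifies the organisation or carries credentials.
IDENTIFYING_KEYWORDS = {"hostname", "banner", "name", "domain-name",
                        "username", "enable", "passwd"}


def find_old_refs(config: str) -> list[tuple[int, str, str]]:
    """Return (line_no, first_keyword, line) for every line that still carries
    an address inside OLD_NET. Netmasks such as 255.255.255.0 never match
    because they are not addresses within the old range."""
    hits = []
    for no, line in enumerate(config.splitlines(), 1):
        for tok in IPV4_RE.findall(line):
            if ipaddress.ip_address(tok) in OLD_NET:
                hits.append((no, line.split()[0], line))
                break
    return hits


def renumber(config: str) -> str:
    """Rewrite each OLD_NET address to the address with the same host offset
    in NEW_NET (200.100.10.9 -> 10.10.10.9); every other address is untouched."""
    def swap(match: re.Match) -> str:
        addr = ipaddress.ip_address(match.group(0))
        if addr in OLD_NET:
            offset = int(addr) - int(OLD_NET.network_address)
            return str(NEW_NET[offset])
        return match.group(0)
    return IPV4_RE.sub(swap, config)


def sensitive_lines(config: str) -> list[tuple[int, str]]:
    """Flag lines a sanitised copy should not contain: identifying keywords,
    and any globally routable (non-private, non-reserved) IPv4 address."""
    flagged = []
    for no, line in enumerate(config.splitlines(), 1):
        words = line.split()
        if words and words[0] in IDENTIFYING_KEYWORDS:
            flagged.append((no, "identifying keyword"))
            continue
        if any(ipaddress.ip_address(t).is_global for t in IPV4_RE.findall(line)):
            flagged.append((no, "public address"))
    return flagged


if __name__ == "__main__":
    for no, keyword, line in find_old_refs(SAMPLE_CONFIG):
        print(f"old range at line {no} ({keyword}): {line.strip()}")
    for no, reason in sensitive_lines(SAMPLE_CONFIG):
        print(f"do not post line {no}: {reason}")
    print(renumber(SAMPLE_CONFIG))
```

Running it shows six lines that reference the old range (the `name` alias, the inside interface address, the object host, both access lists and the route's next hop), which is the practical answer to "is it just the Exchange entry?". The renumbered output is only the local half of the job: the `vpn-to-hq` access list selects the tunnel's interesting traffic, so its mirror image on the remote peers has to change in step, which is the point about asking the remote suppliers.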
cabland (asker):

Sorry for the delays in posting back. I have tried changing the IP address that is in the network object, and changed the IP address on my Exchange server. I tested the mail server, but the change was unsuccessful.
cabland (asker), accepted solution: (answer text not shown on this page)
cabland (asker):

Required 3rd party support.