Cisco ASA config

Hi, I have a Cisco config question.  I've given some background info (hopefully it helps).

I work for a UK subsidiary of a large German company.  The parent company manage the domain and we all have SMTP feeds from the parent company.  My email traffic comes into a Cisco ASA 5510.  On this I have a rule that sends it on to my Exchange server.

I am looking to change our network IP range from a public address (that we don't own) 200.100.10.0 (no idea why it was set up this way) to a private address 10.10.10.0.

I have looked through the config on the ASA and can see that there is only one entry for the IP address of my Exchange server.

Is it simply a case of changing this IP address to my new address 10.10.10.9?  I'm sure it isn't.  I'll obviously need to inform the German IT guys so that they can record the changes.

Any assistance much appreciated.

Istvan Kalmar, Head of IT Security Division
CERTIFIED EXPERT
Top Expert 2010

Commented:
Hi,

Please show the config and we will provide the right answer.
Ernie Beek, Senior infrastructure engineer
CERTIFIED EXPERT
Top Expert 2012

Commented:
Well, you need all the 200.100.10.x entries in the ASA to be changed to the corresponding 10.10.10.x addresses, not just the one for Exchange. As ikalmar said, post a sanitized copy of your config and we can have a look.
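One way to find every entry that reply refers to, as an added example that is not part of the original thread: it lists each config line that references 200.100.10.0/24 directly or through a `name` alias, with the 10.10.10.x line it would become. The sample config and the 203.0.113.x / 192.168.x addresses are constructed.

```python
import ipaddress
import re

OLD_NET = ipaddress.ip_network("200.100.10.0/24")  # current range named in the thread
NEW_NET = ipaddress.ip_network("10.10.10.0/24")    # target range named in the thread

# Constructed sample in ASA CLI style; not the poster's configuration.
SAMPLE_CONFIG = """\
name 200.100.10.9 EXCHANGE
interface Ethernet0/1
 nameif inside
 ip address 200.100.10.1 255.255.255.0
access-list outside_in extended permit tcp any host 203.0.113.5 eq smtp
access-list nonat extended permit ip 200.100.10.0 255.255.255.0 192.168.50.0 255.255.255.0
static (inside,outside) tcp 203.0.113.5 smtp EXCHANGE smtp netmask 255.255.255.255
route inside 192.168.60.0 255.255.255.0 200.100.10.254 1
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def remap(addr):
    """Return the same host offset inside NEW_NET, or None if addr is outside OLD_NET."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip not in OLD_NET:
        return None
    return str(NEW_NET.network_address + (int(ip) - int(OLD_NET.network_address)))

def audit(config):
    """Return (line_no, original, proposed) for every line that depends on OLD_NET."""
    lines = config.splitlines()
    aliases = set()  # labels from "name <ip> <label>" that point into OLD_NET
    for line in lines:
        m = re.match(r"name (\S+) (\S+)", line)
        if m and remap(m.group(1)):
            aliases.add(m.group(2))
    findings = []
    for no, line in enumerate(lines, 1):
        proposed = IPV4.sub(lambda m: remap(m.group()) or m.group(), line)
        uses_alias = any(tok in aliases for tok in line.split())
        if proposed != line or uses_alias:  # alias-only lines change behaviour without changing text
            findings.append((no, line, proposed))
    return findings
```

Lines reported with identical original and proposed text depend on the old range only through an alias, so they change behaviour as soon as the `name` entry is edited.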
cabland, Head of IT

Author

Commented:
Uploaded config, I've removed names and email addresses
config.txt
cabland, Head of IT

Author

Commented:
PS, I will be making any changes using the web interface
CERTIFIED EXPERT

Commented:
I wouldn't consider that sanitised. From the names list I can work out who you work for. You also have your public IP there and your full company name in the banner. Ask community support to remove the file and then sanitise it and re-post.

That file is dangerous.
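A sketch of sanitising a config before posting, covering the items called out in the comment above (names list, IP addresses, banner) plus hostname and credential lines. This is an added example, not part of the original thread; the sample config, its names, keys and addresses are constructed.

```python
import re

# Constructed sample; hostnames, labels, keys and addresses are invented.
SAMPLE_CONFIG = """\
hostname acme-uk-fw01
domain-name acme.example
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 200.100.10.9 ACME-EXCHANGE
banner motd Property of Acme Widgets Ltd
interface Ethernet0/0
 ip address 198.51.100.2 255.255.255.252
access-list outside_in extended permit tcp any host ACME-EXCHANGE eq smtp
tunnel-group 198.51.100.77 ipsec-attributes
 pre-shared-key s3cretValue
"""

# Lines whose value identifies the organisation or is a credential (hashes included).
SECRET_RULES = [
    (re.compile(r"^(\s*(?:hostname|domain-name)\s+)\S+"), r"\1REDACTED"),
    (re.compile(r"^(\s*banner\s+\S+\s+).*"), r"\1REDACTED"),
    (re.compile(r"^(\s*(?:enable password|passwd|pre-shared-key)\s+)\S+"), r"\1REDACTED"),
    (re.compile(r"^(\s*username\s+)\S+(\s+password\s+)\S+"), r"\1REDACTED\2REDACTED"),
]
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sanitise(config):
    """Redact identifying values; map labels and addresses to stable placeholders."""
    lines = config.splitlines()
    labels, addrs = {}, {}
    for line in lines:  # labels from "name <ip> <label>" often encode company or site names
        m = re.match(r"name \S+ (\S+)", line)
        if m:
            labels.setdefault(m.group(1), f"NAME{len(labels) + 1}")

    def hide_ip(m):
        ip = m.group()
        if ip.startswith("255.") or ip == "0.0.0.0":  # masks and the any-address stay readable
            return ip
        return addrs.setdefault(ip, f"IP{len(addrs) + 1}")

    out = []
    for line in lines:
        for pattern, repl in SECRET_RULES:
            line = pattern.sub(repl, line)
        line = re.sub(r"\S+", lambda m: labels.get(m.group(), m.group()), line)
        out.append(IPV4.sub(hide_ip, line))
    return "\n".join(out)
```

Each label and address keeps the same placeholder everywhere it appears, so the rules stay readable for reviewers; the result still needs a manual read for object-group names, descriptions and comments that these rules do not cover.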
CERTIFIED EXPERT

Commented:
Also, try to move away from using names. Personally, I find it confusing and do everything using object groups. Nested object groups work fine.
cabland, Head of IT

Author

Commented:
Thanks, I've requested the file be removed.

I didn't config the box, it was done by a third party.
CERTIFIED EXPERT

Commented:

This is going to be a big job as you need to update the configs on all the remote VPN sites as well as your local firewall. DNS will need updating, SMTP gateways and a load of other stuff.

You could look at using NAT and DNS re-write with the VPN. This will mean you only need to change the local site, but doesn't get away from the non-private IPs on your network. Are these IPs causing you problems? How much experience do you have of ASAs? Are these IPs allocated to you from your parent or are they historic?
cabland, Head of IT

Author

Commented:
The remote site routers already have the routes for the new subnet, it is just the ASA that needs changing and also anything by our parent company.
Top Expert 2011

Commented:
You would need to change all IP addresses on the ASA to the new ones.
Feroz Ahmed, Senior Network Security / Senior System Engineer
CERTIFIED EXPERT

Commented:
Hi,

I had seen your ASA 5510 configuration and noticed that failover and IPsec (site-to-site tunneling) have been configured on the ASA 5510. You cannot change the configuration, otherwise the whole configuration of the ASA 5510 will be changed and you will face problems in configuring your ASA 5510 to the present state. Let me know whether the Exchange server is installed on the inside network of which gateway.
CERTIFIED EXPERT

Commented:
Are you looking to do a big bang approach to the network change or a phased migration approach? I would probably go for the phased migration approach as you can make small steps at a time and manage the risk a lot better.

Does the new subnet need to be on a new IF on the firewall, or do you have a router or server that you can enable routing on? This way, you can maintain a single internal interface, migrate services from 1 subnet to the other without having to add additional rules to the FW and only update pertinent rules on the FW as necessary. Once all services have been successfully migrated, you can move the firewall onto the new subnet, change the routing etc. and decommission the old subnet.

Have you chased community support about removing the file? Your security officer may not be happy if he found out about this file being on here.
cabland, Head of IT

Author

Commented:
Hi, community support responded this morning, requesting I provide an alternative file to replace it, but I've not been in the office the last 2 days.

I'll try and answer the questions over the weekend.
cabland, Head of IT

Author

Commented:
I am hoping that I can change just the entry for my Exchange server 200.100.10.9, my site routers are already configured to talk to my new network range (which has been tested).  The ASA firewall has also been configured to be my DG on the new subnet (ethernet interface 3).

The config file should now be changed.

Istvan Kalmar, Head of IT Security Division
CERTIFIED EXPERT
Top Expert 2010

Commented:
Ok,

In this case you need to change the VPN ACL, and you need to ask the remote suppliers to change the ACL for VPN, if you want to reach it from other sites.
cabland, Head of IT

Author

Commented:
Sorry for the delays in posting back.  I have tried changing the IP address that is in the network object, and changed the IP address on my Exchange server.  I tested the mail server but the change was unsuccessful.
Head of IT
Commented:
Eventually I bit the bullet and paid my network support company to make the changes - thanks all for your input.
cabland, Head of IT

Author

Commented:
required 3rd party support