Solved

Cisco PIX ASA500 Gotchas

Posted on 2014-01-21
2
408 Views
Last Modified: 2014-02-09
I have been tasked with the job of changing the IP address of the Outside interface of an PIX ASA500 series Firewall which was installed and configured by somebody else, who is not available to help. Neither will I have access to the unit to interrogate its current configuration until I am expected to change it and get it working again. Add to that the fact I have very little experience of these units and you will appreciate why I am a bit nervous.

Having read up a little I suspect the solution could be as simple as changing the IP address assigned to the interface and changing the default route accordingly - however, this being Cisco, are there any "gotchas" to look out for? Anything I need to be aware of in this potential minefield?

Thanks in anticipation.
0
Comment
Question by:SCOTT78
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 6

Expert Comment

by:Jordan Medlen
ID: 39797000
Any source NATs that are configured may stop working. Just depends on the configuration. Destination NAT statements, if you have a web server, email server, or some other server may no longer work, however that would require not only reconfiguring the NAT statement, but changing DNS, etc.
0
 
LVL 8

Accepted Solution

by:
amatson78 earned 500 total points
ID: 39797123
It all depends on if the rules and nats are assigned to the "interface" or a specific object for the IP. Unfortunatly you will not know until you get in there. As for the IP change it is as simple as going into the config and changing the IP for that vlan assigned to the outside interface

# config t
# interface Vlan1 (or whatever yours is)
# no ip address 1.1.1.1 255.255.255.0
# ip address 2.2.2.2 255.255.255.0
# wr

Open in new window


That should be it, I would then look through the access rules and NATs to see if there is any reference to the old IP, if they use "outside interface" then you should be good it should update with the IP change.

Cheers.
0

Featured Post

Is your NGFW recommended by NSS Labs?

Ours is! NSS Labs Next Generation Firewall Test gives the WatchGuard Firebox M4600 a "Recommended" rating! Curious where your NGFW landed on the  Security Value Map? See the map and download the full report today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

691 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question