INTERSWAP the ASA Interfaces....

Unanswered Question
Apr 10th, 2007

I have the "inside" interface configured on the Management0/0 interface.


I have 1 spare GigabitEthernet0/3 interface that I would like to use as the "inside", since there's a Gigabit switch at the back end, and leave the Mgmt interface for management purposes only.


As far as the rules are concerned....


* Some security rules for internet and other DMZs (on Ge0/0, 0/1 and 0/2).


* Dynamic NAT rule (for Internet).


* Static NAT (for publishing internal web servers).


I tried renaming, changing the IP scheme and disabling the previous "inside" interface as "old_inside".


And I enabled and renamed the Ge0/3 interface as "inside" with my LAN's IP scheme.


When I check the security rules, they are all configured with the interface name "old_inside".


Stuck badly... need help.

David White (Cisco Employee) Tue, 04/10/2007 - 05:36

Rules are tied to physical interfaces, not to names. Therefore, if you rename an interface, as you observed, the rule still applies to that interface. The only thing you can do is remove all rules associated with M0/0 and move them to Ge0/3.


It isn't as bad as it sounds. If your current M0/0 interface is called "old_inside" then just do:


show run | inc old_inside


This should give you everything in the config tied to that interface. Copy it out to a text file. Then put a "no" in front of each line to remove that line of config. Next, paste that same output again, but in this second pasting, change "old_inside" to "inside" so that when you paste back in those rules, they are applied to the correct interface.


Hope it makes sense.


Sincerely,


David.

a.shaukat Wed, 04/11/2007 - 23:23

Hmmmmmmmm, yeah, it does make sense...

I had a similar thing in mind, to change the NAT rules for old_inside only, but you've made it precise for me :-).


Unfortunately I'll have to wait till the weekend before I can pull the ASA off the network (production environment). Will let you know if I run into any other complication. Thanks for the help, really really appreciate it. :-)


Attached is my running config after I swapped the interfaces during testing.


Here is the output that you instructed in your reply:


access-list inside_access_in extended permit tcp host 192.168.0.6 any
access-list inside_access_in extended permit udp host 192.168.0.6 any
access-list inside_access_in extended permit tcp host 192.168.0.35 any
access-list inside_access_in extended permit udp host 192.168.0.35 any
access-list inside_access_in extended permit tcp host 192.168.0.4 any
access-list inside_access_in extended permit udp host 192.168.0.4 any

access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.240.0
access-list inside_access_in extended permit ip 192.168.0.0 255.255.255.0 host 129.29.XXX.XX1

access-list inside_access_in remark For direct telnet session to HO main router
access-list inside_access_in extended permit tcp 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list inside_access_in remark To allow ping traffic to 10.0.0.0 network (HO Router)
access-list inside_access_in extended permit icmp 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0

access-list inside_nat0_outbound extended permit ip any 192.168.0.240 255.255.255.240

access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.5.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.6.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.11.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.0.0.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 172.16.0.0 255.255.240.0

nat (old) 0 access-list inside_nat0_outbound
nat (old) 2 192.168.0.0 255.255.255.0

static (old,outside) 129.29.XXX.XX2 192.168.0.35 netmask 255.255.255.255
static (old,outside) 129.29.XXX.XX3 192.168.0.34 netmask 255.255.255.255

access-group inside_access_in in interface old
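As an added example (not part of the thread and not Cisco's code), the script below applies the cut-over procedure David describes to the output pasted above: it takes the captured lines, emits a "no" block to unbind everything from the old interface, and emits a second block with the interface name rewritten for the new one. It assumes the ASA 7.x-style syntax shown in the post; the sample input is a constructed, cut-down copy of that output, with the old interface named "old" as it is there and the public addresses left masked. The rewrite only touches the name where the ASA binds config to an interface, namely nat (name), static (name,other) / static (other,name) and access-group ... interface name, so an access-list whose name merely contains the old string (inside_access_in when renaming old_inside to inside) is left alone: its entries need no change, only the access-group that binds it does.

```python
import re

# Constructed sample in the shape of the "show run" output pasted above.
# The old inside interface is named "old" there, so that is the nameif used;
# the public addresses stay masked as in the post.
SAMPLE = """\
access-list inside_access_in extended permit tcp host 192.168.0.6 any
access-list inside_access_in remark To allow ping traffic to 10.0.0.0 network (HO Router)
access-list inside_nat0_outbound extended permit ip any 192.168.0.240 255.255.255.240
nat (old) 0 access-list inside_nat0_outbound
nat (old) 2 192.168.0.0 255.255.255.0
static (old,outside) 129.29.XXX.XX2 192.168.0.35 netmask 255.255.255.255
access-group inside_access_in in interface old
"""

# Patterns that match an interface name only where the ASA binds config to an
# interface. Matching the bare string would also hit access-list names such as
# "inside_access_in" when the old name is "old_inside" and the new one "inside".
def _binding_patterns(ifname):
    n = re.escape(ifname)
    return [
        re.compile(r"^(nat \()" + n + r"(\) )"),
        re.compile(r"^(static \()" + n + r"(,[^)]+\) )"),
        re.compile(r"^(static \([^,]+,)" + n + r"(\) )"),
        re.compile(r"^(access-group \S+ (?:in|out) interface )" + n + r"($)"),
    ]

def is_bound_to(line, ifname):
    """True when the line binds config to the given interface name."""
    return any(p.search(line) for p in _binding_patterns(ifname))

def rename_binding(line, old, new):
    """Rewrite the interface name in its binding position only."""
    for p in _binding_patterns(old):
        line = p.sub(lambda m: m.group(1) + new + m.group(2), line)
    return line

# Paste order when re-adding: nat and static first, the access-group last.
# Removal runs in the reverse order so the interface is unbound from its ACL
# before its translation rules go away.
_ORDER = ("nat ", "static ", "access-group ")

def _rank(line):
    for i, prefix in enumerate(_ORDER):
        if line.startswith(prefix):
            return i
    return len(_ORDER)

def build_cutover(config, old, new):
    """Return (remove, readd, untouched) lines for moving bindings from old to new."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    bound = [l for l in lines if is_bound_to(l, old)]
    untouched = [l for l in lines if not is_bound_to(l, old)]
    remove = ["no " + l for l in sorted(bound, key=_rank, reverse=True)]
    readd = [rename_binding(l, old, new) for l in sorted(bound, key=_rank)]
    return remove, readd, untouched

if __name__ == "__main__":
    remove, readd, untouched = build_cutover(SAMPLE, "old", "inside")
    print("! paste first: unbind from the old interface")
    print("\n".join(remove))
    print("! paste second: bind to the new interface (access-list entries stay as they are)")
    print("\n".join(readd))
```

Paste the first block, then the second, from an enable-mode session. Two checks before the change window: grep for the nameif the old interface actually carries (the pasted config calls it "old", so "inc old_inside" would not return the nat, static and access-group lines), and do not cable the new interface into the LAN until its access-group is bound, because an ASA interface at a higher security level with no access list applied permits all traffic to lower-security interfaces by default.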






