Help Pasting Config

Unanswered Question
Sep 2nd, 2008

It's probably a very basic question, but I have never done it. We are changing ISPs and all of the NAT configurations have to change on my ASA 5520. So instead of going through each button and option on the ASDM GUI, I thought it would be faster to do a "find and replace" in a text file that I've copied out from the "show run" command on my 5520 ASA. Just would like to know that if I intend on copying that back into the config, should that be as easy as it sounds? Can I simply remove lines of config that are no longer in use? Can I remove IPSEC tunnels if they are no longer in use by cutting them out of the text file? I just want to make sure that I'm doing the right thing.

jonesm111 Tue, 09/02/2008 - 14:20

I've found the best way is to do it in sections (like commands together). Also make sure your syntax is exact and do the no statements just before. If it's just NAT statements then it should be very straight forward.



jgarcia44 Tue, 09/02/2008 - 14:27

It's not ALL NAT statements. I will have to change the ASA IP address on the Gig0/0 interface. So in that case, do I need to actually type out the command to remove the old IP, for example:

"no ip address x.x.x.x"

"ip address x.x.x.x"

There are also ACL statements that will need to change, as the old ISP NAT'd IP will need to reflect the new ones. Will I have to also provide the "no" command, then again apply the new command with the new IP address information? How about when I go to remove the crypto-map lines (there is a tunnel that we don't use anymore that I'd like to get rid of)?

Thank you for taking the time to read my post. Any help is appreciated - I'm tasked with this for the weekend.


jonesm111 Tue, 09/02/2008 - 14:56

For interface config, I'm pretty certain that you can just do a new statement with the new IP/Mask...

ACLs: I'll typically do a show access-list "name" and it will show the line information. With that you can add the new lines where you want (inserts above). This is good for a few changes. If you have many, then I would typically have a new ACL ready to paste, "no" out the old, paste in the new.

If you want to remove lines of config, "no" in front will remove them. Keep in mind that lines may also have dependencies, but the ASA should tell you when you remove it. VPN tunnels have a few dependencies; I would start with the ACL that brings the tunnel up first, then also look for things like peer address, etc.

Another thing that I like to do is to make all the changes, test, and if everything looks good, wr mem. Otherwise, if you think you borked something, reload the ASA and it will revert back to the old config.



jgarcia44 Tue, 09/02/2008 - 15:06

Got it. Thank you very much! I'll be constructing a new config file and be sure to include the "no" first, then the actual command. Is it OK to just do a new config file that I've put together, and not go through each set of commands? I'm trying to minimize the confusion factor! It seems easier to go through it, replace the IPs, delete "old things" and reconfigure ACLs with the "no", then just paste the whole thing in....? I hope I don't bork it too bad! lol

jgarcia44 Tue, 09/02/2008 - 14:41

Will I need to add the "no" command before I send the text file for commands like ACLs, default route statements, and IPSEC tunnel configurations? For example:

"no ip address x.x.x.x"

"ip address x.x.x.x" ??

How can I determine what lines will require the "no" statement first, then the actual command?

jonesm111 Wed, 09/03/2008 - 07:12

The interface config will take a new statement without the no in front of it. The new IP/Mask will replace the old one.

All other lines should need a "no" in front to negate them.

Please rate if this helps.
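Added example (not from any poster in this thread, and not the poster's attached config): a small Python script that applies the rule above to a constructed ASA 8.x-style "show run" fragment. It rewrites an interface "ip address" line in its interface context without a "no", emits "no <old line>" immediately followed by the rewritten line for every other line that carries a mapped public address, and reports any address in the old public block that the mapping forgot. The config text, the 198.51.100.8/29 and 203.0.113.0/24 documentation ranges and the address map are all constructed for the example.

```python
import ipaddress
import re

# Constructed ASA 8.x-style "show run" fragment (documentation addresses), not a real config.
OLD_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.10 255.255.255.248
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
access-list outside_access_in extended permit tcp any host 198.51.100.12 eq www
access-list outside_access_in extended permit tcp any host 198.51.100.13 eq smtp
static (inside,outside) 198.51.100.12 10.1.1.12 netmask 255.255.255.255
static (inside,outside) 198.51.100.13 10.1.1.13 netmask 255.255.255.255
static (inside,outside) 198.51.100.14 10.1.1.14 netmask 255.255.255.255
route outside 0.0.0.0 0.0.0.0 198.51.100.9 1
"""

# Constructed: the old ISP block and the old -> new address mapping (one entry is deliberately missing).
OLD_PUBLIC_NET = ipaddress.ip_network("198.51.100.8/29")
IP_MAP = {
    "198.51.100.10": "203.0.113.10",  # outside interface
    "198.51.100.9": "203.0.113.9",    # ISP gateway
    "198.51.100.12": "203.0.113.12",  # web server static
    "198.51.100.13": "203.0.113.13",  # mail server static
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def swap_ips(line, ip_map):
    """Replace whole dotted quads only, so 198.51.100.1 is never clobbered by 198.51.100.10."""
    return IPV4_RE.sub(lambda m: ip_map.get(m.group(0), m.group(0)), line)


def build_migration(config, ip_map, old_net):
    """Return (paste_lines, unmapped) for a cut-over from old_net to the addresses in ip_map.

    Interface 'ip address' lines are re-issued under their 'interface' line without a
    'no' (the new address replaces the old). Every other line carrying a mapped address
    gets 'no <old line>' directly followed by the rewritten line, so a find-and-replace
    of the text never leaves the old entry behind. unmapped lists old-block addresses
    the config uses that ip_map does not cover.
    """
    paste, unmapped = [], []
    interface = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            interface = line          # remember the interface context for its sub-commands
            continue
        if not line.startswith(" "):
            interface = None          # back at global config level
        found = IPV4_RE.findall(line)
        for ip in found:
            if ipaddress.ip_address(ip) in old_net and ip not in ip_map and ip not in unmapped:
                unmapped.append(ip)
        if not any(ip in ip_map for ip in found):
            continue
        if interface and line.strip().startswith("ip address "):
            paste.append(interface)
            paste.append(swap_ips(line, ip_map))
        else:
            paste.append("no " + line)
            paste.append(swap_ips(line, ip_map))
    return paste, unmapped


if __name__ == "__main__":
    lines, missing = build_migration(OLD_CONFIG, IP_MAP, OLD_PUBLIC_NET)
    print("\n".join(lines))
    if missing:
        print("\n! not in IP_MAP, still on the old block:", ", ".join(missing))
```

The map only swaps addresses; if the new ISP hands out a different mask, edit the netmask on the interface line by hand. Re-adding ACL lines in order appends each new line at the end as the old one is removed, so the ACL keeps its order; the "no out the old, paste the new" approach from above works just as well. Pasting the interface and default-route changes over a session that comes in through that same interface will drop the session, so do that part from the inside or the console.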


jgarcia44 Wed, 09/03/2008 - 07:40

I've attached my current ASA config (minus sensitive data) - can you take a look at my notes and please refer me to the correct command syntax that would remove the "old" and replace the "new" data? You can just give me examples, and I'll be able to figure out the rest. I think I'm good on the ACLs and IP address, but the static NATs might give me trouble... your help is really appreciated.

jonesm111 Wed, 09/03/2008 - 10:45

It looks pretty good to me, just a few notes..

1) crypto map outside_cryptomap_4 has an ACL with the same name; that can be removed also, along with a few other dependencies like the peer address, etc., but that should appear when you delete the cryptomap. You might also want to hold off and remove it after your migration to minimize changes / impact.

2) If you are just changing public address space and the servers are staying with the same IP, you should not need to change ACL "outside_access_in"; ACLs read From --> To. Your NAT statements will reflect the new public IPs.

If you are changing server IP's, I would prepare and write a new ACL to replace the old one. Do a "No outside_access_in" to wipe out the old one, then copy / paste the new one with the new IP's in.
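Added example (not from any poster in this thread, and not the poster's attached config): a Python script that does the dependency walk described in points 1) and earlier in the thread before a crypto map entry is cut out of the text file. Starting from one crypto map entry it collects the entry's own lines and its crypto ACL as explicit "no" lines, pulls out the tunnel-group for the peer to review by hand, flags other ACL lines that point at the same remote network (typically the NAT exemption ACL), and marks a transform-set that another entry still uses as something to keep. The config excerpt, map name outside_map, the peers and the ACL names are constructed for the example.

```python
import re

# Constructed ASA 8.0-style excerpt with two site-to-site tunnels; not a real config.
CONFIG = """\
access-list outside_cryptomap_2 extended permit ip 10.1.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list outside_cryptomap_4 extended permit ip 10.1.1.0 255.255.255.0 172.16.4.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 172.16.2.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 172.16.4.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 2 match address outside_cryptomap_2
crypto map outside_map 2 set peer 192.0.2.22
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_cryptomap_4
crypto map outside_map 4 set peer 192.0.2.44
crypto map outside_map 4 set transform-set ESP-3DES-SHA
crypto map outside_map interface outside
tunnel-group 192.0.2.22 type ipsec-l2l
tunnel-group 192.0.2.22 ipsec-attributes
 pre-shared-key *****
tunnel-group 192.0.2.44 type ipsec-l2l
tunnel-group 192.0.2.44 ipsec-attributes
 pre-shared-key *****
"""


def entry_lines(lines, map_name, seq):
    """All 'crypto map <name> <seq> ...' lines that make up one crypto map entry."""
    prefix = f"crypto map {map_name} {seq} "
    return [l for l in lines if l.startswith(prefix)]


def tunnel_dependencies(config, map_name, seq):
    """Work out what removing one crypto map entry drags along.

    Returns a dict with:
      remove       - 'no' lines for the entry itself and its crypto ACL
      tunnel_group - tunnel-group lines for the entry's peer, to review by hand
      review       - other ACL lines ending in the same remote network (e.g. NAT exemption)
                     and a transform-set that no other entry uses
      keep         - shared objects another crypto map entry still references
    """
    lines = [l.rstrip() for l in config.splitlines() if l.strip()]
    entry = entry_lines(lines, map_name, seq)
    if not entry:
        raise ValueError(f"no crypto map {map_name} {seq} in config")

    def attr(keyword):
        # value of 'crypto map <name> <seq> <keyword> <value>' within this entry
        for l in entry:
            m = re.search(rf" {keyword} (\S+)$", l)
            if m:
                return m.group(1)
        return None

    acl, peer, tset = attr("match address"), attr("set peer"), attr("set transform-set")
    acl_lines = [l for l in lines if acl and l.startswith(f"access-list {acl} ")]

    # tunnel-group header lines for the peer plus the indented attribute lines under them
    tg, capture = [], False
    for l in lines:
        if peer and l.startswith(f"tunnel-group {peer} "):
            tg.append(l)
            capture = True
        elif capture and l.startswith(" "):
            tg.append(l)
        else:
            capture = False

    # heuristic: any other ACL line ending in the crypto ACL's remote network/mask
    remote = tuple(acl_lines[0].split()[-2:]) if acl_lines else None
    review = [l for l in lines
              if remote and l.startswith("access-list ") and l not in acl_lines
              and tuple(l.split()[-2:]) == remote]

    keep = []
    if tset:
        tset_def = [l for l in lines if l.startswith(f"crypto ipsec transform-set {tset} ")]
        others = [l for l in lines if l.startswith("crypto map ")
                  and l.endswith(f" set transform-set {tset}") and l not in entry]
        (keep if others else review).extend(tset_def)

    return {"remove": ["no " + l for l in entry + acl_lines],
            "tunnel_group": tg, "review": review, "keep": keep}


if __name__ == "__main__":
    for section, items in tunnel_dependencies(CONFIG, "outside_map", 4).items():
        print(f"! {section}")
        print("\n".join(items) or "! (none)")
```

The "remove" list is the part to paste; the other three lists are there so the dependencies the ASA would otherwise surprise you with (peer tunnel-group, NAT exemption lines for the remote subnet, a transform-set shared with a tunnel that stays) are on your checklist before the paste rather than after it.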


