basic question: asa 5510 changing outside static IP/impact

Jan 6th, 2010

Morning all,

I have a fairly basic question. I'm currently in the process of swapping carriers for internet service. (I will be making changes on the outside of my ASA 5510.)

I want to change my outside static to the new internet service's static, and just want to be clear on the ramifications.

The only things I have currently configured in my security policies are 1) allow |source "any"| to |destination "outside"|; services are https, 3389, smtp, and pcAnywhere. So these will be fine IMO with the change over to the new outside static, no big deal.

Here is where I'm a little gray. I have 3 other security access rules created for static addresses tied to a domain for web access. For example: my Exchange with OWA is accessed over the web. The domain is tied to an outside static (ex. mail.domain.com = 190.80.80.80); users can access it over https.

In my ASA I have that set up as: allow |source "any"| to |destination "190.80.80.80"| service http currently.

When I spoke to the ISP that handles my domains (this is the internet service I will be leaving, but they will still host my domains), he mentioned that it should be no problem since I'm just changing the outside static = internet. The site should still propagate down from the outside world through the ASA because of the ACL and nobody will even notice the change; the only thing I would need to change is the VPN .pcl file for VPN users.

Does this sound accurate, or am I overlooking something?

Thanks

solpandor Wed, 01/06/2010 - 07:16

Hi

I will work under the assumption that your entire IP scheme has changed as you have moved providers.

On that basis, as long as you have changed the DNS record(s) (assuming you are accessing OWA via DNS) then there should be no problems changing the new static on the ASA and accessing OWA using DNS, as long as you have also configured the pertinent ACLs.

Just remember to clear the xlate once you have made changes to the static.

HTH

Kureli Sankar Wed, 01/06/2010 - 07:22

You mentioned you are just changing the outside interface IP but leaving the static (i,o) IP configured for your SMTP and web servers.

The question is if your new ISP will route the traffic towards your firewall for these addresses that you haven't changed.

Ask them about it. If they say yes they will, then no problem; otherwise you would have to get IP blocks from them.

Change the statics, then contact the domain hosting company (previous ISP) and have them change the IPs accordingly.

-KS

meidevelopment Wed, 01/06/2010 - 07:41

Thanks for your feedback Kusankar.

Your response is more in line with what I was trying to clear up with my (soon to be old) ISP. I in fact did receive a stack from my new carrier, and that is what I was trying to relay to my old carrier since they host my domains also: "Would I need to have you guys change the statics to those domains to the 3 new statics that I have after I change the outside to the new outside, so as not to lose my outside mail and 2 other sites?"

He said no, they were just web sites. lol

We are in the same ballpark, so I think I know how to handle this. I'll more than likely come in overnight, early AM one weekend, and change/test my ASA and change DNS on the DC and make sure the internet side is good internally, then test his theory anyway. This allows me to swap back since I currently have both up for this month.

Then following week we'll do the full change, statics and all over that weekend to make sure everything is flowing down properly before the work week.

I'll just push out the new .pcl files for the users to access the VPN that weekend.

Running a one man show here, so I just want to be careful I don't dig myself a grave here.

Kureli Sankar Wed, 01/06/2010 - 07:55

I doubt if the new ISP will route traffic for the old ISP provided address space. You would have to change all your statics to the new IP block assigned by the new ISP. Ask the domain hosting guys to change the old IPs to the new IPs. They usually say 72 hours for the DNS change info to propagate.

Until the names resolve to the new IPs you should be able to check connectivity using IP address once you change the static to refer to the new IPs.

And yes, please issue clear xlate or just

clear local x.x.x.x

clear local y.y.y.y

for all the statics, where x.x.x.x is the internal address of Exchange and y.y.y.y is the internal address of the webserver etc., so they can take the newly configured static with the new IP address.

Good luck.

-KS

meidevelopment Wed, 01/06/2010 - 08:42

Thanks for the second reply, Kusankar.

That's exactly what I thought needed to be done. Sounded way too simple initially. Thanks guys.

I guess my only problem would be the iPhone ActiveSync crew we have. It points to the domain name lol, so I'm sure they'll be happy when I do the swap.

Over the web, yeah, they can go to the new IP.

I'll read up on the xlate since I'm not too clear on it. Thanks again for all the help in this matter.

meidevelopment Wed, 01/06/2010 - 07:31

Thanks for your feedback, solpandor. You are correct, the entire scheme has changed.

I have the ASA pointing down inside to my DC for DNS, so yes, I'll go into my DC and change the DNS to the new addresses provided when the outside changes are done also. The inside IP of the Exchange box will remain the same, no changes at all.

Is it safe to assume that the current ACL is fine? (from the Exchange example below)

As I told the domain carrier (old IP), I mentioned to him it sounds like it may work, but I'm thinking once I completely cancel that service those stacks of IPs I have associated with that service go bye-bye. So I stated I'd more than likely, on the domain side, assign my 3 sites I let pass down through my ASA new statics from the new carrier and simply change the ACL to allow the new statics through.

He said it shouldn't matter since it's a website I'm allowing through. I disagree; I see it as a static address tied to a site I'm letting through (the way I view it).

Am I wrong in my views?

P.S. Thanks for the xlate information, didn't know that.

solpandor Wed, 01/06/2010 - 08:40

meidevelopment

let me get this straight -

1) Is your mail (MX record for your mail) set to the Exchange server within your server room?

2) If this is the case then all you need to do is change the external DNS of your MX record for your domain (ask the people who have the zone file of your domain) to change this to your new IP (which you will assign a static pointing to the Exchange server), e.g.

       one of your new IPs will be 10.15.10.15 and will have a static NAT to your Exchange server whose private IP is 192.168.3.16

So you ask your domain registrar to change the DNS record for the MX to 10.15.10.15 (your new IP).

Then you will assign a static on your ASA like this:

static(inside,outside) 10.15.10.15 192.168.3.16 netmask 255.255.255.255

Then you will create an ACL allowing users to access OWA and have mail delivered to your Exchange server like this:

access-list acl_out permit tcp any host 10.15.10.15 eq 25   (for SMTP)

access-list acl_out permit tcp any host 10.15.10.15 eq 443  (for OWA)

Then you would apply the ACL to the outside interface of the ASA:

access-group acl_out in interface outside

As you have changed ISP providers, no doubt your default gateway to go out has changed, so don't forget to change the route command, BUT first negate the old route command:

no route outside 0.0.0.0 0.0.0.0   your old default GW

then: route outside 0.0.0.0 0.0.0.0 new default GW

then: clear xlate

**** This is on the assumption that: a) you have a block of IPs, b) your mail is hosted on your Exchange server, c) your external DNS is managed by your domain registrar.

HTH
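The procedure solpandor lays out above (renumber the statics and ACL entries, swap the default route, then clear the translations per inside host as KS advised earlier) is mechanical enough to script. The following is an added example, not from any poster in this thread; it takes a constructed pre-8.3 style ASA config and an old-to-new public IP map and emits the ordered CLI change set, refusing to proceed if a static still points at an unmapped old-carrier address. The config lines, IPs and the `plan_migration` function are all constructed for illustration.

```python
import re

# Constructed sample of a pre-8.3 style ASA config (example values, not from the thread).
OLD_CONFIG = """\
static (inside,outside) 190.80.80.80 192.168.3.16 netmask 255.255.255.255
static (inside,outside) 190.80.80.81 192.168.3.20 netmask 255.255.255.255
access-list acl_out extended permit tcp any host 190.80.80.80 eq 25
access-list acl_out extended permit tcp any host 190.80.80.80 eq 443
access-list acl_out extended permit tcp any host 190.80.80.81 eq 443
route outside 0.0.0.0 0.0.0.0 190.80.80.1 1
"""
# Old carrier public IP -> new carrier public IP (constructed values).
IP_MAP = {"190.80.80.80": "10.15.10.15", "190.80.80.81": "10.15.10.16"}
NEW_GATEWAY = "10.15.10.1"

STATIC_RE = re.compile(r"^static \((\S+),(\S+)\) (\S+) (\S+) (.*)$")
ACL_RE = re.compile(r"^access-list (\S+) (.*?)host (\S+)(.*)$")
ROUTE_RE = re.compile(r"^route outside 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def plan_migration(config, ip_map, new_gw):
    """Build the ordered CLI change set: negate the old objects, add the
    renumbered ones, swap the default route, then clear translations for
    each inside host. Raises if a static still references a public IP with
    no new mapping, so nothing is left pointing at address space the old
    carrier will take back."""
    remove, add, clear = [], [], []
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            old_pub, inside, rest = m.group(3), m.group(4), m.group(5)
            if old_pub not in ip_map:
                raise ValueError(f"no new address mapped for static {old_pub}")
            remove.append("no " + line)
            add.append(f"static ({m.group(1)},{m.group(2)}) {ip_map[old_pub]} {inside} {rest}")
            clear.append(f"clear local {inside}")  # drop stale xlates per inside host
        elif (m := ACL_RE.match(line)) and m.group(3) in ip_map:
            remove.append("no " + line)
            add.append(f"access-list {m.group(1)} {m.group(2)}host {ip_map[m.group(3)]}{m.group(4)}")
        elif m := ROUTE_RE.match(line):
            remove.append(f"no route outside 0.0.0.0 0.0.0.0 {m.group(1)}")
            add.append(f"route outside 0.0.0.0 0.0.0.0 {new_gw}")
    return remove + add + clear


if __name__ == "__main__":
    print("\n".join(plan_migration(OLD_CONFIG, IP_MAP, NEW_GATEWAY)))
```

Review the emitted lines against the running config before pasting them in; the script only rewrites the three object types the thread discusses, so any other reference to the old block (VPN crypto maps, NAT exemptions) still has to be found by hand.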

meidevelopment Wed, 01/06/2010 - 09:25

Thanks, solpandor, for the second reply.

Here is how I'm set up as far as Exchange, so you can get a vision.

I use a third party company (mxtoolbox) emergency mail service in case my servers go boom; users can access them over the internet without my servers.

Basically the MX records under the "mail.domain.com" DNS name point to mxtoolbox. I just provide mxtoolbox with the current outside static.

Yes, all my domains are registered with the old carrier.

So after reading what you posted, I'm assuming I could:

- contact mxtoolbox and just give them my "new" static that will be on the outside of my ASA,

and

- contact the old carrier (where the domain is hosted) and give them my new static,

and

- change the ASA information in-house here: DNS pointer records on my ASA and the ACL to the new static, to point to my Exchange box internally.
