Change IP Address for Outside Interface

Unanswered Question
May 4th, 2010
User Badges:

We are going to move the ASA to a different remote location.  Therefore, we need to change the IP address of outside interface since the IP address will be different.  Do I connect to the Console port and change the IP address of the Outside interface and other NAT statements?  Please let me know if you want to see the config or have any questions.


Thanks.


Laura

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Tue, 05/04/2010 - 20:14
User Badges:
  • Green, 3000 points or more

Laura,


Since you're changing IPs and you have the option to connect to the console that's the recommendation (so you won't loose access).


Also, if you're entering the ASA via another interface, changing the outside IP will not drop you out of the ASA.

The only real advertisement here, is that don't change the outside IP while connected to the outside interface!


If you're just moving the ASA from location, make sure to change the outside IP, the default gateway and in case you need to change NAT and ACL statements as well.


Let us know if you have any questions.


Federico.

laurabolda Wed, 05/05/2010 - 08:05
User Badges:

Federico,


Thanks for your prompt response and suggestions.   You sugested " Also, if you're entering the ASA via another interface, changing the outside IP will not drop you out of the ASA.  The only real advertisement here, is that don't change the outside IP while connected to the outside interface!"


My second interface is not configured.  So, first I need to configure the second interface.  Then, SSH in to the second interface (66.102.7.11) from the Corporate office and change the IP address of the Outside interface (66.102.7.10)


interface Ethernet0/0
nameif Outside
security-level 0
ip address 66.102.7.10 255.255.255.0


interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.254 255.255.255.0


interface Ethernet0/2
nameif backup
security-level 0
ip address 66.102.7.11 255.255.255.0


Thanks.


Laura

Jon Marshall Wed, 05/05/2010 - 08:19
User Badges:
  • Super Blue, 32500 points or more
  • Hall of Fame,

    Founding Member

  • Cisco Designated VIP,

    2017 LAN, WAN

laurabolda wrote:


Federico,


Thanks for your prompt response and suggestions.   You sugested " Also, if you're entering the ASA via another interface, changing the outside IP will not drop you out of the ASA.  The only real advertisement here, is that don't change the outside IP while connected to the outside interface!"


My second interface is not configured.  So, first I need to configure the second interface.  Then, SSH in to the second interface (66.102.7.11) from the Corporate office and change the IP address of the Outside interface (66.102.7.10)


interface Ethernet0/0
nameif Outside
security-level 0
ip address 66.102.7.10 255.255.255.0


interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.254 255.255.255.0


interface Ethernet0/2
nameif backup
security-level 0
ip address 66.102.7.11 255.255.255.0


Thanks.


Laura


Laura


You won't be able to do this because you can't have 2 interfaces using IPs from the same subnet.


If there is no other way in to the ASA other than through the outside interface from where you are then i would recommend going to the site if possible and if not talking someone through it onsite otherwise you could end up locking yourself out of the firewall, leaving it non-functioning until you can get to the site.


If you had a backdoor into the site ie. not through the ASA then you could connect from inside the site to the inside interface and make your changes.


Jon

Federico Coto F... Wed, 05/05/2010 - 08:22
User Badges:
  • Green, 3000 points or more

Yes.


What I mean is that if you're connected to E0 it does not matter if you change or modify another interface (why I mean with it does not matter is that it won't kick you out of the ASA).


Federico.

Actions

This Discussion