Change IP Address for Outside Interface

Unanswered Question
May 4th, 2010

We are going to move the ASA to a different remote location.  Therefore, we need to change the IP address of outside interface since the IP address will be different.  Do I connect to the Console port and change the IP address of the Outside interface and other NAT statements?  Please let me know if you want to see the config or have any questions.

Thanks.

Laura

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Tue, 05/04/2010 - 20:14

Laura,

Since you're changing IPs and you have the option to connect to the console that's the recommendation (so you won't loose access).

Also, if you're entering the ASA via another interface, changing the outside IP will not drop you out of the ASA.

The only real advertisement here, is that don't change the outside IP while connected to the outside interface!

If you're just moving the ASA from location, make sure to change the outside IP, the default gateway and in case you need to change NAT and ACL statements as well.

Let us know if you have any questions.

Federico.

laurabolda Wed, 05/05/2010 - 08:05

Federico,

Thanks for your prompt response and suggestions.   You sugested " Also, if you're entering the ASA via another interface, changing the outside IP will not drop you out of the ASA.  The only real advertisement here, is that don't change the outside IP while connected to the outside interface!"

My second interface is not configured.  So, first I need to configure the second interface.  Then, SSH in to the second interface (66.102.7.11) from the Corporate office and change the IP address of the Outside interface (66.102.7.10)

interface Ethernet0/0
nameif Outside
security-level 0
ip address 66.102.7.10 255.255.255.0

interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.254 255.255.255.0


interface Ethernet0/2
nameif backup
security-level 0
ip address 66.102.7.11 255.255.255.0

Thanks.

Laura

Jon Marshall Wed, 05/05/2010 - 08:19

laurabolda wrote:

Federico,

Thanks for your prompt response and suggestions.   You sugested " Also, if you're entering the ASA via another interface, changing the outside IP will not drop you out of the ASA.  The only real advertisement here, is that don't change the outside IP while connected to the outside interface!"

My second interface is not configured.  So, first I need to configure the second interface.  Then, SSH in to the second interface (66.102.7.11) from the Corporate office and change the IP address of the Outside interface (66.102.7.10)

interface Ethernet0/0
nameif Outside
security-level 0
ip address 66.102.7.10 255.255.255.0

interface Ethernet0/1
nameif Inside
security-level 100
ip address 192.168.100.254 255.255.255.0


interface Ethernet0/2
nameif backup
security-level 0
ip address 66.102.7.11 255.255.255.0

Thanks.

Laura

Laura

You won't be able to do this because you can't have 2 interfaces using IPs from the same subnet.

If there is no other way in to the ASA other than through the outside interface from where you are then i would recommend going to the site if possible and if not talking someone through it onsite otherwise you could end up locking yourself out of the firewall, leaving it non-functioning until you can get to the site.

If you had a backdoor into the site ie. not through the ASA then you could connect from inside the site to the inside interface and make your changes.

Jon

Federico Coto F... Wed, 05/05/2010 - 08:22

Yes.

What I mean is that if you're connected to E0 it does not matter if you change or modify another interface (why I mean with it does not matter is that it won't kick you out of the ASA).

Federico.

Actions

This Discussion