07-01-2010 07:54 AM - edited 03-11-2019 11:06 AM
I have a question regarding changing the external IP address on an ASA 5505. Some background:
A client of ours has 2 locations, both with ASA 5505 firewalls and static IP addresses. A L2L VPN exists between the two locations. We can access the ASDM on both ASA 5505s remotely.
One of these locations is ready to change bandwidth providers and will need a new IP address assigned to the outside interface. We'd prefer to accomplish this remotely as this location is a good distance away.
So my questions are:
1. Is it possible to modify the IP address on the outside interface remotely (and have the client plug into the new equipment) without first removing the L2L VPN?
2. Is it possible to modify both the IP address on the outside interface and the default gateway via the Command Line Tool in ASDM?
Thanks in advance for any help with this issue.
07-01-2010 04:51 PM
Hi, if you have no other way to connect to the site other than their current public IP address (that will change), you had better have a solid plan to make the IP address of the outside interface and default route changes, because once you change it from remote you will drop the SSH connections, or HTTPS for that matter. I would definitely not advise using ASDM.
You could approach the changes like this:
Probably the easiest way would be to have a simple four-line script and have someone in the remote site do the changes; perhaps create a temporary user account on the ASA for that person with enable privilege and walk them through entering the script in the firewall (without saving the config, so you have the option to reload as a fallback). The four or more lines of the script would be the change of the outside interface IP address, removal of the old default route, and the new default route, in addition to clear arp and clear xlate.
Another option you have is to do ALL these changes remotely yourself: make a backup config of your firewall and save it in disk0 flash, and make sure you have some type of access to a machine inside the LAN, either through WebVPN and load RDP or something. Example:
#copy startup-config disk0:asa-5505-bkp-config (this will be your backup)
then you can load that same config from a browser, for example:
https://firewall_inside_ip_address-of_firewall/config/asa-5505-bkp-config
then copy that config you see in the browser into a plain text editor like Notepad, make the changes you need to make, and name the config file asa-5505-new-config. All the secret keys will be in place, so you do not have to change already encrypted passwords of any kind. For the L2L tunnel, the other end will need to make the changes on the tunnel group to reflect the new peer public IP address.
Save the config without a .txt extension, then tftp that new config to the ASA firewall disk0: (#copy tftp disk0:)
then from the firewall command line you can do the following after you tftp that new config file to disk0,
#copy disk0:/asa-5505-new-config startup-config (copies the new config to startup-config)
then go into configuration mode and make the firewall boot from the new config
#config t
(config)# boot config disk0:asa-5505-new-config
exit config mode and verify the config boot variable
#show boot (its output should look like below)
BOOT variable = disk0:/asa822-12-k8.bin
Current BOOT variable = disk0:/asa822-12-k8.bin
CONFIG_FILE variable =
Current CONFIG_FILE variable = disk0:/asa-5505-new-config
then issue the reload command. DO NOT say yes when asked to save the config changes, because the running config will overwrite the startup config.
Here are some guidelines when working with boot and config files:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/b.html#wp1355786
Regards
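The "four-line script" and the remote-peer change described in the answer, written out as an added example. This is not from the original thread or from Cisco documentation; it assumes the 5505 default layout where the outside interface is Vlan2, uses placeholder addresses from the documentation ranges (old 192.0.2.10/24 with gateway 192.0.2.1, new 198.51.100.10/24 with gateway 198.51.100.1), and assumes a crypto map named outside_map with sequence 1 as the L2L entry on the far-end ASA. It also adds a timed reload before the change as a fallback, which the answer's "reload without saving" approach relies on:

```cisco
! Added example, not part of the original post. All addresses are placeholders.
! Assumes the ASA 5505 default where "outside" is interface Vlan2.

! --- Fallback first: if the uplink change strands the box, it reboots to the
! still-unchanged startup-config after 15 minutes. Cancel once the new path works.
reload in 15 noconfirm

! --- The changes themselves (running-config only; nothing is saved yet)
configure terminal
interface Vlan2
 ip address 198.51.100.10 255.255.255.0
exit
no route outside 0.0.0.0 0.0.0.0 192.0.2.1
route outside 0.0.0.0 0.0.0.0 198.51.100.1
exit
clear arp
clear xlate

! --- Verify on the new address before committing anything
show interface Vlan2 | include IP address
show route | include 0.0.0.0
ping 198.51.100.1

! --- Only once the site is reachable again on the new address
reload cancel
write memory

! --- On the OTHER ASA (the far-end L2L peer): re-point the tunnel at the
! new public address. Crypto map name and sequence number are assumptions.
configure terminal
clear configure tunnel-group 192.0.2.10
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key <same key as before>
exit
crypto map outside_map 1 set peer 198.51.100.10
exit
write memory
```

The order matters: the timed reload only helps while the running config is still unsaved, so `write memory` comes last, after the interface, route and tunnel checks succeed. The far-end change can be staged at the same time; the tunnel re-establishes once both sides agree on the new peer address and the crypto ACLs (unchanged here) still match.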