Impact of changing the IP Address on the server

mahesh18
Level 6

Hi Everyone,

I need to change the IP address of the server.

I need to confirm what Firewall Rules will need to change when this server’s IP Address changes for any existing services, if there are any.

I checked the firewall for existing rules.

Currently the server is connected to interface x of the fw.

I did a search by source and destination IP on the ASDM of the fw.

That shows me 3 rules that use the server IP, say 192.168.50.1.

Is there any other way to find where this server IP is used by firewall rules?

Regards

Mahesh


11 Replies

Jouni Forss
VIP Alumni

Hi Mahesh,

I guess it depends on the complexity of the network.

Naturally the obvious first step is to see in which configurations the current IP address is specifically mentioned by using the command

show run | inc 192.168.50.1

and possibly

show access-list | inc 192.168.50.1

The next question would be whether the IP address of the server 192.168.50.1 changes to some IP address in the same network, for example some other IP address in the network 192.168.50.0/24.

If it stays in the same network range with a different IP address then you most likely have fewer things to consider.

If it changes to a completely different address range then you probably have more configurations to go through.

Then there are naturally questions regarding NAT. You will have to make sure that the same NAT rules apply to the server even after the IP address changes.

I am not really sure if I can give many instructions. The most usual thing related to such changes in my work is simply changing the NAT configuration's real source address to the new IP address while everything else stays the same.

- Jouni

Hi Jouni,

The server is changing to a new subnet compared to the current one.

Your commands were very helpful.

When I run the command show run | inc 192.168.50.1

snmp-server host x  192.168.50.1 poll community **** version 2c

So what does the above command mean?

Regards

Mahesh

Hi Mahesh,

It would seem to me that the old/current IP address is of a server that uses SNMP to get information from the ASA.

You would have to make a new one for the new server IP address provided that this SNMP is still a relevant configuration?

If you don't know the "community" string, since it's masked with the * marks, you can use this command to view it in clear text

more system:running-config | inc snmp-server host

If the ASA interface for the server changes then you naturally have to change the interface in the "snmp-server" command also. In that situation you will most likely have to change configurations on the server side also since it can only contact its own ASA interface and not the old ASA interface IF the interface changes that is.

So your server is changing to a new network. Will it also be changing to a new interface on the ASA? I guess then you will have to look at the current interface ACLs more closely than just checking for the exact old/current IP address.

What I mean is that you would then have to look through all the rules that refer to the whole old network 192.168.50.0/24 for example and see if you have to make similar rules for the new network (or at least for the new server) so that no important traffic will get blocked. This is because it's very likely that some traffic from the server is allowed by those statements that use the whole source network.

Hope this helps

- Jouni
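To make the point above concrete: "show run | inc 192.168.50.1" only finds lines that literally contain the address, while rules that match the server through a subnet statement or a network object are missed. The script below (an added example, not from this thread or from Cisco) walks a constructed ASA running-config excerpt and splits the lines into three buckets: exact references that must be edited, rules that cover the old address indirectly and need to be replicated or reviewed for the new subnet, and rules that already apply to the new address. The config text, the object names and the new address 10.20.5.1 are all made up for the example.

```python
import ipaddress
import re

# Constructed sample of an ASA running-config (not the thread's device).
# It mixes the three ways a server can be matched: a literal address,
# a subnet statement that contains it, and a network object.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.50.254 255.255.255.0
object network SRV-OLD
 host 192.168.50.1
object network SRV-OLD-NAT
 host 192.168.50.1
 nat (inside,outside) static 203.0.113.10
access-list inside_in extended permit tcp host 192.168.50.1 any eq 443
access-list inside_in extended permit ip 192.168.50.0 255.255.255.0 any
access-list inside_in extended permit tcp object SRV-OLD any eq 22
access-list inside_in extended permit ip 10.20.0.0 255.255.0.0 any
snmp-server host inside 192.168.50.1 poll community secret123 version 2c
"""

IP_RE = r"(?:\d{1,3}\.){3}\d{1,3}"


def parse_objects(config):
    """Map 'object network NAME' blocks to the network they describe."""
    objects, name = {}, None
    for line in config.splitlines():
        head = re.match(r"object network (\S+)", line)
        if head:
            name = head.group(1)
            continue
        if not line.startswith(" "):
            name = None  # left the indented object block
            continue
        if name:
            host = re.match(r"\s+host (\S+)", line)
            subnet = re.match(r"\s+subnet (\S+) (\S+)", line)
            if host:
                objects[name] = ipaddress.ip_network(host.group(1))
            elif subnet:
                objects[name] = ipaddress.ip_network(
                    f"{subnet.group(1)}/{subnet.group(2)}", strict=False)
    return objects


def networks_in_line(line, objects):
    """Return (network, description) for every address reference on a line."""
    refs = []
    for m in re.finditer(rf"\bhost ({IP_RE})\b", line):
        refs.append((ipaddress.ip_network(m.group(1)), f"host {m.group(1)}"))
    for m in re.finditer(rf"\b({IP_RE}) ({IP_RE})\b", line):
        try:  # 'addr mask' pair; skip pairs whose second part is not a mask (e.g. ranges)
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        except ValueError:
            continue
        refs.append((net, f"subnet {net}"))
    for m in re.finditer(r"\bobject (\S+)", line):
        if m.group(1) in objects:
            refs.append((objects[m.group(1)], f"object {m.group(1)}"))
    return refs


def audit(config, old_ip, new_ip):
    """Classify config lines by how they relate to the old and new address."""
    objects = parse_objects(config)
    old, new = ipaddress.ip_address(old_ip), ipaddress.ip_address(new_ip)
    literal = re.compile(rf"(?<![\d.]){re.escape(old_ip)}(?![\d.])")
    report = {"exact": [], "covering": [], "new_covered": []}
    for line in config.splitlines():
        text = line.strip()
        refs = networks_in_line(line, objects)
        if literal.search(line):
            report["exact"].append(text)            # what 'show run | inc' finds
        elif any(old in net for net, _ in refs):
            via = ", ".join(desc for net, desc in refs if old in net)
            report["covering"].append((text, via))  # matches the old IP indirectly
        if any(new in net for net, _ in refs):
            report["new_covered"].append(text)      # already applies to the new IP
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG, "192.168.50.1", "10.20.5.1")
    for section, lines in result.items():
        print(f"== {section} ==")
        for entry in lines:
            print("  ", entry)
```

Run it against a saved "show run" output and the "covering" bucket is the list Jouni describes: the interface subnet, the /24 permit and the object-based rule all match 192.168.50.1 without containing it, so none of them would appear in a grep for the literal address. The object parser only understands "host" and "subnet" members; ranges and object-groups would need to be added for a real config.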

Hi Jouni,

The server is changing to a new subnet but the interface of the ASA is the same.

I checked that the new subnet IP also points to the same ASA interface.

I tried to run the command

more system:running-config | inc snmp-server host

from enable mode and config mode; it seems the ASA does not support the more command.

Regards

Mahesh

Hi,

The command should be supported

This is from my ASA

ASA(config)# more system:running-config | inc snmp-server host

snmp-server host LAN 10.0.0.100 poll community test version 2c

ASA# more system:running-config | inc snmp-server host

snmp-server host LAN 10.0.0.100 poll community test version 2c

Make sure that there are no spaces in the system:running-config section of the command.

- Jouni

Hi Jouni,

From admin context of ASA

admin(config)# more system:running-config | inc snmp-server host

                               ^

ERROR: % Invalid input detected at '^' marker.

I am on the ASA with the admin context, but when I go to the system context the more command is available there.

m?

  memory    mkdir    more

Is there a way I can run the more command from the system context?

Regards

Mahesh

Hi,

Didn't know we were talking about an ASA in Multiple Context Mode.

I checked the Command Reference and if I am reading it right it means that this can't be used inside a Security Context.

I have personally used this only in ASAs running in Single Mode.

I think you would have to use a different command and in System Context.

You should probably first issue the command

show run context admin

Then you should find the configuration line with

config-url

What does the complete configuration line that contains the above parameter say?

Naturally if you KNOW the SNMP community then there is no need to do all this. You could probably even change it in the ASA and server configurations if needed. But naturally if you want to show what it currently is on the ASA then we could go on solving it by first checking the above commands.

- Jouni

Hi Jouni,

When I ran the command show run context admin it shows

config-url disk0:/admin.cfg

Then I ran the below command from the system space

more disk0:/admin.cfg

This showed me the full config of the admin context, and the community string was also visible.

It seems the community string is only visible from the system space.

Best regards

Mahesh

Yeah, only through SYSTEM can you run these commands, since the configuration file is read from disk or flash and none of the virtual firewalls have access to these commands. The context defined as admin-context only gives you the privilege to jump from it to any of the other contexts or the system execution space.

Value our effort and rate the assistance!

If you jump from the admin-defined context to system you can run the command more system, as you found out.

Value our effort and rate the assistance!

Hi Jumora,

Thanks for explaining the reason why the more command does not work from the admin context.

Best regards

Mahesh
