Move interface ACL's, NAT's from one interface to another

Chris Campbell
Level 1

Hi

I have a Cisco ASA 5515-x with IOS 9.1.

My problem is I have 6 interfaces (1 failover, 2 DMZ, 1 outside, 1 inside and 1 spare) and I need to create new:

  1. DMZ - for new LAN (subnet).
  2. Outside interface - for new Site to Site VPN peer, there is a requirement to use a different public address rather than the one on the existing outside interface.

There is no budget to purchase additional interfaces at the present.

The solution i have come up with is to:

  1. Divide the spare interface into 3 sub-interfaces for the 2 existing DMZs and the new DMZ.
  2. Use either of the 2 freed interfaces (from the existing DMZs) as the new outside interface.
  3. Still leaving me with a spare interface for future expansion.

I have 2 questions:

  1. Firstly, is this an acceptable solution and if not what would be a better solution?
  2. Secondly, in my proposed solution, I will have to move all the ACLs and NATs from the existing DMZs to the new sub-interface DMZs (also one of the DMZs is accessed by a site-to-site VPN on the existing outside interface). Is there an easy way to move these rules/NAT/etc., or does it require going through the entire configuration renaming all the references?

Any help would be much appreciated.

Chris

Accepted Solution

Jouni Forss
VIP Alumni

Hi,

Well, I don't know why the requirement is to use a different public IP address for the L2L VPN connection, but then this seems to be the only way (use another interface). I assume then that you have another ISP link there, or one from the same ISP but with an IP from a different public subnet than your current "outside"?

If you decide to use 2 WAN links on the ASA, then for the L2L VPN WAN link you need to configure a static "route" for the remote VPN gateway and possibly also for the remote networks behind the L2L VPN, unless the ASA installs those routes automatically based on the "crypto map" configurations.

With regards to moving the configurations around it seems to me that there is no easy/automatic way to migrate these configurations.

What you can essentially do, at least, is:

  • Collect all the configurations that reference the interface's "nameif" value. These usually contain commands like "nat", "access-group", "route" and naturally some others.
  • Remove the existing interfaces, which means that all configurations that reference the "nameif" are removed. Notice that the ACL is not removed, only the "access-group" command.
  • You then reconfigure the same interface somewhere else. In your case it seems to be a subinterface in some cases.
  • After the new interface is configured you should be able to drop in the configurations that you collected earlier. What I would keep in mind in this situation is that you should keep track of the original order of the "nat" configurations (if using Manual NAT) and make sure you enter the "nat" commands in the same places they were. Depending on your current NAT configuration this might either be really simple (mostly Auto NAT configurations) or something requiring a bit more planning (Manual NAT).

The above should be the main things to do on the ASA to migrate the configurations.

Naturally this is just a general description without taking into account everything that you might have in your environment.

- Jouni


3 Replies


Hi Jouni

Thanks for such a quick response.

The reason for 2 separate public addresses is more a management decision beyond my control, so I just have to go with it :-(

Thanks for the information. I was thinking it would be a manual process, but had to check just in case anyone had an easy/quick solution for the move.

My plan is to:

  1. First save the running config as a backup in flash.
  2. Edit a copy of the config, adding sub-interfaces and changing ACL and NAT rules to reflect the new interfaces.
  3. Replace the running config with the newly edited version.
  4. I can go back to the backup config if errors occur.

The process will also give me a chance to clean up the rule base too.

Chris

I finished the move, slightly different, but was still all manual as predicted and confirmed by Jouni:

  • I created 3 sub-interfaces on the spare interface for the DMZs.
  • Used a switch to VLAN them and connect to FW.
  • I copied all the existing DMZ rules to the new DMZ sub-interfaces.
  • Disabled existing DMZ interfaces.
  • Removed IP addresses from existing DMZ interfaces.
  • Put the IP addresses on new sub-interfaces.
  • Enabled the new sub-interfaces.
  • Went through the NAT rules and changed as required.
  • Used 1 of spare interfaces as new outside interface.
  • Added static routes for new outside interfaces.

Many thanks for your help Jouni.

Chris
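The collect-and-rewrite step that Jouni describes (and the offline edit of a config copy in Chris's plan) can be done against a saved running-config file. The script below is an added example, not code from this thread or from Cisco; it assumes a constructed ASA-style config fragment, a hypothetical new nameif "dmz1-vlan", and a hand-picked list of commands that take an interface name. It keeps config order (which matters for Manual NAT) and re-emits Auto NAT lines under their parent "object network" so they can be re-entered in the right context.

```python
import re

# Constructed sample of an ASA running-config fragment (not a real device config).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/2
 nameif dmz1
 security-level 50
 ip address 10.10.1.1 255.255.255.0
!
object network dmz1-web
 host 10.10.1.10
 nat (dmz1,outside) static 203.0.113.10
!
nat (inside,dmz1) source static INSIDE-NET INSIDE-NET destination static DMZ1-NET DMZ1-NET
access-group dmz1_access_in in interface dmz1
route dmz1 10.10.50.0 255.255.255.0 10.10.1.254 1
"""

# Global/object commands that take a nameif as an argument (hand-picked, not exhaustive).
NAMEIF_CMDS = ("nat ", "access-group ", "route ", "crypto map ", "ssh ", "icmp ")

def nameif_pattern(nameif):
    # Whole-word match only: "dmz1" must not match "dmz1_access_in" or "dmz1-web".
    return re.compile(r"(?<![\w-])" + re.escape(nameif) + r"(?![\w-])")

def collect_refs(config, nameif):
    """Return (parent_object_line_or_None, command) for every command that
    references `nameif`, in the order they appear in the config."""
    pat, refs, parent = nameif_pattern(nameif), [], None
    for line in config.splitlines():
        if not line.startswith(" "):          # column 0: a new top-level block
            parent = line if line.startswith("object network ") else None
        cmd = line.strip()
        if cmd.startswith(NAMEIF_CMDS) and pat.search(cmd):
            refs.append((parent, cmd))
    return refs

def rewrite_refs(refs, old, new):
    """Rewrite collected commands for the new nameif, preserving order and
    prefixing Auto NAT lines with their 'object network' parent."""
    pat, out = nameif_pattern(old), []
    for parent, cmd in refs:
        if parent:
            out.extend([parent, " " + pat.sub(new, cmd)])
        else:
            out.append(pat.sub(new, cmd))
    return out

def migrate(config, old, new):
    return rewrite_refs(collect_refs(config, old), old, new)

if __name__ == "__main__":
    print("\n".join(migrate(SAMPLE_CONFIG, "dmz1", "dmz1-vlan")))
```

The "interface"/"nameif" block itself is intentionally not collected; it is recreated by hand on the sub-interface before the emitted lines are pasted in.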
