Cisco Support Community
New Member

Subnet ID change on Inside interface

Hi All,

Two firewalls connected in Failover mode. We would like to change subnet mask on Inside interface.

Can we achieve this without any impact? Because the firewall is in production and we do not want any disruption to the existing sessions.

Thanks

Sri

 

5 REPLIES
Hall of Fame Super Silver

Changing a subnet mask is most likely going to at least momentarily interrupt traffic. It's only by chance that it's working if the ASA interface mask doesn't match the next downstream gateway and any other hosts on that subnet.

You must not be running a dynamic routing protocol like OSPF on the inside because neighbors won't establish adjacency with mismatched masks.

New Member

So, there will be an interruption in traffic for a few seconds.

We will change the subnet mask ID on the active box for the inside interface. The configuration will get reflected on the standby box through the failover link, right? Please correct me if I am wrong.

 

 

New Member

If you plan to change the mask, make sure you are not going to violate the subnet requirements of your next hop to the inside of the ASA, or you will break your routing, and consequently all traffic through the ASA to and from the inside. Be careful. If you don't understand what I just said, get another set of eyes on the environment before making the change.

 

Yes, your configuration will be synchronized to your secondary ASA over the failover link.

New Member

I will tell you why we want to change the subnet ID on the inside interface :-)

While setting up the ASA, the subnet ID is overlapped on the inside and DMZ interfaces (the ASA accepted it because it runs on 8.2 code).

Inside interface IP currently (10.1.1.1 - 255.255.255.0)

DMZ interface IP currently (10.1.1.34 - 255.255.255.224)

So we decided to change the inside interface subnet mask to 255.255.255.224 with the same IP address 10.1.1.1.

 

New Member

What is your route to the inside?

You should have a configuration line that begins "route inside".
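
A pre-change check for the addressing quoted in this thread, added here as an example and not posted by any participant: it confirms the inside/DMZ overlap, confirms the planned /27 removes it, and lists inside addresses that stop being directly connected once the mask shrinks. The function names and the two inside host addresses (10.1.1.2 and 10.1.1.200) are constructed for illustration; substitute the real "route inside" next hop and inside hosts.

```python
import ipaddress


def iface_network(ip, mask):
    """Connected network for an interface IP and dotted-decimal mask."""
    return ipaddress.ip_interface(f"{ip}/{mask}").network


def find_overlaps(interfaces):
    """Return (name, name) pairs whose connected networks overlap."""
    nets = {n: iface_network(ip, m) for n, (ip, m) in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]


def stranded_hosts(ip, old_mask, new_mask, hosts):
    """Hosts on-link under old_mask that fall outside the new network."""
    old, new = iface_network(ip, old_mask), iface_network(ip, new_mask)
    addrs = [ipaddress.ip_address(h) for h in hosts]
    return [str(a) for a in addrs if a in old and a not in new]


# Interface addressing as quoted in the thread.
CURRENT = {"inside": ("10.1.1.1", "255.255.255.0"),
           "dmz": ("10.1.1.34", "255.255.255.224")}
# Planned change: same inside IP, mask reduced to 255.255.255.224.
PLANNED = dict(CURRENT, inside=("10.1.1.1", "255.255.255.224"))

# Constructed sample addresses (assumptions, not from the thread):
# a hypothetical next hop and a hypothetical inside host.
INSIDE_HOSTS = ["10.1.1.2", "10.1.1.200"]

if __name__ == "__main__":
    print("overlaps now:    ", find_overlaps(CURRENT))
    print("overlaps planned:", find_overlaps(PLANNED))
    print("no longer on-link:", stranded_hosts(
        "10.1.1.1", "255.255.255.0", "255.255.255.224", INSIDE_HOSTS))
```

Any address reported as no longer on-link, including a "route inside" next hop, needs to be renumbered or routed before the mask is changed.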
