Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1026
Views
0
Helpful
3
Replies

Change outside Interface IP on running PIX 501

travis0
Level 1
Level 1

‎01-07-2003 10:58 AM - edited ‎02-20-2020 10:28 PM

Hello,

I have a running PIX501 with VPN service, accesslists and nats. I want to change the external IP address on the box. which is the efficient way to do this without disruption the currrent configuration.

thank you,

travis,

0 Helpful
3 Replies 3

gfullage
Cisco Employee
Cisco Employee

‎01-07-2003 04:13 PM

You're going to have to "disrupt the current config" to do this. In fact, you're going to have to change any access-lists that reference this IP address, plus if you're running a VPN service, you're going to have to tell all your VPN clients that they need to connect to a new address now (or if it's a LAN-to-LAN tunnel then you'll need to change the other device to point to the new address).

This could turn into a major change, so some though needs to go into it.

As far as actually doing it though, just entering the new "ip address outside ..." command will make the change. For any static's and ACL's that reference the old address, add in new ones and then do "no ...." for all the old commands to get rid of them. For the VPN, you probably don't need to change anything on this PIX, but you'll have to change the other device or all your clients to use the new address. Resetting the tunnel with "clear cry isa" and "clear cry sa" will probably be necessary also.

0 Helpful

travis0
Level 1
Level 1
In response to gfullage

‎01-07-2003 04:29 PM

i expect to change all my access-lists that use the outside ethernet. I just hope I don't need to reconfigure the vpn service. it shouldn't because vpn commands do not bind to the external ip address.

what does "clear cry isa" & "clear cry sa" do?

thank you,

travis,

0 Helpful

gfullage
Cisco Employee
Cisco Employee
In response to travis0

‎01-07-2003 07:22 PM

You shouldn't need to change the VPN config on this PIX, but you will need to change it on whatever is connecting to this PIX.

The clear commands I mentioned clear the VPN tunnel(s) on the PIX so that they can be rebuilt properly. You will suffer a VPN outage when you change the IP address, and so you'll need to clear everything on the PIX so that it can be rebuilt properly.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card