New Member

Change Interfaces

I setup port 0 as an Inside interface and port 1 as an Outside interface.  I would like to switch them (port 0 = outside, port 1 = inside).  Do I connect to the ASA through the Console Port or Management Port to make this change?  I was connecting through SSH and ASA did not allow me to save this change.  Thanks.

18 REPLIES
Super Bronze

Re: Change Interfaces

Console port would be the best option as you are changing the interfaces around, and console connection will not affect your communication to the ASA itself.

Re: Change Interfaces

If you're modifying parameters on an interface (which you're connected to), you need to be careful not to lose connectivity to the firewall (in case you have a remote session).

It has happened to me before to get locked-out of the ASA because of this, so if you are physically in the same location of the ASA, better to use the console connection.

If you have more than one interface that you can SSH into, then you can modify the other interface without any problem.

Normally, the rule is to use port 0 for outside and port 1 for inside as you mentioned.

Federico.

New Member

Re: Change Interfaces

I was able to change the interfaces (inside to outside and outside to inside) and the IP addresses and save the config.  I also switched the cables.   I was able to ping all the internal servers.  However, I am not able to get on the internet.  I used to be able to SSH to the outside interface of the ASA.  I can no longer get to the outside interface of the ASA.  Is there something else that I need to do? Thanks.

New Member

Re: Change Interfaces

After changing the inside to outside interface and outside to inside interface and the IP addresses, everything that is "inside" is changed to "outside" and the "outside" is changed to "inside" by themselves.   Then, I changed everything back.  Still, I cannot get on the internet.  I still cannot log in through the VPN client either from any of the groups.  When I connect through the VPN client, I get the error message "Secure VPN client terminated locally by the client.  Reason: 412:  The remote peer is no longer responding".    However, I can ping all internal servers.  Everything was working until I changed the interfaces.  Attached is the config.  Thanks.

Re: Change Interfaces

Hi Laura,

Check if you have internet access from the ASA itself.

From the ASA itself:

ASA# ping 4.2.2.2

Check if you receive results.

If Internet is fine from the ASA, try the same thing from a computer behind the ASA.

If it does not work, do a traceroute and check the path of the packet.

Federico.

New Member

Re: Change Interfaces

I apologize for my error.  For some reason, I am now able to get on the internet.  I guess it takes a while for the servers to recognize the changes. I am sorry for the trouble that you went through.   However, I am still unable to login to the VPN client.  I still got the 412 error message.  I created a new group and still got the same error.  Do you have any suggestions?  Thanks.

Re: Change Interfaces

To which VPN group are you connected?

To easily resolve the issue, please post the output of:

sh cry isa sa

sh cry ips sa

When attempting to establish the tunnel from the VPN client.

Federico.

New Member

Re: Change Interfaces

I tried all the groups.  When I typed "sh cry isa sa", I got the message "There are no isakmp sas".  When I typed "sh cry ips sa", I got the message "There are no ipsec sas".  Thanks.

Re: Change Interfaces

The VPN traffic is not even getting to the ASA.

I think the problem is that the crypto map is applied to the inside interface.

Remove these commands, and reapply them to the outside interface:

no crypto map Outside_map interface Inside
no crypto isakmp enable Inside

crypto map Outside_map interface Outside

crypto isakmp enable Outside

Please try again.

Federico.

New Member

Re: Change Interfaces

Thanks Federico.  You solved my problems again!!!  Those commands fixed the VPN authentication.  Thank you very much for your time.

Laura

New Member

Re: Change Interfaces

May I ask you another question?  Does the NAT order make any difference?  Would you put NAT (inside) before NAT (Outside)?

nat (Outside) 1 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0

Thanks.

Laura

Re: Change Interfaces

The order does not matter. What matters is the identifier, for example NAT 1, NAT 2, etc.

Actually, why do you have a nat (outside) command?

This is normally used if you want to give Internet access to your VPN clients, is that the case?

Federico.

New Member

Re: Change Interfaces

I want the VPN users to have access to the internet while logging in to VPN client.  That is why NAT (outside) was setup.  Since I setup Split-tunneling, the internet access does not go through my system while users are logging in to VPN client.  Let me know if you would set it up differently.  Thanks.

Re: Change Interfaces

If the Internet traffic from the VPN clients does not go through the ASA (split-tunneling enabled), then you don't need the nat (outside) statement.

You can make sure by looking at your VPN client and checking the route details tab under statistics (while connected) and see the protected routes.

If you see 0.0.0.0 0.0.0.0 it means there's no split-tunneling. If you get a network or networks, it means you do have split-tunneling and therefore you can remove the nat (outside) statement.

Let me know how it goes.

Federico.

New Member

Re: Change Interfaces

Federico,

I am sorry for not getting back to you sooner.  I had several production problems yesterday.  All my VPN groups have been set up for split-tunneling.  I see networks under statistics.  I have removed the nat (Outside) statement.  Just wondering, if I had the nat (Outside) statement, would it affect anything?  Would it affect performance?  But, I am glad that I asked the question.

Thanks.

Laura

Re: Change Interfaces

Laura,

The only reason that you would possibly need the command:

nat (Outside) 1 192.168.101.0 255.255.255.0

is in case you want to do NAT for the VPN pool when going out another interface.

The clearest example is when you want the ASA to provide Internet access to the VPN clients.

So, the VPN clients connect to the ASA (sending all traffic = without split-tunneling) and the ASA translates the connections to the outside interface to re-route the traffic back out the outside interface.

If this is not the case (since you're using split-tunneling and therefore not sending the Internet traffic from the VPN clients to the ASA), there's no reason to have that command in your configuration.

Hope it helps.

Federico.
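
Added example, not from this thread or from Cisco: a small Python lint over an exported ASA running config that flags the two problems worked through above, the crypto map and ISAKMP still bound to Inside after the interface swap (the cause of the "no isakmp sas" / 412 symptom), and a nat (Outside) rule kept although every group policy split-tunnels. The sample config, the interface names and the group-policy name are constructed; the pre-8.3 nat syntax and the split-tunnel-policy attribute are assumed.

```python
import re

# Constructed sample in the state the thread describes right after the swap:
# crypto map and ISAKMP still on Inside, leftover nat (Outside) still present.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
interface Ethernet0/1
 nameif Inside
 security-level 100
nat (Outside) 1 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
group-policy RemoteUsers attributes
 split-tunnel-policy tunnelspecified
crypto map Outside_map interface Inside
crypto isakmp enable Inside
"""

def security_levels(cfg):
    """Return {nameif: security-level} collected from the interface blocks."""
    levels, name = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"\s*nameif (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s*security-level (\d+)", line)) and name:
            levels[name] = int(m.group(1))
    return levels

def lint(cfg):
    """Return findings as strings; an empty list means the config is consistent."""
    levels = security_levels(cfg)
    outside = min(levels, key=levels.get)  # lowest security-level = Internet side
    findings = []
    # Peers reach the ASA on the outside interface, so crypto map and ISAKMP belong there.
    for m in re.finditer(r"^crypto map (\S+) interface (\S+)", cfg, re.M):
        if m.group(2) != outside:
            findings.append(f"crypto map {m.group(1)} bound to {m.group(2)}, expected {outside}")
    for m in re.finditer(r"^crypto isakmp enable (\S+)", cfg, re.M):
        if m.group(1) != outside:
            findings.append(f"isakmp enabled on {m.group(1)}, expected {outside}")
    # nat (outside) only hairpins full-tunnel clients; dead config if all policies split-tunnel.
    policies = re.findall(r"^\s*split-tunnel-policy (\S+)", cfg, re.M)
    if policies and all(p == "tunnelspecified" for p in policies):
        for m in re.finditer(r"^nat \((\S+)\) (\d+) ", cfg, re.M):
            if m.group(1) == outside:
                findings.append(f"nat ({outside}) {m.group(2)} unused: all group policies split-tunnel")
    return findings
```

Running lint(SAMPLE_CONFIG) reports all three issues; after moving the crypto map and ISAKMP to Outside and deleting the nat (Outside) line, it returns an empty list.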

New Member

Re: Change Interfaces

Federico,

Thanks very much for taking time to explain to me about the NAT (Outside) statement.  I have removed it since we setup Split-tunneling for all the groups.

Again, I want to thank you for taking the time to help solve my problems and explain technical questions.

Laura

Re: Change Interfaces

Laura,

You're very much welcome and thank you for the ratings.

Cheers ;-)

Federico.
