Change IP Address of Outside Interface

I need to change the IP address of the Outside interface remotely.  I plan to SSH in to the ASA and make a change.  I can't be on site to make this change since the site is out of state.  Will there be any problems?  The current config is

interface Ethernet0/0
nameif Outside
security-level 0
ip address 66.102.7.22 255.255.255.248

The new IP address will be 66.102.7.18 255.255.255.248.  Also, is this the correct syntax?

interface Ethernet 0/0

no ip address 66.102.7.22 255.255.255.248

ip address 66.102.7.18 255.255.255.248

Thanks.

Diane

9 REPLIES

Re: Change IP Address of Outside Interface

Diane,

If you're accessing the ASA via its public IP on its outside interface, and if you change this IP, you will lose communication with the ASA.

It's better if you can do the change from the inside.

If you definitely need to change it remotely, you can change the IP and then attempt the SSH connection on the new IP.

However if something goes wrong, you can then not access the ASA.

The syntax is correct.

Federico.

New Member

Re: Change IP Address of Outside Interface

Thanks Federico and Jon.  I have another dumb question.  If I log in to Cisco VPN client and then SSH to the Outside interface, would I still be able to change the IP address?  I can't be on site since the ASA is out of state.  If I still can't change the IP address of the Outside interface remotely, I will need to ask the local user to connect to the ASA through the Console port.  Then, I will need to give him the Enable password.  Looks like I have no choice but to ask the local user for help.

Thanks.

Diane

Re: Change IP Address of Outside Interface

You cannot do that.

The reason is because when you connect with the VPN client, you're connecting through the outside interface.

So, even if you connect with the VPN client, you will still lose connectivity if changing the IP.

As Jon said, if the new IP is on the same subnet as the old IP, then you might give it a try.

However the recommendation is to do it from the inside.

Federico.

Hall of Fame Super Blue

Re: Change IP Address of Outside Interface

dianewalker wrote:

I need to change the IP address of the Outside interface remotely.  I plan to SSH in to the ASA and make a change.  I can't be on site to make this change since the site is out of state.  Will there be any problems?  The current config is

interface Ethernet0/0
nameif Outside
security-level 0
ip address 66.102.7.22 255.255.255.248

The new IP address will be 66.102.7.18 255.255.255.248.  Also, is this the correct syntax?

interface Ethernet 0/0

no ip address 66.102.7.22 255.255.255.248

ip address 66.102.7.18 255.255.255.248

Thanks.

Diane

Diane

You can't do this remotely if the only way to ssh in is via the outside interface of the ASA. If you could enter via another interface on the ASA then you can do it remotely but otherwise you will need to either visit or talk someone else through it.

Jon

Re: Change IP Address of Outside Interface

Diane,

I'm sorry, listen to Jon. As he said, don't even try it.

This is because you can't change both the outside IP and the default gateway at the same time.

You will lose complete access to it.

Federico.

Hall of Fame Super Blue

Re: Change IP Address of Outside Interface

coto.fusionet wrote:

Diane,

I'm sorry, listen to Jon. As he said, don't even try it.

This is because you can't change both the outside IP and the default gateway at the same time.

You will lose complete access to it.

Federico.

Federico

Actually the default-gateway doesn't need changing as the new address is in the same subnet, so you could take the chance. I am just wary of making these sorts of changes as I have done it before and sometimes it has worked and sometimes it hasn't.

Jon
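
The same-subnet point in the reply above can be checked before anyone touches the device. The following is an added example, not part of the original thread: it parses the interface stanza from the question and tests whether the new address keeps an existing next hop on-link. The gateway 66.102.7.17 is a constructed value (the thread never states the real one), and the function names are hypothetical.

```python
import ipaddress
import re

# Interface stanza as posted in the question.
ASA_STANZA = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 66.102.7.22 255.255.255.248
"""

def parse_interface_ip(stanza):
    """Return the ip_interface set by the 'ip address A.B.C.D MASK' line."""
    m = re.search(r"^\s*ip address (\S+) (\S+)", stanza, re.MULTILINE)
    if not m:
        raise ValueError("no 'ip address' line found")
    return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")

def readdress_findings(stanza, new_ip, new_mask, gateway):
    """List addressing problems the re-address would cause.

    An empty list means the new address is a usable host in the same
    subnet and the existing next hop (assumed value) stays on-link.
    """
    old = parse_interface_ip(stanza)
    new = ipaddress.ip_interface(f"{new_ip}/{new_mask}")
    gw = ipaddress.ip_address(gateway)
    findings = []
    if new.network != old.network:
        findings.append(f"subnet changes from {old.network} to {new.network}")
    if new.ip in (new.network.network_address, new.network.broadcast_address):
        findings.append(f"{new.ip} is the network or broadcast address")
    if gw not in new.network:
        findings.append(f"gateway {gw} is not on-link in {new.network}")
    if new.ip == gw:
        findings.append("new address collides with the gateway")
    return findings

if __name__ == "__main__":
    # Constructed gateway; substitute the next hop from the real 'route Outside' line.
    print(readdress_findings(ASA_STANZA, "66.102.7.18", "255.255.255.248", "66.102.7.17"))
```

An empty result only confirms that the addressing is consistent; it says nothing about whether the SSH session will come back after the change.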

Re: Change IP Address of Outside Interface

Yup! agreed...

Diane... please don't do it ;p

Federico.

New Member

Re: Change IP Address of Outside Interface

TS, Federico, Jon,

Maybe I'm crazy but is (or shouldn't) this be impossible?

First you do the "no ip address" command.

Since you use the IP you just removed, at this point you will already lose your connection.

Hence, your second command with the new IP will not be delivered to the ASA.

Which means you cannot access the ASA anymore from that point on, right?

Yours Sincerely,

Stan

Hall of Fame Super Blue

Re: Change IP Address of Outside Interface

Stan

You don't do the "no ip address ...", you simply type in the new IP, i.e. "ip address . You will get disconnected but if the default-gateway is the same you should then be able to reconnect. But as I say, I've had this work and not work for me.

And there is nothing worse than changing an IP of a device 100s of miles away and then not being able to reconnect. You need a fast way of getting there or an updated CV.

Jon
