topic i think following line should in Network Security

HELP! NAT on Cisco ASA

shaheen.adil1 — Tue, 12 Mar 2019 06:18:43 GMT

Hi guys,

I need some support as i just came across a cisco ASA thats being used for NAT and I have to change the public IP of its WAN interface along with default gateway I am pasting the configs below with assumed IPs (10.10.1.0/29) instead of public for security reasons therefore here 10.10.1.5 is the public IP and 10.10.1.6 is the gateway so could somebody please help me out that what has to be changed and what should be the commands with complete syntax, as I am not familiar with it 😞

enable password kkjEDcH4x0RIZBsg encrypted
passwd 2KFQnbNIdI.2KYOU encrypted

names
name 10.10.1.0 ippublic description Network_INTERNET
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.205.254 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 10.10.1.5 255.255.255.248
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name liptinfor.net
access-list inside_nat0_outband extended permit ip 192.168.205.0 255.255.255.0 ippublic 255.255.255.248
access-list outside_access_in extended permit icmp any any
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outband
nat (inside) 1 0.0.0.0 0.0.0.0
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 10.10.1.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.205.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.205.146 255.255.255.255 inside
telnet 192.168.205.233 255.255.255.255 inside
telnet timeout 5
ssh timeout 5
console timeout 0

Hello shaheen.adil1,The only

joseoroz — Wed, 22 Jul 2015 01:28:34 GMT

Hello shaheen.adil1,

The only to changes are the external IP and default gateway.

These are the necessary commands:

interface Vlan2

ip address (new IP X.X.X.X X.X.X.X)

route outside 0.0.0.0 0.0.0.0 (new default gateway X.X.X.X)

As far as the NAT. If the internal range is not changed the PAT will be updated as soon as you change the public ip. This is because the overload is done with the command global and the keyword interface is been used so it will change dynamically the IP of the outside interface when you update it.

global (outside) 1 interface

Regards,

Jose Orozco.

access-list inside_nat0

Tagir Temirgaliyev — Wed, 22 Jul 2015 04:23:02 GMT

access-list inside_access extended permit ip 192.168.205.0 255.255.255.0 0 0
access-group inside_access in interface inside

Hi Jose, Thank you very much

shaheen.adil1 — Wed, 22 Jul 2015 08:29:10 GMT

Hi Jose,

Thank you very much for the response, I am gonna try this and will get back.

i think following line should

shaheen.adil1 — Wed, 22 Jul 2015 16:04:51 GMT

i think following line should also be modified according to new public IP subnet:

name 10.10.1.0 ippublic description Network_INTERNET

Hello Shaheen,The name

joseoroz — Wed, 22 Jul 2015 17:20:43 GMT

Hello Shaheen,

The name command will map an IP to a name so you can use a common name instead of having to remember the IP. If you want to keep that consistent then you may change it however is not necessary.

Tagir Temirgaliyev: There is no access group on the inside and the security level is higher than the outside so the traffic should be allowed. That ACL is not necessary for what Shaheen requested that is a public IP change.

Regards,

Jose Orozco

Hi Jose,thanks again for your

shaheen.adil1 — Wed, 22 Jul 2015 21:45:34 GMT

Hi Jose,

thanks again for your response, is there any command to change the IP for that name ? i mean if i want to use the same name but new public IP?

according to google search, there is a way to delete that map by entering:

no name <IP ADDRESS> <NAME>

and then redoing the map but i am not sure about its impact by deleting and creating again as that name (in red) is being used in the policy below:

access-list inside_nat0_outband extended permit ip 192.168.205.0 255.255.255.0 ippublic 255.255.255.248

and also i am a bit confused if i decide to delete the name and use the New Public IP directly in policy so how can i edit the policy? plus what sequence should i follow for the commands to complete the process:

1. no name <IP ADDRESS> <NAME>

2. editing the policy according to new IP (dont know the syntax)

3. interface Vlan2

ip address (new IP X.X.X.X X.X.X.X)

route outside 0.0.0.0 0.0.0.0 (new default gateway X.X.X.X)

thanks!

Hello shaheen.adil1.I think

joseoroz — Thu, 23 Jul 2015 01:24:15 GMT

Hello shaheen.adil1.

I think you are getting confused. The ACL that you are making reference is used on a no NAT configuration. Meaning that the traffic that conform the ACL wouldn't be natted. That rule is not related to a change of a public IP.

Now if you have used an IP that has a name mapping and you remove the mapping the IP or rules were are applied are not going to be affected.

On my previous post I provided the steps. You don't need to remove the name if to change the IP.

The commands will be:

1. interface Vlan2

2.ip address (new IP X.X.X.X X.X.X.X) this will replace the old IP.

3.no route outside 0.0.0.0 0.0.0.0 10.10.1.6 1 removes the old route

4.route outside 0.0.0.0 0.0.0.0 (new default gateway X.X.X.X) ads the new correct route.

Then add or remove any names accordingly.

Kind regards,

Jose Orozco.

Hi Jose, thank you once again

shaheen.adil1 — Thu, 23 Jul 2015 16:31:55 GMT

Hi Jose,

thank you once again for your detailed reply 🙂 actually yes i am getting confused 😞 cause i lack expertise on this and i have to get it done anyhow, I absolutely understood your explanation but the last thing is i also have to replace the public IP thats mapped inside the name ippublic because its the "Network IP" of the same public IP subnet so how can i edit the ACL for this? as the old public IP subnet would no longer be available.

and again if there is a way to edit ACL then what sequence of command should be followed.

Hello Shaheen,I understand.

joseoroz — Thu, 23 Jul 2015 18:03:00 GMT

Hello Shaheen,

I understand. In that case you can create the new ACL and then remove the old one. You have to do it on that order or the access list with be removed with the NAT.

So the order will be like this:

1 add the new ACL:

access-list inside_nat0_outband extended permit ip X.X.X.X 255.255.255.0 X.X.X.X 255.255.255.248

2 remove the old ACL:

no access-list inside_nat0_outband extended permit ip 192.168.205.0 255.255.255.0 ippublic 255.255.255.248

3.Create the new name for the network.

name new_name x.x.x.x x.x.x.x.x

Regards,

Jose Orozco.

Hi Jose,Really appreciate

shaheen.adil1 — Sun, 26 Jul 2015 22:27:45 GMT

Hi Jose,

Really appreciate your help and continuous response.

I will have the access to the ASA this week so gonna try these steps and will share the feedback.

Thanks!