ASA 5520 need to change Interface

Rene Mueller
Level 5

Hey,

Is there a best practice when there is the need to change Interfaces on ASA 5520?

I have configured "External" and "Internal" Interface on let's say Gi0/0 and Gi0/1. Now I upgraded my ASA with 4GE-SSM RJ45 module. I need to switch the "External" and "Internal" Interfaces to the expansion module. What I did was, I exported Startup-Config, did a modify on the config (just reconfigured the parameters under Interface settings to the new interfaces) and copied the startup-config back to the ASA. After a bootup of the ASA, everything looks fine at first view, but I found out that I cannot connect to the Internet from a client behind the "Internal" Interface. I can connect and ping the ASA, but I cannot ping the Internet. From the ASA itself, I can ping the Internet.

Is it possible to reconfigure the Interface without configuration interruption when the ASA is up and running? Like if I remove the nameif and all other commands from an Interface, I am a little bit afraid that the ASA automatically deletes the mappings behind the nameif -> Internal or External :-/

René

1 Reply

Marvin Rhoads
Hall of Fame

In theory what you did should work. You are correct though that removing a nameif will remove any NAT and ACL mappings that reference that nameif.

One of two things is likely - 1. you didn't name the nameif exactly the same (including case-sensitivity) or 2. One of the NAT rules didn't get copied in correctly.

That's assuming ping worked before. By default, you cannot ping through an ASA. You have to add "inspect icmp" to the default class-map in order to cause the ASA to keep track of stateless icmp flows and thus allow the icmp echo reply traffic back through the return interface.
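
A pre-load check for the points raised in the reply above (a nameif that differs only in case, a NAT rule lost while editing, and `inspect icmp` under the default inspection class), as an added example that is not part of the original thread. The function names and both sample configs are constructed for illustration, and the `global`/`nat` sample lines assume pre-8.3 NAT syntax.

```python
import re

RULE = re.compile(r"(nat|global|static|access-group|route)\s")

def nameifs(cfg):
    """Interface names declared with 'nameif', case preserved."""
    return set(re.findall(r"^\s*nameif\s+(\S+)", cfg, re.M))

def rules(cfg):
    """NAT, access-group and route statements, whitespace-normalised."""
    return {" ".join(l.split()) for l in cfg.splitlines() if RULE.match(l.strip())}

def referenced(cfg):
    """Interface names used in '(NAME[,NAME])', 'interface NAME' or 'route NAME'."""
    refs = set()
    for r in rules(cfg):
        if r.startswith("route "):
            refs.add(r.split()[1])
            continue
        m = re.search(r"\(([^)]*)\)|\binterface\s+(\S+)", r)
        if m:
            refs.update(n.strip() for n in (m.group(1) or m.group(2)).split(","))
    return refs - {"any"}

def inspects_icmp(cfg):
    """True if a bare 'inspect icmp' sits in the inspect list of class inspection_default."""
    return bool(re.search(r"^\s*class inspection_default\n(?:\s+inspect .*\n)*?"
                          r"\s+inspect icmp\s*$", cfg, re.M))

def check_migration(old, new):
    """Compare the exported config (old) with the edited copy (new) before loading it."""
    old_n, new_n = nameifs(old), nameifs(new)
    return {
        "case_mismatch": sorted((o, n) for o in old_n for n in new_n
                                if o != n and o.lower() == n.lower()),
        "dangling_refs": sorted(referenced(new) - new_n),
        "missing_rules": sorted(rules(old) - rules(new)),
        "inspect_icmp": inspects_icmp(new),
    }

# Constructed sample: the edit lower-cased one nameif and dropped the global (PAT) line.
OLD = ("interface GigabitEthernet0/0\n nameif External\n"
       "interface GigabitEthernet0/1\n nameif Internal\n"
       "global (External) 1 interface\nnat (Internal) 1 0.0.0.0 0.0.0.0\n"
       "access-group outside_in in interface External\n"
       "route External 0.0.0.0 0.0.0.0 192.0.2.1 1\n")
NEW = (OLD.replace("Ethernet0/", "Ethernet1/").replace("nameif External", "nameif external")
          .replace("global (External) 1 interface\n", ""))
print(check_migration(OLD, NEW))
```

Any entry under `case_mismatch`, `dangling_refs` or `missing_rules` points at a statement that will not map to the new interfaces after the edited file is loaded.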
