08-25-2011 12:45 AM - edited 03-11-2019 02:16 PM
Hi all,
I have an ASA5520 that I need to re-address the two internal interfaces (sec level 100) on. If I can connect to this ASA remotely on the outside interface via ASDM, can I be sure I won't lose connectivity with the ASA while I'm changing the internal interfaces? If I can do this, it would save me a 2,000 mile flight and back. Seems doable to me, but thought I'd ask.... I guess I could also engineer a remote access solution that connects to the Mgmt0 interface on the ASA, but that would take time and equipment. Let me know if anyone knows if ASDM via the outside interface seems like a bad idea.
Sent from Cisco Technical Support iPhone App
08-25-2011 12:53 AM
Hi,
You should not face any issue with it, since you are connected on the outside interface and aren't changing any config setting for outside. Moreover, you are on the internet, so I do not see any issue with it; you should definitely be able to do that. But before that, plan it correctly: if you change the inside interface, what other config might change as well? Check for NAT statements and access-lists, because after the change some services might be hit. One suggestion, do:
show run interface | in inside
show run | in
and check in the config where the inside interface IP is used; be prepared to change the config after the maintenance to restore service.
One more thing: apart from the ASDM, keep an SSH or telnet session open as well, as a backup for management access.
Let me know if you have any further queries.
Hope this helps,
Varun
08-25-2011 12:55 AM
Yes, you won't lose connectivity to the ASA outside interface if you are changing the inside interface. But you just have to make sure that everything else behind those internal interfaces also has its addressing changed. Plus, if you have any access-list or NAT statement on the ASA, you will also need to make those changes if you change the subnet.
On another note, I would enable SSH too on the outside interface, so at least you have both ASDM and SSH available to use. Plus, if you have any other interfaces that you won't need to make changes on, then it would be good to configure VPN, and make sure that you can access those interfaces via VPN. Well, this is over the top, but it's better to have more access than no access.
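The pre-change check both replies describe (finding where the inside addresses appear in NAT statements and access-lists, and confirming management access stays on the outside interface), as an added example that is not part of any post in this thread. It is a Python sketch run against a saved copy of the running-config; the config text, the 10.1.1.0/24 subnet and the function names are constructed for illustration.

```python
import ipaddress
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample of a saved running-config (not taken from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 ip address 198.51.100.2 255.255.255.0
access-list outside_in extended permit tcp any host 10.1.1.25 eq 443
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.9.0.0 255.255.0.0
static (inside,outside) 198.51.100.10 10.1.1.25 netmask 255.255.255.255
route inside 10.2.0.0 255.255.0.0 10.1.1.254 1
http 203.0.113.0 255.255.255.0 outside
ssh 203.0.113.0 255.255.255.0 outside
"""

def find_references(config_text, old_subnet):
    """Return (line_no, section, line) for every line holding an address in old_subnet."""
    net = ipaddress.ip_network(old_subnet)
    hits, section = [], ""
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        if line and not line.startswith(" "):
            section = line          # top-level command that owns any indented lines
        for token in IPV4.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue            # looks like an address but is not one (e.g. 999.1.1.1)
            if addr in net:
                hits.append((no, section, line.strip()))
                break               # one hit per line is enough for the worklist
    return hits

def management_lines(config_text, ifname="outside"):
    """Lines that permit ASDM (http) or SSH sources on the given interface name."""
    return [l for l in config_text.splitlines()
            if re.match(r"(http|ssh) \S+ \S+ " + re.escape(ifname) + r"$", l)]

if __name__ == "__main__":
    for no, section, line in find_references(SAMPLE_CONFIG, "10.1.1.0/24"):
        print(f"{no:>4}  [{section}]  {line}")
    print("management access on outside:", management_lines(SAMPLE_CONFIG))
```

Every line it lists is a statement that has to be revisited after the re-addressing; an empty management list means the remote session depends on something other than the outside interface.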
08-29-2011 10:26 AM
Thanks! I thought it was possible, but you can never be too careful with these things...
Sent from Cisco Technical Support iPhone App