07-15-2013 08:26 AM - edited 03-11-2019 07:12 PM
Hi,
Please excuse me if this is a stupidly simple question, but I could really do with some help as I've run out of time with this problem...
We have an ASA 5510 running version 8.2(5) of the OS software (according to ASDM). At the moment we have a very simple set up, there is an outside interface connected to our ISP and a DMZ interface connected to a server running virtual machines. There are also inside and management interfaces configured but not physically connected. The IP address assigned to the outside interface is a /30 e.g. 12.34.56.78/30. The DMZ network is 192.168.2.1/24. The outside interface is currently NAT'ed through to one of the virtual machines.
As we've just brought on a couple of new clients I need a couple of new IP addresses so we can host servers for them. Our ISP has agreed to supply me three new addresses but they will have to come from a new block and I'll have to give back the address I currently have. They have kindly offered to parallel run the old and new IP addresses for a while so the switch over is smooth.
So my questions are:
To complicate matters slightly we can't have any downtime and physically visiting the box would be awkward.
Many thanks for any help.
07-15-2013 12:29 PM
Hi,
Yes, that would seem to be a possibility also.
In addition to doing the change like that, you could also use the "reload in" command with its additional parameters. This would let you start a timer after which the ASA would reload. So in the event you lost connections to the ASA, you could simply wait for the timer to run out and the ASA would boot back to the original config, presuming you had not saved the configuration.
Here is a link to the Command Reference section for that command:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/qr.html#wp1789096
- Jouni
07-15-2013 08:49 AM
Hi,
You won't be able to configure several network ranges on the "outside" interface of the ASA.
I can't see any way that you can avoid downtime doing this change, especially since you need to switch the IP address of the "outside" interface. You will naturally lose your remote management connections as you do this change.
If you could actually keep the current IP address and have the ISP route the new public subnet towards your current ASA "outside" interface IP address then there would be no problems and no downtime.
In this case the ASA won't have to have the new subnet configured on ANY interface, since the ISP would forward the subnet towards the ASA "outside" interface IP address. You could then simply configure Static NAT for the servers you need, and when the ASA received traffic for those Static NAT public IP addresses it would work just fine, even though the new IP address range is not configured anywhere else other than in the NAT configurations.
Personally I wouldn't take the risk of doing such changes remotely. Naturally, if the firewall is somewhere far away from your workplace it's pretty hard to do this change locally. In that case you could perhaps consider attempting to get someone else to do this change for you, or be at the site and provide some remote desktop connection through another Internet connection.
- Jouni
07-15-2013 09:30 AM
I was concerned the answer might be something along those lines. I'll ask my ISP if he can route the new IP addresses to our existing one, but I don't think he'll be up for that; he's already said he wants to recover the old one when we get the new ones.
How about this for an idea though...
The ASA box has a physical interface (Ethernet0/3) that isn't currently configured. If I got the ISP to connect that to his network and route the new subnet to it could I then configure 0/3 as "outsideNew" while still accessing the box through the current "outside"? Once "outsideNew" was correctly configured and I could connect to it (for admin at least) I could turn "outside" off. If this will work it seems like the safest and simplest approach.
I should probably have mentioned initially that while our clients are just NAT'ed through to one of the virtual machines a couple of the guys from our company use the Cisco box as a VPN end point for remote desktop access to other virtual machines. I don't think this complicates issues but I thought I'd best mention it.
As for the ASA itself, physically the box is quite close to me, but I've got to arrange to visit it. We're a small company and rely on a small local ISP for our connection; the box is at their HQ, which isn't usually staffed.
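The procedure discussed above (a second "outsideNew" interface on Ethernet0/3 with static NAT for the hosted servers, wrapped in the "reload in" safety net from the accepted answer) written out as an ASA 8.2 CLI session. This is an added example, not configuration from the thread; the public block 203.0.113.8/29, the server address 192.168.2.10, the admin network 198.51.100.0/24 and the DMZ interface name "DMZ" are assumed values.

```cisco
! Added example, not from the thread. Assumed values: new ISP block
! 203.0.113.8/29, ASA taking 203.0.113.10, public 203.0.113.11 mapped
! to DMZ server 192.168.2.10, admin hosts on 198.51.100.0/24, DMZ
! interface nameif "DMZ". Syntax is ASA 8.2 (pre-8.3 NAT).

! 1. Safety net first ("reload in"): if the change locks you out, the
!    box reboots to the last SAVED config after 15 minutes.
!    Do NOT "write memory" until the new path has been verified.
reload in 15 noconfirm
show reload

! 2. Bring up the spare port as a second outside interface.
configure terminal
interface Ethernet0/3
 nameif outsideNew
 security-level 0
 ip address 203.0.113.10 255.255.255.248
 no shutdown
exit

! 3. Allow management on the new interface, so the old one can be
!    shut down later without losing remote access.
ssh 198.51.100.0 255.255.255.0 outsideNew
http 198.51.100.0 255.255.255.0 outsideNew

! 4. Static NAT for one hosted server (8.2 syntax: mapped IP first)
!    plus an inbound ACL; pre-8.3 ACLs match the mapped (public) address.
static (DMZ,outsideNew) 203.0.113.11 192.168.2.10 netmask 255.255.255.255
access-list outsideNew_in extended permit tcp any host 203.0.113.11 eq 443
access-group outsideNew_in in interface outsideNew
end

! 5. Verify from the NEW path (SSH to 203.0.113.10) before committing.
show interface Ethernet0/3
show xlate
show conn

! 6. Only once the new path works: cancel the timer and save.
reload cancel
write memory
```

The default route still points out the old "outside" interface at this stage; moving it to outsideNew is the real cut-over and belongs inside the same timer window, with the old interface shut down only after that has been verified too.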
07-16-2013 01:43 AM
Brilliant, thanks for the help. I wish I had time to learn how to configure this box properly, I'm sure we could get so much more out of it than we are.