cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5997
Views
5
Helpful
11
Replies

Impact of Moving interface in ASA

mahesh18
Level 6
Level 6

Hi everyone,

I need to delete interface GigabitEthernet0/1.1 from the ASA.

Currently this interface is used in nat statements ,access-group ,http,and route statemets.

I am moving this int to new interface GigabitEthernet0/2.6.

So my question is if i delete the interface will it remove all the config of interface in ASA too?

Regards

Mahesh

3 Accepted Solutions

Accepted Solutions

Jouni Forss
VIP Alumni
VIP Alumni

Hi Mahesh,

A bit tricky question to answer without knowing the about the environment more.

But naturally if you remove a subinterface completely then all the configurations that refer to that removed interfaces "nameif" will be removed.

Do notice that even if the "access-group" command is removed, the actual "access-list" is not removed (it just will not be attached to any interface anymore). You will have to use the "access-group" command with the new interface you create to attach the same "access-list" again.

Also worth noting is that you can naturally already create the interface GigabitEthernet0/2.6 and prepare some configurations before doing the actual interface change.

Naturally you are not able to create another interface with the same "nameif" but it can be something similiar and you can change it to the same after you have removed the original interface. Also you cant use the same "ip address" (subnet) in the new interface while the original interface still has it.

The "route" command might be a bit different. You could create routes with worse metric value which would mean that they would not be used UNTIL you remove the original interface. At that time that original interfaces "route" would be removed and the new interfaces "route" with worse metric would come to use as there would be no other competing static routes.

So as I said, the changing an existing interface and all its related configurations to a new interface will be tricky and there is no easy way to just switch the configurations to a new interface unless you change the ip addresses and interfaces names used.

You should be able to easily gather all the configuration that refer to the current interface. Just check that interfaces "nameif" and then issue the command

show run | inc

Even though its not a clean output it should anyway list the configurations that refer to the "nameif"

These kind of changes are good to plan ahead and get backups so in the event of something going wrong you can compare old and new configurations.

- Jouni

View solution in original post

Hi,

Can't really say what the problem is/was since I don't know what the setup actually is. Its pretty hard to say when I can't see any configurations.

I am not sure what you actually changed as the latest message doesnt correspond the original post question.

You first move some interface from Gi0/1.1 to Gi0/2.6. You then move "outside" from Gi0/0.1 to Gi0/1. With that in mind it seems to me that you first moved some interface away from Gi0/1.1 so you could free up the Gi0/1 physical interface completely. Then it seems you moved the current "outside" Gi0/0.1 to the actual physical interface of Gi0/1

I mean atleast the above would seem logical. Moving existing subinterface to another physical interface to free up a physical interface so it can be deticated for some other purpose. In this case the external interface I guess.

According to your information the ASA was able to communicate with the external network through the new "outside" interface but hosts on the internal network were not able to communicate with the external network?

Typically I would probably look at the whole configuration myself in this situation both from the Router in front of the ASA and also from the ASA. If I didnt find anything wrong I would start using "packet-tracer" to simulate the connections/packets that need to pass through the ASA for the user to be able to browse the internet.

I guess in your case I would test the DNS traffic and the actual Web traffic with the "packet-tracer" command.

I am not sure what is happening as you say that you saw connections through the ASA. The question would be what connections. Were they just UDP/53 DNS connections or actual browser connection or perhaps just connections that connect with IP address only and dont use the DNS name?

Were the users able to ping the Google IP addresses for example?

Without seeing an actual topology of before and after and the ASA configuration before and after its pretty hard to give any specific help on this situation. The main questions in your case I guess would be related to NAT on the ASA.

- Jouni

View solution in original post

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The connections you list are 1 HTTP connection that has not formed because the remote host has not responded and 2 UDP connection of which one is NTP and one is DNS.

When we look at the logs below it would seem to me that your connection goes through the ASA without a NAT translation.

Look at this log message

%ASA-6-302013: Built outbound TCP connection 105192494 for  outside:65.121.28.165/80 (66.x.x.x/80) to Inside:172.31.23.107/64157  (172.31.23.107/64157)

To me it seems that you are forming connection to the destination IP address.65.121.28.165. I am not sure why the IP address inside the "(" would be different? Thought it seems to me that your source IP address of 172.31.23.107 IS NOT translated. It seems to go through the ASA without NAT which naturally means that its not routable on the Internet and because this the connections for the users fail.

So I would look trough the NAT configurations since you seem to be missing them or there is some missconfiguration regarding them.

You said you moved the "inside" interface after which everything worked and then you moved "outside" interface and connections didnt work. I would look through the NAT configurations if they are missing something. Naturally the "outside" interface move will required you to redo all the configurations that references the "outside" interface.

- Jouni

View solution in original post

11 Replies 11

Jouni Forss
VIP Alumni
VIP Alumni

Hi Mahesh,

A bit tricky question to answer without knowing the about the environment more.

But naturally if you remove a subinterface completely then all the configurations that refer to that removed interfaces "nameif" will be removed.

Do notice that even if the "access-group" command is removed, the actual "access-list" is not removed (it just will not be attached to any interface anymore). You will have to use the "access-group" command with the new interface you create to attach the same "access-list" again.

Also worth noting is that you can naturally already create the interface GigabitEthernet0/2.6 and prepare some configurations before doing the actual interface change.

Naturally you are not able to create another interface with the same "nameif" but it can be something similiar and you can change it to the same after you have removed the original interface. Also you cant use the same "ip address" (subnet) in the new interface while the original interface still has it.

The "route" command might be a bit different. You could create routes with worse metric value which would mean that they would not be used UNTIL you remove the original interface. At that time that original interfaces "route" would be removed and the new interfaces "route" with worse metric would come to use as there would be no other competing static routes.

So as I said, the changing an existing interface and all its related configurations to a new interface will be tricky and there is no easy way to just switch the configurations to a new interface unless you change the ip addresses and interfaces names used.

You should be able to easily gather all the configuration that refer to the current interface. Just check that interfaces "nameif" and then issue the command

show run | inc

Even though its not a clean output it should anyway list the configurations that refer to the "nameif"

These kind of changes are good to plan ahead and get backups so in the event of something going wrong you can compare old and new configurations.

- Jouni

Hi Jouni,

IP address and name everything will remain same.

Thanks for wonderfull explanation.

I am doing the prep work before the change.

So  as per your explanation existing ACL will not be removed right?

I ran the command

show run | inc

IT showed me

mtu outside 1500

ip verify reverse-path interface outside

monitor inetrface outside

Will above commands will be removed?

I already saved the config and once i remove the interface and add the new one i will put the

NAT commands

access group

Route commands

ssh commands

http commands

Best Regards

MAhesh

Hi Jouni,

We have 2 ASA in Active standby pair.

Before change we power down standby ASA.

On Active ASA  we did below

We did change today of moving the interface with same IP to another interface in ASA.

We did this interface move  from  GigabitEthernet0/1.1  to interface GigabitEthernet0/2.6.

When we did this users were able to access the internet via ASA.

Then we did outside interface move from interface GigabitEthernet0/0.1   to interface GigabitEthernet0/1

After doing this internet was not working for users connection.

We check the config all was good.All interfaces were up up.

ASA has connection to Edge Router.From ASA i was able to ping the Internet websites fine.

However from PC no internet was working.It was showing page can not be displayed.

We clear xlate,arp and conn on ASA  no luck.Also i did clear arp on the Edge router still same thing.

When i did nslookup on user PC  with IP 4.2.2.2

DNS request timed out.

    timeout was 2 seconds.

DNS request timed out.

    timeout was 2 seconds.

IT did not work.

I did sh traffic on ASA it was showing packets from outside interface being send and received and they were increasing.

I ran the sh conn on ASA it showed connections established.

Can you tell me what else i could tried to know if there was issue with ASA?

Any troubleshooting command i can try next time to fix this.

For now we undo the change and will try next week.

Regards

MAhesh

Hi,

Can't really say what the problem is/was since I don't know what the setup actually is. Its pretty hard to say when I can't see any configurations.

I am not sure what you actually changed as the latest message doesnt correspond the original post question.

You first move some interface from Gi0/1.1 to Gi0/2.6. You then move "outside" from Gi0/0.1 to Gi0/1. With that in mind it seems to me that you first moved some interface away from Gi0/1.1 so you could free up the Gi0/1 physical interface completely. Then it seems you moved the current "outside" Gi0/0.1 to the actual physical interface of Gi0/1

I mean atleast the above would seem logical. Moving existing subinterface to another physical interface to free up a physical interface so it can be deticated for some other purpose. In this case the external interface I guess.

According to your information the ASA was able to communicate with the external network through the new "outside" interface but hosts on the internal network were not able to communicate with the external network?

Typically I would probably look at the whole configuration myself in this situation both from the Router in front of the ASA and also from the ASA. If I didnt find anything wrong I would start using "packet-tracer" to simulate the connections/packets that need to pass through the ASA for the user to be able to browse the internet.

I guess in your case I would test the DNS traffic and the actual Web traffic with the "packet-tracer" command.

I am not sure what is happening as you say that you saw connections through the ASA. The question would be what connections. Were they just UDP/53 DNS connections or actual browser connection or perhaps just connections that connect with IP address only and dont use the DNS name?

Were the users able to ping the Google IP addresses for example?

Without seeing an actual topology of before and after and the ASA configuration before and after its pretty hard to give any specific help on this situation. The main questions in your case I guess would be related to NAT on the ASA.

- Jouni

Hi Jouni,

You understand right when we move interface interface from Gi0/1.1  to  Gi0/2.6  that was inside interface and users

were able to access the internet.

When we move outside interface users were not able to access the internet.

Yes from ASA i was able to ping the Internet sites e.g 4.2.2.2 no issue.

Hosts on inside network were unable to access the internet.

Connections were

TCP outside 22.x.x.x:80 inside  172.31.164.x:4041, idle 0:00:13, bytes 0, flags saA

UDP outside 131.x.x.x:123 xNet 172.31.155.x:123, idle 0:00:46, bytes 4320, flags -

UDP outside nano.x.x.x:53 xNet 172.31.27.x:11946, idle 0:00:01, bytes 35, flags -

Here are logs from my pc when i try to access internet website

%ASA-6-106100: access-list Inside_001 permitted tcp Inside/172.31.23.107(64157) -> outside/66.x.x.x(80) hit-cnt 1 first hit [0x3b1e12a4, 0x0]

%ASA-6-302013: Built outbound TCP connection 105192494 for outside:66.x.x.x/80 (66.x.x.x/80) to Inside:172.31.23.107/64157 (172.31.23.107/64157)

%ASA-6-302014: Teardown TCP connection 105192183 for outside:66.x.x.x/80 to Inside:172.31.23.107/64153 duration 0:00:30 bytes 0 SYN Timeout

No users were not able to ping google.com.

Regards

MAhesh

Message was edited by: mahesh parmar

Message was edited by: mahesh parmar

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

The connections you list are 1 HTTP connection that has not formed because the remote host has not responded and 2 UDP connection of which one is NTP and one is DNS.

When we look at the logs below it would seem to me that your connection goes through the ASA without a NAT translation.

Look at this log message

%ASA-6-302013: Built outbound TCP connection 105192494 for  outside:65.121.28.165/80 (66.x.x.x/80) to Inside:172.31.23.107/64157  (172.31.23.107/64157)

To me it seems that you are forming connection to the destination IP address.65.121.28.165. I am not sure why the IP address inside the "(" would be different? Thought it seems to me that your source IP address of 172.31.23.107 IS NOT translated. It seems to go through the ASA without NAT which naturally means that its not routable on the Internet and because this the connections for the users fail.

So I would look trough the NAT configurations since you seem to be missing them or there is some missconfiguration regarding them.

You said you moved the "inside" interface after which everything worked and then you moved "outside" interface and connections didnt work. I would look through the NAT configurations if they are missing something. Naturally the "outside" interface move will required you to redo all the configurations that references the "outside" interface.

- Jouni

Hi Jouni,

Seems you are spot on i checked output of sh local host during the change window and it does not shows us

the Xlate entries.

Also i checked sh xlate from change window it does not show up  our global IP address.

I will compare the config  and will let you know what is missing.

Your are Best Jouni!

Regards

Mahesh

Hi Jouni,

We compared  the new config to old config it looks good and NAT config was also there.

Nothing was missing.So do not know why NAT was not working after the change.

Only thing we did not do after  change was to reboot the Active ASA.

This weekend  after doing the changes on Active ASA we will reboot it and will see if NAT is working or not?

Lets see if reboot do the magic!

Will let you know how it goes.

Regards

Mahesh

Message was edited by: mahesh parmar

Hi Jouni,

We did change today exactly as we did last time  and nat was working fine even without even rebooting the firewall.

Everything worked fine

Regards

MAhesh

Hi,

 

I'll give a hint, how it might work - actually it worked in my case, but I didn't intend it to do so. Here is the way to change "nameif" to other interface and not lose all other configration, connected to that nameif interface.

 

1. you save old config to flash:/something

2. you delete old interface

3. you create new interface / subinterface

4. you copy old config (from flash:/something) to running-config

 

It seems that at step 4, everything is copied exept copying old interfaces, as it can't override new interface (that we set-up at step 3).

 

That'.s it. Please give me an info if I'm wrong.


Best regards!

The thread you're replying to is 5 years old. :)

 

However with respect to your suggestion, as long as you keep the same nameif it should work. Personally I prefer to copy only the bits that reference that nameif.

Review Cisco Networking for a $25 gift card