Subnet ID change on Inside interface

s.kanth · ‎03-27-2014

Hi All,

Two firewalls connected in Failover mode. We would like to change subnet mask on Inside interface.

Can we achive this without any impact ? becuase firewall is in production and do not want to get any distrubtion to the existing sessions.

Thanks

Sri

Marvin Rhoads · ‎03-27-2014

Changing a subnet mask is most likely going to at least momentarily interrupt traffic. It's only by chance that it's working if the ASA interface mask doesn't match the next downstream gateway and any other hosts on that subnet.

You must not be running a dynamic routing protocol like OSPF on the inside because neighbors won't establish adjacency with mismatched masks.

s.kanth · ‎03-27-2014

So, there will be an interrruption in traffic for few seconds.

we will change subnet mask ID on active box for inside interface. configuration will get reflected in standby box through failover link ..right ? please correct me If I am wrong.

Joe Doran · ‎03-27-2014

If you plan to change the mask make sure you are not going to violate the subnet requirements of your next hop to the inside of the ASA or you will break your routing, and consequently all traffic through the ASA to and from the inside. Be careful. If you don't understand what I just said get another set of eyes on the environment before making the change.

Yes, your configuration will be synchronized to your secondary ASA over the failover link.

s.kanth · ‎03-27-2014

I will tell why we want to change subnet ID on inside interface :-)

while seting up the ASA, subnet ID is overlapped on inside and DMZ interfaces (ASA accepted because it runs on 8.2 code)

inside interface IP currently ( 10.1.1.1 - 255.255.255.0)

DMZ interface IP currently ( 10.1.1.34 - 255.255.255.224)

So we decided to change inside interface subnet mask to 255.255.255.224 with same IP address 10.1.1.1.

Joe Doran · ‎03-27-2014

What is your route to the inside?

You should have a configuration line that begins "route inside".