11-22-2010 09:08 AM - edited 03-11-2019 12:13 PM
I apologize in advance for my very basic questions.
I am switching ISPs in my company. Going from two T1s to a 10 meg up and down EIA Circuit.
My target turn on date is this Thursday. I am not an expert on our (legacy) Cisco 501 Pix unit in any way. It has been setup and running great for years. I have never had any problems going in and creating new translation and access rules as we have expanded our IT department, but my problem is that with all of my external IP addresses changing, I want to make sure that I have my bases covered.
My primary concern is with the PAT and just the basic interface settings that I need to look for in order to have my firewall work with my new IPs. NAT rules should fall right in place.
I guess my most basic question - once I connect my new source into my pix - will I immediately get internet at my workstations? I know I will have to change my NAT rules in order for my mail server (which is internal) to work.
In my translation rules list (and I use the graphical interface; I cannot do command line), whoever initially set up the firewall has a PAT:
Original:
Inside:any/0.0.0.0
Translated:
Outside: 70.43.xxx.xxx (interface PAT)
This will obviously have to change, as the 70. IP is going away as soon as I go live.
I am looking for help (perhaps checklist) on what steps I need to take. I am getting a range of 14 IP addresses with my new setup.
Again, sorry for sounding so much like a Cisco PIX newb. Thanks much.
Rob Catron
11-22-2010 03:52 PM
A few things need to be changed once you connect to your new ISP:
1) The PIX outside interface IP address needs to be changed to the new ISP-assigned IP range, with the correct subnet.
2) The PIX default gateway needs to be changed to the next hop ip address of your ISP.
3) Assuming that you have "global (outside) 1 interface" command, you don't really need to change anything else for this particular command.
4) Your mail server: I assume that you would have a "static (inside,outside)" command, and yes, this needs to change to the new public IP address.
5) Access-list on the outside interface: presumably you only have inbound mail, then the ACL needs to reflect the new IP address as well.
If you share the current config, I can tell you which statement needs to be changed.
11-22-2010 04:43 PM
Thanks for the responses. I am using PDM, and not the CLI.
I spent this afternoon going through and noting the current IP addresses that were listed ("Route", "Outside Interface", and "Host/networks")
I was basically going to recreate the settings using the new IP addresses - keeping them in the same "order" so to speak. I called the ISP support line and they thought that would be the way to do it and confirmed the new IP information below (they also bought the company that "owned" my old IP range, so that helped as well in comparison).
I have the following new IP address info:
x.x.x.224/28
Gateway is x.x.x.225
Usable IP range = x.x.x.226 to x.x.x.238
If I compare the current IP addresses (and how they are arranged in my PIX now) to the new IP addresses, it would be as follows:
1) In PDM, under the "Host/Network" tab, I add x.x.x.224 as my outside network (with the new subnet mask)
2) If I go to the "System Properties" tab, and go to "Interfaces", I add the Outside Interface = x.x.x.226
3) Then, I go "Static Route" and add the Gateway IP x.x.x.225 IP there with a mask of 0.0.0.0 (? - that is what it is now)
4) Next, I go to translation rules and replace my current IP PAT and translate inside 0.0.0.0 to outside x.x.x.226 (same as the interface IP)
5) Then the easy part of configuring the additional Translation and access rules for my HVAC system, email server, Video processing computer, etc
Does that sound like the right order of things? I wasn't sure the exact order of 1 through 3 above. Any additional tips would be much appreciated.
Again, thanks for all of the help!
Sincerely
Rob
11-22-2010 04:50 PM
1) Yes
2) Yes
3) Yes
4) If it says translate to "interface", just let it be. Don't have to change anything. Unless it says an external ip address specific, you don't have to change this command.
5) You can't configure an additional one if you already have an existing static translation statement. You would need to either remove the existing statement or modify the IP address of the existing statement.
6) Under firewall policy/rule, you would also need to change the ip addresses as well from the old one to the new IPs.
After all the above changes, you would need to perform "clear xlate" and "clear arp".
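Putting the five items from the first answer and the "clear xlate"/"clear arp" step from this one together as a PIX 6.x CLI fragment. This is an added example, not any poster's configuration and not the original firewall's config. It assumes the addressing given in the thread, with documentation addresses standing in for the masked ones: the new x.x.x.224/28 block is written as 203.0.113.224/28 (gateway .225, interface .226), the old block as 198.51.100.0/29 (old interface .5, old gateway .1, old mail address .6), an internal mail server at 192.168.1.10 (hypothetical), and an inbound ACL named outside_access_in (name assumed; PDM generates its own names, so take the real ones from "show run"):

```cisco
! Added example for a PIX 501 / PIX OS 6.x ISP cutover. All addresses are stand-ins.
! Old statements as they would appear in "show running-config":
!   ip address outside 198.51.100.5 255.255.255.248
!   route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!   static (inside,outside) 198.51.100.6 192.168.1.10 netmask 255.255.255.255 0 0
!   access-list outside_access_in permit tcp any host 198.51.100.6 eq smtp

! Run this from a session on the INSIDE interface (console or inside PDM/telnet):
! changing the outside address or default route drops any session that arrived
! over the outside interface.
configure terminal

! 1) Remove statements that name the old public addresses before touching the interface
no access-list outside_access_in permit tcp any host 198.51.100.6 eq smtp
no static (inside,outside) 198.51.100.6 192.168.1.10 netmask 255.255.255.255 0 0
no route outside 0.0.0.0 0.0.0.0 198.51.100.1 1

! 2) New outside interface address ("ip address" overwrites the old one) and new default route
ip address outside 203.0.113.226 255.255.255.240
route outside 0.0.0.0 0.0.0.0 203.0.113.225 1

! 3) PAT: "global (outside) 1 interface" follows whatever the interface address is,
!    so it needs no change. Only a global that named the old address explicitly would:
!      no global (outside) 1 198.51.100.5
!      global (outside) 1 interface
!    The matching nat statement is unchanged either way:
!      nat (inside) 1 0.0.0.0 0.0.0.0 0 0

! 4) Mail server: one-to-one static on a new public address from the usable range .226-.238
!    (.226 is the interface itself, so the static uses .227)
static (inside,outside) 203.0.113.227 192.168.1.10 netmask 255.255.255.255 0 0

! 5) Inbound ACL must reference the new public address and stay bound to the outside interface
access-list outside_access_in permit tcp any host 203.0.113.227 eq smtp
access-group outside_access_in in interface outside

! 6) Flush translations and the ARP cache that still reference old addresses
clear xlate
clear arp

! 7) Verify, then commit. Until "write memory", a reload returns the configuration
!    saved in flash, which is the fallback while the old circuit is still live.
show route
show xlate
show arp
write memory
```

The same statements can be entered one at a time through Tools > Command Line Interface in PDM, which is how the "clear" commands are issued in the replies below; removing the old static before adding the new one matches item 5 in the answer above, since PIX will not accept a second static for the same inside host.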
11-23-2010 04:59 AM
After all the above changes, you would need to perform "clear xlate" and "clear arp".
Thank you, Jennifer. Can I issue those commands in the PDM interface somehow?
11-23-2010 07:15 AM
From tools, select Command Line Interface. Then type clear arp then click send. Same for clear xlate
11-23-2010 04:23 PM
husycisco wrote:
From tools, select Command Line Interface. Then type clear arp then click send. Same for clear xlate
Thank you much. Tomorrow at 10 am EST is my big cut over.
Just a few final questions
Thank you all. i'll let you know how it went. Hopefully a Happy Thanksgiving
Rob
11-24-2010 03:45 AM
I don't think that the order would matter, but remove the interface IP last. If you first remove it, the configuration bound to it, which you intend to remove, may become corrupt or removed. Doing these settings prior to connecting the modem would be suitable.
Remember to save your telnet or CLI session, so that you can revert in case.
11-24-2010 03:57 AM
husycisco wrote:
I don't think that the order would matter, but remove the interface IP last. If you first remove it, the configuration bound to it, which you intend to remove, may become corrupt or removed. Doing these settings prior to connecting the modem would be suitable.
Remember to save your telnet or CLI session, so that you can revert in case.
Thank you - the sequence honestly is still a bit confusing to me. I have researched this morning, and it appears, when I set up the new IP information, that I start with the Outside Interface (inside wouldn't change), then Static Route. I am still not 100% certain how the "Host/Network" (outside network) comes into play (looking at my IP addresses in other posts, it is the x.x.x.224 address).
After I put in the Interface IP, does the pix automatically pick up the "Host/Network"? or is that something that I have to manually enter even before I setup the outside interface? In PDM, it is on the "Host/Network" tab which is a tab all to itself (Interface and Route are on the System Properties Tab)
Thanks - you mention saving your telnet or CLI session - but basically if I do not save my configuration to flash memory, I could simply reboot the device, or exit without a save, to bring my current configuration back, correct?
My current block of IPs will not be turned off for some time, so that is always my fallback - I can try and change today, if I can't go back to the settings I have now and hire a pro
11-22-2010 03:59 PM
Hello Robert,
If the PAT is issued via the "global (outside) 1 interface" command, you won't have to change anything about NAT/PAT. Otherwise, it has to be changed as you stated.
Your primary concern will be to change the default route, which would probably be stated as "route outside 0.0.0.0 0.0.0.0 x.x.x.x". Simply remove the current route by adding "no" to the beginning, then add the new one with the new default gateway.
At the end, connect via command line (don't worry, I won't ask you to do configurations here), type enable, enter your password, and when the prompt changes to hostname#, run the "clear xlate" and "clear arp" commands.
During EVERY change, your syslog server that you are watching live is your best friend.
Regards