10-25-2004 09:25 AM - edited 03-09-2019 09:12 AM
Hi,
I need someone's help with this one. Our ISP decided to change my public IP addresses over the weekend. I had no trouble changing them on my PIX 515E firewall, but I have a question nonetheless. Is there a special way to change the IP of an access list that deals with a VPN connection? Or can you just change it without causing problems? Here is a copy of the config of my access list:
access-list inside_outbound_nat0_acl permit ip interface inside 192.168.0.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip any 192.168.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 192.168.0.0 255.255.255.224
access-list outside_cryptomap_20 permit ip host (Public IP) SAP 255.255.255.252
access-list polyplan_remote_splitTunnelAcl permit ip 192.168.0.0 255.255.255.0 any
access-list acl-out2 permit tcp any host (Public IP) eq smtp
access-list acl-out2 permit tcp any host (Public IP) eq www
access-list acl-out2 permit tcp any host (Public IP) eq pop3
Any input would be greatly appreciated.
Thanks
10-25-2004 10:10 AM
Are you referring to this acl entry?
access-list outside_cryptomap_20 permit ip host (Public IP) SAP 255.255.255.252
If so, then if you have an entry using the old public ip address, then you can add another entry using the new public ip address and then remove the other entry. The crypto settings on your pix should dynamically build SAs using the new public ip address when interesting traffic arrives.
However the remote end may need to do an adjustment to match your new address, unless it is doing wildcard address masks, or unless your pix is an ez-vpn client to a remote vpn peer.
Let me know if this helps.
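The add-then-remove order described in the reply above, as an added example that is not part of the original thread: a small Python helper that reads PIX access-list lines and emits the new entries first, followed by the "no" form of each old entry. The function names and the addresses (203.0.113.10 as the old IP, 198.51.100.10 as the new one) are assumptions made for illustration.

```python
import re

# Constructed sample: ACL lines from the thread, with the "(Public IP)"
# placeholder replaced by a documentation address standing in for the old IP.
# The last line uses a different host on purpose (it must not be touched).
SAMPLE_CONFIG = """\
access-list inside_outbound_nat0_acl permit ip any 192.168.0.0 255.255.255.0
access-list outside_cryptomap_20 permit ip host 203.0.113.10 SAP 255.255.255.252
access-list acl-out2 permit tcp any host 203.0.113.10 eq smtp
access-list acl-out2 permit tcp any host 203.0.113.10 eq www
access-list acl-out2 permit tcp any host 203.0.113.100 eq pop3
"""


def plan_readdress(config, old_ip, new_ip):
    """Return (adds, removes) for every access-list entry naming old_ip."""
    # Match the address as a whole token, so 203.0.113.10 does not also
    # match inside 203.0.113.100.
    token = re.compile(r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])")
    adds, removes = [], []
    for line in config.splitlines():
        line = line.strip()
        if not line.startswith("access-list ") or not token.search(line):
            continue
        adds.append(token.sub(new_ip, line))   # entry with the new address
        removes.append("no " + line)           # removal of the old entry
    return adds, removes


def render(config, old_ip, new_ip):
    """Command list in the order given in the reply: add first, then remove."""
    adds, removes = plan_readdress(config, old_ip, new_ip)
    return "\n".join(adds + removes)


if __name__ == "__main__":
    print(render(SAMPLE_CONFIG, "203.0.113.10", "198.51.100.10"))
```

Review the generated commands before pasting them into the firewall; the helper only rewrites access-list lines and does not cover anything the remote peer has to change.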
10-25-2004 11:46 AM
Yes I was.
Thanks, I notified the remote end of the change and the connection seems to be working correctly. Thanks for the quick reply.