Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6670
Views
5
Helpful
4
Replies

exchange interfaces on Cisco ASA

gdspa
Level 1
Level 1

‎12-27-2010 05:05 AM - edited ‎02-21-2020 04:11 AM

Hi all,

I have this configuration:

interface Ethernet0/0
nameif outside
security-level 0
ip address x.x.x.x 255.255.255.224 standby x.x.x.y

interface Ethernet0/2
nameif dmz
security-level 95
ip address y.y.y.y 255.255.0.0 standby y.y.y.z

Ethernet0/0 is a gigabit port, Ethernet0/2 is a 100Mbps port.

We would like to move dmz to the Ethernet0/0 and outside to Ethernet0/2.

I have acl and nat rules that refer to the 2 interfaces.

Do I need only to copy in the running config a config with this lines?

interface Ethernet0/0
  nameif dmz

interface Ethernet0/2
  nameif outside

Can anyone suggest a solution?

0 Helpful
4 Replies 4

fadlouni
Level 1
Level 1

‎01-02-2011 03:33 AM

Hi.

The commands you want to do won't work. when you type on eth0/0 "nameif dmz" it will tell you there is another interface with that name and rejects it. same with the other interface.

and if at any time you do a "no nameif", then you'll lose any config mentioning that interface name.

I'm afraid there is no easy way to do this. you'll have to do the interface name change, and update everything in your config that references those names. including repasting access-group commands, and readding your nat statements.

Regards,

Fadi.

Does this answer the question? if yes please mark it as answered.

0 Helpful

gdspa
Level 1
Level 1
In response to fadlouni

‎01-04-2011 07:30 AM

And if I save a new config with the interface names changed on the startup config and reload firewall?

In this case I don't have 2 interface with the same name, do I?

0 Helpful

fadlouni
Level 1
Level 1
In response to gdspa

‎01-04-2011 07:32 AM

yes that should work.

Regards,

Fadi.

0 Helpful

Todd Pula
Level 7
Level 7
In response to gdspa

‎01-04-2011 02:27 PM

I just tested this on  my ASA.  Changing the interface name using the  "nameif" command will update the associated NAT and access-group  commands that reference the named interface.  Another option would be to change one of the interfaces to a  bogus name so that you don't hit the restricition of having a unique  name per interface.  This will allow you to swing the names around.  You will still need to change the interface IPs around.  Depending on how complex your firewall config is, your proposed approach will also work.  Make sure you leave a good working backup in flash so that you can easily roll back.

Todd

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card