Change Interfaces

laurabolda
Level 1

I set up port 0 as an Inside interface and port 1 as an Outside interface.  I would like to switch them (port 0 = outside, port 1 = inside).  Do I connect to the ASA through the Console Port or Management Port to make this change?  I was connecting through SSH and the ASA did not allow me to save this change.  Thanks.


18 Replies

Jennifer Halim
Cisco Employee

Console port would be the best option as you are changing the interfaces around, and console connection will not affect your communication to the ASA itself.

If you're modifying parameters on an interface (which you're connected to), you need to be careful not to lose connectivity to the Firewall (in case you have a remote session).

It has happened to me before to get locked-out of the ASA because of this, so if you are physically in the same location of the ASA, better to use the console connection.

If you have more than one interface that you can SSH into, then you can modify the other interface without any problem.

Normally, the rule is to use port 0 for outside and port 1 for inside as you mentioned.

Federico.

I was able to change the interfaces (inside to outside and outside to inside) and the IP addresses and save the config.  I also switched the cables.   I was able to ping all the internal servers.  However, I am not able to get on the internet.  I used to be able to SSH to the outside interface of the ASA.  I can no longer get to the outside interface of the ASA.  Is there something else that I need to do? Thanks.

After changing the inside to outside interface and outside to inside interface and the IP addresses, everything that is "inside" is changed to "outside" and the "outside" is changed to "inside" by themselves.   Then, I changed everything back.  Still, I cannot get on the internet.  I still cannot log in through VPN client either from any groups.  When I connect through VPN client, I get the error message "Secure VPN client terminated locally by the client.  Reason: 412:  The remote peer is no longer responding".    However, I can ping all internal servers.  Everything was working until I changed the interfaces.  Attached is the config.  Thanks.

Hi Laura,

Check if you have internet access from the ASA itself.

From the ASA itself:

ASA# ping 4.2.2.2

Check if you receive results.

If Internet is fine from the ASA, try the same thing from a computer behind the ASA.

If it does not work, do a traceroute and check the path of the packet.

Federico.

I apologize for my error.  For some reason, I am now able to get on the internet.  I guess it takes a while for the servers to recognize the changes. I am sorry for the trouble that you went through.   However, I am still unable to log in to the VPN client.  I still get the 412 error message.  I created a new group and still got the same error.  Do you have any suggestions?  Thanks.

To which VPN group are you connected?

To easily resolve the issue, please post the output of:

sh cry isa sa

sh cry ips sa

When attempting to establish the tunnel from the VPN client.

Federico.

I tried all the groups.  When I typed "sh cry isa sa", I got the message "There are no isakmp sas".  When I typed "sh cry ips sa", I got the message "There are no ipsec sas".  Thanks.

The VPN traffic is not even getting to the ASA.

I think the problem is that the crypto map is applied to the inside interface.

Remove these commands, and reapply them to the outside interface:

no crypto map Outside_map interface Inside
no crypto isakmp enable Inside

crypto map Outside_map interface Outside
crypto isakmp enable Outside

Please try again.

Federico.

Thanks Federico.  You solved my problems again!!!  Those commands fixed the VPN authentication.  Thank you very much for your time.

Laura

May I ask you another question?  Does the order of the NAT statements make any difference?  Would you put the NAT (inside) first, before NAT (Outside)?

nat (Outside) 1 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0

Thanks.

Laura

The order does not matter. What matters is the identifier, for example NAT 1, NAT 2, etc.

Actually, why do you have a nat (outside) command?

This is normally used if you want to give Internet access to your VPN clients, is that the case?

Federico.

I want the VPN users to have access to the internet while logging in to VPN client.  That is why NAT (outside) was setup.  Since I setup Split-tunneling, the internet access does not go through my system while users are logging in to VPN client.  Let me know if you would set it up differently.  Thanks.

If the Internet traffic from the VPN clients does not go through the ASA (split-tunneling enabled), then you don't need the nat (outside) statement.

You can make sure by looking at your VPN client and checking the route details tab under statistics (while connected) and see the protected routes.

If you see 0.0.0.0 0.0.0.0 it means there's no split-tunneling. If you get a network or networks, it means you do have split-tunneling and therefore you can remove the nat (outside) statement.

Let me know how it goes.

Federico.
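The three points made in this thread (config lines follow the nameif, so changing the interface you are connected through can lock you out; the crypto map and isakmp must be bound to the outside interface for the VPN client to get through; nat (outside) for the VPN pool only matters when the clients do not split-tunnel) can all be checked offline against a copy of the running-config before you touch the box. The script below is an added example, not code from this thread or from Cisco. The config text in it is constructed: Outside_map, nonat and the 192.168.101.0/24 pool follow the thread, while the interface names, addresses and the RemoteUsers group-policy are assumptions. It assumes the pre-8.3 nat/global syntax the thread uses.

```python
"""Added example (not from the thread or Cisco): offline checks on a pre-8.3
Cisco ASA running-config around an inside/outside interface swap.

  lines_bound_to()      top-level lines that follow a nameif (what you lose,
                        including your own ssh line, if you change that
                        interface while connected through it)
  check_vpn_bindings()  crypto map / isakmp on the Internet-facing interface?
                        is nat (outside) for the VPN pool actually used?
  rebind_commands()     the ASA commands to move crypto map / isakmp

Constructed config: Outside_map, nonat and 192.168.101.0/24 follow the thread;
interface names, addresses and the group-policy name are assumptions.
"""
import re

SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
access-list nonat extended permit ip 192.168.100.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
nat (Outside) 1 192.168.101.0 255.255.255.0
nat (Inside) 0 access-list nonat
nat (Inside) 1 0.0.0.0 0.0.0.0
global (Outside) 1 interface
crypto map Outside_map interface Inside
crypto isakmp enable Inside
ssh 192.168.100.0 255.255.255.0 Inside
ssh 198.51.100.0 255.255.255.0 Outside
group-policy RemoteUsers internal
group-policy RemoteUsers attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
"""


def parse_interfaces(config):
    """Map nameif -> security-level from the interface stanzas."""
    ifaces, nameif, level = {}, None, None
    for line in config.splitlines() + ["!"]:
        if not line.startswith(" "):          # any top-level line ends a stanza
            if nameif is not None:
                ifaces[nameif] = level
            nameif = level = None
            continue
        tok = line.split()
        if tok and tok[0] == "nameif":
            nameif = tok[1]
        elif tok and tok[0] == "security-level":
            level = int(tok[1])
    return ifaces


def outside_interface(config):
    """The lowest security-level is the Internet-facing side, whatever its name."""
    ifaces = parse_interfaces(config)
    return min(ifaces, key=ifaces.get)


def lines_bound_to(config, nameif):
    """Top-level lines that reference the nameif as a whole word
    (nat, global, ssh, crypto map ...; the stanza's own 'nameif' line is indented)."""
    ref = re.compile(r"\b%s\b" % re.escape(nameif))
    return [l for l in config.splitlines() if l and not l.startswith(" ") and ref.search(l)]


def check_vpn_bindings(config):
    """Return a list of findings; an empty list means the bindings are consistent."""
    outside = outside_interface(config)
    findings = []
    m = re.search(r"^crypto map (\S+) interface (\S+)", config, re.M)
    if m is None:
        findings.append("no crypto map bound to any interface")
    elif m.group(2) != outside:
        findings.append(f"crypto map {m.group(1)} is bound to {m.group(2)}, not {outside}")
    enabled = re.findall(r"^crypto isakmp enable (\S+)", config, re.M)
    if outside not in enabled:
        findings.append(f"isakmp not enabled on {outside} (enabled on {enabled or 'nothing'})")
    # nat (outside) for the VPN pool only does work when clients send all traffic
    # through the tunnel (tunnelall, also the default when no group-policy sets a
    # split-tunnel-policy) and the ASA hairpins it back out the same interface.
    nat_out = re.findall(r"^nat \(%s\) \d+ (\S+ \S+)" % re.escape(outside), config, re.M)
    policies = re.findall(r"^ split-tunnel-policy (\S+)", config, re.M)
    tunnel_all = not policies or "tunnelall" in policies
    if nat_out and not tunnel_all:
        findings.append(f"nat ({outside}) {nat_out[0]} is unused: every group-policy split-tunnels")
    if nat_out and tunnel_all and "same-security-traffic permit intra-interface" not in config:
        findings.append("hairpinning VPN-client Internet traffic also needs "
                        "'same-security-traffic permit intra-interface'")
    return findings


def rebind_commands(config):
    """ASA commands that move the crypto map and isakmp onto the outside interface."""
    outside = outside_interface(config)
    cmds = []
    m = re.search(r"^crypto map (\S+) interface (\S+)", config, re.M)
    if m and m.group(2) != outside:
        cmds += [f"no crypto map {m.group(1)} interface {m.group(2)}",
                 f"crypto map {m.group(1)} interface {outside}"]
    enabled = re.findall(r"^crypto isakmp enable (\S+)", config, re.M)
    cmds += [f"no crypto isakmp enable {i}" for i in enabled if i != outside]
    if outside not in enabled:
        cmds.append(f"crypto isakmp enable {outside}")
    return cmds


if __name__ == "__main__":
    for name in ("Inside", "Outside"):
        print(f"bound to {name}:", *lines_bound_to(SAMPLE_CONFIG, name), sep="\n  ")
    print(*check_vpn_bindings(SAMPLE_CONFIG), sep="\n")
    print(*rebind_commands(SAMPLE_CONFIG), sep="\n")
```

Run it against `show running-config` output saved to a file before an interface change: if the ssh line for your own session shows up under lines_bound_to() for the interface you are about to rename, do the change from the console. On the constructed config, rebind_commands() produces exactly the four commands Federico gave above, and once they are applied the only remaining finding is the unused nat (Outside) entry for the split-tunnelling VPN pool.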
