Solved: Re: Change IP Address of Outside Interface

dianewalker · ‎05-19-2010

I need to change the IP address of the Outside interface remotely. I plan to SSH in to the ASA and make a change. I can't be on site to make this change since the site is out of state. Will there be any problems? The current config is

interface Ethernet0/0
nameif Outside
security-level 0
ip address 66.102.7.22 255.255.255.248

The new IP address will be 66.102.7.18 255.255.255.248. Also, is this the correct syntax?

interface Ethernet 0/0

no ip address 66.102.7.22 255.255.255.248

ip address 66.102.7.18 255.255.255.248

Thanks.

Diane

Federico Coto Fajardo · ‎05-19-2010

Diane,

If you're accessing the ASA via its public IP on its outside interface, and if you change this IP, you will lose communication with the ASA.

It's better if you can do the change from the inside.

If you definitely need to change it remotely, you can change the IP and then attempt the SSH connection on the new IP.

However if something goes wrong, you can then not access the ASA.

The syntax is correct.

Federico.

View solution in original post

Jon Marshall · ‎05-19-2010

dianewalker wrote:

I need to change the IP address of the Outside interface remotely. I plan to SSH in to the ASA and make a change. I can't be on site to make this change since the site is out of state. Will there be any problems? The current config is

interface Ethernet0/0
nameif Outside
security-level 0
ip address 66.102.7.22 255.255.255.248

The new IP address will be 66.102.7.18 255.255.255.248. Also, is this the correct syntax?

interface Ethernet 0/0

no ip address 66.102.7.22 255.255.255.248

ip address 66.102.7.18 255.255.255.248

Thanks.

Diane

You can't do this remotely if the only way to ssh in is via the outside interface of the ASA. If you could enter via another interface on the ASA then you can do it remotely but otherwise you will need to either visit or talk someone else through it.

Jon

View solution in original post

Jon Marshall · ‎05-19-2010

coto.fusionet wrote:

Diane,

I'm sorry, listen to jon. As he said don't even try it.

This is because you can't change both the outside IP and the deafult gateway at the same time.

You will lose complete access to it.

Federico.

Federico

Actually the default-gateway doesn't need changing as the new address is in the same subnet so you could take the chance. I am just wary of making these sort of changes as i have done it before and sometimes it has worked and sometimes it hasn't.

Jon

View solution in original post

StanDamen · ‎05-19-2010

TS, Frederico, Jon,

Maybe I'm crazy but is (or shouldnt) this be impossible?

First you do the "no ip address" command.

Since you use the IP you just removed, at this point you will already loose your connection.

Hence, your second command with the new IP will not be delivered to the ASA.

Which means you cannot access the ASA anymore from that point on, right?

Yours Sincerely,

Stan

View solution in original post

Jon Marshall · ‎05-20-2010

Stan

You don't do the "no ip address ...", you simply type in the new ip ie. "ip address . You will get disconnected but if the default-gateway is the same you should then be able to reconnect. But as i say i've had this work and not work for me.

And there is nothing worse than changing an IP of a device 100s of miles away and then not being able to reconnect. You need a fast way of getting there or an updated CV

Jon

View solution in original post

Federico Coto Fajardo · ‎05-19-2010

Diane,

If you're accessing the ASA via its public IP on its outside interface, and if you change this IP, you will lose communication with the ASA.

It's better if you can do the change from the inside.

If you definitely need to change it remotely, you can change the IP and then attempt the SSH connection on the new IP.

However if something goes wrong, you can then not access the ASA.

The syntax is correct.

Federico.

dianewalker · ‎05-19-2010

Thanks Federico and Jon. I have another dumb question. If I login to Cisco VPN client and then SSH to the Outside interface, would I still be able to change the IP address? I can't be on site since the ASA is out of state. If I still can't change the IP address of the Outside interface remotely, I will need to ask the local user to connect to the ASA through the Console port. Then, I will need to give him the Enable password. Looks like I have no choice but to ask the local user for help.

Thanks.

Diane

Federico Coto Fajardo · ‎05-19-2010

You cannot do that.

The reason is because when you connect with the VPN client, you're connecting through the outside interface.

So, even if you connect with the VPN client, you will still lose connectivity if changing the IP.

As jon said, if the new IP is on the same subnet as the old IP, then you might give it a try.

However the recommendation is to do it from the inside.

Federico.

Jon Marshall · ‎05-19-2010

dianewalker wrote:

I need to change the IP address of the Outside interface remotely. I plan to SSH in to the ASA and make a change. I can't be on site to make this change since the site is out of state. Will there be any problems? The current config is

interface Ethernet0/0
nameif Outside
security-level 0
ip address 66.102.7.22 255.255.255.248

The new IP address will be 66.102.7.18 255.255.255.248. Also, is this the correct syntax?

interface Ethernet 0/0

no ip address 66.102.7.22 255.255.255.248

ip address 66.102.7.18 255.255.255.248

Thanks.

Diane

You can't do this remotely if the only way to ssh in is via the outside interface of the ASA. If you could enter via another interface on the ASA then you can do it remotely but otherwise you will need to either visit or talk someone else through it.

Jon

Federico Coto Fajardo · ‎05-19-2010

Diane,

I'm sorry, listen to jon. As he said don't even try it.

This is because you can't change both the outside IP and the deafult gateway at the same time.

You will lose complete access to it.

Federico.

Jon Marshall · ‎05-19-2010

coto.fusionet wrote:

Diane,

I'm sorry, listen to jon. As he said don't even try it.

This is because you can't change both the outside IP and the deafult gateway at the same time.

You will lose complete access to it.

Federico.

Federico

Actually the default-gateway doesn't need changing as the new address is in the same subnet so you could take the chance. I am just wary of making these sort of changes as i have done it before and sometimes it has worked and sometimes it hasn't.

Jon

Federico Coto Fajardo · ‎05-19-2010

Yup! agreed...

Diane... please don't do it ;p

Federico.

StanDamen · ‎05-19-2010

TS, Frederico, Jon,

Maybe I'm crazy but is (or shouldnt) this be impossible?

First you do the "no ip address" command.

Since you use the IP you just removed, at this point you will already loose your connection.

Hence, your second command with the new IP will not be delivered to the ASA.

Which means you cannot access the ASA anymore from that point on, right?

Yours Sincerely,

Stan

Jon Marshall · ‎05-20-2010

Stan

You don't do the "no ip address ...", you simply type in the new ip ie. "ip address . You will get disconnected but if the default-gateway is the same you should then be able to reconnect. But as i say i've had this work and not work for me.

And there is nothing worse than changing an IP of a device 100s of miles away and then not being able to reconnect. You need a fast way of getting there or an updated CV

Jon

AbteenZ · ‎05-28-2019

You can always use

reload in mm

where mm is the minutes you like the device to reload after and make your changes and if it didn't work as intended, the device would reload from the startup config.

Just make sure to not copy the running config to the nvram before making sure everything is working fine.