cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
779
Views
0
Helpful
7
Replies

Changing the Server IP in a ASA 5505?

imtwTech1
Beginner
Beginner

                   Hi everyone, I know know nothing about cisco devices. Just wanted to get that out there. I recently came to a job that has a 5505 setup as the network gateway, and as a vpn for employees to work from home via the Cisco VPN remote client program. We had one main server that was domain controller, dns, and dhcp. It was a old 03 box, and I setup a new 08 r2 box on a different IP, and migrated all the above functions to it. Old server was a xxx.xxx.xxx.31, new server xxx.xxx.xxx.6. I found the java ASDM program(6.1) and connected to the ASA, and I have changed .31 to .6 in as many places as I can find, however, vpn clients on the outside can no longer connect to their desktops, as when i open a command prompt on their computer, the only IP they can ping is xxx.xxx.xxx.31, pinging xxx.xxx.xxx.6, or any other address fails. I'm guessing maybe it's in the firewall of the asa, but have no ideal really. Was there anything else I was suppose to do? Someplace I overlooked? I have done save to flash, and reload current, but not a physical power reset since I made the changes.

Thank-you.

1 Accepted Solution

Accepted Solutions

That new server (.6), does it have any windows firewall that might be blocking inbound access? Pls kindly check on the server itself.

If you can still ping the old server (.31), then the configuration on the ASA doesn't really matter much as it has been configured to allow subnet (192.168.0.0/24).

View solution in original post

7 Replies 7

Jennifer Halim
Cisco Employee
Cisco Employee

Pls kindly share the current configuration so we can go through to see if there is any missing ones.

Output of "show run" would give us the whole configuration file.

ASA Version 8.0(3)
!
hostname asa5505
domain-name imt.local
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 192.168.10.0 VPN_Clients
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.0.2 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address xx.xxx.xxx.xxx 255.255.255.252
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa803-k8.bin
ftp mode passive
clock timezone CST -6
clock summer-time CDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.0.6
name-server 192.168.0.30
domain-name imt.local
access-list inside_access_in extended permit icmp any any echo
access-list inside_access_in extended permit icmp any any echo-reply
access-list inside_access_in extended permit icmp any any unreachable
access-list inside_access_in extended permit icmp any any time-exceeded
access-list inside_access_in extended permit ip any any
access-list inside_access_in remark Portal.cat.com
access-list inside_access_in extended permit tcp any any eq ftp
access-list inside_access_in remark SFTP / ftps
access-list inside_access_in extended permit tcp any any eq ssh
access-list imtw_splitTunnelAcl standard permit 192.168.0.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 VPN_Clients 255.255.255.0
access-list outside_access_in extended permit tcp any any eq 10000
access-list outside_access_in extended permit icmp any any echo
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in remark portal.cat.com
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in remark FTPS SFTP port 22 open
access-list outside_access_in extended permit tcp any any eq ssh
pager lines 24
logging enable
logging asdm debugging
mtu inside 1500
mtu outside 1500
ip local pool IMTW-Pool VPN_Clients-192.168.10.10 mask 255.255.255.0
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xxx 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
webvpn
  file-browsing enable
aaa-server data protocol nt
aaa-server data host 192.168.0.6
nt-auth-domain-controller dominion
aaa-server data host 192.168.0.31
nt-auth-domain-controller 192.168.0.6
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 209.37.141.0 255.255.255.0 outside
http 98.214.199.11 255.255.255.255 outside
http 192.168.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set strong esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto dynamic-map dynmap 1 set transform-set strong
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 strong
crypto map outside_map 65535 ipsec-isakmp dynamic dynmap
crypto map IMTW 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map IMTW interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
vpn-addr-assign local reuse-delay 5
telnet timeout 5
ssh 192.168.0.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
dhcpd dns 192.168.0.6
dhcpd auto_config outside
dhcpd update dns
!
dhcpd update dns interface outside
!

threat-detection basic-threat
threat-detection statistics
ntp server 192.168.0.31 source inside
webvpn
enable outside
svc image disk0:/anyconnect-win-2.2.0136-k9.pkg 1
svc enable
port-forward Portal www data www Office Portal Server
port-forward Portal 81 Data www Remote Server
tunnel-group-list enable
internal-password enable
group-policy DfltGrpPolicy attributes
banner value #####################################################################
banner value #     Access to this computer network is STRICTLY controlled        #
banner value # by Illinois Machine & Tool Works. Unauthorized use or abuse of    #
banner value #                  this resource is prohibited.                     #
banner value #####################################################################
wins-server value 192.168.0.6
dns-server value 192.168.0.6
vpn-simultaneous-logins 10
vpn-idle-timeout 60
vpn-tunnel-protocol l2tp-ipsec svc
group-lock value imtw
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value imtw_splitTunnelAcl
default-domain value imt.local
user-authentication enable
address-pools value IMTW-Pool
webvpn
  svc ask enable
group-policy imtw internal
group-policy imtw attributes
vpn-tunnel-protocol IPSec svc webvpn
username Richard.Hedge password 49vTa2sQObBZbJbJ encrypted
tunnel-group DefaultWEBVPNGroup general-attributes
address-pool IMTW-Pool
tunnel-group imtw type remote-access
tunnel-group imtw general-attributes
address-pool (inside) IMTW-Pool
address-pool IMTW-Pool
tunnel-group imtw webvpn-attributes
group-alias IMTW enable
tunnel-group imtw ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 900 retry 2
tunnel-group Clientless type remote-access
tunnel-group Clientless webvpn-attributes
group-alias Clientless enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny 
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ipsec-pass-thru
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:12eb3f9a79c04d7157dfa22448226234
: end
asdm image disk0:/asdm-613.bin
asdm history enable

I see where a NTP server still shows .31, and I also wanted to point out that I added .06 as a AAA server along side the .31, but testing of the aaa server fails. .31 is still up as a file server, I didn't remove it for fear that I would loose connection to it all together. Thanks

This line is incorrect:

ip local pool IMTW-Pool VPN_Clients-192.168.10.10 mask 255.255.255.0

VPN_Clients is a name and it is 192.168.10.0, the IP Pool should start with a valid address, ie: 192.168.10.1

Pls kindly change the pool to be:

ip local pool IMTW-Pool 192.168.10.1-192.168.10.10 mask 255.255.255.0

Ok, I updated the pool. I don't believe that suggestion was intended to fix the problem. I have also power cycled the device. Next idea?

That new server (.6), does it have any windows firewall that might be blocking inbound access? Pls kindly check on the server itself.

If you can still ping the old server (.31), then the configuration on the ASA doesn't really matter much as it has been configured to allow subnet (192.168.0.0/24).

I'm such an idiot, it was the new endpoint protection firewall blocking requests that came in over the vpn. .6 had recieved the update, .31 had not. Thanks for checking my work none the less.      

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: