What do we need to do when changing the external interface IP address on an ASA, and what common issues should we watch for after the change? In the following document from the Cisco Support Community, a Cisco user shares a sample configuration for changing the external interface IP address on an ASA. Let’s have a look!
Configuration
To change the external IP address, enter interface configuration mode for the external interface and enter the new IP address as shown below:
hostname(config)# interface {physical_interface[.subinterface] | mapped_name}
hostname(config-if)# ip address new_ip_address [mask]
(re-entering the ip address command with the new address replaces the old one)
Also, if the default gateway changes, update the default route so that it points to the new next hop.
To define the new default route, enter the following command:
hostname(config)# no route if_name 0.0.0.0 0.0.0.0 x.x.x.x
hostname(config)# route if_name 0.0.0.0 0.0.0.0 y.y.y.y
where if_name is the external interface name
x.x.x.x is the ip address of the old default gateway
y.y.y.y is the ip address of the new default gateway
Common Issues:
Unable to Access the Internet
After changing the IP address on the external interface of the ASA, if internal users are unable to access the web, check that the device upstream of the ASA (the next hop) has an ARP entry mapping the ASA's new IP address to the ASA's MAC address. If it does not, clear the stale ARP cache entry on the next hop so that it learns the new IP address of the ASA.
VPN-related Issues
1. Site-to-site VPN:
For site-to-site VPN, the peer/remote ASA needs to reflect the new IP of the ASA.
For example, if we have an existing lan-to-lan VPN between two sites, ASA1 (external ip address 1.1.1.1) and ASA 2 (external ip address 2.2.2.2) and if the external interface ip address for ASA 1 is changed to 3.3.3.3, the following changes need to be made on ASA 2:
First, we need to remove the crypto map entry on ASA 2 corresponding to the old external ip address of ASA 1:
ASA2(config)# no crypto map <crypto-map-name> <id> set peer 1.1.1.1
ASA2(config)# crypto map <crypto-map-name> <id> set peer 3.3.3.3
Second, a new tunnel-group needs to be configured under which the pre-shared key for ASA 1’s new IP address will be stored:
ASA2(config)# tunnel-group 3.3.3.3 type ipsec-l2l
ASA2(config)# tunnel-group 3.3.3.3 ipsec-attributes
ASA2(config-tunnel-ipsec)# pre-shared-key <preshared-key>
Following this, the old tunnel-group reflecting the old external IP address of ASA 1 can be deleted by issuing the command:
ASA2(config)# clear configure tunnel-group 1.1.1.1
2. Remote-access VPN:
Ensure that the VPN clients connect to the ASA using its new external interface IP address and not the old one.
NOTE: For obvious reasons, do not change the external interface IP address of an ASA that you are managing remotely through that interface: the change will drop your management session and you may lose access to the device.
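As an added example (not part of the Cisco document or of this post), the Python below audits a saved copy of the peer ASA's running configuration for lines that still reference the old external IP after the change (stale crypto map peers, tunnel-groups, routes, ACLs) and generates the ASA 2 command sequence described above. The configuration excerpt and the crypto map name outside_map are constructed for the example.

```python
import re

# Constructed running-config excerpt for the peer (ASA 2 in the text), still
# carrying references to ASA 1's old external IP 1.1.1.1. Line 4 is a decoy:
# 1.1.1.10 contains the old address as a substring but is a different host.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 ip address 2.2.2.2 255.255.255.0
name 1.1.1.10 unrelated-host
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
access-list outside_cryptomap extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
"""


def find_stale_references(config_text, old_ip):
    """Return (line_number, line) for every line that still names old_ip.

    The address must appear as a whole token: lookarounds reject digits or
    dots on either side, so 1.1.1.10 or 11.1.1.1 do not count as matches.
    """
    pattern = re.compile(r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])")
    return [(n, line) for n, line in enumerate(config_text.splitlines(), 1)
            if pattern.search(line)]


def peer_update_commands(crypto_map, seq, old_ip, new_ip):
    """Command sequence from the text for the peer ASA: re-point the crypto map
    entry, create the new tunnel-group, then remove the old one. The PSK is a
    placeholder; on ASA 8.4 and later the attribute is 'ikev1 pre-shared-key'."""
    return [
        f"no crypto map {crypto_map} {seq} set peer {old_ip}",
        f"crypto map {crypto_map} {seq} set peer {new_ip}",
        f"tunnel-group {new_ip} type ipsec-l2l",
        f"tunnel-group {new_ip} ipsec-attributes",
        " pre-shared-key <PRESHARED-KEY>",
        f"clear configure tunnel-group {old_ip}",
    ]


if __name__ == "__main__":
    for number, line in find_stale_references(SAMPLE_CONFIG, "1.1.1.1"):
        print(f"stale reference at line {number}: {line}")
    print("\n".join(peer_update_commands("outside_map", 10, "1.1.1.1", "3.3.3.3")))
```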
Related Information:
1. Configuring Interface Parameters: https://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intparam.html