Nov 5, 2012

Changing ISP through the outside interface

Sometimes the only way to get into the firewall management console is through the outside interface. If you have no console connection or management access to an internal interface, and you need to change the external IP address (the same one used for SSH), then you have to set up SLA Monitor to recover management access after changing the external IP address.

Current configuration:

interface FastEthernet0/0
 ip address OLD_IP OLD_MASK
route outside 0 0 OLD_GW 1

You need a temporary configuration that tracks the current default route with SLA Monitor and adds the new gateway as a higher-metric backup route:

sla monitor 1
 type echo protocol ipIcmpEcho OLD_GW interface outside
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0 0 OLD_GW 1 track 1
no route outside 0 0 OLD_GW 1
route outside 0 0 NEW_GW 10

Now you can change the external IP address, swap the cable, and connect to the new ISP's router:

interface FastEthernet0/0
 ip address NEW_IP NEW_MASK

At this point you lose SSH access. Once the cable is on the new ISP, the SLA Monitor status changes to DOWN, because the firewall no longer receives echo replies from the old gateway. The old default route is no longer valid, so it is removed from the routing table. The firewall then uses the new default route (pointing to the new gateway) and you have SSH access on the outside interface again.
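As an added illustration (not from the original post), here is a small Python model of why the sequence works and why the "no route outside 0 0 OLD_GW 1" step matters. It assumes the ASA installs untracked static routes unconditionally, installs tracked ones only while the track object is up, and forwards over the lowest-metric installed default route.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class StaticRoute:
    """One 'route outside 0 0 <gw> <metric> [track <id>]' line."""
    gateway: str
    metric: int
    track: Optional[int] = None  # None = untracked, always installed


def installed_routes(routes: List[StaticRoute],
                     track_up: Dict[int, bool]) -> List[StaticRoute]:
    """Routes kept in the routing table: untracked routes always,
    tracked routes only while their SLA track object reports reachability."""
    return [r for r in routes
            if r.track is None or track_up.get(r.track, False)]


def active_default(routes: List[StaticRoute],
                   track_up: Dict[int, bool]) -> Optional[str]:
    """Gateway of the lowest-metric installed default route (None if none)."""
    cand = installed_routes(routes, track_up)
    return min(cand, key=lambda r: r.metric).gateway if cand else None


def simulate_isp_change(remove_untracked_old: bool) -> Tuple[str, str]:
    """Gateway in use before and after the cable swap.

    Track 1 is UP while OLD_GW answers the ICMP echo probes and DOWN once
    the outside cable is on the new ISP's router. Gateway names are the
    placeholders from the post; the metrics are the ones the post uses."""
    routes = [
        StaticRoute("OLD_GW", 1, track=1),  # route outside 0 0 OLD_GW 1 track 1
        StaticRoute("NEW_GW", 10),          # route outside 0 0 NEW_GW 10
    ]
    if not remove_untracked_old:
        # 'no route outside 0 0 OLD_GW 1' was skipped: an untracked metric-1
        # route to the old gateway is still present and never withdrawn.
        routes.append(StaticRoute("OLD_GW", 1))
    before = active_default(routes, {1: True})
    after = active_default(routes, {1: False})
    return before, after


if __name__ == "__main__":
    print("correct procedure :", simulate_isp_change(True))   # ('OLD_GW', 'NEW_GW')
    print("untracked old kept:", simulate_isp_change(False))  # ('OLD_GW', 'OLD_GW')
```

With the untracked old route left in place, the firewall keeps forwarding to the unreachable old gateway after the swap, which is exactly the lockout the tracked route is meant to avoid.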

Remove the temporary and old configuration:

no route outside 0 0 OLD_GW 1 track 1
clear conf track 1
clear conf sla monitor 1
route outside 0 0 NEW_GW 1

Now you can save the configuration.

It's a good idea to clear xlate afterwards, so that all connections are forced to use the new external address as the public address (if you have NAT overload).

If you don't have physical access to the firewall and would not be able to reload it if anything goes wrong, it's also a good idea to schedule a reload before making any change, so that the old startup configuration is recovered automatically:

reload in 10 noconfirm quick

If you lose connectivity entirely, the firewall will reboot after 10 minutes and load the startup configuration. If everything is working fine, you can cancel the reload:

reload cancel

asa(config)# end
asa# wr mem

1 comment:

  1. That was a neat trick but we do this a little simpler. We create a config file with the changes we need to configure and upload it to the ASA. Then I run:

    copy disk0:/filename running-config

    It will only change the rows specified in the file :)