Changing IP addresses on a PIX

An operation as simple as changing the IP address of one of the interfaces of a PIX (e.g. when switching to a different ISP) can be tricky.

You just need to stick to the following steps:

  1. Change the IP address and the default route (A.B.C.E is the new gateway), if applicable:
    ip address outside A.B.C.D W.X.Y.Z
    route outside 0.0.0.0 0.0.0.0 A.B.C.E
  2. Reconfigure NAT and ACLs, if applicable.

  3. “Restart” the crypto map on the interface if the PIX serves as a VPN server:

    no crypto map map_name interface outside
    crypto map map_name interface outside

    If you don’t do this, during a VPN connection attempt the login window will pop up, but the connection process will hang on the “Securing communications channel…” stage (after which an error 412 window will pop up – “The remote peer is no longer responding.”).

  4. Regenerate the RSA certificates (you can display those currently used by the device with a show ca mypubkey rsa command):

    pix# configure terminal
    pix(config)# ca generate rsa key 1024
  5. Save the certificates in memory:
    pix(config)# ca save all
  6. Save the configuration:
    pix# write memory
