01-14-2020 07:11 AM
Hello,
We have a remote office that is changing ISPs and I just wanted to confirm the steps I would need to take in changing the firewall config for this to work. We are currently running an ASA 5516 and have a site-to-site VPN from the remote to the main office. Here's what I'm thinking needs to happen:
Is there anything else I'm missing?
Thanks
01-14-2020 07:23 AM
01-14-2020 07:36 AM
Thanks for the reply. When you say tunnel-group, are you just talking about the peer IP address in the connection profile? From what I read, you should just be able to add a secondary peer IP address under crypto maps and then delete the primary one once the secondary connection has been made. I was just curious if anyone has had any luck with this method.
01-14-2020 12:10 PM - edited 01-14-2020 12:19 PM
I did a similar migration. In my case I created the tunnel-group as a backup, but this did not resolve the issue. Then what I did was create a new tunnel. (Note: in my case I had an out-of-band management console to both boxes, HQ and Branch.) So I followed this config. Hope it makes sense to you.
Existing setup was:
ASA-1(config)# tunnel-group 123.123.123.123 type ipsec-l2l
ASA-1(config)# tunnel-group 123.123.123.123 ipsec-attributes
ASA-1(config-tunnel-ipsec)# remote-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# local-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
ASA-1(config-tunnel-ipsec)# exit
ASA-1(config)# crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
ASA-1(config)# crypto map CRYPTO-MAP 1 set peer 123.123.123.123
ASA-1(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
ASA-1(config)# crypto map CRYPTO-MAP interface outside
I pre-configured this in Notepad, and during the change window I created a new tunnel with the new public IP address:
ASA-1(config)# tunnel-group 1.1.1.1 type ipsec-l2l
ASA-1(config)# tunnel-group 1.1.1.1 ipsec-attributes
ASA-1(config-tunnel-ipsec)# remote-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# local-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
ASA-1(config-tunnel-ipsec)# exit
ASA-1(config)# crypto map CRYPTO-MAP 2 match address VPN-INTERESTING-TRAFFIC
ASA-1(config)# crypto map CRYPTO-MAP 2 set peer 1.1.1.1
ASA-1(config)# crypto map CRYPTO-MAP 2 set ikev2 ipsec-proposal VPN-TRANSFORM
ASA-1(config)# crypto map CRYPTO-MAP interface outside
Once the new tunnel is up and running you can delete the unused tunnel. You can also use the command clear configure tunnel-group 123.123.123.123.
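A way to stage that change ahead of the window, as an added example that is not from this thread: it reads the existing tunnel-group and crypto map entries for the old peer, clones them for the new peer under a free crypto map sequence number (so the old tunnel keeps working until the new one is verified), and emits the cleanup commands for afterwards. The sample config is constructed from the lines above; the cleanup uses the ASA command clear configure crypto map, which the thread does not mention.

```python
import re

# Constructed sample input: the "existing setup" from the thread, one command per line
# (ASA stores tunnel-group sub-commands indented under the ipsec-attributes line).
EXISTING_CONFIG = """\
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 remote-authentication pre-shared-key 1234567890
 local-authentication pre-shared-key 1234567890
 isakmp keepalive threshold 10 retry 2
crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
crypto map CRYPTO-MAP 1 set peer 123.123.123.123
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
crypto map CRYPTO-MAP interface outside
"""

def stage_peer_migration(config, old_peer, new_peer):
    """Return (staged, cleanup): staged adds a second tunnel-group and crypto map entry
    for new_peer; cleanup removes the old_peer entries once the new tunnel is verified."""
    tg_block, map_entries, map_name, old_seq, in_tg = [], {}, None, None, False
    for line in config.splitlines():
        if line.startswith(f"tunnel-group {old_peer} "):
            in_tg = line.endswith("ipsec-attributes")
            tg_block.append(line.replace(old_peer, new_peer))
        elif in_tg and line.startswith(" "):
            tg_block.append(line)  # sub-command (PSK, keepalive) copied unchanged
        else:
            in_tg = False
            m = re.match(r"crypto map (\S+) (\d+) (.*)", line)  # skips "... interface outside"
            if m:
                name, seq, rest = m.group(1), int(m.group(2)), m.group(3)
                map_entries.setdefault((name, seq), []).append(rest)
                if rest == f"set peer {old_peer}":
                    map_name, old_seq = name, seq
    if not tg_block or old_seq is None:
        raise ValueError(f"no tunnel-group/crypto map entry found for peer {old_peer}")
    # Next free sequence number in the same map: a new entry leaves the old one intact.
    new_seq = max(seq for (name, seq) in map_entries if name == map_name) + 1
    staged = tg_block + [f"crypto map {map_name} {new_seq} {rest.replace(old_peer, new_peer)}"
                         for rest in map_entries[(map_name, old_seq)]]
    cleanup = [f"clear configure crypto map {map_name} {old_seq}",
               f"clear configure tunnel-group {old_peer}"]
    return staged, cleanup

if __name__ == "__main__":
    staged, cleanup = stage_peer_migration(EXISTING_CONFIG, "123.123.123.123", "1.1.1.1")
    print("! change window\n" + "\n".join(staged))
    print("! after the new tunnel is up\n" + "\n".join(cleanup))
```

Paste the staged block during the window, confirm the new peer's IKEv2 SA is up, and only then apply the cleanup block.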
01-15-2020 07:09 AM - edited 01-15-2020 07:25 AM
Thanks for your response. I'm a little confused regarding your second config. You said you created a backup tunnel group but that didn't resolve the issue, but isn't that what you're doing in the second config? And regarding the peer address with the new IP, can't I just add that as a secondary in the current crypto map without adding a new one?
01-15-2020 09:05 AM
Hi. At the work change window I was trying to be over smart :) and did this config, which did not work.
Existing setup was:
ASA-1(config)# tunnel-group 123.123.123.123 type ipsec-l2l
ASA-1(config)# tunnel-group 123.123.123.123 ipsec-attributes
ASA-1(config-tunnel-ipsec)# remote-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# local-authentication pre-shared-key 1234567890
ASA-1(config-tunnel-ipsec)# isakmp keepalive threshold 10 retry 2
ASA-1(config-tunnel-ipsec)# exit
ASA-1(config)# crypto map CRYPTO-MAP 1 match address VPN-INTERESTING-TRAFFIC
ASA-1(config)# crypto map CRYPTO-MAP 1 set peer 123.123.123.123
ASA-1(config)# crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal VPN-TRANSFORM
ASA-1(config)# crypto map CRYPTO-MAP interface outside
At set peer I just changed the public peer IP address and expected it to work, which it did not. In order to make it work I had to create another tunnel-group and crypto map. Apologies for the confusion.
01-15-2020 01:25 PM
Ahhh, gotcha. Yeah, I was hoping I could just create a new tunnel group and change the peer IP address and be done with it.
01-15-2020 01:30 PM
All the best. Make sure you have a pre-config in Notepad in case you need to speed up due to the change window. All the best.