I copied a Cisco 5510 startup-config to an identical Cisco 5510.
After copying through tftp, I executed a reload.
Everything looks good. Line by line compare results are the same.
The problem is I can no longer use ASDM or SSH to interface with the Cisco 5510.
Telnet works fine.
I am fairly new to Cisco firewalls.
Can you share the VPN setup (crypto map and tunnel group you already have)? Change the IP peer to 188.8.131.52
This is the ASA that will need to change the peer IP; the other ASA config will stay pretty much the same, except for the new IP that we have received.
Everything else should stay the same.
So basically, we will move and I need to make sure I can still establish a site to site vpn.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 184.108.40.206
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
tunnel-group Pleasanton type remote-access
tunnel-group Pleasanton general-attributes
tunnel-group Pleasanton ipsec-attributes
tunnel-group 220.127.116.11 type ipsec-l2l
tunnel-group 18.104.22.168 ipsec-attributes
So only do the following. Let's say the new IP is 22.214.171.124:
clear configure tunnel-group 126.96.36.199
tunnel-group 188.8.131.52 type ipsec-l2l
tunnel-group 184.108.40.206 ipsec-attributes
pre-shared-key x.x.x.x
no crypto map outside_map 20 set peer 220.127.116.11
crypto map outside_map 20 set peer 18.104.22.168
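An added example, not part of the original thread: a small Python check that every `crypto map ... set peer` address has a matching `ipsec-l2l` tunnel-group carrying a pre-shared key, the two places the steps above touch. It assumes `show running-config` text with indented sub-commands; `audit_l2l` is a hypothetical helper and the sample addresses are constructed documentation addresses.

```python
import re

# Constructed sample config (documentation addresses, not values from the thread).
SAMPLE_CONFIG = """\
crypto map outside_map 20 set peer 192.0.2.10
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
tunnel-group Pleasanton type remote-access
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key *****
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
L2L_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")


def audit_l2l(config: str) -> list[str]:
    """Return findings where crypto map peers and L2L tunnel-groups disagree."""
    peers = {}          # peer IP -> "map-name sequence"
    l2l_groups = set()  # tunnel-groups declared as ipsec-l2l
    keyed = set()       # tunnel-groups that carry a pre-shared-key line
    current = None      # tunnel-group whose ipsec-attributes block we are in
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1].isspace():  # indented line = sub-command of the previous block
            if current and line.startswith(("pre-shared-key", "ikev1 pre-shared-key")):
                keyed.add(current)
            continue
        current = None
        if m := PEER_RE.match(line):
            for ip in m.group(3).split():  # a map entry may list several peers
                peers[ip] = f"{m.group(1)} {m.group(2)}"
        elif m := L2L_RE.match(line):
            l2l_groups.add(m.group(1))
        elif m := ATTR_RE.match(line):
            current = m.group(1)
    findings = []
    for ip, entry in sorted(peers.items()):
        if ip not in l2l_groups:
            findings.append(f"peer {ip} ({entry}) has no ipsec-l2l tunnel-group")
        elif ip not in keyed:
            findings.append(f"tunnel-group {ip} has no pre-shared-key")
    for group in sorted(l2l_groups - set(peers)):
        findings.append(f"tunnel-group {group} matches no crypto map peer (stale?)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_l2l(SAMPLE_CONFIG)))
```

Run it against the saved configuration after the peer change; an empty result means the crypto map peer and the tunnel-group name agree.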
Thank you again!
I shall try this at end of the month when we move.
Now I feel prepared.
One more thing please.
I want to buy another 5510 to be on the safe side and use it as a back up later.
Can I create another VPN between the new Cisco and the one that we were talking about?
I only know how to use ASDM.
Message was edited by: Duong Nguyen
Great, yes. That is all you need.
Let me know the result
It can be done, but if it is going to be used as a backup, why don't you use a failover cluster, or why don't you set the same configuration on this box and have it ready to start working?
Let me know if I understood your query
So you think it's a good idea that I configure the new box. Create a new VPN tunnel between the 2 Cisco 5510s.
Then when I move I will just plug in and it should work. I guess a 5510 can have more than one tunnel created on it.
Exactly, and of course more than one tunnel (that is for sure).
I tried to create a remote access tunnel into the firewall using the ASDM wizard, but it didn't work.
Any way I can just modify the old remote access tunnel?
Are you talking about the Remote Access VPN (IPsec or SSL/AnyConnect) or a Site to Site VPN?
In most cases I imagine you should be able to use the old configurations. Possibly need to remove some configurations and add new ones. Can't say for sure until you have described the situation.
It would be easier to see the configuration in CLI format to go through this.
Might even be worth making a new post on these forums so the post doesn't contain extra information that is not related to the current problem.