cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1072
Views
10
Helpful
25
Replies
Highlighted
Beginner

Cisco 5510 Startup-Config copy

I copied a Cisco 5510 startup-config to an identical Cisco 5510.

After copying through tftp, I executed a reload. 

Everything looks good. Line by line  compare results are the same.

The problem is I can no longer use ASDM or ssh to interface with Cisco 5510.

Telnet works fine.

I am fairly new to Cisco firewalls.

Please advise.

25 REPLIES 25
Highlighted

Can you teach me to create a or modify a point to point vpn?

Can I just edit the old VPN with new IP ADDRESS?

Please advise.

Highlighted

Hello Duong,

My pleasure

Can you share the VPN setup ( Crypto map and tunnel group you already have) Change the Ip peer to 2.2.2.2

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

This is the ASA that will need to change the peer IP, the other ASA config will stay pretty much the same, except for the new IP that we have recieved.

Everything else should stay the same.

So basically, we will move and I need to make sure I can still establish a site to site vpn.

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA

crypto map outside_map 20 match address outside_cryptomap_20

crypto map outside_map 20 set peer 2.2.2.2

crypto map outside_map 20 set transform-set ESP-AES-128-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

crypto isakmp identity hostname

crypto isakmp enable outside

crypto isakmp policy 10

authentication pre-share

encryption aes

hash sha

group 2

lifetime 86400

tunnel-group Pleasanton type remote-access

tunnel-group Pleasanton general-attributes

address-pool Pleasanton

default-group-policy Pleasanton_1

tunnel-group Pleasanton ipsec-attributes

pre-shared-key xxxxxxxxxxxxxxxxxxxxxx

tunnel-group 2.2.2.2 type ipsec-l2l

tunnel-group 2.2.2.2 ipsec-attributes

Highlighted

Hello

So only do the following: Lets say new ip is 4.4.4.4

clear configure tunnel-group 2.2.2.2

tunnel-group  4.4.4.4 type ipsec-l2l

tunnel-group 4.4.4.4 ipsec-attributes

pre-shared key x.x.x.x

no crypto map outside_map 20 set peer 2.2.2.2

crypto map outside_map 20 set peer 4.4.4.4

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

Highlighted

Thank you again!

I shall try this at end of the month when we move.

Now I feel prepared.

One more thing please.

I want to buy another 5510 to be on the safe side and use it as a back up later.

Can I create another VPN between the new Cisco and the one that we were talking about?

I only know how to use asdm.

Message was edited by: Duong Nguyen

Highlighted

Hello Duong,

Great, yes. That is all you need..

Let me know the result

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

Hello,

It can be done, but if is going to be used as a backup why dont you use a failover cluster or why dont you set the same configuration on this box and have it ready to start working?

Let me know if I understood your query

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

So you think its a good idea that I configure the new box.  Create a new VPN tunnel between the 2 Cisco 5510s.

Then when I move I will just plug in and it should work.  I guess a 5510 can have more than one tunnel created on it.

Highlighted

Hello Duong,

Exactly and of course more than one tunnel ( that is for sure)

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
Highlighted

I tried to create a remote access tunnel into the firewall, using asdm wizard but it didnt work.

Anyway I can just modify the old remote access tunnel ?

Highlighted

Hi,

Are you talking about the Remote Access VPN (IPsec or SSL/AnyConnect) or a Site to Site VPN?

In most cases I imagine you should be able to use the old configurations. Possibly need to remove some configurations and add new ones. Can say for sure until you have described the situation

I would be easier to see the configuration in CLI format to go through this.

MIght be even worth making a new post on these forums so the post doesnt contain extra information that is not related to the current problem.

- Jouni

Content for Community-Ad