CISCO ASA 5505 - SITE TO SITE VPN ISSUE

gayankool
Level 1

Hi All,

I'd appreciate it if someone can help me. We are going to change our ISP, so we need to change the VPN settings at our branch office (as in the picture, using a Cisco ASA).

I have a few questions:

 

- Is it possible to do this by changing the current public IP in the current Cisco ASA policy? Edit the current public IP address and add the new IP address.

or

- Can I add the new IP address to crypto map > peer target as a secondary IP? (I tried this, but it didn't work with the new ISP public IP address.)

or

- Do I need to create a completely new policy? (Nothing has changed on the head office side.)

Can someone please help me with this?

Really appreciate.

Thanks.

10 Replies

Warren Chang
Level 1

1. Is it possible to do this by changing the current public IP in the current Cisco ASA policy? Edit the current public IP address and add the new IP address.

or

2. Can I add the new IP address to crypto map > peer target as a secondary IP? (I tried this, but it didn't work with the new ISP public IP address.)

These two options would work. For the first, you would need to change the peer IP in a couple of places for it to take effect. The second option I have done before, but with AWS, and both peers were actually up, so it did work when a peer went down. I would verify that the tunnel is not staying on the old peer and, if it is, reset the tunnel after all the changes are made and confirm it fails over to the new IP.

 

 

 

Richard Burts
Hall of Fame

Your drawing shows the head office with a SonicWall and the branch with an ASA. It is not clear to me whether the ISP that is changing is the ISP for the head office, the ISP for the branch, or both. Can you clarify?

You mention that you have tried one of the changes. Is the second ISP already in place and connected?

 

There are multiple places in the ASA config where the IPsec peer address is used. It should be possible to edit the config and change the several places where the address is used. But you might want to consider the approach of configuring a new policy with the new address. That way the old config can work as long as the original ISP is operational at the peer, and the new config can work when the new ISP becomes active.

 

HTH

 

Rick


Hi Rick,

Sorry for the misunderstanding. The head office's ISP is going to be changed soon, so I need to configure the branch side. I am going to configure a new policy for the ASA. I'll let you know how this goes.

 

Thanks.

Gayan 

Hi All,

I tried to create a new policy for the new ISP.

I created the following:

- Tunnel group

- Crypto map

- Connection profile

from the ASDM, but when I tried to save, I got the message below.

"The protected traffic overlaps with that of the connection profile (old public ip). This can cause traffic initiated from the local network, which is intended to go through (new public ip), to go through (current public ip) instead."

Not sure why it's trying to do this. I created a new group policy and a new tunnel group.

Can someone please help?

 

Thanks.

Thanks for the additional information. I am guessing that when you created the new crypto map entry you used the same access list to match traffic and identify what is to be encrypted as was used in the existing map entry. So now you have two entries in the crypto map, each trying to identify the same traffic. That is what the message is about. My suggestion would be, for now, to put a different ACL in the new crypto map entry (probably configure the ACL to match on source addresses that do not exist on the ASA, so that it will not attempt to encrypt any traffic). That will allow you to save the config changes. Then, at the time when the new ISP is active and you want to switch over, you will change the match statement in the original crypto map entry (or perhaps remove the original crypto map entry) and change the new crypto map entry to use the right ACL. Then traffic will use the new crypto map and your VPN should work.

 

HTH

 

Rick


Hi Rick,
Thanks very much for your reply.
I'll try this today and let you know the outcome.
Thanks again.
Gayan

Gayan

 

You are welcome. Do let us know the results when you have tried this approach.

 

HTH

 

Rick


Hi Rick,

 

Sorry it took a while to do the testing, as I need to do this out of office hours.

I created a new crypto map entry with a different ACL and also different object names (for the source and destination addresses).
This time I assigned the new ISP line as primary and the old line as secondary. The VPN didn't go down this time; I managed to connect to the site.
Next I unplugged the old line physically from the BT circuit, and then I lost the VPN connection. Not sure why this happened, even though I created a new crypto map and objects. We are planning to stop the current ISP in two months, as the service provider is really BAD. It seems like we still need the current line running as secondary even with the new line running as primary.

I don't understand why this new line relates to the old public IP. What I did today: deleted all the new ISP details and used the Site-to-Site VPN wizard to create a tunnel. I am going to test this this afternoon and I'll let you know how it goes.

Any thoughts on this? I appreciate your help in advance.

Gayan

 

We do not know the details of what you changed, and that makes it difficult to identify what the resulting problem is about. I am puzzled by your reference to the new and old ISP as primary and secondary. Can you clarify?

 

What I was trying to suggest was that you leave the existing configuration for the VPN in place, and that you configure new entries for the new VPN. A new entry in the crypto map would have a set peer for the address of the new ISP; the set statements for the security policy in the new crypto map would probably be what you used for the existing VPN (but these changes might be an opportunity to switch to something more secure if your existing policies are not so strong, like if you are using 3DES). The match statement in the new crypto map would need to match a different access list. You would configure a new tunnel group using the address of the new ISP and probably similar policies, passwords, etc. for the new tunnel group. Doing it this way would allow the VPN to continue to operate with the old ISP. When you are ready to switch to the new ISP, you would change the match statement for the old ISP to use a different access list (or perhaps just remove the match statement in that crypto map entry) and change the match statement in the new crypto map entry to use the access list that really matches the remote peer. You would then clear the crypto sessions (probably both ISAKMP and IPsec). That should shift to using the new ISP.

 

HTH

 

Rick

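The staged cut-over Rick describes in his two replies above (a parked crypto map entry that matches no real traffic until switch-over day, then swapping the ACLs and clearing the sessions), written out as an added ASA CLI example. This is not configuration from the thread or from Cisco; every address, ACL name, object name, crypto map name and pre-shared key here is a constructed placeholder (RFC 5737 documentation ranges), and the transform set is assumed to already exist on the ASA.

```cisco
! Added example, not from the thread. Constructed values:
!   branch LAN            192.168.10.0/24   (behind this ASA)
!   head-office LAN       192.168.20.0/24
!   old head-office peer  203.0.113.10      (current ISP)
!   new head-office peer  198.51.100.10     (new ISP)
! Assumed to exist already: crypto ipsec ikev1 transform-set ESP-AES-256-SHA
!
! ---- Existing entry for the old ISP: left exactly as it is ----
access-list VPN-HEADOFFICE extended permit ip 192.168.10.0 255.255.255.0 192.168.20.0 255.255.255.0
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key OLD-PSK-PLACEHOLDER
crypto map OUTSIDE_MAP 10 match address VPN-HEADOFFICE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
crypto map OUTSIDE_MAP 10 set ikev1 transform-set ESP-AES-256-SHA
!
! ---- New entry for the new ISP, parked ----
! The parked ACL matches a source network that does not exist behind
! this ASA (10.255.255.0/24, constructed), so the entry selects no
! traffic and does not overlap with entry 10. That is what avoids the
! "protected traffic overlaps" error when saving.
access-list VPN-PARKED extended permit ip 10.255.255.0 255.255.255.0 192.168.20.0 255.255.255.0
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key NEW-PSK-PLACEHOLDER
crypto map OUTSIDE_MAP 20 match address VPN-PARKED
crypto map OUTSIDE_MAP 20 set peer 198.51.100.10
crypto map OUTSIDE_MAP 20 set ikev1 transform-set ESP-AES-256-SHA
!
! ---- Cut-over day (new ISP live at head office) ----
! First park the old entry, then give the real ACL to the new entry, so
! at no point do two entries claim the same traffic.
crypto map OUTSIDE_MAP 10 match address VPN-PARKED
crypto map OUTSIDE_MAP 20 match address VPN-HEADOFFICE
! Clear both phases so nothing stays pinned to the old peer.
clear crypto ikev1 sa 203.0.113.10
clear crypto ipsec sa peer 203.0.113.10
!
! ---- Verify: the new peer should show an active IKE SA and
! ---- encaps/decaps counters on the IPsec SA should be increasing.
show crypto ikev1 sa
show crypto ipsec sa peer 198.51.100.10
```

Two points worth checking before relying on this: the NAT exemption (identity NAT) for 192.168.10.0/24 to 192.168.20.0/24 is keyed on the subnets, not the peer, so it carries over unchanged; and if the old entry is parked rather than deleted, the ASA will still answer IKE from 203.0.113.10, which is harmless but means `show crypto ikev1 sa` may briefly list both peers until the old one times out.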

Dennis Mink
VIP Alumni

If all you are changing is the ISP, and hence the public IPs, then all that is required is that the remote end change the peer IP address that they are pointing to.