Thulasi Shankar
Level 1
Introduction

This document provides a sample configuration for changing the external (outside) interface IP address on a Cisco ASA, together with the follow-up changes that the new address usually requires.

 

Configuration

 

To change the external IP address, enter interface configuration mode for the external interface and assign the new address:

hostname(config)# interface {physical_interface[.subinterface] | mapped_name}
hostname(config-if)# ip address new_ip_address [mask]

(Entering the new address replaces the old one; the old address does not need to be removed first.)

 

If the default gateway also changes, update the default route so that it points at the new next hop.

To define the new default route, remove the old route and enter the new one:

hostname(config)# no route if_name 0.0.0.0 0.0.0.0 x.x.x.x
hostname(config)# route if_name 0.0.0.0 0.0.0.0 y.y.y.y

where if_name is the external interface name,
      x.x.x.x is the IP address of the old default gateway, and
      y.y.y.y is the IP address of the new default gateway.

Common Issues:

 

Unable to Access the Internet

 

After changing the IP address on the external interface of the ASA, if internal users can no longer reach the Internet, check that the device upstream of the ASA (the next hop) has the ASA's MAC address bound to the new IP address in its ARP table. If it still holds the old binding, clear that ARP cache entry on the next hop so that it learns the new IP address of the ASA.

 

VPN-related Issues

 

1. Site-to-site VPN:

 

For a site-to-site VPN, the remote (peer) ASA must be updated with the new IP address of the ASA whose address changed.

 

For example, suppose an existing LAN-to-LAN VPN connects two sites, ASA1 (external IP address 1.1.1.1) and ASA2 (external IP address 2.2.2.2), and the external interface IP address of ASA1 is changed to 3.3.3.3. The following changes need to be made on ASA2:

 

First, remove the crypto map peer entry on ASA2 that points at the old external IP address of ASA1 and replace it with the new address:

 

ASA2(config)# no crypto map <crypto-map-name> <id> set peer 1.1.1.1
ASA2(config)# crypto map <crypto-map-name> <id> set peer 3.3.3.3

 

Second, configure a new tunnel-group named after ASA1's new IP address; the pre-shared key for the peer is stored under it:

 

ASA2(config)# tunnel-group 3.3.3.3 type ipsec-l2l
ASA2(config)# tunnel-group 3.3.3.3 ipsec-attributes
ASA2(config-tunnel-ipsec)# pre-shared-key <preshared-key>

 

Following this, the old tunnel-group named after the old external IP address of ASA1 can be deleted with the command:

 

ASA2(config)# clear configure tunnel-group 1.1.1.1
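The site-to-site steps above, like the default-route change earlier, come down to the same task: find every place the old external address is still referenced and replace it. The following Python script is an added example and is not part of the original article. It audits a constructed sample of ASA2's configuration for whole-address references to ASA1's old IP, classifies each reference (crypto map peer, tunnel-group, default route) and emits the ASA2-side commands in the order the article gives them. The sample configuration, the names outside_map and L2L_ACL, and the <PRESHARED-KEY> placeholder are assumptions.

```python
"""Audit a peer ASA configuration for references to a changed external IP.

Given the running-config of the remote ASA (ASA2 in the article) and the
old and new external address of ASA1, list every line still bound to the
old address and emit the ASA2-side commands the article describes.
"""
import ipaddress
import re

# Constructed sample of ASA2's configuration, still bound to ASA1's old
# external address 1.1.1.1. The names outside_map and L2L_ACL are made up.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 2.2.2.2 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 2.2.2.1 1
crypto map outside_map 10 match address L2L_ACL
crypto map outside_map 10 set peer 1.1.1.1
crypto map outside_map 10 set transform-set ESP-AES-SHA
crypto map outside_map interface outside
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
"""

# Dotted quad not glued to other digits or dots, so 1.1.1.1 is never
# matched inside 11.1.1.1 or 1.1.1.10.
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def _parse_ip(token):
    """Return an IPv4Address for a valid dotted quad, else None."""
    try:
        return ipaddress.IPv4Address(token)
    except ipaddress.AddressValueError:
        return None


def classify(line):
    """Map a config line to the kind of reference the article handles."""
    s = line.strip()
    if s.startswith("crypto map ") and " set peer " in s:
        return "crypto-map-peer"
    if s.startswith("tunnel-group "):
        return "tunnel-group"
    if s.startswith("route "):
        return "default-route" if " 0.0.0.0 0.0.0.0 " in s else "route"
    return "other"


def find_stale_refs(config, old_ip):
    """Return [(line_no, kind, line)] for lines naming old_ip as a whole address."""
    target = ipaddress.IPv4Address(old_ip)
    refs = []
    for n, line in enumerate(config.splitlines(), 1):
        if any(_parse_ip(t) == target for t in IPV4.findall(line)):
            refs.append((n, classify(line), line.rstrip()))
    return refs


def plan_peer_update(config, old_ip, new_ip):
    """Build the ASA2 commands for every stale reference, in the article's order.

    Crypto map peers are replaced in place. The tunnel-group is recreated
    under the new address (the pre-shared key is masked in the config and
    must be typed again, hence the placeholder) and the old one is cleared
    last, once nothing else refers to it.
    """
    target = ipaddress.IPv4Address(old_ip)
    cmds, tunnel_group_seen = [], False
    for _, kind, line in find_stale_refs(config, old_ip):
        s = line.strip()
        if kind == "crypto-map-peer":
            cmds.append("no " + s)
            cmds.append(" ".join(new_ip if _parse_ip(t) == target else t
                                 for t in s.split()))
        elif kind == "tunnel-group":
            tunnel_group_seen = True
    if tunnel_group_seen:
        cmds += [
            f"tunnel-group {new_ip} type ipsec-l2l",
            f"tunnel-group {new_ip} ipsec-attributes",
            " pre-shared-key <PRESHARED-KEY>",  # placeholder: enter the real key
            f"clear configure tunnel-group {old_ip}",
        ]
    return cmds


if __name__ == "__main__":
    for n, kind, line in find_stale_refs(SAMPLE_CONFIG, "1.1.1.1"):
        print(f"line {n:2d} [{kind}] {line}")
    print("--- commands for ASA2 ---")
    print("\n".join(plan_peer_update(SAMPLE_CONFIG, "1.1.1.1", "3.3.3.3")))
```

Run against a real `show running-config` capture, the audit also surfaces references the article does not list (for example a non-default static route through the old gateway), which is the point of comparing parsed addresses rather than grepping for a substring.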

 

2. Remote-access VPN:

 

Ensure that the VPN clients connect to the ASA using its new external interface IP address and not the old one.

 

 

NOTE: Do not change the external interface IP address of the ASA while you are managing it remotely through that same interface; the change will disconnect your management session.

 

Related Information:

 

1. Configuring Interface Parameters:

 

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intparam.html

Comments
Peter Long
Level 1

I've just finished writing a related article, if it's of any use to anyone.

Cisco ASA - Changing the Outside IP Address

Pete

leander013
Community Member

Hi Pete,

Your article helps a lot. Thank you and more power!

Best Regards,

LJ

Peter Long
Level 1

Great news! ThanQ

P

leander013
Community Member

Hi Thulasi,

First of all, I would like to thank you for posting this article; it helps a lot.

I just want to know which version of ASA firmware the solutions to the common issues, particularly the VPN-related issues, apply to. Do they apply to both 8.2 and below and 8.3 and above?

Your response is highly appreciated.

Best Regards,

LJ
