
Changing the External Interface IP Address on ASA





This document provides a sample configuration for changing the external interface IP address on ASA.




To change the external IP address, enter interface configuration mode for the external interface and enter the new IP address as shown below:


hostname(config)# interface {physical_interface[.subinterface] | mapped_name}


hostname(config-if)# ip address new_ip_address [mask] 

(Entering the new IP address replaces the old one.)


Also, if the default gateway changes, update the default route so that it points to the new next hop.


To replace the default route, remove the old one and add the new one with the following commands:


hostname(config)# no route if_name 0.0.0.0 0.0.0.0 x.x.x.x

hostname(config)# route if_name 0.0.0.0 0.0.0.0 y.y.y.y

where if_name is the external interface name
      x.x.x.x is the IP address of the old default gateway
      y.y.y.y is the IP address of the new default gateway

Common Issues:


Unable to Access the Internet


After changing the IP address on the external interface of the ASA, if the internal users are unable to access the web, then ensure that the device upstream to the ASA (the next-hop) reflects the MAC address of the ASA bound to the new IP address. If this is not the case, then clear this ARP cache entry on the next-hop so that it learns the new IP address of the ASA.


VPN-related Issues


1. Site-to-site VPN:


For site-to-site VPN, the peer/remote ASA needs to reflect the new IP of the ASA.


For example, if we have an existing lan-to-lan VPN between two sites, ASA1 (external ip address and ASA 2 (external ip address and if the external interface ip address for ASA 1 is changed to, the following changes need to be made on ASA 2:


First, on ASA 2, remove the crypto map peer entry for the old external IP address of ASA 1 and set the peer to the new address:


ASA2(config)# no crypto map <crypto-map-name> <id> set peer

ASA2(config)# crypto map <crypto-map-name> <id> set peer


Second, a new tunnel-group needs to be configured, under which the pre-shared key for ASA 1's new IP address will be stored:


ASA2(config)# tunnel-group type ipsec-l2l

ASA2(config)# tunnel-group ipsec-attributes

ASA2(config-ipsec)# pre-shared-key <preshared-key>


Following this, the old tunnel-group for the old external IP address of ASA 1 can be deleted by issuing the command:


ASA2(config)# clear configure tunnel-group
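
One way to check ASA 2 after the site-to-site steps above, as an added example that is not part of the original article: this Python script scans a saved running-config for leftover references to ASA 1's old address and for a missing tunnel-group or pre-shared key for the new one. The addresses, the crypto map name and the function name are constructed placeholders, not values from the article.

```python
import re

# Constructed sample of ASA 2's running-config, captured midway through the
# change: the crypto map already points at the new peer, the old tunnel-group
# is still present, and the new tunnel-group has no pre-shared key yet.
# Addresses are documentation-range placeholders (assumed, not from the page).
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address l2l_acl
crypto map outside_map 10 set peer 203.0.113.20
crypto map outside_map interface outside
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key *****
tunnel-group 203.0.113.20 type ipsec-l2l
"""

def audit_peer_change(config, old_ip, new_ip):
    """Return findings for an L2L peer address change on the remote ASA."""
    peers, l2l_groups, keyed_groups = set(), set(), set()
    section = None  # tunnel-group whose ipsec-attributes block we are inside
    for line in config.splitlines():
        if not line.startswith(" "):
            section = None  # any unindented line closes the sub-mode block
        if m := re.match(r"crypto map \S+ \d+ set peer (.+)", line):
            peers.update(m.group(1).split())
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            l2l_groups.add(m.group(1))
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            section = m.group(1)
        elif section and re.match(r"\s+(ikev1 )?pre-shared-key\s", line):
            keyed_groups.add(section)
    findings = []
    if old_ip in peers:
        findings.append("crypto map still sets old peer")
    if new_ip not in peers:
        findings.append("crypto map does not set new peer")
    if old_ip in l2l_groups or old_ip in keyed_groups:
        findings.append("old tunnel-group still configured")
    if new_ip not in l2l_groups:
        findings.append("no ipsec-l2l tunnel-group for new peer")
    if new_ip not in keyed_groups:
        findings.append("no pre-shared key for new peer")
    return findings

if __name__ == "__main__":
    for finding in audit_peer_change(SAMPLE_CONFIG, "198.51.100.10", "203.0.113.20"):
        print("FINDING:", finding)
```

An empty result means the crypto map, tunnel-group and pre-shared key all refer to the new peer only. A leftover tunnel-group keeps a pre-shared key bound to an address ASA 1 no longer holds.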


2. Remote-access VPN:


Ensure that the VPN clients connect to the ASA using its new external interface IP address and not the old one.



NOTE: For obvious reasons, do not attempt to change the external interface IP address of the ASA if it is being managed remotely by you.


Related Information:


1. Configuring Interface Parameters:

Peter Long

I've just finished writing a related article if it's of any use to anyone.

Cisco ASA - Changing the Outside IP Address


Community Member

Hi Pete,

Your article helps a lot. Thank you and more power!

Best Regards,


Peter Long

Great news! ThanQ


Community Member

Hi Thulasi,

First of all, I would like to thank you for posting this article; it helps a lot.

I just want to know if the solutions on the common issues particularly on the VPN related issues are applicable to which version of ASA Firmware? Is it applicable to both versions 8.2 below and 8.3 above?

Your response is highly appreciated.

Best Regards,

