ASA L2L change of IP

Given a two-site ASA deployment, with a Site to Site VPN established and working, we need to change providers on one end. This change will require a change in the peer IP address of one end. Can we just change the tunnel IP address or do we have to regenerate the entire configuration?

3 Replies

nkarthikeyan
Level 7
Hi,

You can follow the steps below.

Add the new tunnel group for the new address:

asa1(config)# tunnel-group 4.4.4.4 type ipsec-l2l
asa1(config)# tunnel-group 4.4.4.4 general-attributes
asa1(config-tunnel-general)# tunnel-group 4.4.4.4 ipsec-attributes
asa1(config-tunnel-ipsec)#  ikev1 pre-shared-key C1sc0123

!

asa1(config)# no crypto map Outside_map 1 set peer 2.2.2.2 
WARNING: The crypto map entry will be incomplete!
asa1(config)# crypto map Outside_map 1 set peer 4.4.4.4 
asa1(config)# show run crypto | include peer
crypto map Outside_map 1 set peer 4.4.4.4 

!

clear configure tunnel-group 2.2.2.2

!

Regards

Karthik

nkarthikeyan, I see what you wrote, but I am not sure I understand. Is the answer to my question "NO"? And how do I interpret the config you entered? If all of this already exists, should we not be able to just change the tunnel peer address?

Hi,

Since you are not going to have any changes in the LAN part, and you just have changes in the peer IP address since the other end is having changes with its ISP IP addressing stack, you need to create a tunnel group with the changed IP address and make changes in the crypto peer to remove the old address and add the new one. Then, at last, remove the existing tunnel-group.

Yes. That is what I am saying. These would be the configuration changes at your end. You just need to change the peer IP address, pre-shared-key and crypto map name according to your configuration.

Regards

Karthik
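
A post-change check for the steps in the answers above, as an added example that is not part of the original thread: it parses saved `show running-config` output and reports crypto map peers with no tunnel-group, IP-named L2L tunnel-groups that no crypto map references (such as the old provider address left behind), and in-use tunnel-groups with no pre-shared key. The sample configuration, the `VPN_ACL` and `ESP-AES-SHA` names and the function name `audit_l2l_peers` are constructed for illustration.

```python
import re

# Constructed sample: running-config fragment after the peer change, with the
# old tunnel-group (2.2.2.2) deliberately left behind.
SAMPLE_CONFIG = """\
crypto map Outside_map 1 match address VPN_ACL
crypto map Outside_map 1 set peer 4.4.4.4
crypto map Outside_map 1 set ikev1 transform-set ESP-AES-SHA
crypto map Outside_map interface outside
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
 ikev1 pre-shared-key *****
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TYPE_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
ATTR_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def audit_l2l_peers(config: str) -> dict:
    """Cross-check crypto map peers against L2L tunnel-groups in a running-config."""
    peers, groups, keyed = {}, set(), set()
    current = None  # tunnel-group whose ipsec-attributes block we are inside
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current = None  # any top-level line ends the sub-mode block
        if m := PEER_RE.match(line):
            for ip in m.group(3).split():  # a map entry may list several peers
                peers.setdefault(ip, []).append(f"{m.group(1)} {m.group(2)}")
        elif m := TYPE_RE.match(line):
            groups.add(m.group(1))
        elif m := ATTR_RE.match(line):
            current = m.group(1)
        elif current and "pre-shared-key" in line:
            keyed.add(current)
    return {
        # peer named in a crypto map that has no tunnel-group of its own
        "peer_without_group": sorted(set(peers) - groups),
        # IP-named tunnel-group no crypto map points at: stale, e.g. the old peer
        "group_without_peer": sorted(g for g in groups - set(peers) if IPV4_RE.match(g)),
        # tunnel-group in use but with no pre-shared key configured under it
        "group_without_key": sorted((groups & set(peers)) - keyed),
    }
```

On the sample, the only finding is the leftover `2.2.2.2` tunnel-group, which is what the final `clear configure tunnel-group 2.2.2.2` step removes.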