ASA Site to Site VPN peer IP destination IP change

sreeraj.murali
Level 3

Hi,

We have the Site to Site ASA VPN running.

Site-A-IP Address 1.2.3.4

remote Site-B - IP Address 5.6.7.8

The tunnel is up and running currently.

 

The remote site is getting its IP address changed to 9.10.11.12. Please let me know the changes required on the remote end. If you could share the steps for making the change in the CLI and ASDM, that would help.

Our site-Site A has ASA 9.1/ASDM 7.1.

 

I went through the Cisco online resources and found that I would need to create a new tunnel group, with the existing Group Policy and a new SECRET SHARED KEY (local and remote key the same) shared with the Site B Security Admin. After that, I need to edit the crypto map, adding the new destination peer IP address 9.10.11.12. I am attaching the screenshot from ASDM, which has to be done for the change.

 

Also, please suggest the verification and troubleshooting steps/commands to check whether the tunnel is up with the new peer IP address.

 

Please provide expert assistance.

 

Thanks & Regards

Sreeraj

 


Hi,

 

Changing the IP address is very simple: just issue no ip address at the interface config level, then ip add and type the new IP address.

Just keep in mind that this needs to be done via console cable or using another interface, otherwise you can get in trouble.

You don't need to create a new tunnel group if you can let the VPN be down for some time. You just edit the config on the current VPN to reflect the new IP address.

Maybe it is easier to create a new one and replace it once ready.

Some useful commands:

show crypto isakmp sa
show crypto ipsec sa

 

Hi,

Thanks for the response.

I don't need to change my side IP address.

The IP address is getting changed at the remote end, and I need to make changes on my side to bring the tunnel up with the IP changes made on the remote peer, with a new IKE shared secret key.

Please advise.

Alright. The idea is the same.

-If I helped you somehow, please, rate it as useful.-

Oh sorry, I realised now.

Could you please share the config change required to reflect the change in shared key and IP?

Send me the show running-config and I'll point you in the right direction.

 You can hide sensitive information. Only need the overall information.

Thanks for the help.
I managed to have the changes made by creating a new Tunnel Group with the new peer IP and adding the same to the existing crypto map, and it worked.

Glad to hear that.

-If I helped you somehow, please, rate it as useful.-
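
A check for the change the thread settles on, as an added example that is not from the original posts: it reads a sanitized show running-config fragment and reports crypto map peers that lack an ipsec-l2l tunnel-group or a pre-shared key, plus tunnel-groups left behind for a peer that no crypto map references any more. The map name, sequence number, group policy name and the IKEv1 key lines in the sample are constructed assumptions.

```python
import re

# Constructed, sanitized running-config fragment after the change the
# thread describes. Map name, sequence number and policy name are
# hypothetical; keys are masked the way the ASA prints them.
SAMPLE_CONFIG = """\
crypto map OUTSIDE_MAP 10 match address VPN_SITE_B
crypto map OUTSIDE_MAP 10 set peer 9.10.11.12
crypto map OUTSIDE_MAP interface outside
tunnel-group 5.6.7.8 type ipsec-l2l
tunnel-group 5.6.7.8 ipsec-attributes
 ikev1 pre-shared-key *****
tunnel-group 9.10.11.12 type ipsec-l2l
tunnel-group 9.10.11.12 general-attributes
 default-group-policy GP_SITE_B
tunnel-group 9.10.11.12 ipsec-attributes
 ikev1 pre-shared-key *****
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

def audit_l2l_peers(config):
    """Cross-check crypto map peers against ipsec-l2l tunnel-groups."""
    map_peers, l2l_groups, keyed = set(), set(), set()
    current = None  # tunnel-group whose ipsec-attributes block we are inside
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # a top-level line ends any sub-mode block
        m = re.match(rf"crypto map \S+ \d+ set peer ((?:{IP}\s*)+)$", line)
        if m:
            map_peers.update(m.group(1).split())
        m = re.match(rf"tunnel-group ({IP}) type ipsec-l2l$", line)
        if m:
            l2l_groups.add(m.group(1))
        m = re.match(rf"tunnel-group ({IP}) ipsec-attributes$", line)
        if m:
            current = m.group(1)
        elif current and re.match(r" (?:ikev1|ikev2 \S+) pre-shared-key \S+", line):
            keyed.add(current)
    return {
        "peers_without_tunnel_group": sorted(map_peers - l2l_groups),
        "peers_without_psk": sorted((map_peers & l2l_groups) - keyed),
        "stale_tunnel_groups": sorted(l2l_groups - map_peers),
    }
```

On the sample, the only finding is the leftover tunnel-group for 5.6.7.8, which still holds the old pre-shared key and can be removed once the tunnel to the new peer is confirmed with the show commands above.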