Changing the VPN peer IP on an ASA

Andy White
Level 3

Hello,

I have a few site-to-site VPNs connecting to my ASA 5520, but one of the remote VPNs is changing its public IP. How can I change this IP on the ASA without starting again? On the ASDM it is greyed out so I can't edit it, but can I just change it in the CLI?

Thanks

2 Replies

Jouni Forss
VIP Alumni

Hi,

Essentially, if the remote VPN peer IP address changes, you have to make a couple of changes on the CLI of the ASA.

You will have to replace the "crypto map" configuration line that sets the peer IP address.

You can use the "show run crypto map" command to list the whole "crypto map" configuration on the ASA.

The command you are looking to change looks like the following:

crypto map <map-name> <seq-num> set peer x.x.x.x

You will need to remove the old one and configure the new one:

no crypto map <map-name> <seq-num> set peer x.x.x.x

crypto map <map-name> <seq-num> set peer <new-ip>

You will also have a "tunnel-group" configuration that you need to change by removing the old one and adding it with the new IP address but otherwise with the same information.

You might have something like this:

tunnel-group x.x.x.x type ipsec-l2l

tunnel-group x.x.x.x ipsec-attributes

 pre-shared-key <key>

Those should pretty much be the things you need to change.

Hope this helps

- Jouni

Matt Lang
Level 1

Andy,

You should be able to use the CLI and modify the crypto map entry for this specific tunnel.  So if the existing IP address is a.a.a.a and the new address is b.b.b.b, the command would be:

crypto map crypto_map_name ## set peer a.a.a.a b.b.b.b

You will also need to create a new tunnel group.  Basically you will just copy your existing tunnel group config for a.a.a.a and paste that in the config replacing a.a.a.a with b.b.b.b.

Matt
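
The change both replies describe, worked through on a saved configuration as an added example that is not part of the original thread: a small Python helper that finds the crypto map entry and tunnel-group for the old peer and emits the commands to move them to the new IP. The function name, the sample configuration (map name, sequence numbers, addresses) and the use of `clear configure tunnel-group` to remove the old group are assumptions of this example.

```python
import re

# Constructed sample of "show run" output; names, sequence numbers and IPs are made up.
SAMPLE_CONFIG = """\
crypto map outside_map 10 match address vpn_site_a
crypto map outside_map 10 set peer 203.0.113.5
crypto map outside_map 20 match address vpn_site_b
crypto map outside_map 20 set peer 192.0.2.10
crypto map outside_map interface outside
tunnel-group 203.0.113.5 type ipsec-l2l
tunnel-group 203.0.113.5 ipsec-attributes
 pre-shared-key *****
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key *****
"""

def peer_change_commands(config, old_ip, new_ip):
    """Return (commands, warnings) that move one L2L peer from old_ip to new_ip."""
    cmds, warnings = [], []
    lines = config.splitlines()
    peer_re = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
    for line in lines:
        m = peer_re.match(line)
        if m and old_ip in m.group(3).split():  # exact token match, not a prefix
            name, seq = m.group(1), m.group(2)
            cmds.append(f"no crypto map {name} {seq} set peer {old_ip}")
            cmds.append(f"crypto map {name} {seq} set peer {new_ip}")
    if not cmds:
        raise ValueError(f"no crypto map entry sets peer {old_ip}")
    # Copy the old tunnel-group, including its indented sub-mode lines, under the new IP.
    in_group = False
    for line in lines:
        if line.startswith("tunnel-group "):
            in_group = line.split()[1] == old_ip
            if in_group:
                cmds.append(line.replace(old_ip, new_ip, 1))
        elif in_group and line.startswith(" "):
            if "*****" in line:
                # "show run" masks the key, so it cannot be copied from this output.
                line = line.replace("*****", "<KEY>")
                warnings.append("pre-shared-key is masked; re-enter the real key")
            cmds.append(line)
        else:
            in_group = False
    # Removal of the old group (this example's choice of command).
    cmds.append(f"clear configure tunnel-group {old_ip}")
    return cmds, warnings
```

The masked-key warning matters when copying a tunnel-group: `show run` prints the pre-shared key as `*****`, while `more system:running-config` displays the stored value.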