Migrate vpn tunnel to new ASA

khaled alodat
Level 1

Hi,

Is there any way to migrate existing sites (VPN) to a new ASA?

We have more than 50 offices connected to our main office, and we have installed a new ASA firewall with a bigger pipe.

I need a way to migrate the offices that saves time (going to each and every office) and money (buying a new router and sending it with the new config).

I was thinking of adding a new peer address and killing the preshared key on the old VPN.

Can someone please help me?

1 Accepted Solution

Accepted Solutions

jj27
Spotlight

Yes.

I would do the following if I were tasked with this project.

  1. Configure the new ASA with all of the tunnel-groups for the remote peers and the rest of the VPN configuration (crypto maps, ACLs, NAT, etc.).
  2. Log in to the remote ASAs via the outside interface. Most organizations allow SSH/HTTPS to their firewalls from specific management IPs at the main site.
    1. Create a tunnel-group for the peer IP of the new ASA.
    2. Change the existing crypto map peer IP to point to the new IP address.
  3. On your network routing core at the main site, change/add an IP route for the remote site local subnets to point to the inside interface of the new ASA so all of your local networks can properly reach the remote sites.

That should be it. Thanks.


2 Replies


Thank you for your help.

What you have mentioned is the right way to do it, but what I need to do is more like a failover plan: a crypto map with two peer addresses. By the way, the remote site is not an ASA; I have an 800 router.

My question is: can you create one crypto map with two peer addresses? If yes,

what I will do is the following:

1- Create the crypto map with two peer addresses.

2- Change the preshared key on the tunnel group on the main ASA (which means the VPN will go down), so it will jump to the second peer (which I have already configured on the second main ASA that I have recently implemented).

3- Change the route on the core switch.

The idea is not to have any downtime at all.
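A configuration sketch, added here and not from either poster, of the two-peer crypto map the reply above asks about on the branch 800 router, paired with the per-peer tunnel-group the accepted answer describes for the new ASA. All addresses, names, the key placeholder and the WAN interface are constructed; ASA 8.4+ IKEv1 syntax is assumed.

```text
! ---- Remote office: Cisco 800-series IOS router (constructed example) ----
! Hub addresses 203.0.113.1 (old ASA) and 203.0.113.2 (new ASA) are placeholders.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
! Same secret for both hubs so the branch never depends on which hub is active.
crypto isakmp key <SHARED_SECRET> address 203.0.113.1
crypto isakmp key <SHARED_SECRET> address 203.0.113.2
! Dead Peer Detection lets the router notice the old hub has stopped answering
! and move on to the next peer in the list.
crypto isakmp keepalive 10 3 periodic
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
ip access-list extended VPN-TRAFFIC
 permit ip 10.50.1.0 0.0.0.255 10.0.0.0 0.0.255.255
! One crypto map entry, two peers, tried in the order listed.
crypto map HUB-VPN 10 ipsec-isakmp
 set peer 203.0.113.1
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
interface FastEthernet4
 crypto map HUB-VPN
!
! ---- New main-site ASA (8.4+ IKEv1 syntax assumed), one tunnel-group per branch ----
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
access-list BRANCH1-VPN extended permit ip 10.0.0.0 255.255.0.0 10.50.1.0 255.255.255.0
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 ikev1 pre-shared-key <SHARED_SECRET>
crypto map OUTSIDE-MAP 10 match address BRANCH1-VPN
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS
crypto map OUTSIDE-MAP interface outside
!
! ---- Cut-over check (branch side) ----
! An SA that is already established is not torn down by a key change on the hub;
! it is replaced only once the old SA is cleared or DPD declares that peer dead.
! Confirm afterwards that the active peer is the new hub:
show crypto isakmp sa
show crypto session
```

The core route change from the accepted answer still has to happen at the main site once the branch shows the new peer, otherwise return traffic keeps going to the old ASA.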