After you have created a Site-to-Site VPN (if you don’t know how, check this post), this is how to change the remote peer's IP address on the ASA. In this case we will use PuTTY (click here to download it) to connect to the ASA 5510.
1. Log in to the Cisco ASA and enter configuration mode (command: configure terminal):
    RemoteSite>
    RemoteSite> enable
    Password: ***********
    RemoteSite# configure terminal
    RemoteSite(config)#
2. To see all the crypto maps, run the command “show run crypto map” (you may see more or fewer entries depending on the number of VPN tunnels you have):
    RemoteSite(config)# show run crypto map
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set pfs
    crypto map outside_map 1 set peer 111.111.111.111
    crypto map outside_map 1 set transform-set ESP-3DES-SHA
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set pfs
    crypto map outside_map 2 set peer 123.123.123.123
    crypto map outside_map 2 set transform-set ESP-3DES-SHA
    crypto map outside_map 3 match address outside_3_cryptomap
    crypto map outside_map 3 set pfs
    crypto map outside_map 3 set peer 133.133.133.133
    crypto map outside_map 3 set transform-set ESP-3DES-SHA
    crypto map outside_map 4 match address outside_4_cryptomap
    crypto map outside_map 4 set pfs
    crypto map outside_map 4 set peer 144.144.144.144
    crypto map outside_map 4 set transform-set ESP-3DES-SHA
    RemoteSite(config)#
3. Find the IP you want to change. From the example above we can see the tunnel we want to change is using “outside_map 2”, so let's remove the entry for the old IP address and put one in for the new IP address. Use the command “no crypto map xxxxxxxxxxxx” to remove the old peer from the crypto map entry and then “crypto map xxxxxxx” to set the new peer. The “crypto map entry will be incomplete” warning is expected: the entry has no peer between the two commands.
    RemoteSite(config)# no crypto map outside_map 2 set peer 123.123.123.123
    WARNING: The crypto map entry will be incomplete!
    RemoteSite(config)# crypto map outside_map 2 set peer 234.234.234.234
    RemoteSite(config)#
4. That’s the crypto map changed; now for the tunnel group. You can see all your tunnel groups with a “sho run tun” command (short for “show run tunnel-group”):
    RemoteSite(config)# sho run tun
    tunnel-group DefaultL2LGroup ipsec-attributes
     isakmp keepalive threshold 20 retry 2
    tunnel-group DefaultRAGroup ipsec-attributes
     isakmp keepalive threshold 20 retry 2
    tunnel-group DefaultWEBVPNGroup ipsec-attributes
     isakmp keepalive threshold 20 retry 2
    tunnel-group 111.111.111.111 type ipsec-l2l
    tunnel-group 111.111.111.111 ipsec-attributes
     pre-shared-key *****
    tunnel-group 123.123.123.123 type ipsec-l2l
    tunnel-group 123.123.123.123 ipsec-attributes
     pre-shared-key *****
    tunnel-group 133.133.133.133 type ipsec-l2l
    tunnel-group 133.133.133.133 ipsec-attributes
     pre-shared-key *****
     isakmp keepalive threshold 20 retry 2
    tunnel-group 144.144.144.144 type ipsec-l2l
    tunnel-group 144.144.144.144 ipsec-attributes
     pre-shared-key *****
5. To delete a tunnel group, use the “clear config tunnel-group” command.
Note: Before you delete it, make sure you know the pre-shared key / shared secret. “show run” masks it with *****; to see it in clear text, issue a “more system:running-config” command.
    RemoteSite(config)# clear config tunnel-group 123.123.123.123
    RemoteSite(config)#
6. Then simply create a new tunnel group, with the new IP address, and the same shared secret / pre shared key as the old one.
    RemoteSite(config)# tunnel-group 234.234.234.234 type ipsec-l2l
    RemoteSite(config)# tunnel-group 234.234.234.234 ipsec-attributes
    RemoteSite(config-tunnel-ipsec)# pre-shared-key 123456789
7. Finally, save the new config with a “write mem” command:
    RemoteSite(config)# write mem
    Building configuration…
    Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948
    9830 bytes copied in 1.550 secs (9830 bytes/sec)
    [OK]
    RemoteSite(config)#
Done: you have changed the remote site IP address and the VPN should be up and running.
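The seven steps above are easy to get wrong by hand when a firewall carries many tunnels (picking the wrong crypto map sequence number, mistyping the new address, or clearing a tunnel-group that does not exist). The following Python script is an added example, not part of the original post or any Cisco tooling: it parses the output of “show run crypto map” and “show run tunnel-group” (constructed sample text modelled on the sessions above, not captured from a real device), checks that the old peer really exists and the new one does not, and emits the ordered command list in the same sequence as steps 3 to 7. The helper names and the pre-shared-key placeholder are the script's own assumptions; the real key is read with “more system:running-config” and filled in by the operator.

```python
import ipaddress
import re

# Constructed sample output, modelled on what "show run crypto map" and
# "show run tunnel-group" print on an ASA; not captured from a real device.
SHOW_RUN_CRYPTO_MAP = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 123.123.123.123
crypto map outside_map 2 set transform-set ESP-3DES-SHA
"""

SHOW_RUN_TUNNEL_GROUP = """\
tunnel-group DefaultL2LGroup ipsec-attributes
 isakmp keepalive threshold 20 retry 2
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
 pre-shared-key *****
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 pre-shared-key *****
"""

# "set peer" may list several peers on one line, so capture the whole tail.
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+?)\s*$")
L2L_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l\s*$")


def find_crypto_map_entries(crypto_map_output, peer_ip):
    """Return [(map_name, seq_no), ...] for every entry whose peer list contains peer_ip."""
    entries = []
    for line in crypto_map_output.splitlines():
        m = PEER_RE.match(line)
        if m and peer_ip in m.group(3).split():
            entries.append((m.group(1), int(m.group(2))))
    return entries


def find_l2l_tunnel_groups(tunnel_group_output):
    """Return the set of tunnel-group names declared as type ipsec-l2l."""
    return {m.group(1) for m in map(L2L_RE.match, tunnel_group_output.splitlines()) if m}


def plan_peer_change(crypto_map_output, tunnel_group_output, old_peer, new_peer):
    """Build the ordered ASA config commands for moving a site-to-site peer.

    Raises ValueError for a malformed address or a new peer that already has a
    tunnel-group, and LookupError when the old peer is not in the config.
    """
    # ip_address() raises ValueError on anything that is not a valid address,
    # which catches a typo before it is pasted into the firewall.
    ipaddress.ip_address(old_peer)
    ipaddress.ip_address(new_peer)

    entries = find_crypto_map_entries(crypto_map_output, old_peer)
    if not entries:
        raise LookupError(f"no crypto map entry sets peer {old_peer}")
    groups = find_l2l_tunnel_groups(tunnel_group_output)
    if old_peer not in groups:
        raise LookupError(f"no ipsec-l2l tunnel-group named {old_peer}")
    if new_peer in groups:
        raise ValueError(f"tunnel-group {new_peer} already exists; remove it first")

    commands = []
    for map_name, seq in entries:
        commands.append(f"no crypto map {map_name} {seq} set peer {old_peer}")
        commands.append(f"crypto map {map_name} {seq} set peer {new_peer}")
    commands += [
        f"clear config tunnel-group {old_peer}",
        f"tunnel-group {new_peer} type ipsec-l2l",
        f"tunnel-group {new_peer} ipsec-attributes",
        # Placeholder (assumption): the key is masked in "show run"; read it with
        # "more system:running-config" and fill it in by hand, never store it here.
        " pre-shared-key <PSK-FROM-more-system:running-config>",
        "write mem",
    ]
    return commands


if __name__ == "__main__":
    for cmd in plan_peer_change(SHOW_RUN_CRYPTO_MAP, SHOW_RUN_TUNNEL_GROUP,
                                "123.123.123.123", "234.234.234.234"):
        print(cmd)
```

Run it with the two “show run” outputs saved from the ASA and paste the printed commands into configuration mode; because the key placeholder is deliberately not a valid value, the script cannot be pasted blindly, and the pre-shared key has to be supplied at the console exactly as in step 6.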