Easily Change Cisco ASA VPN Peer IP

Webmaster | Dec 19, 2018| Security

VPN use is very prevalent these days, especially for businesses and the number of mobile workers, remote offices and tunneled cloud infrastructure. Inevitably at some point the IP address of an end point will need to be changed.

This can be accomplished quickly and easy in a few steps, in this blip we’ll look at a simple IKEv1 VPN tunnel -while IKEv2 is the way to go these days – there are still a gazillion IKEv1 tunnels in operation. The steps can be broke down to a handful of steps: Make Config Backup & get Pre-Shared Key, Modify Cryptomap, Modify Tunnel Group.

First things first, always make a backup of your Cisco ASA 5506 config before modifications, whether this is simply copy/paste to a text file or copying it off somewhere remotely, do it ! You’ll want to ensure you have the pre shared key for any tunnels you plan on modifying, so pro tip – using the “more system:running-config” will display the pre shared key in plain text with the entire ASA config.

Secondly, we’ll find and change the cryptomap entries. This can be accomplished a few ways, we’ll use one simple way. In this example 1.2.3.4 will be our existing VPM Tunnel Peer IP and 6.7.8.9 will the new peer IP we’re changing to. (substitute fot the IPs you’re using).

# sh run | b peer 1.2.3.4

You should see something similar to:

crypto map outside_map X set peer 1.2.3.4

where the outsidemap X name may be something different on yours according to interface names, but that’s the crypto map we need to modify.

Remove old entry…

# no crypto map outside_map X set peer 1.2.3.4

You may see an warning message like this, but do not utterly panic, carry on. WARNING: The crypto map entry will be incomplete!

Add new entry…

# crypto map outside_map X set peer 6.7.8.9

Third and last, with the crypto may changed, we’ll change the tunnel group. Use “sho run tun” to see all the tunnel groups or “sh run tunnel-group 1.2.3.4” to see just the one you need. Be sure you have the pre shared key and all the attribute lines for the specific tunnel group before clearing it !

# clear config tunnel-group 1.2.3.4

Then re-create tunnel group with new IP and same attributes:

# tunnel-group 6.7.8.9 type ipsec-l2l
# tunnel-group 6.7.8.9 ipsec-attributes
# pre-shared-key some_good_password

That’s it. User the “wr mem” command to write your new confi to the Cisco ASA flash. For clarity here are the commands:

# conf t
# no crypto map outside_map X set peer 1.2.3.4
# crypto map outside_map X set peer 6.7.8.9
# clear config tunnel-group 1.2.3.4 
# tunnel-group 6.7.8.9 type ipsec-l2l
# tunnel-group 6.7.8.9 ipsec-attributes
# pre-shared-key some_good_password
# wr mem
#Asa #Cisco #Vpn

See Also