VPN use is very prevalent these days, especially for businesses and the number of mobile workers, remote offices and tunneled cloud infrastructure. Inevitably at some point the IP address of an end point will need to be changed.
This can be accomplished quickly and easy in a few steps, in this blip we’ll look at a simple IKEv1 VPN tunnel -while IKEv2 is the way to go these days – there are still a gazillion IKEv1 tunnels in operation. The steps can be broke down to a handful of steps: Make Config Backup & get Pre-Shared Key, Modify Cryptomap, Modify Tunnel Group.
First things first, always make a backup of your Cisco ASA 5506 config before modifications, whether this is simply copy/paste to a text file or copying it off somewhere remotely, do it ! You’ll want to ensure you have the pre shared key for any tunnels you plan on modifying, so pro tip – using the “more system:running-config” will display the pre shared key in plain text with the entire ASA config.
Secondly, we’ll find and change the cryptomap entries. This can be accomplished a few ways, we’ll use one simple way. In this example 126.96.36.199 will be our existing VPM Tunnel Peer IP and 188.8.131.52 will the new peer IP we’re changing to. (substitute fot the IPs you’re using).
# sh run | b peer 184.108.40.206
You should see something similar to:
crypto map outside_map X set peer 220.127.116.11
where the outsidemap X name may be something different on yours according to interface names, but that’s the crypto map we need to modify.
Remove old entry…
# no crypto map outside_map X set peer 18.104.22.168
You may see an warning message like this, but do not utterly panic, carry on. WARNING: The crypto map entry will be incomplete!
Add new entry…
# crypto map outside_map X set peer 22.214.171.124
Third and last, with the crypto may changed, we’ll change the tunnel group. Use “sho run tun” to see all the tunnel groups or “sh run tunnel-group 126.96.36.199” to see just the one you need. Be sure you have the pre shared key and all the attribute lines for the specific tunnel group before clearing it !
# clear config tunnel-group 188.8.131.52
Then re-create tunnel group with new IP and same attributes:
# tunnel-group 184.108.40.206 type ipsec-l2l # tunnel-group 220.127.116.11 ipsec-attributes # pre-shared-key some_good_password
That’s it. User the “wr mem” command to write your new confi to the Cisco ASA flash. For clarity here are the commands:
# conf t # no crypto map outside_map X set peer 18.104.22.168 # crypto map outside_map X set peer 22.214.171.124 # clear config tunnel-group 126.96.36.199 # tunnel-group 188.8.131.52 type ipsec-l2l # tunnel-group 184.108.40.206 ipsec-attributes # pre-shared-key some_good_password # wr mem