How to change a L2L VPN peer IP on Cisco ASA 8.3(2)4

Today a customer called to change the IP address of an L2L VPN peer on his Cisco ASA 8.3(2)4.

The task can be divided into 3 steps:

1) Get the VPN password. It should be written somewhere in the network documentation, as stated by rule 7, but you know, passwords sometimes just get lost.

2) Find and update the crypto map

asa# sh run | b peer 1.1.1.1

You should get a line like

crypto map outside_map X set peer 1.1.1.1

where X is the sequence number of the crypto map entry we have to modify. Copy every line associated with that entry; in my case it is:

! REMOVE OLD PEER
no crypto map outside_map 6 set peer 1.1.1.1
! ADD NEW PEER
crypto map outside_map 6 set peer 2.2.2.2
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set pfs group5

3) Find and update the tunnel group

asa# sh run tunnel-group 1.1.1.1

then copy every attribute to the new tunnel group

! REMOVE PREVIOUS TUNNEL
no tunnel-group 1.1.1.1 ipsec-attributes
no tunnel-group 1.1.1.1
! CREATE NEW TUNNEL WITH THE SAME ATTRIBUTES
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key Sup3Rs3cr3t@
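To make the search-and-copy work of steps 2 and 3 less error-prone, here is an added Python example (not from the original post) that reads a captured "show run", finds the crypto map entry and tunnel group for the old peer, and emits the same command sequence for review before it is pasted into the ASA. The sample config, the peer addresses and the <PSK-FROM-DOCUMENTATION> placeholder are constructed; the real key has to come from step 1 because "show run" masks it.

```python
import re
# Constructed sample of 'show run' output (not a real device); 'show run' masks PSKs as *****.
SAMPLE_CONFIG = """\
crypto map outside_map 6 match address outside_6_cryptomap
crypto map outside_map 6 set peer 1.1.1.1
crypto map outside_map 6 set transform-set ESP-AES-128-SHA
crypto map outside_map 7 set peer 3.3.3.3
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 10 retry 2
"""

def crypto_map_entries(config, old_peer):
    """(map_name, seq, all lines of that entry) for each entry whose peer is old_peer."""
    lines = config.splitlines()
    found = []
    for name, seq, peer in re.findall(r"^crypto map (\S+) (\d+) set peer (\S+)$", config, re.M):
        if peer == old_peer:
            prefix = f"crypto map {name} {seq} "
            found.append((name, seq, [l for l in lines if l.startswith(prefix)]))
    return found

def tunnel_group_attrs(config, old_peer):
    """Indented lines under 'tunnel-group <old_peer> ipsec-attributes', stripped."""
    lines = config.splitlines()
    header = f"tunnel-group {old_peer} ipsec-attributes"
    if header not in lines:
        raise ValueError(f"no ipsec-attributes block for {old_peer}")
    attrs = []
    for l in lines[lines.index(header) + 1:]:
        if not l.startswith(" "):
            break  # next top-level command ends the block
        attrs.append(l.strip())
    return attrs

def build_commands(config, old_peer, new_peer, psk):
    """Change set in the post's order: re-point the crypto map, then rebuild the tunnel group."""
    cmds = []
    for name, seq, lines in crypto_map_entries(config, old_peer):
        cmds.append(f"no crypto map {name} {seq} set peer {old_peer}")
        cmds += [l.replace(f"set peer {old_peer}", f"set peer {new_peer}") for l in lines]
    attrs = tunnel_group_attrs(config, old_peer)  # read before the 'no' commands drop it
    cmds += [f"no tunnel-group {old_peer} ipsec-attributes", f"no tunnel-group {old_peer}",
             f"tunnel-group {new_peer} type ipsec-l2l", f"tunnel-group {new_peer} ipsec-attributes"]
    for a in attrs:
        if a.startswith("pre-shared-key"):
            a = f"pre-shared-key {psk}"  # masked in the capture; use the key from step 1
        cmds.append(f" {a}")
    return cmds
```

Run build_commands(SAMPLE_CONFIG, "1.1.1.1", "2.2.2.2", "<PSK-FROM-DOCUMENTATION>") and diff the output against the device before applying it; the "no tunnel-group" lines drop the existing tunnel, so schedule the change accordingly.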

Now just check whether the new peer is up

asa# sh crypto ipsec sa peer 2.2.2.2

If it doesn't show up, verify that the whole configuration is correct and check the IKEv1 status

asa# sh crypto ikev1 sa

Compare with these possible outputs and read these Tips on Troubleshooting VPNs in General.
