ASA VPN Tunnel Peer IP Change

These steps are meant to minimize downtime. The beauty is that the OLD peer IP stays up and running while the NEW peer IP is configured alongside it. You can prep the NEW IP ahead of time and then, during the change control window, swing the traffic over.


===== Gather Info Commands:
sh running-config tunnel-group (ASA – Get Tunnel Group Config)
sh running-config crypto map (ASA – Get Crypto Map Config (ONLY the line with the PEER IP info))
more system:running-config | i ipsec-attributes|pre-shared-key (ASA – Get the PSK for your PEER)
sh run | inc <PEER-IP> (ASA/7K – Get the route(s) that are on the 7K)
sh isakmp sa | inc <PEER-IP> (ASA – Verify tunnel is up)

1. Get the PSK for the OLD IP (if you’re keeping the old PSK):

more system:running-config | i ipsec-attributes|pre-shared-key

2. Configure the NEW Tunnel Group with the PSK you got from step 1:

tunnel-group <NEW-PEER-IP> type ipsec-l2l
tunnel-group <NEW-PEER-IP> general-attributes
  default-group-policy CORDEROPolicy
tunnel-group <NEW-PEER-IP> ipsec-attributes
  ikev1 pre-shared-key P@ssw0rd

3. Add the NEW IP to the Crypto Map:

crypto map outside_map 27 set peer <NEW-PEER-IP>

4. Change the route on the ASA (if there is one):

no route Outside <OLD-PEER-IP> <MASK> <NEXT-HOP> 1
route Outside <NEW-PEER-IP> <MASK> <NEXT-HOP> 1

5. Check the route on the core switches if you are using statics (in this case it’s a 7K core):

ip route <NEW-PEER-PREFIX> <NEXT-HOP>
no ip route <OLD-PEER-PREFIX> <NEXT-HOP>

6. Remove the OLD IP from the Crypto Map:

no crypto map outside_map 27 set peer <OLD-PEER-IP>

7. Delete the OLD Tunnel Group:

clear configure tunnel-group <OLD-PEER-IP>
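As an added example (not from the original post), a small Python helper that renders steps 2-3 and 6-7 for a given OLD/NEW peer and, before the OLD peer is removed, checks a captured `show isakmp sa` output for an MM_ACTIVE IKEv1 SA with the NEW peer. The sample output, peer addresses, crypto-map name/sequence and PSK value are constructed for illustration.

```python
import re

# Constructed sample of ASA "show isakmp sa" (IKEv1) output, used only for this example.
SAMPLE_SHOW_ISAKMP_SA = """\
IKEv1 SAs:
   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

1   IKE Peer: 198.51.100.7
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 203.0.113.45
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_WAIT_MSG2
"""

def peer_states(show_output):
    """Map each 'IKE Peer' address in the output to the IKE State field that follows it."""
    states, peer = {}, None
    for line in show_output.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            peer = m.group(1)
            continue
        m = re.search(r"State\s*:\s*(\S+)", line)
        if m and peer:
            states[peer] = m.group(1)
            peer = None
    return states

def safe_to_remove_old_peer(show_output, new_peer):
    """Guard for step 6: only drop the OLD peer once the NEW peer's IKEv1 SA is MM_ACTIVE."""
    return peer_states(show_output).get(new_peer) == "MM_ACTIVE"

def cutover_config(old_peer, new_peer, map_name, seq, policy, psk):
    """Return (prep, cleanup) ASA command lists mirroring steps 2-3 and 6-7 of the procedure."""
    prep = [
        f"tunnel-group {new_peer} type ipsec-l2l",
        f"tunnel-group {new_peer} general-attributes",
        f"  default-group-policy {policy}",
        f"tunnel-group {new_peer} ipsec-attributes",
        f"  ikev1 pre-shared-key {psk}",
        f"crypto map {map_name} {seq} set peer {new_peer}",
    ]
    cleanup = [
        f"no crypto map {map_name} {seq} set peer {old_peer}",
        f"clear configure tunnel-group {old_peer}",
    ]
    return prep, cleanup
```

Paste the real `show isakmp sa` output into `safe_to_remove_old_peer()` during the change window; the cleanup list should only be applied when it returns True for the NEW peer.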