ASA VPN Tunnel Peer IP Change

These steps are meant to minimize downtime. The beauty is that you keep the OLD IP up and running while the NEW IP is configured alongside it. You can prep the NEW IP ahead of time and then, during a change-control window, swing the traffic over.

OLD IP: 174.46.144.158
NEW IP: 206.74.203.162

=====Gather Info Commands:
sh running-config tunnel-group (ASA – Get Tunnel Group Config)
sh running-config crypto map (ASA – Get Crypto Map Config (only the line with the PEER IP info))
more system:running-config | i ipsec-attributes|pre-shared-key (ASA – Get the PSK for your PEER; plain "show running-config" masks the key as *****, this form shows it)
sh run | inc 174.46.144.158 (ASA/7K – Get the route(s) that are on the 7K)
sh isakmp sa | inc 206.74.203.162 (ASA – Verify tunnel is up)

=====STEPS:
1. Get the PSK for the OLD IP (if you’re keeping the old PSK):

more system:running-config | i ipsec-attributes|pre-shared-key

2. Configure and copy NEW Tunnel Group with the PSK you got from #1:

tunnel-group 206.74.203.162 type ipsec-l2l
tunnel-group 206.74.203.162 general-attributes
  default-group-policy CORDEROPolicy
tunnel-group 206.74.203.162 ipsec-attributes
  ikev1 pre-shared-key P@ssw0rd

3. Add new IP to Crypto Map:

crypto map outside_map 27 set peer 174.46.144.158 206.74.203.162

4. Change route on ASA (if there is one):

no route Outside 192.168.255.10 255.255.255.255 174.46.144.158 1
route Outside 192.168.255.10 255.255.255.255 206.74.203.162 1

5. Check route on the Core switches if you are using statics (in this case it’s a 7K core):

ip route 206.74.203.162/32 172.16.11.223
no ip route 174.46.144.158/32 172.16.11.223

6. Remove OLD IP from the Crypto Map:

no crypto map outside_map 27 set peer 174.46.144.158

7. Delete OLD Tunnel Group:

clear configure tunnel-group 174.46.144.158
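The ASA side of steps 1 through 7 can be generated and gated rather than typed by hand. The following is an added example, not code from the original post: it parses the tunnel-group and crypto map output from the "Gather Info" commands (the sample strings below are constructed to match the OLD/NEW IPs, CORDEROPolicy and outside_map 27 used above), builds the prep commands (steps 2 and 3) and the cleanup commands (steps 6 and 7), and refuses to emit the cleanup until a "sh isakmp sa" capture shows an active SA with the NEW peer. The function names, the rollback list and the assumption of an IKEv1 pre-shared key are mine, not from the post.

```python
"""Build an ASA L2L peer-IP cutover plan (added example, not from the post)."""
import re

OLD_PEER = "174.46.144.158"
NEW_PEER = "206.74.203.162"

# Constructed sample of `more system:running-config | i ...` output for the old peer.
# That form is used because `show running-config` masks the key as *****.
SAMPLE_TG_CONFIG = """\
tunnel-group 174.46.144.158 type ipsec-l2l
tunnel-group 174.46.144.158 general-attributes
 default-group-policy CORDEROPolicy
tunnel-group 174.46.144.158 ipsec-attributes
 ikev1 pre-shared-key P@ssw0rd
"""

# Constructed sample of `sh running-config crypto map` output.
SAMPLE_CRYPTO_MAP = """\
crypto map outside_map 27 match address outside_cryptomap_27
crypto map outside_map 27 set peer 174.46.144.158
crypto map outside_map 27 set ikev1 transform-set ESP-AES-256-SHA
"""

# Constructed samples of `sh isakmp sa` output: tunnel to the new peer up / not up.
SAMPLE_ISAKMP_UP = """\
IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 206.74.203.162
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""
SAMPLE_ISAKMP_DOWN = "There are no IKEv1 SAs\n"


def parse_tunnel_group(config: str, peer: str) -> dict:
    """Extract the default group policy and IKEv1 PSK of one L2L tunnel-group."""
    info = {"peer": peer, "policy": None, "psk": None}
    in_group = False
    for line in config.splitlines():
        if line.startswith("tunnel-group "):
            in_group = line.split()[1] == peer  # stanza for our peer?
            continue
        if not in_group:
            continue
        m = re.match(r"\s+default-group-policy (\S+)", line)
        if m:
            info["policy"] = m.group(1)
        m = re.match(r"\s+ikev1 pre-shared-key (\S+)", line)
        if m:
            info["psk"] = m.group(1)
    if info["psk"] is None:
        raise ValueError(f"no IKEv1 PSK found for peer {peer}")
    return info


def find_crypto_map_entry(config: str, peer: str) -> tuple:
    """Return (map name, sequence number) of the entry whose peer list holds `peer`."""
    pat = re.compile(r"crypto map (\S+) (\d+) set peer (.+)")
    for line in config.splitlines():
        m = pat.match(line)
        if m and peer in m.group(3).split():
            return m.group(1), int(m.group(2))
    raise ValueError(f"no crypto map entry sets peer {peer}")


def build_prep(old: str, new: str, tg: dict, cm_name: str, seq: int) -> list:
    """Steps 2 and 3: new tunnel-group with the old PSK, both peers on the map."""
    return [
        f"tunnel-group {new} type ipsec-l2l",
        f"tunnel-group {new} general-attributes",
        f" default-group-policy {tg['policy']}",
        f"tunnel-group {new} ipsec-attributes",
        f" ikev1 pre-shared-key {tg['psk']}",
        f"crypto map {cm_name} {seq} set peer {old} {new}",
    ]


def build_rollback(new: str, cm_name: str, seq: int) -> list:
    """Undo of the prep phase if the new peer never comes up (my addition)."""
    return [f"no crypto map {cm_name} {seq} set peer {new}",
            f"clear configure tunnel-group {new}"]


def isakmp_peer_active(show_output: str, peer: str) -> bool:
    """True if `sh isakmp sa` reports an established IKEv1 SA with `peer`."""
    current = None
    for line in show_output.splitlines():
        m = re.search(r"IKE Peer:\s*(\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current == peer and re.search(r"State\s*:\s*(MM|AM)_ACTIVE", line):
            return True
    return False


def plan_cleanup(show_output: str, old: str, new: str, cm_name: str, seq: int) -> list:
    """Steps 6 and 7, emitted only once the NEW peer's SA is active."""
    if not isakmp_peer_active(show_output, new):
        raise RuntimeError(f"refusing cleanup: no active IKE SA with {new}")
    return [f"no crypto map {cm_name} {seq} set peer {old}",
            f"clear configure tunnel-group {old}"]


if __name__ == "__main__":
    tg = parse_tunnel_group(SAMPLE_TG_CONFIG, OLD_PEER)
    cm_name, seq = find_crypto_map_entry(SAMPLE_CRYPTO_MAP, OLD_PEER)
    print("\n".join(build_prep(OLD_PEER, NEW_PEER, tg, cm_name, seq)))
    print("\n".join(plan_cleanup(SAMPLE_ISAKMP_UP, OLD_PEER, NEW_PEER, cm_name, seq)))
```

Run it against real captures by replacing the sample strings with the output of the "Gather Info" commands; the cleanup gate is the important part, since removing the OLD peer before the NEW SA is MM_ACTIVE is what actually causes the outage this procedure is trying to avoid.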