Easy change of a Cisco ASA VPN site-2-site tunnel IP address.

A few times now I have had to change the peer IP address of a site-to-site VPN tunnel on Cisco ASAs, and at first my colleague said I had to remove the whole VPN configuration and rebuild it. During my testing, however, I found a way that does not require removing the whole site-to-site configuration. Below I describe what I do to change the IP address of a Cisco site-to-site tunnel in a live situation, where the other site has received a new IP address.
First, look up the current configuration, which looks like this:

crypto map OUTSIDE_map 1 set peer <current IP >
tunnel-group <current IP> type ipsec-l2l
tunnel-group <current IP> ipsec-attributes
pre-shared-key <current KEY>

Second, create the same configuration with the new IP address of the remote location:

crypto map OUTSIDE_map 1 set peer <new IP >
tunnel-group <new IP> type ipsec-l2l
tunnel-group <new IP> ipsec-attributes
pre-shared-key <remain the same KEY>

In show running-config you will then see a line like the one below, listing both peers:
crypto map OUTSIDE_map 1 set peer <current IP > <new IP >
The next thing you need to do is remove the old IP settings on the ASA, with the following steps.

Then type:
no crypto map OUTSIDE_map 1 set peer <current IP >
no tunnel-group <current IP> type ipsec-l2l
no tunnel-group <current IP> ipsec-attributes

The Cisco ASA may answer back that you should use the clear command instead. If you use that command, the tunnel-group configuration is removed as well.
If you now run show running-config, you will see that the old configuration is removed and the new one is in place. Just check in the ASDM that your VPN tunnel is back online, and then it should work as before.
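As an added example (not from the original post), the procedure above as a small Python helper: it finds the crypto map entry that carries the old peer in a constructed running-config sample, emits the commands in the post's order (add the new peer and tunnel-group first, remove the old ones afterwards, using the clear configure tunnel-group form the comments recommend), and checks for the intermediate state where the set peer line lists both addresses before anything is removed. The map name, sequence number and addresses are assumed sample values.

```python
import ipaddress
import re

# Constructed sample of the relevant 'show running-config' lines (not from a real device)
RUNNING_CONFIG = """\
crypto map OUTSIDE_map 1 match address OUTSIDE_cryptomap
crypto map OUTSIDE_map 1 set peer 198.51.100.10
crypto map OUTSIDE_map 1 set ikev1 transform-set ESP-AES-256-SHA
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key *****
"""

# One 'set peer' line per crypto map entry; the peer field may list several addresses
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$", re.M)


def find_peer_entry(config, old_peer):
    """Return (map_name, seq) of the crypto map entry whose peer list contains old_peer."""
    for name, seq, peers in PEER_RE.findall(config):
        if old_peer in peers.split():
            return name, int(seq)
    raise LookupError(f"no crypto map entry has peer {old_peer}")


def build_change_commands(config, old_peer, new_peer, psk):
    """Emit the ASA commands in the post's order: add the new peer first, then remove the old one."""
    for ip in (old_peer, new_peer):
        ipaddress.ip_address(ip)  # reject typos before anything is typed on the device
    name, seq = find_peer_entry(config, old_peer)
    add = [
        f"crypto map {name} {seq} set peer {new_peer}",
        f"tunnel-group {new_peer} type ipsec-l2l",
        f"tunnel-group {new_peer} ipsec-attributes",
        f" pre-shared-key {psk}",  # same key as the existing tunnel
    ]
    remove = [
        f"no crypto map {name} {seq} set peer {old_peer}",
        f"clear configure tunnel-group {old_peer}",  # the form suggested in the comments
    ]
    return add, remove


def both_peers_present(config, old_peer, new_peer):
    """True when a 'set peer' line lists both addresses: the state to confirm before removing the old one."""
    return any({old_peer, new_peer} <= set(p.split()) for _, _, p in PEER_RE.findall(config))
```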

6 thoughts on “Easy change of a Cisco ASA VPN site-2-site tunnel IP address.”

  1. Just a suggestion: we can also type “clear configure tunnel-group” instead of the two “no tunnel-group…” lines.

  2. That was the command I forgot, thanks a lot for the suggestion. On the latest ASA software you need to do “clear configure tunnel-group”.

  3. Pingback: How to update Cisco VPN site-to-site peer IP
