Changing IP Addresses in VPN Tunnel

Unanswered Question
Jan 31st, 2007

We have a remote site that is changing their subnet. They have an access list doing a NONAT across the VPN tunnel.

Will anything break if we just leave all the crypto maps, and the access lists the same, simply change the IP addresses that are defined from 192.168.x.x to 10.x.x.x, , reapply the config on the remote pix which will break the VPN tunnel, then apply a new config on the PIX we have here? Will the config work OK, after both ends have their subnets changed and then we just send interesting traffic across to bring the tunnel back up? I am pretty sure that it is set up with pre shared keys. what problems will we run into? How can we debug if we have a problem? We have no one on site that can help. Can we do a reload 30 like you can on a router on PIX 6.3? That way if it fails the router will reboot later if we don't do a write.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
m-haddad Wed, 01/31/2007 - 16:21


Changing the access-lists on both sides would result in re-establishing the tunnel. Therefore, if you login remotely and do the configuration you would lose connectivity.

I suggest configure a parrallel environement. That is don't remove anything from the crypto or NONAT ACLs. Just add new lines to match the new IP Addressing. Once you add them clear the tunnel and let it establish again. After you are sure that everything is working remove the old subnet from the ACL.

Schedueled reload on PIX is not supported in version 6.x. It is supported in ver 7.0

Let me know if you require anything further,

Appreciate you rating,


jdwcal730 Wed, 01/31/2007 - 16:25

So I should just be able to copy and paste all of the old lines, change the IP addresses so it maches and apply only the new lines into the config?

When you add new Crypto Maps and access lists for the VPN's doesn't it break the existing ones for a few seconds?

m-haddad Wed, 01/31/2007 - 16:40

PIX can have only one crypto map with different instance numbers. So if you modify an instance it would break the VPN tunnel for this instance for few seconds. However, what I suggested is just adding the new IP Addresses ACL Lines to the crypto ACL and NONAT. After you perform some testing and make sure things are working on the new subnet remove the old lines.

Hope this clarifies the issue,

Let me know if you need anything else,


jdwcal730 Thu, 02/01/2007 - 07:50

The only other question related to this, is doing this on a router to router VPN, apparently the new subnet has not been added to the interface of the router. Is there a problem adding a second IP address to the VLAN interface on the router? The existing IP address is in the current tunnel, can I add a second IP address to the existing VLAN interface, then add the new IP addresses to the NONAT and the access list without breaking the existing VPN? Thanks for your help, so far very helpful.

m-haddad Thu, 02/01/2007 - 08:44


Adding the second subnet to the router won't break the VPN Tunnel. Even if you modify the NONAT ACL this won't break the tunnel. The tunnel will break once you modify the crypto ACL because it will match the new subnet and will re-establish another tunnel matching the new encryption domain.

Therefore, first modify the ACLs on the remote device and when you modify the crypto ACL on the remote device your VPN Session will break. Once it breaks go your local router and do the modification and the tunnel should initiate correctly.

Hope this helps and let me know if you have other questions,

Glad I am able to help,



This Discussion