How to change VPN peer address on ASA 5520

Answered Question
Mar 21st, 2007

Environment:

ASA 5520 running 7.2(1)

IPSEC L2L VPN established using Wizard.

The IP address of the remote peer needs to change. Using ASDM, I cannot change the Tunnel Group name (which is currently the peer address). I can change the peer address in the IPSec rule, but is this all that is needed?

Do I have to add a new tunnel group using the new peer address for the name? If so how does this relate to the other objects that are required for a VPN?

When you create a VPN using the Wizard, it creates multiple objects that are hard to track when changes are required. Is it best to delete all of the current VPN objects and create a new config using the wizard again?

Is it better to make the changes using the CLI? What lines need to be changed for the peer address when using commands?

Thanks in advance for any help!

Correct Answer by acomiskey, Wed, 03/21/2007 - 12:54

I can change the peer address in the IPSec rule, but is this all that is needed?

- No, tunnel group name must match peer address.

Do I have to add a new tunnel group using the new peer address for the name?

- Yes.

Is it better to make the changes using the CLI?

- I would always recommend it, but if you don't know it you have no option.

Add new tunnel-group with group name as new peer address, same key etc. Add new peer address to peer settings under edit ipsec rule. Then you should be able to remove the old tunnel group. Hope this helps you, been a while since I did it this way.
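The same three steps (new tunnel group, re-point the crypto map, drop the old group) as ASA CLI, written here as an added example rather than taken from the thread. The old peer 203.0.113.10, the new peer 203.0.113.20, the crypto map name `outside_map`, its sequence number 1 and the key string are all placeholders; substitute the values from your own running config.

```cisco
! Added example, not from the original post. Placeholder values:
!   old peer 203.0.113.10, new peer 203.0.113.20,
!   crypto map "outside_map" sequence 1, pre-shared key "SAME-KEY-AS-OLD-GROUP".

! 1. Create the new tunnel group. For an L2L tunnel the group name is the
!    peer's IP address, which is why ASDM will not let the old one be renamed.
!    Reuse the key the old group had so the remote side needs no key change.
configure terminal
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key SAME-KEY-AS-OLD-GROUP
 exit

! 2. Point the existing crypto map entry (the "IPsec rule" in ASDM) at the
!    new peer. "set peer" overwrites the previous address; the match ACL,
!    transform set and lifetimes on this entry are untouched.
crypto map outside_map 1 set peer 203.0.113.20
end

! 3. From exec mode, tear down any SA still negotiated with the old address,
!    then remove the old tunnel group so the stale name and key do not linger.
clear crypto isakmp sa
clear crypto ipsec sa peer 203.0.113.10
configure terminal
no tunnel-group 203.0.113.10
end

! 4. Verify: the map must show the new peer, and after the first interesting
!    traffic an ISAKMP SA and IPsec SA should exist for 203.0.113.20 only.
show running-config crypto map
show running-config tunnel-group
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.20
```

The crypto ACL and the NAT-exemption rule that the wizard generated are keyed on the protected networks, not on the peer address, so they are left alone; if the remote site's inside networks are also changing, those two objects are the ones to revisit. Saving with `write memory` afterwards is assumed.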
