Migrate vpn tunnel to new ASA

Answered Question
Mar 12th, 2014

Hi,

Is there any way to migrate existing sites (VPN) to a new ASA?

We have more than 50 offices connected to our main office; we have installed a new ASA firewall with a bigger pipe.

I need a way to migrate the offices that saves time (going to each and every office) and money (buying a new router and sending it with the new config).

I was thinking of adding a new peer address and killing the preshared key on the old VPN.

Can someone please help me?

Correct Answer by jjohnston1127, Wed, 03/12/2014 - 08:10

Yes.

I would do the following if I were tasked with this project.

  1. Configure the new ASA with all of the tunnel-groups for the remote peers and the rest of the VPN configuration (crypto maps, ACLs, NAT, etc.).
  2. Log in to the remote ASAs via the outside interface. Most organizations allow SSH/HTTPS to their firewalls from specific management IPs at the main site.
    1. Create a tunnel-group for the peer IP of the new ASA.
    2. Change the existing crypto map peer IP to point to the new IP address.
  3. On your network routing core at the main site, change/add an IP route for the remote site local subnets to point to the inside interface of the new ASA so all of your local networks can properly reach the remote sites.

That should be it. Thanks.


khaled alodat Thu, 03/13/2014 - 02:34

Thank you for your help.

What you have mentioned is the right way to do it, but what I need to do is like a failover plan: a crypto map with two peer addresses. By the way, the remote site is not an ASA; I have an 800 router.

My question is: Can you create one crypto map with two peer addresses? If yes, what I will do is the following:

1- Create the crypto map with two peer addresses.

2- Change the preshared key on the tunnel group on the main ASA (which means the VPN will go down), so it will jump to the second peer (which I have already configured on the second main ASA that I have recently implemented).

3- Change the route on the core switch.

The idea is not to have any downtime at all.
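
An IOS crypto map with two head-end peers, of the kind the reply above asks about, added here as an illustration and not taken from the thread. It assumes an IOS 15 image on the branch router, 203.0.113.1 and 203.0.113.2 as the old and new ASA outside addresses, 10.1.0.0/16 as the main-site networks, 192.168.10.0/24 as the branch LAN and FastEthernet4 as the WAN interface; all of these and the two PSK placeholders are assumptions.

```cisco
! Added example, not from the thread. Placeholder values: 203.0.113.1 = old
! head-end ASA, 203.0.113.2 = new head-end ASA, 10.1.0.0/16 = main site,
! 192.168.10.0/24 = this branch. Replace <OLD-ASA-PSK> and <NEW-ASA-PSK>.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! One pre-shared key per peer; give the new ASA its own key rather than
! reusing the old one, so the old key can be retired independently.
crypto isakmp key <OLD-ASA-PSK> address 203.0.113.1
crypto isakmp key <NEW-ASA-PSK> address 203.0.113.2
!
! Dead Peer Detection: probe every 10 s, retry every 3 s when unanswered.
! This is what lets the router notice the first peer is gone and move on
! to the next one; without it, an idle tunnel can sit on a dead peer.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.1.0.0 0.0.255.255
!
! One crypto map entry, two peers tried in the order listed. An SA already
! built to the first peer keeps using it until it fails or is cleared.
crypto map HQ-MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set peer 203.0.113.2
 set transform-set AES-SHA
 match address VPN-TRAFFIC
!
interface FastEthernet4
 crypto map HQ-MAP
!
! After the cutover, remove the old peer and its key so the branch can no
! longer build a tunnel to the decommissioned address:
!   crypto map HQ-MAP 10 ipsec-isakmp
!    no set peer 203.0.113.1
!   no crypto isakmp key <OLD-ASA-PSK> address 203.0.113.1
```

Confirm which peer each branch is actually using with `show crypto isakmp sa` and `show crypto ipsec sa peer 203.0.113.2` before changing the core route.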
