×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Site-to-Site ASA VPN changing public IP

Unanswered Question
Jun 25th, 2014
User Badges:

Hello,

We have a remote office that has a managed lease line and we have an ASA connected off this to create a site-to-site VPN to another office.  However the company that runs this line is changing the public IP if the router and we will also have to change our ASAs info.

I have ask the guys to let me know before they pull the plug as I need to SSH onto the ASA and change the IP, but is this possible as I will change the IP and lose connection.

The VPN/ASA is a simple configuration, I only need to change 2 areas:

 

interface Vlan2
 nameif outside
 security-level 0
 ip address 211.36.49.x 255.255.255.252

And

route outside 0.0.0.0 0.0.0.0 211.36.49.x 1

Any ideas on how I shoudl do this as I can't tavel there as I need to manage the other end at the HQ?

Thanks

 

 

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
nkarthikeyan Wed, 06/25/2014 - 04:08
User Badges:
  • Gold, 750 points or more

Hi,

 

If one end is with static and other end is having DHCP enabled for the outside/peer ip address interface then you can have the dynamic map enabled at your end to do with this without changing the IP address every time. Also other end should have the relevant domain created for it.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-nex...

http://www.slideshare.net/irisdan/site-tosite-ipsec-vpn-between-two-cisc...

HTH

 

Regards

Karthik

Marius Gunnerud Wed, 06/25/2014 - 05:37
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP,

    2017 Firewalling

How are you managing the remote end? is it over the VPN or do you connect directly via SSH to the outside interface?

It would be best if you were on site or have someone onsite that you can guide through setting up the ASA.  You would need to add new NAT entries, update the ACLs allowing traffic in and add a new default route.  Without that default route you will not be able to SSH back into the ASA...and the ASA only supports one active default route at a time. You would also need to change the peer address in the S2S vpn configuration.

What I would suggest is that you create a script and email it to someone at the remote office and explain how he/she would connect to the ASA.  The script would only need to have the new default route, remove the old default route, make sure that SSH is enabled for the outside interface and that your public IP...or you can configure any IP for a limited time...can access the ASA via SSH/HTTPS, and make sure that you have a username and password configured on the ASA or a local RADIUS/TACACS server that you can use to access the ASA.  Once you have access, you can configure everything else remotely.

--

Please remember to select a correct answer and rate helpful posts

Andrew White Thu, 06/26/2014 - 03:32
User Badges:

I think I may be able to use a laptop with 3G connectivity to remote on to and make the change, here is the config.

I think only 2 lines will need to be changed highlighted below?  Plus the remote peer IP on the remote ASA:

 

Cryptochecksum: 480321b6 29c94e53 1b334f84 2881915a 
!
ASA Version 8.2(2) 
!
hostname Eh-CBSO-ASA
!
interface Vlan1
 description inside
 nameif inside
 security-level 100
 ip address 172.19.3.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 211.36.49.x 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name gb.vo.local
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit ip 172.19.3.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp any any 
access-list outside_access_in extended permit icmp any any 
access-list outside_1_cryptomap extended permit ip 172.19.3.0 255.255.255.0 any 
access-list inside_nat0_outbound extended permit ip 172.19.3.0 255.255.255.0 any 
access-list global_mpc extended permit ip any any 
flow-export destination inside 192.168.28.136 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 211.36.49.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 81.* 
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
console timeout 10
management-access inside
dhcpd auto_config outside
!
dhcpd address 172.19.3.20-172.19.3.254 inside
dhcpd dns 192.168.21.10 192.168.21.11 interface inside
dhcpd option 3 ip 172.19.3.1 interface inside
dhcpd enable inside
!

priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 81.* type ipsec-l2l
tunnel-group 81.* ipsec-attributes
 pre-shared-key *
!
class-map Citrix1
 match port tcp eq 1434
class-map Citrix2
 match port tcp eq 2598
class-map netflow-export-policy
 match access-list global_mpc
!
!
policy-map global-policy
 class netflow-export-policy
  flow-export event-type all destination 192.168.28.136
policy-map QoS
 class Citrix1
  priority
 class Citrix2
  priority
!
service-policy global-policy global
service-policy QoS interface outside
*

Marius Gunnerud Thu, 06/26/2014 - 03:44
User Badges:
  • Red, 2250 points or more
  • Cisco Designated VIP,

    2017 Firewalling

Yep that should sort you out.  Just keep in mind if things don't come up right away issue a clear xlate and possible clear arp...you might also want to have your ISP on speed dial to have them issue a clear arp also if needed.

--

Please remember to select a correct answer and rate helpful posts

 

Actions

This Discussion