Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Changing bandwidth on ASA 5505 with L2L VPN in place?

I have a question regarding changing the external IP address on an ASA 5505.  Some background:

A client of ours has 2 locations, both with ASA 5505 firewalls and static IP addresses.  A L2L VPN exists between the two locations.  We can access the ISDM on both ASA 5505's remotely.

One of these locations is ready to change bandwidth providers and will need a new IP address assigned to the outside interface.  We'd prefer to accomplish this remotely as this location is a good distance away.

So my questions are:

1. Is it possible to modify the IP address on the outside interface remotely (and have the client plug into the new equipment) without first removing the L2L VPN?

2. Is it possible to modify both the IP address on the outside interface and the default gateway via the Command Line Tool in ASDM?

Thanks in advance for any help with this issue.


Re: Changing bandwidth on ASA 5505 with L2L VPN in place?

Hi, if you have no other way to connect to the site other than their corrent public IP address ( That will change ) , you better have a solid plan to make the IP address of outside interface and default route changes  becuase once you change it from remote you will drop the ssh  connections or https for that matter,  I would definately not advice to use asdm.

You could approach the changes  like this:

Probably the easiest way would be to have a simple  four lines script and have someone in the remote site  do the changes  , perhaps create a temporary user account  on the asa for that person  with enable priviledge  and walk them through to  enter the script in firewall  ( Without saving the config  so you have the option to reload as a fall back) ,   the four  or more lines script would be the changes of the ourtside interface IP address  , removal of the old default route,  and the new default route in addition to clear apr  and clear xlate

Another option you have is to do ALL these chnages remotely yourself , make a backup config  of your firewall and save it in disk0  flash,  make sure you have some type of access to a machine inside the LAN  either through WEB VPN and load RDP or something ,  example:

#copy start-config  disk0:asa-5505-bkp-config      ( This  will be your backup )

then you can load that same config  from browser  - example


then copy that config you see on the browser  on a plain text editor like notepad , make the changes you need to make , and name the config file as asa-5505-new-config, all the secret keys will be in place so you do not have to change already encrypted passwords of any kind., for the l2l tunnel the other end will need to make the chnages on the tunnel group to reflect the new peer public IP address.

save the config  without txt extention , then tftp that new config to asa firewall disk0:   ( #copy tftp disk0: )

then from the firewall command line  you can do the following after you  tftp that new config file to disk0,

#copy disk0:/asa-5505-new-config startup-config   ( copies the new config to startup-config )

then go into configuration mode and  make the firewall boot from the new config

#config t

#(config)boot config disk0:asa-5505-new-config

exit config mode and verify  config boot variable

#show boot    ( its output should look like bellow)

BOOT variable = disk0:/asa822-12-k8.bin
Current BOOT variable = disk0:/asa822-12-k8.bin
CONFIG_FILE variable =

Current CONFIG_FILE variable = disk0:/asa-5505-new-config

then issue reload command  , DO NOT  say yes when ask to save  the config  chnages  because running config will overwrite the startup config.

Here is some guidelines when working with boot  and config files