Changing bandwidth on ASA 5505 with L2L VPN in place?

SAMnetmlg
Level 1

I have a question regarding changing the external IP address on an ASA 5505.  Some background:

A client of ours has 2 locations, both with ASA 5505 firewalls and static IP addresses.  A L2L VPN exists between the two locations.  We can access the ASDM on both ASA 5505s remotely.

One of these locations is ready to change bandwidth providers and will need a new IP address assigned to the outside interface.  We'd prefer to accomplish this remotely as this location is a good distance away.

So my questions are:

1. Is it possible to modify the IP address on the outside interface remotely (and have the client plug into the new equipment) without first removing the L2L VPN?

2. Is it possible to modify both the IP address on the outside interface and the default gateway via the Command Line Tool in ASDM?

Thanks in advance for any help with this issue.

1 Reply

JORGE RODRIGUEZ
Level 10

Hi, if you have no other way to connect to the site than their current public IP address (which will change), you had better have a solid plan for making the outside interface IP address and default route changes, because once you change it remotely you will drop the SSH connection, or HTTPS for that matter. I would definitely not advise using ASDM.

You could approach the changes  like this:

Probably the easiest way would be to have a simple four-line script and have someone in the remote site do the changes. Perhaps create a temporary user account on the ASA for that person with enable privilege and walk them through entering the script on the firewall (without saving the config, so you have the option to reload as a fallback). The four or more lines of the script would be the change of the outside interface IP address, removal of the old default route, and the new default route, in addition to clear arp and clear xlate.

Another option you have is to do ALL these changes remotely yourself: make a backup config of your firewall and save it in disk0 flash, and make sure you have some type of access to a machine inside the LAN, either through WebVPN and load RDP or something. Example:

#copy startup-config disk0:/asa-5505-bkp-config      ( This will be your backup )

Then you can load that same config from a browser, for example:

https://firewall_inside_ip_address-of_firewall/config/asa-5505-bkp-config

Then copy the config you see in the browser into a plain text editor like Notepad, make the changes you need to make, and name the config file asa-5505-new-config. All the secret keys will be in place, so you do not have to change already encrypted passwords of any kind. For the L2L tunnel, the other end will need to make the changes on the tunnel group to reflect the new peer public IP address.

Save the config without a txt extension, then TFTP that new config to the ASA firewall disk0:   ( #copy tftp disk0: )

Then, from the firewall command line, you can do the following after you TFTP that new config file to disk0:

#copy disk0:/asa-5505-new-config startup-config   ( copies the new config to startup-config )

Then go into configuration mode and make the firewall boot from the new config:

#config t

(config)#boot config disk0:/asa-5505-new-config

Exit config mode and verify the config boot variable:

#show boot    ( its output should look like below )

BOOT variable = disk0:/asa822-12-k8.bin
Current BOOT variable = disk0:/asa822-12-k8.bin
CONFIG_FILE variable =

Current CONFIG_FILE variable = disk0:/asa-5505-new-config

Then issue the reload command. DO NOT say yes when asked to save the config changes, because the running config would overwrite the startup config.

Here are some guidelines for working with boot and config files:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/b.html#wp1355786

Regards

Jorge Rodriguez
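A worked version of the "four-line script" for the site changing providers, plus the matching tunnel-group change on the far end of the L2L tunnel, as an added example that is not part of Jorge's reply. It assumes the ASA 5505 default layout where Vlan2 is the interface named outside, an ASA 8.2-style crypto config (crypto map called outside_map, sequence 10, IKEv1 pre-shared key under ipsec-attributes), and constructed RFC 5737 documentation addresses: old outside 198.51.100.10/29 with gateway 198.51.100.9, new outside 203.0.113.10/29 with gateway 203.0.113.9. The pre-shared key is a placeholder.

```cisco
! ---- Site A: the site whose provider is changing. Entered from the console or
! ---- by the on-site person. Do not "write memory" until the new link is verified,
! ---- so a reload still falls back to the saved (old) configuration.
! Interface name, crypto map name and all addresses are assumptions/constructed.
configure terminal
 interface Vlan2
  ip address 203.0.113.10 255.255.255.248
 exit
 ! replace the default route: remove the old gateway, then add the new one
 no route outside 0.0.0.0 0.0.0.0 198.51.100.9
 route outside 0.0.0.0 0.0.0.0 203.0.113.9
end
! flush ARP entries and NAT translations learned on the old link
clear arp
clear xlate
! checks before committing: the new gateway answers and the new route is installed
ping 203.0.113.9
show route outside
! only after the checks pass and the tunnel is back up:
! write memory

! ---- Site B: the unchanged site. L2L tunnel groups are named by peer IP, so a
! ---- new group is created, the crypto map is re-pointed, and the old group removed.
! The pre-shared key must be the same one the two sites already share.
configure terminal
 crypto map outside_map 10 set peer 203.0.113.10
 tunnel-group 203.0.113.10 type ipsec-l2l
 tunnel-group 203.0.113.10 ipsec-attributes
  pre-shared-key <EXISTING-PSK-PLACEHOLDER>
 exit
 clear configure tunnel-group 198.51.100.10
end
! verify the tunnel re-establishes once Site A is on its new address
show crypto isakmp sa
show crypto ipsec sa peer 203.0.113.10
```

Two practical notes: make the Site B change as close in time to the Site A cut-over as you can, since the tunnel is down between the two edits either way, and if the new provider hands out the address by DHCP instead of statically, the interface takes `ip address dhcp setroute` and the two static `route outside` lines are not needed.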