Changing bandwidth on ASA 5505 with L2L VPN in place?
I have a question regarding changing the external IP address on an ASA 5505. Some background:
A client of ours has 2 locations, both with ASA 5505 firewalls and static IP addresses. A L2L VPN exists between the two locations. We can access the ASDM on both ASA 5505s remotely.
One of these locations is ready to change bandwidth providers and will need a new IP address assigned to the outside interface. We'd prefer to accomplish this remotely as this location is a good distance away.
So my questions are:
1. Is it possible to modify the IP address on the outside interface remotely (and have the client plug into the new equipment) without first removing the L2L VPN?
2. Is it possible to modify both the IP address on the outside interface and the default gateway via the Command Line Tool in ASDM?
Re: Changing bandwidth on ASA 5505 with L2L VPN in place?
Hi, if you have no other way to connect to the site other than their current public IP address (that will change), you better have a solid plan to make the IP address of the outside interface and default route changes, because once you change it from remote you will drop the SSH connections, or HTTPS for that matter. I would definitely not advise using ASDM.
You could approach the changes like this:
Probably the easiest way would be to have a simple four-line script and have someone in the remote site do the changes; perhaps create a temporary user account on the ASA for that person with enable privilege and walk them through entering the script in the firewall (without saving the config, so you have the option to reload as a fallback). The four or more lines of script would be the changes of the outside interface IP address, removal of the old default route, and the new default route, in addition to clear arp and clear xlate.
Another option you have is to do ALL these changes remotely yourself: make a backup config of your firewall and save it in disk0 flash, and make sure you have some type of access to a machine inside the LAN, either through WebVPN and then RDP or something. Example:
#copy startup-config disk0:asa-5505-bkp-config ( This will be your backup )
then you can load that same config from browser - example
then copy that config you see on the browser into a plain text editor like Notepad, make the changes you need to make, and name the config file asa-5505-new-config. All the secret keys will be in place, so you do not have to change already encrypted passwords of any kind. For the L2L tunnel, the other end will need to make the changes on the tunnel group to reflect the new peer public IP address.
Save the config without a txt extension, then tftp that new config to the ASA firewall disk0: ( #copy tftp disk0: )
then from the firewall command line you can do the following after you tftp that new config file to disk0:
#copy disk0:/asa-5505-new-config startup-config ( copies the new config to startup-config )
then go into configuration mode and make the firewall boot from the new config
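The four-line script from the first option, together with the peer-side tunnel-group change mentioned in the second, written out as an added example (not the poster's own script). IP addresses, the VLAN number, the crypto map name and sequence number are placeholders; the `ikev1` keyword applies to 8.4+ code, older releases use plain `pre-shared-key`.

```cisco
! --- Site whose outside IP changes: enter at the console or via the on-site person.
! Nothing is saved, so an uncancelled "reload in" rolls everything back if access is lost.
reload in 15
configure terminal
interface Vlan2
 ip address 203.0.113.10 255.255.255.248
exit
no route outside 0.0.0.0 0.0.0.0 198.51.100.1
route outside 0.0.0.0 0.0.0.0 203.0.113.9
end
clear arp
clear xlate
show route
show crypto isakmp sa

! --- Other end of the L2L tunnel: point the crypto map and tunnel-group at the new peer.
configure terminal
crypto map outside_map 10 set peer 203.0.113.10
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <SAME-PSK-AS-BEFORE>
exit
clear configure tunnel-group 198.51.100.10
end

! --- Once "show crypto isakmp sa" shows the tunnel up from both sides:
reload cancel
write memory
```

If either ASA restricts `ssh` or `http` management access to the other site's old public address, that statement must be updated as well, or remote management from that side is lost along with the tunnel.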