Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2478
Views
0
Helpful
4
Replies

Site-to-Site ASA VPN changing public IP

Andrew White
Level 2
Level 2

‎06-25-2014 01:39 AM

Hello,

We have a remote office that has a managed lease line and we have an ASA connected off this to create a site-to-site VPN to another office.  However the company that runs this line is changing the public IP if the router and we will also have to change our ASAs info.

I have ask the guys to let me know before they pull the plug as I need to SSH onto the ASA and change the IP, but is this possible as I will change the IP and lose connection.

The VPN/ASA is a simple configuration, I only need to change 2 areas:

 

interface Vlan2
 nameif outside
 security-level 0
 ip address 211.36.49.x 255.255.255.252

And

route outside 0.0.0.0 0.0.0.0 211.36.49.x 1

Any ideas on how I shoudl do this as I can't tavel there as I need to manage the other end at the HQ?

Thanks

 

 

Labels:
0 Helpful
4 Replies 4

nkarthikeyan
Level 7
Level 7

‎06-25-2014 04:08 AM

Hi,

 

If one end is with static and other end is having DHCP enabled for the outside/peer ip address interface then you can have the dynamic map enabled at your end to do with this without changing the IP address every time. Also other end should have the relevant domain created for it.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/112075-dynamic-ipsec-asa-router-ccp.html

http://www.slideshare.net/irisdan/site-tosite-ipsec-vpn-between-two-cisco-asaone-with-dynamic-ip#

HTH

 

Regards

Karthik

0 Helpful

Marius Gunnerud
VIP
VIP

‎06-25-2014 05:37 AM

How are you managing the remote end? is it over the VPN or do you connect directly via SSH to the outside interface?

It would be best if you were on site or have someone onsite that you can guide through setting up the ASA.  You would need to add new NAT entries, update the ACLs allowing traffic in and add a new default route.  Without that default route you will not be able to SSH back into the ASA...and the ASA only supports one active default route at a time. You would also need to change the peer address in the S2S vpn configuration.

What I would suggest is that you create a script and email it to someone at the remote office and explain how he/she would connect to the ASA.  The script would only need to have the new default route, remove the old default route, make sure that SSH is enabled for the outside interface and that your public IP...or you can configure any IP for a limited time...can access the ASA via SSH/HTTPS, and make sure that you have a username and password configured on the ASA or a local RADIUS/TACACS server that you can use to access the ASA.  Once you have access, you can configure everything else remotely.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Andrew White
Level 2
Level 2
In response to Marius Gunnerud

‎06-26-2014 03:32 AM

I think I may be able to use a laptop with 3G connectivity to remote on to and make the change, here is the config.

I think only 2 lines will need to be changed highlighted below?  Plus the remote peer IP on the remote ASA:

 

Cryptochecksum: 480321b6 29c94e53 1b334f84 2881915a 
!
ASA Version 8.2(2) 
!
hostname Eh-CBSO-ASA
!
interface Vlan1
 description inside
 nameif inside
 security-level 100
 ip address 172.19.3.1 255.255.255.0 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 211.36.49.x 255.255.255.252 
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 description inside
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
ftp mode passive
clock timezone GMT/BST 0
clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00
dns server-group DefaultDNS
 domain-name gb.vo.local
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
access-list inside_access_in extended permit ip 172.19.3.0 255.255.255.0 any 
access-list inside_access_in extended permit icmp any any 
access-list outside_access_in extended permit icmp any any 
access-list outside_1_cryptomap extended permit ip 172.19.3.0 255.255.255.0 any 
access-list inside_nat0_outbound extended permit ip 172.19.3.0 255.255.255.0 any 
access-list global_mpc extended permit ip any any 
flow-export destination inside 192.168.28.136 9996
flow-export template timeout-rate 1
flow-export delay flow-create 60
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 211.36.49.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 81.* 
crypto map outside_map 1 set transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp ipsec-over-tcp port 10000 
console timeout 10
management-access inside
dhcpd auto_config outside
!
dhcpd address 172.19.3.20-172.19.3.254 inside
dhcpd dns 192.168.21.10 192.168.21.11 interface inside
dhcpd option 3 ip 172.19.3.1 interface inside
dhcpd enable inside
!

priority-queue outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 81.* type ipsec-l2l
tunnel-group 81.* ipsec-attributes
 pre-shared-key *
!
class-map Citrix1
 match port tcp eq 1434
class-map Citrix2
 match port tcp eq 2598
class-map netflow-export-policy
 match access-list global_mpc
!
!
policy-map global-policy
 class netflow-export-policy
  flow-export event-type all destination 192.168.28.136
policy-map QoS
 class Citrix1
  priority
 class Citrix2
  priority
!
service-policy global-policy global
service-policy QoS interface outside
*

0 Helpful

Marius Gunnerud
VIP
VIP
In response to Andrew White

‎06-26-2014 03:44 AM

Yep that should sort you out.  Just keep in mind if things don't come up right away issue a clear xlate and possible clear arp...you might also want to have your ISP on speed dial to have them issue a clear arp also if needed.

--

Please remember to select a correct answer and rate helpful posts

 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents