lopjj.blogg.se

Gomez peer ip vpn





I had a client the other week with about 25 sites; his core site was changing ISP and therefore changing its IP address. They all had VPNs back to the main site, and all these VPNs were "hairpinned" together for "spoke to spoke" communication. On the main site this is pretty straightforward: just change the outside interface's IP address, subnet mask and default route (that's the default gateway for non-Cisco-ites). All well and good, but what about his other 24 sites?

Well, you can simply delete the VPNs and recreate them, but multiply that by 24, then add on all the extra config for the hairpins, and that's a massive amount of work (and for the client a LOT of downtime). So a swift config change on the remote sites is a much better idea.

Cisco PIX firewalls running version 6 are covered in a separate article.

Option 1: From the command line (for ASDM see below)

In this example my main site (123.123.123.123) has changed its IP address to (234.234.234.234), and I need to reconfigure the remote site(s).

1. First, you need to understand a couple of things: for a VPN to work, the firewall needs the IP address of the "other end" of the tunnel in two places.

2. First, let's find the crypto map. Connect to the ASA, log in, go to enable mode and then configuration mode, and look at the crypto map entries:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 123.123.123.123 <<<< Here it is!!!
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 133.133.133.133
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set peer 144.144.144.144
crypto map outside_map 4 set transform-set ESP-3DES-SHA

4. From the example above we can see the tunnel we want to change is using "outside_map 2", so let's remove the entry for the old IP address and put one in for the new IP address.

The tunnel-group configuration is the other place the peer address appears; on this firewall it lists:

tunnel-group DefaultL2LGroup ipsec-attributes
tunnel-group DefaultRAGroup ipsec-attributes
tunnel-group DefaultWEBVPNGroup ipsec-attributes


PA-Firewall A (10.129.70.38) - Router (DHCP server) - (DHCP IP) PA-Firewall B

The interface on Firewall B gets its IP address dynamically from the DHCP server (the interface on the Router is configured as the DHCP server).

Note: In this example, the Local ID is given as an FQDN (email address). However, we can use any of the available qualifiers, making sure it is the same on the peer end as well. It could be anything as long as it is the same on the other end. This is an important configuration since it is the only way for the peer to identify the dynamic gateway.

Note: Since Firewall B has the dynamic IP address, it needs to be the initiator for the VPN tunnel each time. Hence, do not select "Enable Passive Mode."

Note: Peer Identification on the static peer needs to be the same as the Local Identification configured on the dynamic peer. Also, "Peer IP Type" is dynamic here since we are not sure of the IP on the other end.

Note: Since this is the static peer and does not know the IP address of the dynamic end, it would not be able to initiate the VPN. Hence, we selected the option "Enable Passive Mode."

show session all

Initially, when the tunnel is down, we see an ipsec-esp session with the destination as 0.0.0.0, since we are not sure of the peer. As soon as the tunnel comes up, this is replaced with the actual IP address of the dynamic peer:

ID Application State Type Flag Src/Zone/Proto (translated IP)
11 ipsec-esp ACTIVE TUNN 10.129.72.38/L3-Trust/50 (10.129.72.38)
vsys1 1.1.1.5/L3-Untrust (1.1.1.

Note: L3-Trust is the zone of the tunnel interface and L3-Untrust is the external interface.
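For the Cisco ASA peer change described on this page, here is an added example (not code from the original article) that parses a crypto map listing, finds which sequence number sets the old peer, and builds the config-mode commands to swap it. The sample listing is constructed from the page's values; the function names are mine.

```python
import ipaddress
import re

# Constructed sample input, modelled on the crypto map listing on this page
# (the "<<<< Here it is!!!" annotation is not part of the real output).
CRYPTO_MAP_SAMPLE = """\
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set peer 123.123.123.123
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set peer 133.133.133.133
crypto map outside_map 3 set transform-set ESP-3DES-SHA
"""

# One "set peer" line: crypto map <name> <seq> set peer <ip>
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")


def find_peer_entries(config_text, peer_ip):
    """Return [(map_name, seq), ...] for every entry whose peer is peer_ip."""
    hits = []
    for line in config_text.splitlines():
        m = PEER_RE.match(line.strip())
        if m and m.group(3) == peer_ip:
            hits.append((m.group(1), int(m.group(2))))
    return hits


def peer_change_commands(config_text, old_ip, new_ip):
    """Config-mode commands that drop the old 'set peer' and add the new one.
    Refuses to run if new_ip is malformed or old_ip is not found, so a typo
    cannot silently leave the tunnel pointing at the wrong peer. The
    tunnel-group (the second place the peer IP lives) is not handled here."""
    ipaddress.ip_address(new_ip)  # raises ValueError on a malformed address
    entries = find_peer_entries(config_text, old_ip)
    if not entries:
        raise ValueError(f"no crypto map entry sets peer {old_ip}")
    cmds = []
    for map_name, seq in entries:
        cmds.append(f"no crypto map {map_name} {seq} set peer {old_ip}")
        cmds.append(f"crypto map {map_name} {seq} set peer {new_ip}")
    return cmds


if __name__ == "__main__":
    for cmd in peer_change_commands(CRYPTO_MAP_SAMPLE, "123.123.123.123", "234.234.234.234"):
        print(cmd)
```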