Changing VPN endpoint IP on the Cisco asa5505
November 14th, 2007 by Anthony Curreri
There’s probably a ‘proper’ way to change the IP address of your Cisco asa5505 endpoints.
I have no idea what it is. Why does Cisco make routine maintenance tasks difficult? Oh well.
Here’s the way I do it, which I think is really straightforward and easy. It’s basically these steps:
- Download the complete configuration text file from the asa5505
- Do a find and replace on the VPN endpoints IP address
- Upload the new configuration and restart the asa5505
Easy, right? Here are the detailed steps:
- Put your computer behind the firewall.
- Start a TFTP server. If you are running Windows, you can download and install Cisco TFTP Server very easily. There are Linux servers for this too.
- Connect to the console. I like using the blue console cable. If you need to know how to do this, check out the first couple steps here.
- Type ‘ena’ to enter enable mode. You may need to enter your enable password.
- Type ‘copy running-config tftp:’ to start the transfer. The asa 5505 will ask you a few questions, like what is the IP of the TFTP server? Conveniently, this is at the top of the TFTP server window. The entire exchange should look like this:
ciscoasa(config)# copy running-config tftp:
Source filename [running-config]?
Address or name of remote host []? 192.168.3.66
Destination filename [running-config]?
Cryptochecksum: 3e2fdd1f ba8792a1 11a9e4e7 f89d46dd
!!
4165 bytes copied in 1.290 secs (4165 bytes/sec)
- The Cisco TFTP Server saves the uploaded file here by default: ‘C:\Program Files\Cisco Systems\Cisco TFTP Server’
- Open that file and replace all of the old IPs for the VPN server with the new IP address. In my file there were three instances.
- Make sure your TFTP server is still running, and enter ‘copy tftp: startup-config’, then answer the prompts. If you try to replace the running config you’ll probably get errors. For example:
ciscoasa# copy tftp: startup-config
Address or name of remote host [192.168.3.66]?
Source filename [running-config]?
Accessing tftp://192.168.3.66/running-config…!!
Writing system file…
!!
4165 bytes copied in 0.380 secs
ciscoasa#
- That’s it, now you just need to reboot the device without saving the running-config! Type ‘reload’.
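The find-and-replace step above, as an added example (not code from the original post): a Python script that swaps the peer address only where it appears as a complete IPv4 address and lists every changed line, so the edit can be reviewed before the file is uploaded to startup-config. The sample config, the addresses and the helper name `replace_peer` are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of an ASA config fragment (not from the original post);
# the addresses come from documentation ranges.
SAMPLE_CONFIG = """\
access-list outside_cryptomap extended permit ip 192.168.3.0 255.255.255.0 10.20.0.0 255.255.0.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set peer 198.51.100.7
tunnel-group 198.51.100.7 type ipsec-l2l
tunnel-group 198.51.100.7 ipsec-attributes
 pre-shared-key EXAMPLE-KEY
logging host inside 198.51.100.70
"""


def replace_peer(config_text, old_ip, new_ip):
    """Replace old_ip with new_ip only where it is a complete address.

    Returns (new_text, changes); changes is a list of (line_no, before, after).
    """
    # Validate both inputs so a typo cannot end up in the startup-config.
    old_ip = str(ipaddress.IPv4Address(old_ip))
    new_ip = str(ipaddress.IPv4Address(new_ip))
    # Lookarounds stop 198.51.100.7 from matching inside 198.51.100.70
    # or 1198.51.100.7, which a plain editor find-and-replace would corrupt.
    pattern = re.compile(r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])")
    out_lines, changes = [], []
    for line_no, line in enumerate(config_text.splitlines(keepends=True), 1):
        new_line = pattern.sub(new_ip, line)
        if new_line != line:
            changes.append((line_no, line.rstrip("\r\n"), new_line.rstrip("\r\n")))
        out_lines.append(new_line)
    return "".join(out_lines), changes


if __name__ == "__main__":
    new_text, changes = replace_peer(SAMPLE_CONFIG, "198.51.100.7", "192.0.2.44")
    for line_no, before, after in changes:
        print(f"line {line_no}:\n  - {before}\n  + {after}")
    print(f"{len(changes)} line(s) changed")
```

If the number of changed lines differs from what you counted in the original file, stop and compare the two files before uploading.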

What if I have 200 tunnels up and they are being used? I have to reboot the device and bring down all the tunnels? I find it easier to delete the old tunnel and rebuild the tunnel with the new IP. No reboot required.