Cisco

ASA VPN Tunnel Groups

From Command Line
In this example my main site (123.123.123.123) has changed its IP address to (234.234.234.234), and I need to reconfigure the remote site(s).

1. First, you need to understand one thing: for a site-to-site VPN to work, the ASA needs the IP address of the “other end” of the tunnel in two places.
a. In the Cryptomap.
b. In a Tunnel Group.

2. Let's find the crypto map first. Connect to the ASA, log in, go to enable mode, then configuration mode.

Sent username “pix”
Type help or ‘?’ for a list of available commands.
RemoteSite>
RemoteSite> enable
Password: ***********
RemoteSite# configure terminal
RemoteSite(config)#

3. To see all the crypto maps, issue a “show run crypto map” command (you may see more or fewer entries depending on the number of VPN tunnels you have).
RemoteSite(config)# show run crypto map
crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 1 set transform-set ESP-3DES-SHA
crypto map outside_map 2 match address outside_2_cryptomap
crypto map outside_map 2 set pfs
crypto map outside_map 2 set peer 123.123.123.123 <<<
crypto map outside_map 2 set transform-set ESP-3DES-SHA
crypto map outside_map 3 match address outside_3_cryptomap
crypto map outside_map 3 set pfs
crypto map outside_map 3 set peer 133.133.133.133
crypto map outside_map 3 set transform-set ESP-3DES-SHA
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs
crypto map outside_map 4 set peer 144.144.144.144
crypto map outside_map 4 set transform-set ESP-3DES-SHA
RemoteSite(config)#

4. From the output above we can see the tunnel we want to change is “outside_map 2”, so let's remove the peer entry for the old IP address and add one for the new IP address.
RemoteSite(config)# no crypto map outside_map 2 set peer 123.123.123.123
WARNING: The crypto map entry will be incomplete!
RemoteSite(config)# crypto map outside_map 2 set peer 234.234.234.234
RemoteSite(config)#

5. That's the crypto map changed; now for the tunnel group. You can see all your tunnel groups with a “sho run tun” command (short for “show running-config tunnel-group”).
RemoteSite(config)# sho run tun
tunnel-group DefaultL2LGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 20 retry 2
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 111.111.111.111 ipsec-attributes
pre-shared-key *****
tunnel-group 123.123.123.123 type ipsec-l2l <<<
tunnel-group 123.123.123.123 ipsec-attributes
pre-shared-key *****
tunnel-group 133.133.133.133 type ipsec-l2l
tunnel-group 133.133.133.133 ipsec-attributes
pre-shared-key *****
isakmp keepalive threshold 20 retry 2
tunnel-group 144.144.144.144 type ipsec-l2l
tunnel-group 144.144.144.144 ipsec-attributes
pre-shared-key *****

6. To delete a tunnel group, you use the “clear config tunnel-group” command.

Note: Before you delete it, make sure you know the pre-shared key / shared secret. “show run” only prints asterisks; to see it in clear text, issue a “more system:running-config” command.

RemoteSite(config)# clear config tunnel-group 123.123.123.123
RemoteSite(config)#

7. Then simply create a new tunnel group with the new IP address and the same shared secret / pre-shared key as the old one.

RemoteSite(config)# tunnel-group 234.234.234.234 type ipsec-l2l
RemoteSite(config)# tunnel-group 234.234.234.234 ipsec-attributes
RemoteSite(config-tunnel-ipsec)# pre-shared-key 123456789

8. Save the new config with a “write mem” command.
RemoteSite(config)# write mem
Building configuration…
Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948

9830 bytes copied in 1.550 secs (9830 bytes/sec)
[OK]
RemoteSite(config)#

9. Job done!

Well, that didn't seem very quick? No, but for the sake of explanation I went a little deep. If you have multiple sites, just keep the following in Notepad and paste it into each remote ASA (adjust the crypto map sequence number and the pre-shared key for each site).

configure terminal
no crypto map outside_map 2 set peer 123.123.123.123
crypto map outside_map 2 set peer 234.234.234.234
clear config tunnel-group 123.123.123.123
tunnel-group 234.234.234.234 type ipsec-l2l
tunnel-group 234.234.234.234 ipsec-attributes
pre-shared-key 123456789
write mem
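The same re-peering steps, turned into a small script so the change can be generated and sanity-checked before it is pasted into an ASA. This is an added example, not part of the original walkthrough; the sample config is constructed from the output shown above, and the function and regex names are my own.

```python
import re
# Constructed sample modelled on the "show run crypto map" / "sho run tun"
# output shown in the walkthrough (not captured from a real device).
SAMPLE_CONFIG = """\
crypto map outside_map 1 set peer 111.111.111.111
crypto map outside_map 2 set peer 123.123.123.123
crypto map outside_map 2 set transform-set ESP-3DES-SHA
tunnel-group 111.111.111.111 type ipsec-l2l
tunnel-group 123.123.123.123 type ipsec-l2l
tunnel-group 123.123.123.123 ipsec-attributes
 pre-shared-key *****
"""
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type (\S+)$")

def find_peer_refs(config, ip):
    """Return ([(map_name, seq), ...], [tunnel_group_type, ...]) for every
    running-config line that binds the given peer address."""
    maps, groups = [], []
    for raw in config.splitlines():
        m = PEER_RE.match(raw.strip())
        if m and m.group(3) == ip:
            maps.append((m.group(1), m.group(2)))
        t = TG_RE.match(raw.strip())
        if t and t.group(1) == ip:
            groups.append(t.group(2))
    return maps, groups

def repeer_commands(config, old_ip, new_ip, psk):
    """Build the ASA command list that moves one L2L tunnel to a new peer.
    psk comes from the operator ("more system:running-config", read BEFORE
    clearing the old tunnel-group, since "show run" prints only *****).
    Refuses to emit anything unless old_ip is bound by exactly one crypto map
    entry and one tunnel-group, so a typo cannot yield a half-done change."""
    maps, groups = find_peer_refs(config, old_ip)
    if len(maps) != 1 or len(groups) != 1:
        raise ValueError(f"{old_ip}: {len(maps)} crypto map peer lines and "
                         f"{len(groups)} tunnel-groups; expected one of each")
    (name, seq), tg_type = maps[0], groups[0]
    return [
        "configure terminal",
        f"no crypto map {name} {seq} set peer {old_ip}",
        f"crypto map {name} {seq} set peer {new_ip}",
        f"clear config tunnel-group {old_ip}",
        f"tunnel-group {new_ip} type {tg_type}",
        f"tunnel-group {new_ip} ipsec-attributes",
        f"pre-shared-key {psk}",
        "write mem",
    ]
```

Feed it the real output of “show run crypto map” and “show run tunnel-group” from each remote ASA, and it picks the right crypto map sequence number for that site instead of assuming it is always 2.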

Cisco Router Commands Cheat Sheet

TERMINAL CONTROLS:

  • Config# terminal editing – allows for enhanced editing commands
  • Config# terminal monitor – shows output on telnet session
  • Config# terminal ip netmask-format hexadecimal|bit-count|decimal – changes the format of subnet masks

HOST NAME:

  • Config# hostname ROUTER_NAME

BANNER:

  • Config# banner motd # TYPE MESSAGE HERE # – # can be substituted for any character, which must start and finish the message

DESCRIPTIONS:

  • Config# description THIS IS THE SOUTH ROUTER – can be entered at the Config-if level

CLOCK:

  • Config# clock timezone Central -6
  • # clock set hh:mm:ss dd month yyyy – Example: clock set 14:35:00 25 August 2003

CHANGING THE REGISTER:

  • Config# config-register 0x2100 – ROM Monitor Mode
  • Config# config-register 0x2101 – ROM boot
  • Config# config-register 0x2102 – Boot from NVRAM

BOOT SYSTEM:

  • Config# boot system tftp FILENAME SERVER_IP – Example: boot system tftp 2600_ios.bin 192.168.14.2
  • Config# boot system ROM
  • Config# boot system flash – Then – Config# reload

CDP:

  • Config# cdp run – Turns CDP on
  • Config# cdp holdtime 180 – Sets how long a neighbour keeps this device's CDP entry before discarding it. Default is 180
  • Config# cdp timer 30 – Sets the update timer. The default is 60
  • Config# int Ethernet 0
  • Config-if# cdp enable – Enables CDP on the interface
  • Config-if# no cdp enable – Disables CDP on the interface
  • Config# no cdp run – Turns CDP off

HOST TABLE:

  • Config# ip host ROUTER_NAME INT_Address – Example: ip host lab-a 192.168.5.1
    -or-
  • Config# ip host RTR_NAME INT_ADD1 INT_ADD2 INT_ADD3 – Example: ip host lab-a 192.168.5.1 205.23.4.2 199.2.3.2 – (for e0, s0, s1)

DOMAIN NAME SERVICES:

  • Config# ip domain-lookup – Tells the router to look up domain names
  • Config# ip name-server 122.22.2.2 – Location of DNS server
  • Config# ip domain-name cisco.com – Domain to append to the end of names

CLEARING COUNTERS:

  • # clear interface Ethernet 0 – Clears counters on the specified interface
  • # clear counters – Clears all interface counters
  • # clear cdp counters – Clears CDP counters