Need Help with Tunnel Endpoint Change on Cisco Pix

Hello,

One of our customers is making a VPN tunnel endpoint change (New endpoint and IP address). The old endpoint will no longer be operational by the end of the month. The problem is that my manager of IT is on leave, cannot be contacted, and will not be back before then.
So it falls in my hands to make the change. I'm a Cisco noob, and I was wondering if someone could help me with the procedure.
Everything else will be remaining the same on the tunnel, I just need to change the IP address to reflect the new endpoint.

Methodman85 Asked:

JFrederick29 Commented:
Really, all you need to do is change the peer IP to the new one when it is time to cutover, along with adding a new ISAKMP pre-shared key statement or tunnel-group (if using 7.x/8.x code on your PIX) which specifies the new peer IP. The key should remain the same (just the IP changes).

At time of cutover (don't do this before hand):

conf t
no crypto map ibm 110 set peer 209.197.5.36
crypto map ibm 110 set peer <newip>   <--set new IP

If 6.x code (verify with show version):

isakmp key ******** address <newip> netmask 255.255.255.255  <--use the same/existing preshared key

If 7.x/8.x code:

tunnel-group <newip> ipsec-attributes
 pre-shared-key *    <--use the same/existing preshared key


Your other questions:

>access-list Client1 permit ip 10.11.4.40 255.255.255.248 10.14.0.0 255.255.192.0 ->Is Client1 now a variable defined here? An access list entry that can be referenced for other use?
Yes, this is an access-list that will be used for some purpose and will be referenced/called by the name (Client1).  (Does not need to change).

>crypto ipsec transform-set Client esp-3des esp-md5-hmac -> The "Client" here, is this separate from the access-list "Client1"? Is this the name for the VPN tunnel?
This is the IPSEC transform set which has nothing to do with the access-list other than it is all part of the VPN setup. The transform set is referenced in the Crypto map by name (Client). (Does not need to change).

>crypto map ibm 110 ipsec-isakmp -> What does this line do?
Tells this Crypto map sequence to use ISAKMP/IPSEC.  (Does not need to change).

>crypto map ibm 110 match address Client1 -> "Client1" from the access-list is referenced here, what does this do?
This is the interesting traffic that will be sent over the VPN tunnel based on the parameters in the Client1 access-list.  (Does not need to change).

>crypto map ibm 110 set peer 209.197.5.36 -> This is the old endpoint.
Specifies your peer (the other end of the tunnel).  This needs to change (see above).

>crypto map ibm 110 set transform-set Client -> Reference to "Client" here, what does this do?
This indicates which transform set to use in this crypto map (encryption parameters).  (Does not need to change).

Methodman85 (Author) Commented:
I need help understanding what I see in the config.

I see:

access-list Client1 permit ip 10.11.4.40 255.255.255.248 10.14.0.0 255.255.192.0 ->Is Client1 now a variable defined here? An access list entry that can be referenced for other use?

crypto ipsec transform-set Client esp-3des esp-md5-hmac -> The "Client" here, is this separate from the access-list "Client1"? Is this the name for the VPN tunnel?

crypto map ibm 110 ipsec-isakmp -> What does this line do?

crypto map ibm 110 match address Client1 -> "Client1" from the access-list is referenced here, what does this do?

crypto map ibm 110 set peer 209.197.5.36 -> This is the old endpoint.

crypto map ibm 110 set transform-set Client -> Reference to "Client" here, what does this do?

Also, you say disable isakmp. Will that disable all the other tunnels as well, will I have to generate a new key for all of them?

Methodman85 (Author) Commented:
Awesome! Thanks so much for breaking this down JFrederick29
It's version 6.x by the way.


So from start to finish:

>en
>config t
>no crypto map ibm 110 set peer 209.197.5.36
>crypto map ibm 110 set peer 66.34.134.89
>isakmp key <astrongkey> address 66.34.134.89 netmask 255.255.255.255 no-xauth no-config-mode

JFrederick29 Commented:
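The accepted answer and the asker's start-to-finish sequence above amount to one procedure: swap the `set peer` line in the crypto map and make sure an `isakmp key` entry exists for the new peer address. The script below is an added example, not code from the thread or from Cisco: it parses a constructed PIX 6.x config fragment modelled on the lines quoted here, builds the same cutover commands, simulates applying them, and lints the result for the failure a practitioner most wants to catch, a crypto map peer with no matching pre-shared key (the tunnel would then never complete ISAKMP phase 1). The new peer address `198.51.100.7` is a documentation placeholder, not the customer's real endpoint, and `apply_commands` is a deliberately minimal stand-in for `conf t`, not a PIX emulator.

```python
import re

# Constructed sample config fragment, modelled on the PIX 6.x lines quoted in the
# thread (not the asker's real running config). The key is masked as the PIX shows it.
SAMPLE_CONFIG = """\
access-list Client1 permit ip 10.11.4.40 255.255.255.248 10.14.0.0 255.255.192.0
crypto ipsec transform-set Client esp-3des esp-md5-hmac
crypto map ibm 110 ipsec-isakmp
crypto map ibm 110 match address Client1
crypto map ibm 110 set peer 209.197.5.36
crypto map ibm 110 set transform-set Client
isakmp key ******** address 209.197.5.36 netmask 255.255.255.255
"""

# "crypto map <name> <seq> set peer <ip>"
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)\s*$")
# "isakmp key <key> address <ip> [netmask <mask>] ..."
KEY_RE = re.compile(r"^isakmp key (\S+) address (\S+)(?:\s+netmask\s+(\S+))?")


def parse_peers(config):
    """Return {(map_name, seq): peer_ip} for every 'set peer' line in the config."""
    peers = {}
    for line in config.splitlines():
        m = PEER_RE.match(line.strip())
        if m:
            peers[(m.group(1), int(m.group(2)))] = m.group(3)
    return peers


def parse_key_addresses(config):
    """Return the set of peer addresses that have an 'isakmp key ... address' entry."""
    addrs = set()
    for line in config.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            addrs.add(m.group(2))
    return addrs


def peers_without_key(config):
    """Crypto map peers with no matching isakmp key: phase 1 would fail for these."""
    keyed = parse_key_addresses(config)
    return sorted({peer for peer in parse_peers(config).values() if peer not in keyed})


def cutover_commands(config, map_name, seq, old_peer, new_peer, key):
    """Build the 6.x cutover sequence from the thread.

    Refuses to proceed if the crypto map entry does not currently point at old_peer,
    so a typo in the map name or sequence number is caught before anything is typed.
    """
    current = parse_peers(config).get((map_name, seq))
    if current != old_peer:
        raise ValueError(f"crypto map {map_name} {seq} peer is {current!r}, not {old_peer!r}")
    return [
        f"no crypto map {map_name} {seq} set peer {old_peer}",
        f"crypto map {map_name} {seq} set peer {new_peer}",
        f"isakmp key {key} address {new_peer} netmask 255.255.255.255",
    ]


def apply_commands(config, commands):
    """Minimal simulation of 'conf t': 'no <line>' drops that exact line, anything else is appended."""
    lines = [l for l in config.splitlines() if l.strip()]
    for cmd in commands:
        if cmd.startswith("no "):
            target = cmd[3:].strip()
            lines = [l for l in lines if l.strip() != target]
        else:
            lines.append(cmd)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    cmds = cutover_commands(SAMPLE_CONFIG, "ibm", 110, "209.197.5.36", "198.51.100.7", "********")
    print("\n".join(cmds))
    new_cfg = apply_commands(SAMPLE_CONFIG, cmds)
    print("unkeyed peers after cutover:", peers_without_key(new_cfg))
    # Leaving out the isakmp key line is the mistake the lint is meant to catch.
    print("unkeyed peers if key step skipped:", peers_without_key(apply_commands(SAMPLE_CONFIG, cmds[:2])))
```

As in the thread, the old peer's `isakmp key` line is left in place; the lint only checks that every peer the crypto map points at has a key. Run the script against a `show running-config` capture before the cutover window to confirm the map name, sequence number and old peer are what you expect.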
Exactly.  Just make sure <astrongkey> is the existing key (the same as the one on the other end).

Methodman85 (Author) Commented:
Do I have to bring down the crypto map for the outside interface first?


JFrederick29 Commented:
Nope, those are the only changes you need to make. When you make that change, the tunnel will tear down (if it's up) and will automatically attempt to come back up when interesting traffic is seen.

Methodman85 (Author) Commented:
Thanks so much!