Changing VPN endpoint IP on the Cisco asa5505

There’s probably a ‘proper’ way Change the IP address of your Cisco asa5505 endpoints.

I have no idea what it is. Why does Cisco make routine maintenance tasks difficult? Oh well.

Here’s the way I do it, which I think is really straightforward and easy. It’s basically these steps:

  1. Download the complete configuration text file from the asa5505
  2. Do a find and replace on the VPN endpoints IP address
  3. Upload the new configuration and restart the asa5505

Easy, right! Here are the detailed steps:

  • Put your computer behind the firewall.
  • Start a TFTP server. If you are running windows, you can download and installa Cisco TFTP Server very easily. There are linux servers for this too.
  • Connect to the console. I like using the blue console cable. If you need to know how to do this, check out the first couple steps here.
  • Type ‘ena’ to enter enable mode. You may need to enter your enable password.
  • Type ‘copy running-config tftp:’ to start the transfer. The asa 5505 will ask you a few questions, like what is the IP of the TFTP server? Conveniently, this is at the top of the TFTP server window. The entire exchange should look like this:
ciscoasa(config)# copy running-config tftp:

Source filename [running-config]?

Address or name of remote host []?

Destination filename [running-config]?
Cryptochecksum: 3e2fdd1f ba8792a1 11a9e4e7 f89d46dd
4165 bytes copied in 1.290 secs (4165 bytes/sec)

  • The Cisco TFTP Server saves the uploaded file here by default: 'C:Program FilesCisco SystemsCisco TFTP Server'
  • Open that file and replace all of the old IP's for the VPN server with the new IP address. In my file there were three instances.
  • Make sure your TFTP server is still running, and enter 'copy tftp: startup-config', then answer the prompts. If you try to replace the running config you'll probably get errors. For example:
ciscoasa# copy tftp: startup-config

Address or name of remote host []?

Source filename [running-config]?

Accessing tftp://!!
Writing system file...
4165 bytes copied in 0.380 secs

  • That's it, now you just need to reboot the device without saving the running-config! Type 'reload'.

3 thoughts on “Changing VPN endpoint IP on the Cisco asa5505

  1. Ed

    Thank You, Thank You, Thank You. I have spent nearly 76 hours trying to change this address, I tried to access it though an external interface and change the internal bindings to my own Ip, 192.168… is so lame. I tried using Hyperterminal and changed the IP addresses but it would remove the ASDM access. This post worked. Oh yeah forget to mention I had to dust off an old lap top with a serial and XP to make all this happen. Thank You Cisco I hope all of this work is worth it!!!

  2. Joe S

    What if I have 200 tunnels up and are being used? I have to reboot the device and bring down all the tunnels? I find it easier to delete the old tunnel and rebuild the tunnel with the new IP. No reboot required.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.