通过VPN隧道从内部接口访问ASDM的ASA配置示例

简介

本文档介绍如何使用两个思科自适应安全设备(ASA)防火墙配置LAN到LAN VPN隧道。Cisco自适应安全设备管理器(ASDM)通过公共端的外部接口在远程ASA上运行，并对常规网络和ASDM流量进行加密。ASDM是基于浏览器的配置工具，旨在帮助您通过GUI设置、配置和监控ASA防火墙。您不需要对ASA防火墙CLI有深入的了解。 

先决条件

要求

Cisco 建议您了解以下主题：

• IPSec 加密
• 思科ASDM

注意：确保您的拓扑中使用的所有设备都符合Cisco ASA 5500系列硬件安装指南中描述的要求。

提示：请参阅IP安全(IPSec)加密简介Cisco文章，熟悉基本IPsec加密。

使用的组件

本文档中的信息基于以下软件和硬件版本：

• Cisco ASA防火墙软件版本9.x。
  
  
• ASA-1和ASA-2均为Cisco ASA防火墙5520
  
  
• ASA 2使用ASDM版本7.2(1)

注意：当系统提示您输入ASDM的用户名和密码时，默认设置不需要用户名。如果之前配置了使能密码，请输入该密码作为ASDM密码。如果没有启用口令，请将用户名和口令条目都留空，然后单击OK以继续。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始（默认）配置。如果您使用的是真实网络，请确保您已经了解所有命令的潜在影响。

配置

使用本节中描述的信息来配置本文档中描述的功能。

网络图

配置

以下是在ASA-1上使用的配置：

ASA-1
 
ASA Version 9.1(5)
!
hostname ASA-1
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.124.1 255.255.255.0
!
 
!--- Traffic matching ACL 101 is punted to VPN
!--- Encrypt/Decrypt traffic matching ACL 101 

access-list 101 extended permit ip 172.18.124.0 255.255.255.0 192.168.10.0
 255.255.255.0

!--- Do not use NAT
!--- on traffic matching below Identity NAT

object network obj_192.168.10.0
subnet 192.168.10.0 255.255.255.0

object network obj_172.18.124.0
subnet 172.18.124.0 255.255.255.0

nat (inside,outside) source static obj_172.18.124.0 obj_172.18.124.0 destination
 static obj_192.168.10.0 obj_192.168.10.0 no-proxy-arp route-lookup

!--- Configures a default route towards the gateway router.

route outside 0.0.0.0 0.0.0.0 203.0.113.252 1

!--- Point the configuration to the appropriate version of ASDM in flash

asdm image asdm-722.bin

!--- Enable the HTTP server required to run ASDM.
 
http server enable
 
!--- This is the interface name and IP address of the host or 
!--- network that initiates the HTTP connection.
 
http 172.18.124.102 255.255.255.255 inside
 
!--- Implicitly permit any packet that came from an IPsec 
!--- tunnel and bypass the checking of an associated access-group
!--- command statement for IPsec connections.
 
sysopt connection permit-vpn
 
!--- Specify IPsec (phase 2) transform set.
!--- Specify IPsec (phase 2) attributes.

crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 198.51.100.2
crypto map vpn 10 set ikev1 transform-set vpn
crypto map vpn interface outside
 
!--- Specify ISAKMP (phase 1) attributes.
  
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
 
!--- Specify tunnel-group ipsec attributes.
 
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
ikev1 pre-shared-key cisco

以下是在ASA-2上使用的配置：

ASA-2
 
ASA Version 9.1(5)
!
hostname ASA-2
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
  
!--- Traffic matching ACL 101 is punted to VPN
!--- Encrypt/Decrypt traffic matching ACL 101 

access-list 101 extended permit ip 192.168.10.0 255.255.255.0 172.18.124.0
 255.255.255.0
 
!--- Do not use NAT 
!--- on traffic matching below Identity NAT
 
object network obj_192.168.10.0
subnet 192.168.10.0 255.255.255.0
 
object network obj_172.18.124.0
subnet 172.18.124.0 255.255.255.0
 
nat (inside,outside) source static obj_192.168.10.0 obj_192.168.10.0 destination
 static obj_172.18.124.0 obj_172.18.124.0 no-proxy-arp route-lookup

!--- Configures a default route towards the gateway router.
 
route outside 0.0.0.0 0.0.0.0 198.51.100.252 1
 
!--- Point the configuration to the appropriate version of ASDM in flash

asdm image asdm-722.bin
 
!--- Enable the HTTP server required to run ASDM.
 
http server enable
 
!--- This is the interface name and IP address of the host or 
!--- network that initiates the HTTP connection.
 
http 192.168.10.102 255.255.255.255 inside

!--- Add an aditional 'http' configuration to allow the remote subnet
!--- to access ASDM over the VPN tunnel

http 172.18.124.0 255.255.255.0 outside
 
!--- Implicitly permit any packet that came from an IPsec 
!--- tunnel and bypass the checking of an associated access-group 
!--- command statement for IPsec connections.
 
sysopt connection permit-vpn
 
!--- Specify IPsec (phase 2) transform set.
!--- Specify IPsec (phase 2) attributes.

crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 203.0.113.2
crypto map vpn 10 set ikev1 transform-set vpn
crypto map vpn interface outside
 
!--- Specify ISAKMP (phase 1) attributes.
  
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
  
!--- Specify tunnel-group ipsec attributes.
 
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
ikev1 pre-shared-key cisco

通过VPN隧道访问ASDM/SSH

要从ASA-1内部网络通过ASA-2的内部接口访问ASDM，必须使用此处所述的命令。此命令只能用于一个接口。在ASA-2上，使用management-access inside命令配置management-access：

management-access 
       
       

验证

本部分提供的信息可用于验证您的配置是否正常工作。

注意：思科CLI分析器（仅限注册客户）支持某些show命令。要查看对 show 命令输出的分析，请使用思科 CLI 分析器。

使用以下命令可验证您的配置：

• 输入show crypto isakmp sa/show isakmp sa命令以验证第1阶段是否正确建立。
• 输入show crypto ipsec sa以验证第2阶段是否建立正确。

命令汇总

将VPN命令输入到ASA后，当流量在ASDM PC (172.18.124.102)和ASA-2的内部接口(192.168.10.1)之间传递时建立VPN隧道。此时，ASDM PC可以访问https://192.168.10.1，并通过VPN隧道与ASA-2的ASDM接口通信。

故障排除

本部分提供可用于对配置进行故障排除的信息。

注意：请参阅Cisco自适应安全设备管理器Cisco的ASA连接问题一文，以对ASDM相关问题进行故障排除。

调试输出示例

输入show crypto isakmp sa命令，以查看在198.51.100.2和203.0.113.2之间形成的隧道：

ASA-2(config)# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

输入show crypto ipsec sa命令以查看在192.168.10.0 255.255.255.0和172之间传递流量的隧道。18.124.0 255.255.255.0：

ASA-2(config)# show crypto ipsec sa
interface: outside
 Crypto map tag: vpn, seq num: 10, local addr: 198.51.100.2
 
  access-list 101 extended permit ip 192.168.10.0 255.255.255.0
   172.18.124.0 255.255.255.0
  local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.18.124.0/255.255.255.0/0/0)
  current_peer: 203.0.113.2

  #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
  #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #send errors: 0, #recv errors: 0
 
  local crypto endpt.: 198.51.100.2/0, remote crypto endpt.: 203.0.113.2/0
  path mtu 1500, ipsec overhead 58(36), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: copy-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: DDE6AD22
  current inbound spi : 92425FE5
 
 inbound esp sas:
  spi: 0x92425FE5 (2453823461)
   transform: esp-3des esp-md5-hmac no compression
   in use settings ={L2L, Tunnel, IKEv1, }
   slot: 0, conn_id: 28672, crypto-map: vpn
   sa timing: remaining key lifetime (kB/sec): (4373999/28658)
   IV size: 8 bytes
   replay detection support: Y
   Anti replay bitmap:
    0x00000000 0x0000003F
 outbound esp sas:
  spi: 0xDDE6AD22 (3722882338)
   transform: esp-3des esp-md5-hmac no compression
   in use settings ={L2L, Tunnel, IKEv1, }
   slot: 0, conn_id: 28672, crypto-map: vpn
   sa timing: remaining key lifetime (kB/sec): (4373999/28658)
   IV size: 8 bytes
   replay detection support: Y
   Anti replay bitmap:
    0x00000000 0x00000001

相关信息

• Cisco ASA 命令参考
• 技术支持和文档 - Cisco Systems