透過VPN隧道從內部介面訪問ASDM的ASA配置示例

簡介

本文檔介紹如何使用兩個思科自適應安全裝置(ASA)防火牆配置LAN到LAN VPN隧道。思科自適應安全裝置管理器(ASDM)透過公共端的外部介面在遠端ASA上運行，並對常規網路和ASDM流量進行加密。ASDM是基於瀏覽器的配置工具，旨在幫助您使用GUI設定、配置和監控ASA防火牆。您不需要對ASA防火牆CLI有豐富的知識。 

必要條件

需求

思科建議您瞭解以下主題：

• IPsec加密
• Cisco ASDM

注意：確保您的拓撲中使用的所有裝置都符合Cisco ASA 5500系列硬體安裝指南中描述的要求。

提示：請參閱IP安全(IPSec)加密簡介思科文章，以便熟悉基本IPsec加密。

採用元件

本文中的資訊係根據以下軟體和硬體版本：

• Cisco ASA防火牆軟體版本9.x。
  
  
• ASA-1和ASA-2均為Cisco ASA防火牆5520
  
  
• ASA 2使用ASDM版本7.2(1)

注意：當提示您輸入ASDM的使用者名稱和口令時，預設設定不需要使用者名稱。如果之前配置了啟用口令，請輸入該口令作為ASDM口令。如果沒有啟用口令，請將使用者名稱和口令條目都留空，然後按一下OK 繼續操作。

本文中的資訊是根據特定實驗室環境內的裝置所建立。文中使用到的所有裝置皆從已清除（預設）的組態來啟動。如果您的網路正在作用，請確保您已瞭解任何指令可能造成的影響。

設定

使用本節所述的資訊來設定本檔案中所描述的功能。

網路圖表

組態

以下是在ASA-1上使用的配置：

ASA-1
 
ASA Version 9.1(5)
!
hostname ASA-1
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.124.1 255.255.255.0
!
 
!--- Traffic matching ACL 101 is punted to VPN
!--- Encrypt/Decrypt traffic matching ACL 101 

access-list 101 extended permit ip 172.18.124.0 255.255.255.0 192.168.10.0
 255.255.255.0

!--- Do not use NAT
!--- on traffic matching below Identity NAT

object network obj_192.168.10.0
subnet 192.168.10.0 255.255.255.0

object network obj_172.18.124.0
subnet 172.18.124.0 255.255.255.0

nat (inside,outside) source static obj_172.18.124.0 obj_172.18.124.0 destination
 static obj_192.168.10.0 obj_192.168.10.0 no-proxy-arp route-lookup

!--- Configures a default route towards the gateway router.

route outside 0.0.0.0 0.0.0.0 203.0.113.252 1

!--- Point the configuration to the appropriate version of ASDM in flash

asdm image asdm-722.bin

!--- Enable the HTTP server required to run ASDM.
 
http server enable
 
!--- This is the interface name and IP address of the host or 
!--- network that initiates the HTTP connection.
 
http 172.18.124.102 255.255.255.255 inside
 
!--- Implicitly permit any packet that came from an IPsec 
!--- tunnel and bypass the checking of an associated access-group
!--- command statement for IPsec connections.
 
sysopt connection permit-vpn
 
!--- Specify IPsec (phase 2) transform set.
!--- Specify IPsec (phase 2) attributes.

crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 198.51.100.2
crypto map vpn 10 set ikev1 transform-set vpn
crypto map vpn interface outside
 
!--- Specify ISAKMP (phase 1) attributes.
  
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
 
!--- Specify tunnel-group ipsec attributes.
 
tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
ikev1 pre-shared-key cisco

以下是在ASA-2上使用的配置：

ASA-2
 
ASA Version 9.1(5)
!
hostname ASA-2
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
  
!--- Traffic matching ACL 101 is punted to VPN
!--- Encrypt/Decrypt traffic matching ACL 101 

access-list 101 extended permit ip 192.168.10.0 255.255.255.0 172.18.124.0
 255.255.255.0
 
!--- Do not use NAT 
!--- on traffic matching below Identity NAT
 
object network obj_192.168.10.0
subnet 192.168.10.0 255.255.255.0
 
object network obj_172.18.124.0
subnet 172.18.124.0 255.255.255.0
 
nat (inside,outside) source static obj_192.168.10.0 obj_192.168.10.0 destination
 static obj_172.18.124.0 obj_172.18.124.0 no-proxy-arp route-lookup

!--- Configures a default route towards the gateway router.
 
route outside 0.0.0.0 0.0.0.0 198.51.100.252 1
 
!--- Point the configuration to the appropriate version of ASDM in flash

asdm image asdm-722.bin
 
!--- Enable the HTTP server required to run ASDM.
 
http server enable
 
!--- This is the interface name and IP address of the host or 
!--- network that initiates the HTTP connection.
 
http 192.168.10.102 255.255.255.255 inside

!--- Add an aditional 'http' configuration to allow the remote subnet
!--- to access ASDM over the VPN tunnel

http 172.18.124.0 255.255.255.0 outside
 
!--- Implicitly permit any packet that came from an IPsec 
!--- tunnel and bypass the checking of an associated access-group 
!--- command statement for IPsec connections.
 
sysopt connection permit-vpn
 
!--- Specify IPsec (phase 2) transform set.
!--- Specify IPsec (phase 2) attributes.

crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 203.0.113.2
crypto map vpn 10 set ikev1 transform-set vpn
crypto map vpn interface outside
 
!--- Specify ISAKMP (phase 1) attributes.
  
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
  
!--- Specify tunnel-group ipsec attributes.
 
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
ikev1 pre-shared-key cisco

透過VPN隧道訪問ASDM/SSH

為了從ASA-1內部網路透過ASA-2的內部介面訪問ASDM，必須使用此處所述的命令。此命令只能用於一個介面。在ASA-2上，使用management-access inside命令配置management-access：

management-access 
       
       

驗證

本節提供的資訊可用於驗證組態是否正常運作。

注意：Cisco CLI Analyzer（僅供已註冊客戶使用）支援某些show指令。使用 Cisco CLI Analyzer 檢視 show 指令輸出的分析。

使用以下命令以驗證您的設定：

• 輸入show crypto isakmp sa/show isakmp sa命令以驗證第1階段是否正確建立。
• 輸入show crypto ipsec sa以驗證第2階段是否建立正確。

命令摘要

將VPN命令輸入ASA後，當流量在ASDM PC (172.18.124.102)和ASA-2的內部介面(192.168.10.1)之間傳遞時，會建立VPN隧道。此時，ASDM PC可以訪問https://192.168.10.1，並透過VPN隧道與ASA-2的ASDM介面通訊。

疑難排解

本節提供的資訊可用於對組態進行疑難排解。

注意：請參閱Cisco自適應安全裝置管理器Cisco文章的ASA連線問題，以對ASDM相關問題進行故障排除。

範例偵錯輸出

輸入show crypto isakmp sa命令以檢視在198.51.100.2和203.0.113.2之間形成的隧道：

ASA-2(config)# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

輸入show crypto ipsec sa命令以檢視在192.168.10.0 255.255.255.0和172之間傳遞流量的隧道。 18.124.0 255.255.255.0：

ASA-2(config)# show crypto ipsec sa
interface: outside
 Crypto map tag: vpn, seq num: 10, local addr: 198.51.100.2
 
  access-list 101 extended permit ip 192.168.10.0 255.255.255.0
   172.18.124.0 255.255.255.0
  local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.18.124.0/255.255.255.0/0/0)
  current_peer: 203.0.113.2

  #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
  #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
  #pkts compressed: 0, #pkts decompressed: 0
  #pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
  #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
  #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
  #TFC rcvd: 0, #TFC sent: 0
  #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
  #send errors: 0, #recv errors: 0
 
  local crypto endpt.: 198.51.100.2/0, remote crypto endpt.: 203.0.113.2/0
  path mtu 1500, ipsec overhead 58(36), media mtu 1500
  PMTU time remaining (sec): 0, DF policy: copy-df
  ICMP error validation: disabled, TFC packets: disabled
  current outbound spi: DDE6AD22
  current inbound spi : 92425FE5
 
 inbound esp sas:
  spi: 0x92425FE5 (2453823461)
   transform: esp-3des esp-md5-hmac no compression
   in use settings ={L2L, Tunnel, IKEv1, }
   slot: 0, conn_id: 28672, crypto-map: vpn
   sa timing: remaining key lifetime (kB/sec): (4373999/28658)
   IV size: 8 bytes
   replay detection support: Y
   Anti replay bitmap:
    0x00000000 0x0000003F
 outbound esp sas:
  spi: 0xDDE6AD22 (3722882338)
   transform: esp-3des esp-md5-hmac no compression
   in use settings ={L2L, Tunnel, IKEv1, }
   slot: 0, conn_id: 28672, crypto-map: vpn
   sa timing: remaining key lifetime (kB/sec): (4373999/28658)
   IV size: 8 bytes
   replay detection support: Y
   Anti replay bitmap:
    0x00000000 0x00000001

相關資訊

• Cisco ASA命令參考
• 技術支援與文件 - Cisco Systems