安全 : Cisco Adaptive Security Device Manager

对ASDM的ASA访问从在VPN隧道配置示例的一个内部接口

2015 年 8 月 28 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 4 月 23 日) | 反馈

简介

本文描述如何配置有使用的一个LAN到LAN VPN隧道两思科可适应安全工具(ASA)防火墙。Cisco Adaptive Security Device Manager (ASDM)运作对远程ASA通过在公共侧的外部接口和此加密正常网络和ASDM流量。ASDM是设计为了帮助您设置,配置和监控您的与GUI的ASA防火墙的基于浏览器的配置工具。您不需要ASA防火墙CLI的广泛的知识。 

贡献用Dinkar夏尔马, Prashant Joshi和马格纳斯Mortensen, Cisco TAC工程师。

先决条件

要求

Cisco 建议您了解以下主题:

  • IPSec加密
  • 思科ASDM

注意:保证在您的拓扑方面使用的所有设备符合在Cisco ASA 5500系列硬件安装指南描述的要求。

提示:参考IP安全Cisco条款为了获取与基本IPSec加密的熟悉。

使用的组件

本文档中的信息基于以下软件和硬件版本:

  • Cisco ASA防火墙软件版本9.x。

  • ASA-1和ASA-2是思科ASA防火墙5520

  • ASA 2用途ASDM版本7.2(1)

注意:当提示对于ASDM的时一个用户名和密码,默认设置不要求用户名。如果特权密码以前配置,请输入该密码作为ASDM密码。如果没有特权密码,请留下两张用户名和密码报名表并且点击OK键继续为了。

本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您使用的是真实网络,请确保您已经了解所有命令的潜在影响。

配置

请使用在此部分描述为了配置功能在本文描述的信息。

注意:使用命令查找工具仅限注册用户)可获取有关本部分所使用命令的详细信息。

网络图

配置

这是在ASA-1使用的配置:

ASA-1

ASA Version 9.1(5)
!
hostname ASA-1
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 172.18.124.1 255.255.255.0
!

!--- Traffic matching ACL 101 is punted to VPN
!--- Encrypt/Decrypt traffic matching ACL 101


access-list 101 extended permit ip 172.18.124.0 255.255.255.0 192.168.10.0
255.255.255.0

!--- Do not use NAT
!--- on traffic matching below Identity NAT


object network obj_192.168.10.0
subnet 192.168.10.0 255.255.255.0

object network obj_172.18.124.0
subnet 172.18.124.0 255.255.255.0

nat (inside,outside) source static obj_172.18.124.0 obj_172.18.124.0 destination
static obj_192.168.10.0 obj_192.168.10.0 no-proxy-arp route-lookup

!--- Configures a default route towards the gateway router.

route outside 0.0.0.0 0.0.0.0 203.0.113.252 1

!--- Point the configuration to the appropriate version of ASDM in flash


asdm image asdm-722.bin

!--- Enable the HTTP server required to run ASDM.


http server enable

!--- This is the interface name and IP address of the host or
!--- network that initiates the HTTP connection.


http 172.18.124.102 255.255.255.255 inside

!--- Implicitly permit any packet that came from an IPsec
!--- tunnel and bypass the checking of an associated access-group
!--- command statement for IPsec connections.


sysopt connection permit-vpn

!--- Specify IPsec (phase 2) transform set.
!--- Specify IPsec (phase 2) attributes.


crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 198.51.100.2
crypto map vpn 10 set ikev1 transform-set vpn
crypto map vpn interface outside

!--- Specify ISAKMP (phase 1) attributes.


crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

!--- Specify tunnel-group ipsec attributes.

tunnel-group 198.51.100.2 type ipsec-l2l
tunnel-group 198.51.100.2 ipsec-attributes
ikev1 pre-shared-key cisco

这是在ASA-2使用的配置:

ASA-2

ASA Version 9.1(5)
!
hostname ASA-2
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!

!--- Traffic matching ACL 101 is punted to VPN
!--- Encrypt/Decrypt traffic matching ACL 101


access-list 101 extended permit ip 192.168.10.0 255.255.255.0 172.18.124.0
255.255.255.0

!--- Do not use NAT
!--- on traffic matching below Identity NAT


object network obj_192.168.10.0
subnet 192.168.10.0 255.255.255.0

object network obj_172.18.124.0
subnet 172.18.124.0 255.255.255.0

nat (inside,outside) source static obj_192.168.10.0 obj_192.168.10.0 destination
static obj_172.18.124.0 obj_172.18.124.0 no-proxy-arp route-lookup

!--- Configures a default route towards the gateway router.

route outside 0.0.0.0 0.0.0.0 198.51.100.252 1

!--- Point the configuration to the appropriate version of ASDM in flash

asdm image asdm-722.bin

!--- Enable the HTTP server required to run ASDM.

http server enable

!--- This is the interface name and IP address of the host or
!--- network that initiates the HTTP connection.


http 192.168.10.102 255.255.255.255 inside

!--- Add an aditional 'http' configuration to allow the remote subnet
!--- to access ASDM over the VPN tunnel


http 172.18.124.0 255.255.255.0 outside

!--- Implicitly permit any packet that came from an IPsec
!--- tunnel and bypass the checking of an associated access-group
!--- command statement for IPsec connections.


sysopt connection permit-vpn

!--- Specify IPsec (phase 2) transform set.
!--- Specify IPsec (phase 2) attributes.


crypto ipsec ikev1 transform-set vpn esp-3des esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map vpn 10 match address 101
crypto map vpn 10 set peer 203.0.113.2
crypto map vpn 10 set ikev1 transform-set vpn
crypto map vpn interface outside

!--- Specify ISAKMP (phase 1) attributes.


crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

!--- Specify tunnel-group ipsec attributes.


tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
ikev1 pre-shared-key cisco

在VPN通道间的访问ASDM/SSH

为了通过ASA-2内部接口从ASA-1网络内部的访问ASDM,您必须使用描述此处的命令。此命令可能只用于一个接口。在ASA-2,请配置管理访问管理访问里面命令:

management-access <interface-name>

验证

此部分提供您能使用为了验证的信息您的配置适当地工作。

注意命令输出解释程序工具仅限注册用户)(OIT) 支持某些 show 命令。使用 OIT 可查看对 show 命令输出的分析。

请使用这些命令为了验证您的配置:

  • 输入show crypto isakmp sa/show isakmp sa命令为了验证阶段1正确地设立。

  • 输入show crypto ipsec sa为了验证第2阶段正确地设立。

命令汇总

一旦VPN命令被输入到ASA, VPN通道设立,当流量通过在ASDM PC (172.18.124.102)时和内部接口ASA-2之间(192.168.10.1)。这时, ASDM PC能到达https://192.168.10.1和通信与ASA-2 ASDM接口在VPN通道的。

故障排除

此部分提供您能使用为了排除故障您的配置的信息。

注意:参考ASA连接问题对Cisco Adaptive Security Device Manager Cisco条款为了排除故障ASDM相关问题。

调试输出示例

输入show crypto isakmp sa命令为了查看形成在198.51.100.2和203.0.113.2之间的通道:

ASA-2(config)# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 203.0.113.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

输入show crypto ipsec sa命令为了查看通过流量在192.168.10.0 255.255.255.0和172.18.124.0 255.255.255.0之间的通道:

ASA-2(config)# show crypto ipsec sa
interface: outside
Crypto map tag: vpn, seq num: 10, local addr: 198.51.100.2

access-list 101 extended permit ip 192.168.10.0 255.255.255.0
172.18.124.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.18.124.0/255.255.255.0/0/0)
current_peer: 203.0.113.2

#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 5, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0

local crypto endpt.: 198.51.100.2/0, remote crypto endpt.: 203.0.113.2/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: DDE6AD22
current inbound spi : 92425FE5

inbound esp sas:
spi: 0x92425FE5 (2453823461)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: vpn
sa timing: remaining key lifetime (kB/sec): (4373999/28658)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x0000003F
outbound esp sas:
spi: 0xDDE6AD22 (3722882338)
transform: esp-3des esp-md5-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: vpn
sa timing: remaining key lifetime (kB/sec): (4373999/28658)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001

相关信息


相关的思科支持社区讨论

思科支持社区是您提问、解答问题、分享建议以及与工作伙伴协作的论坛。


Document ID: 118092