This document describes how to configure a LAN-to-LAN VPN tunnel with the use of two Cisco Adaptive Security Appliance (ASA) Firewalls. The Cisco Adaptive Security Device Manager (ASDM) runs on the remote ASA through the outside interface on the public side, and it encrypts both regular network and ASDM traffic. The ASDM is a browser-based configuration tool that is designed in order to help you set up, configure, and monitor your ASA Firewall with a GUI. You do not need extensive knowledge of the ASA Firewall CLI.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
Cisco ASA Firewall software Release 9.x.
ASA-1 and ASA-2 are Cisco ASA Firewall 5520
ASA 2 uses ASDM Version 7.2(1)
Note: When you are prompted for a username and password for the ASDM, the default settings do not require a username. If an enable password was previously configured, enter that password as the ASDM password. If there is no enable password, leave both the username and password entries blank and click OK in order to continue.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Use the information that is described in this section in order to configure the features that are described in this document.
This is the configuration that is used on ASA-1:
ASA Version 9.1(5)
!
hostname ASA-1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.18.124.1 255.255.255.0
!
!--- Traffic matching ACL 101 is punted to VPN
!--- Encrypt/Decrypt traffic matching ACL 101

access-list 101 extended permit ip 172.18.124.0 255.255.255.0 192.168.10.0 255.255.255.0

!--- Do not use NAT
!--- on traffic matching below Identity NAT

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key cisco
Access ASDM/SSH Across a VPN Tunnel
In order to access ASDM via the inside interface of ASA-2 from the ASA-1 inside network, you must use the command that is described here. This command can only be used for one interface. On ASA-2, configure management-access with the management-access inside command:
This section provides information that you can use in order to verify that your configuration works properly.
Note: The Cisco CLI Analyzer (registered customers only) supports certain show commands. Use the Cisco CLI Analyzer in order to view an analysis of show command output.
Use these commands in order to verify your configuration:
Enter the show crypto isakmp sa/show isakmp sa command in order to verify that Phase 1 establishes correctly.
Enter the show crypto ipsec sa command in order to verify that Phase 2 establishes correctly.
Once the VPN commands are entered into the ASAs, a VPN tunnel is established when traffic passes between the ASDM PC (172.18.124.102) and the inside interface of ASA-2 (192.168.10.1). At this point, the ASDM PC is able to reach https://192.168.10.1 and communicate with the ASDM interface of ASA-2 over the VPN tunnel.
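As an added example that is not part of the Cisco document, this small Python check parses the crypto ACL and tunnel-group lines from the ASA-1 configuration above and confirms that the ASDM PC to ASA-2 inside interface flow (172.18.124.102 to 192.168.10.1) is matched by ACL 101, so it is sent through the tunnel rather than in the clear. The configuration excerpt is constructed from the lines on this page; the function names are this example's own.

```python
import ipaddress
import re

# Constructed excerpt mirroring the ASA-1 configuration on this page (sample input, not a live device).
ASA1_CONFIG = """\
access-list 101 extended permit ip 172.18.124.0 255.255.255.0 192.168.10.0 255.255.255.0
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key cisco
"""

# Matches "access-list <name> extended permit ip <src> <mask> <dst> <mask>" entries
ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) extended permit ip "
    r"(?P<src>\S+) (?P<smask>\S+) (?P<dst>\S+) (?P<dmask>\S+)$"
)


def parse_crypto_acl(config, acl_name):
    """Return the (src_net, dst_net) pairs of the named interesting-traffic ACL."""
    pairs = []
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m and m.group("name") == acl_name:
            # ASA ACLs use dotted netmasks; ip_network accepts "net/netmask" with strict=False
            src = ipaddress.ip_network(f"{m.group('src')}/{m.group('smask')}", strict=False)
            dst = ipaddress.ip_network(f"{m.group('dst')}/{m.group('dmask')}", strict=False)
            pairs.append((src, dst))
    return pairs


def covered_by_acl(pairs, src_host, dst_host):
    """True if a src->dst flow matches any ACE, i.e. it will be encrypted into the tunnel."""
    s, d = ipaddress.ip_address(src_host), ipaddress.ip_address(dst_host)
    return any(s in src and d in dst for src, dst in pairs)


def l2l_peers(config):
    """Peer addresses that have an IPsec LAN-to-LAN tunnel-group defined."""
    return set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l$", config, re.M))


if __name__ == "__main__":
    pairs = parse_crypto_acl(ASA1_CONFIG, "101")
    # ASDM PC on the ASA-1 inside network to the ASA-2 inside interface (addresses from the page)
    print(covered_by_acl(pairs, "172.18.124.102", "192.168.10.1"))  # True
    # A destination outside the crypto ACL is not tunneled, so ASDM traffic to it would be in the clear
    print(covered_by_acl(pairs, "172.18.124.102", "203.0.113.2"))  # False
    print(l2l_peers(ASA1_CONFIG))  # {'203.0.113.2'}
```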
This section provides information that you can use in order to troubleshoot your configuration.