access-list inside_access_in line 2 extended permit ip object-group all any

access-group inside_access_in in interface inside

6.配置sitetosite之VPN

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto map outside_map 20 match address outside_cryptomap_20_1

crypto map outside_map 20 set pfs

crypto map outside_map 20 set peer 218.16.105.48

crypto map outside_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map interface outside

isakmp identity address

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group 218.16.105.48 type ipsec-l2l

tunnel-group 218.16.105.48 ipsec-attributes

pre-shared-key *

peer-id-validate nocheck

tunnel-group-map enable rules

注：打打PFS并设定以IP地址作为peer名，一个接口只能有一个加密图

7.webvpn配置(ssl vpn)

webvpn

enable outside

character-encoding gb2312

csd image disk0:/securedesktop-asa-3.1.1.16.pkg

svc image disk0:/sslclient-win-1.1.0.154.pkg 1

svc enable

customization customization1

title text TEST WebVPN system

title style background-color:white;color: rgb(51,153,0);border-bottom:5px groo

ve #669999;font-size:larger;vertical-align:middle;text-align:left;font-weight:bold

tunnel-group-list enable

注：也可通过ASDM图形界面进行配置登录后，可访问内部资源，如下例：(客户端首先要安装Java插件jre-1_5_0-windows-i586.exe,并打开浏览器的ActiveX)

1)https://sslvpn.test.com.cn输入用户名和密码

2) 出现工具条

3) 在Enter Web Address内输入192.168.40.8即可访问内部网站

4)在browse network输入192.168.40.8即可访问共享文件

5)点击application access，即可查看端口转发设置，如使用putty访问本机的2023端口，则即可通过ssh登录192.168.40.8

8. 远程拨入VPN

相关的ASA配置命令如下：

access-list inside_access_in extended permit ip object-group remotegroup any

access-list inside_access_in extended permit icmp object-group remotegroup any

access-list remotevpn_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0

access-list vpnclient_splitTunnelAcl standard permit 192.168.100.0 255.255.255.0

ip local pool dialuserIP 192.168.101.1-192.168.101.254 mask 255.255.255.0

group-policy remotevpn attributes

dns-server value 202.96.128.68 192.168.40.16

default-domain value test.com.cn

username jiang password Csmep3VzvPQPCbkx encrypted privilege 15

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac

crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set pfs

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto dynamic-map outside_dyn_map 20 set reverse-route

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

tunnel-group remotevpn type ipsec-ra

tunnel-group remotevpn general-attributes

address-pool dialuserIP

default-group-policy remotevpn

tunnel-group remotevpn ipsec-attributes

pre-shared-key *

客户端设置如下：

9.日志服务器配置

logging enable

logging timestamp

logging emblem

logging trap informational

logging asdm warnings

logging host inside 192.168.40.115 format emblem

logging permit-hostdown

vpn-simultaneous-logins 3

10.Snmp网管配置

snmp-server host inside 192.168.40.47 community testsnmp

snmp-server location DG-GTEST

snmp-server contact jiangdaoyou:6162

snmp-server community testsnmp

snmp-server enable traps snmp authentication linkup linkdown coldstart

注：指定主机后，192.168.40.47才可能进行管理

11.ACS配置

安装后管理：http://ip:2002通过ACS可以进行授权、认证等等很多功能因内容太多，暂省略

12. AAA配置

Aaa服务器配置：

aaa-server radius_dg host dc03.xxxx.com

key dfdfdfdf146**U

authentication-port 1812

accounting-port 1813

radius-common-pw dfdfdfdf146**U

对于拨入vpn的配置

tunnel-group vg_testerp general-attributes

address-pool ciscovpnuser

authentication-server-group radius_dg

default-group-policy vg_testerp

13.升级IOS

copy tftp://192.168.40.180/asa/asa721-k8.bin disk0:/asa721-k8.bin

boot system disk0:/asa721-k8.bin (多个Image时使用)

14.疑难杂症

1) 在远程子网不能ping通过对方的网关，如在无锡格兰不能ping 192.168.40.251

输入命令：management-access inside (通过ASDM不能设置这一项)

2) NAT有时不能快速启作用

使用命令：clear xlate即可