cisco asa5520 和H3C SecPath做IPSEC VPN问题

Posted 2023-04-26

tags:

篇首语：本文由小常识网(cha138.com)小编为大家整理，主要介绍了cisco asa5520 和H3C SecPath做IPSEC VPN问题相关的知识，希望对你有一定的参考价值。

之前是总部和分公司的2个H3C SecPath做的IPSEC VPN 可以正常连接的,现在把总部的H3C SecPath换成ASA 5520, 由于对端分公司是H3C SecPath设备,而且对端分公司IP是动态IP,而且分公司H3C SecPath设备我是没有权利修改里面配置的, 最重要的我看不懂华三配置！求高人指点！

以下是H3C SecPath设备的ipsec vpn配置图
这图片是总部H3C SecPath设备的配置图

参考技术A 这个是总部H3C SecPath设备的配置命令,
因为输入字数超过了,所以我用小号补充问题！

#
sysname zongbu
#
l2tp enable
#
ike local-name zongbu
#
firewall packet-filter enable
firewall packet-filter default permit
#
insulate
#
firewall statistic system enable
#
radius scheme system
server-type extended
#
domain l2tp
ip pool 1 192.168.188.2 192.168.188.30
domain system
#
local-user admin
password simple *******
service-type telnet
level 3
local-user dini
password simple *********
service-type telnet
level 3
local-user dini001
password simple *******
service-type ppp
local-user dini002
password simple *******
service-type ppp
local-user dini003
password simple *******
service-type ppp
#
ike proposal 1
#
ike dpd 1
#
ike peer fz
exchange-mode aggressive
pre-shared-key ****************
id-type name
remote-name fenzhi
nat traversal
dpd 1
#
ipsec proposal 1
#
ipsec policy fz 10 isakmp
security acl 3001
ike-peer fz
proposal 1
#
acl number 3000
rule 0 deny ip source 192.168.10.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
rule 1 permit ip source 192.168.10.17 0
rule 2 permit ip source 192.168.10.18 0
rule 4 permit ip source 192.168.10.19 0
rule 5 permit ip source 192.168.10.20 0
rule 7 permit ip source 192.168.10.16 0
rule 9 permit ip source 192.168.10.15 0
rule 10 permit ip source 192.168.10.21 0
rule 12 permit ip source 192.168.10.14 0
rule 14 permit ip source 192.168.10.13 0
rule 15 permit ip source 192.168.10.22 0
rule 17 permit ip source 192.168.10.12 0
rule 19 permit ip source 192.168.10.11 0
rule 20 permit ip source 192.168.10.23 0
rule 22 permit ip source 192.168.10.10 0
rule 24 permit ip source 192.168.10.9 0
rule 25 permit ip source 192.168.10.24 0
rule 27 permit ip source 192.168.10.8 0
rule 29 permit ip source 192.168.10.7 0
rule 30 permit ip source 192.168.10.25 0
rule 32 permit ip source 192.168.10.6 0
rule 34 permit ip source 192.168.10.5 0
rule 35 permit ip source 192.168.10.26 0
rule 37 permit ip source 192.168.10.4 0
rule 39 permit ip source 192.168.10.3 0
rule 40 permit ip source 192.168.10.27 0
rule 42 permit ip source 192.168.10.2 0
rule 45 permit ip source 192.168.10.28 0
rule 46 permit ip source 192.168.10.29 0
rule 47 permit ip source 192.168.10.30 0
rule 48 permit ip source 192.168.188.0 0.0.0.255
rule 50 deny ip
acl number 3001
rule 0 permit ip source 192.168.10.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3002
#
interface Virtual-Template0
ppp authentication-mode pap domain l2tp
ppp pap local-user test password simple test
ip address 192.168.188.1 255.255.255.0
remote address pool 1
#
interface Aux0
async mode flow
#
interface Ethernet0/0
ip address 192.168.10.1 255.255.255.0
firewall packet-filter 3001 outbound
#
interface Ethernet0/1
#
interface Ethernet0/2
#
interface Ethernet0/3
#
interface Ethernet1/0
ip address 1.85.4.162 255.255.255.248
firewall packet-filter 3001 outbound
nat outbound 3000
nat server protocol tcp global 1.85.4.162 11901 inside 192.168.10.28 11901
nat server protocol tcp global 1.85.4.162 11902 inside 192.168.10.28 11902
nat server protocol udp global 1.85.4.162 11901 inside 192.168.10.28 11901
nat server protocol udp global 1.85.4.162 11902 inside 192.168.10.28 11902
nat server protocol tcp global 1.85.4.162 9000 inside 192.168.10.27 9000
ipsec policy fz
#
interface Ethernet1/1
#
interface Ethernet1/2
#
interface Encrypt2/0
#
interface NULL0
#
firewall zone local
set priority 100
#
firewall zone trust
add interface Ethernet0/0
add interface Ethernet0/1
add interface Ethernet0/2
add interface Ethernet0/3
add interface Ethernet1/0
add interface Virtual-Template0
set priority 85
#
firewall zone untrust
set priority 5
#
firewall zone DMZ
set priority 50
#
firewall interzone local trust
#
firewall interzone local untrust
#
firewall interzone local DMZ
#
firewall interzone trust untrust
#
firewall interzone trust DMZ
#
firewall interzone DMZ untrust
#
l2tp-group 1
undo tunnel authentication
mandatory-lcp
allow l2tp virtual-template 0
#
ip route-static 0.0.0.0 0.0.0.0 1.85.4.161 preference 60
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
#
return 参考技术B 你哪些看不懂呢

cisco asa5505 web管理的配置

现在手头有个5505的防火墙，想配置一下，从而可以从web访问，在网上找到了如下设置方法：
——————————————————————————————
在串口下输入以下命令：
ciscoasa>
ciscoasa> en
Password:
ciscoasa# conf t 进入全局模式
ciscoasa(config)# webvpn 进入WEBVPN模式
ciscoasa(config-webvpn)# username cisco password cisco 新建一个用户和密码
ciscoasa(config)# int m 0/0 进入管理口
ciscoasa(config-if)# ip address 192.168.4.1 255.255.255.0 添加IP地址
ciscoasa(config-if)# nameif guanli 给管理口设个名字
ciscoasa(config-if)# no shutdown 激活接口
ciscoasa(config)#q 退出管理接口
ciscoasa(config)# http server enable 开启HTTP服务
ciscoasa(config)# http 192.168.4.0 255.255.255.0 guanli 在管理口设置可管理的IP地址
ciscoasa(config)# show run 查看一下配置
ciscoasa(config)# wr m 保存

经过以上配置就可以用ASDM配置防火墙了。

首先用交叉线把电脑和防火墙的管理口相连，把电脑设成和管理口段的IP地址,本例中设为192.168.4.0 段的IP打开浏览器在地址栏中输入管理口的IP地址:
https://192.168.4.1
————————————————————————————
请问，我的5505怎么不认识这个m0/0端口，貌似只有e端口

参考技术A 你把那个管理IP配置在ethernet端口也可以呀,方法一样的!
还要配置vty和console密码,和特权密码! 参考技术B 用 show ip
就能看到是什么类型的端口了

以上是关于cisco asa5520 和H3C SecPath做IPSEC VPN问题的主要内容，如果未能解决你的问题，请参考以下文章

cisco asa5520 防火墙如何配置路由，希望大虾帮忙！

浅谈Cisco ASA的基础

用Cisco Packet Tracer 如何添加Cisco ASA 防火墙设备

ASA 5520 内网互访实验

基于GNS3的ASA 5520虚拟防火墙功能测试

思科---防火墙asa5520配置笔记