In this article I want to give step-by-step instructions on how to quickly deploy the most scalable scheme available today for remote-access VPN based on AnyConnect and Cisco ASA: the VPN Load-Balancing Cluster.
Introduction: Many companies around the world, given the current situation with COVID-19, are trying to move their employees to remote work. Because of the mass shift to remote work, the load on corporate VPN gateways is growing significantly and the ability to scale them quickly is required. On the other hand, many companies are being forced to master the concept of remote work from scratch in a hurry.
I have prepared a step-by-step guide to simplify the deployment of a VPN Load-Balancing Cluster as the most scalable VPN technology.
The example below will be quite simple in terms of the authentication and authorization algorithms used, but it is a good option for a quick start (which many currently lack) with the possibility of deeper adaptation to your needs during the deployment process.
Brief overview: VPN Load-Balancing Cluster technology is neither failover nor clustering in the original sense of the word; it can combine completely different ASA models (with certain restrictions) to balance the load of Remote-Access VPN connections. There is no synchronization of sessions or configuration between the nodes of such a cluster, but it is possible to load-balance VPN connections automatically and to guarantee the availability of VPN connectivity as long as at least one active node remains in the cluster. The load in the cluster is balanced automatically according to the workload of the nodes, measured by the number of VPN sessions.
For failover of specific cluster nodes (if required), a failover pair can be used, so that the active connections are handled by the Primary node of the pair. Failover is not a necessary condition for fault tolerance in the Load-Balancing cluster: in the event of a node failure the cluster itself will transfer the user session to another live node, but without preserving the connection state, which is exactly what failover provides. Therefore, if necessary, the two technologies can be combined.
A VPN Load-Balancing cluster can contain more than two nodes.
The VPN Load-Balancing Cluster is supported on ASA 5512-X and above.
Since each ASA in the VPN Load-Balancing cluster is an independent unit in terms of configuration, we perform all configuration steps separately on each device.
We deploy ASAv instances of the models we need (ASAv5/10/30/50) from the image.
We assign the INSIDE/OUTSIDE interfaces to the same VLANs (Outside in its own VLAN, Inside in its own, but the same across the whole cluster; see the topology). It is important that like-named interfaces are in the same L2 segment.
Licensing:
Right after installation the ASAv is unlicensed and limited to 100 kbps.
To install a license, you need to create a token in your Smart Account: https://software.cisco.com/ -> Smart Software Licensing
In the window that opens, click the New Token button.
Make sure that in the window that opens the "Allow export-controlled functionality" field is active and its checkbox is checked. Without this, strong encryption features, and therefore VPN, cannot be used. If the field is inactive, contact your account team and ask to have it enabled.
After clicking the Create Token button, a token is created that we will use to license the ASAv; copy it:
Repeat steps C, D, E for each deployed ASAv.
To make copying the token easier, let's temporarily enable telnet. Let's configure each ASA (the example below illustrates the settings on ASA-1). Telnet does not work on the outside interface; if you really need it, change the security level of the outside interface to 100 and then revert it.
!
ciscoasa(config)# int gi0/0
ciscoasa(config)# nameif outside
ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# int gi0/1
ciscoasa(config)# nameif inside
ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# telnet 0 0 inside
ciscoasa(config)# username admin password cisco priv 15
ciscoasa(config)# ena password cisco
ciscoasa(config)# aaa authentication telnet console LOCAL
!
ciscoasa(config)# route outside 0 0 192.168.31.1
!
ciscoasa(config)# wr
!
To register the token in the Smart Account cloud, you must provide Internet access for the ASA; details here.
In short, the ASA requires:
HTTPS access to the Internet;
time synchronization (preferably via NTP);
a configured DNS server.
We connect to the ASA and perform the setup to activate the license via the Smart Account.
!
ciscoasa(config)# clock set 19:21:00 Mar 18 2020
ciscoasa(config)# clock timezone MSK 3
ciscoasa(config)# ntp server 192.168.99.136
!
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# DNS server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 192.168.99.132
!
! Check DNS operation:
!
ciscoasa(config-dns-server-group)# ping ya.ru
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
!!!!!
!
! Check NTP synchronization:
!
ciscoasa(config)# show ntp associations
address ref clock st when poll reach delay offset disp
*~192.168.99.136 91.189.94.4 3 63 64 1 36.7 1.85 17.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
!
! Configure our ASAv for Smart Licensing (according to your profile; in my case 100M as an example)
!
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level 100M
!
! If necessary, Internet access through a proxy can be configured with the following block of commands:
!call-home
! http-proxy ip_address port port
!
! Next we paste the token (<token>) copied from the Smart Account portal and register the license
!
ciscoasa(config)# end
ciscoasa# license smart register idtoken <token>
We check that the device has successfully registered the license and that the encryption features are available:
Basic SSL-VPN configuration on each gateway
Next, configure access via SSH and ASDM:
ciscoasa(config)# ssh ver 2
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# hostname vpn-demo-1
vpn-demo-1(config)# domain-name ashes.cc
vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096
vpn-demo-1(config)# ssh 0 0 inside
vpn-demo-1(config)# http 0 0 inside
!
! Bring up the HTTPS server for ASDM on port 445 so that it does not conflict with the SSL-VPN portal
!
vpn-demo-1(config)# http server enable 445
!
For ASDM to work, you must first download it from cisco.com; in my case it is the following file:
For the AnyConnect client to work, you need to upload to each ASA an image for every client OS in use (Linux / Windows / MAC are planned here); you need the file with "Headend Deployment Package" in its title:
The downloaded files can be placed, for example, on an FTP server and loaded onto each ASA from there:
We configure ASDM and a self-signed certificate for SSL-VPN (a trusted certificate is recommended in production). The configured FQDN of the Virtual Cluster Address (vpn-demo.ashes.cc), and every FQDN associated with the external address of each cluster node, must resolve in the external DNS zone to the IP address on the OUTSIDE network (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). The certificate requirements are described in detail in the Certificate Verification section of the documentation.
!
vpn-demo-1(config)# crypto ca trustpoint SELF
vpn-demo-1(config-ca-trustpoint)# enrollment self
vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
vpn-demo-1(config-ca-trustpoint)# serial-number
vpn-demo-1(config-ca-trustpoint)# crl configure
vpn-demo-1(config-ca-crl)# cry ca enroll SELF
% The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
Generate Self-Signed Certificate? [yes/no]: yes
vpn-demo-1(config)#
!
vpn-demo-1(config)# sh cry ca certificates
Certificate
Status: Available
Certificate Serial Number: 4d43725e
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Subject Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Validity Date:
start date: 00:16:17 MSK Mar 19 2020
end date: 00:16:17 MSK Mar 17 2030
Storage: config
Associated Trustpoints: SELF
CA Certificate
Status: Available
Certificate Serial Number: 0509
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Subject Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Validity Date:
start date: 21:27:00 MSK Nov 24 2006
end date: 21:23:33 MSK Nov 24 2031
Storage: config
Associated Trustpoints: _SmartCallHome_ServerCA
Don't forget to specify the port when checking that ASDM works, for example:
Let's perform the basic tunnel settings:
Let's provide access to the corporate network through the tunnel and let Internet traffic go directly (not the safest method if the host is unprotected: the host could be compromised and corporate data exposed; the split-tunnel-policy tunnelall option sends all traffic into the tunnel instead. Split tunneling, however, offloads the VPN gateway from processing Internet traffic).
Let's issue addresses from the 192.168.20.0/24 subnet to hosts in the tunnel (a pool from addresses 10 to 30 for node #1). Each VPN cluster node must have its own pool.
We will perform authentication with a local user on the ASA (this is not recommended, it is simply the easiest method); it is better to authenticate via LDAP/RADIUS, or better still to enable Multi-Factor Authentication (MFA), for example Cisco DUO.
(OPTIONAL): In the example above we used a local user on the firewall to authenticate remote users, which of course is of little use outside a lab. I will show how to quickly adapt the configuration for authentication against a RADIUS server, for example using Cisco Identity Services Engine:
This integration makes it possible not only to integrate authentication with the AD directory service, but also to distinguish whether the connecting computer is a member of AD, to understand whether the device is corporate or personal, and to assess the posture of the connecting device.
Let's configure Transparent NAT so that traffic between the client and corporate network resources is not translated:
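The basic tunnel settings described above (pool for node #1, split tunnel, group policy, tunnel group, AnyConnect images) together with the optional RADIUS variant, as an added example that is not the article's own configuration. Assumed names: VPN-POOL-1, SPLIT-TUNNEL, VPN-GP, VPN-TG, ISE; the corporate prefix 192.168.0.0/16, the RADIUS server address and secret, and the AnyConnect package filename are placeholders.

```text
! Added example, not from the article. Assumed names: VPN-POOL-1, SPLIT-TUNNEL, VPN-GP,
! VPN-TG, ISE; 192.168.0.0/16, the RADIUS host/secret and the package filename are placeholders.
!
! Per-node pool: node #1 gets .10-.30; every other node needs its own non-overlapping range
ip local pool VPN-POOL-1 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
! Split tunnel: only corporate prefixes enter the tunnel. To force all client traffic
! through the ASA instead, use "split-tunnel-policy tunnelall" and drop the network list.
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.0.0
!
group-policy VPN-GP internal
group-policy VPN-GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 192.168.99.132
 address-pools value VPN-POOL-1
!
! Lab-only local user. privilege 0 + service-type remote-access keep the VPN account out of
! the management plane (enforced for SSH/ASDM once "aaa authorization exec LOCAL" is set)
username vpnuser password <placeholder> privilege 0
username vpnuser attributes
 service-type remote-access
!
tunnel-group VPN-TG type remote-access
tunnel-group VPN-TG general-attributes
 default-group-policy VPN-GP
tunnel-group VPN-TG webvpn-attributes
 group-alias VPN enable
!
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-headend-package>.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! (OPTIONAL) Point the same tunnel-group at RADIUS (e.g. Cisco ISE) with LOCAL as fallback
aaa-server ISE protocol radius
aaa-server ISE (inside) host <radius-server-ip>
 key <radius-shared-secret>
tunnel-group VPN-TG general-attributes
 authentication-server-group ISE LOCAL
```

Repeat the block on every node, changing only the pool range (and the hostname-specific values) so that client addresses never overlap between nodes.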
vpn-demo-1(config)# object network vpn-users
vpn-demo-1(config-network-object)# subnet 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp
(OPTIONAL): To give our clients Internet access through the ASA (when the tunnelall option is used) by means of PAT, and to send them out through the same outside interface they connected on, you need to make the following settings.
When using a cluster it is important that the internal network can tell which ASA return traffic to a given user must go through, so the /32 routes/addresses issued to clients have to be redistributed.
At this point we have not yet configured the cluster, but we already have working VPN gateways that can be connected to individually by FQDN or IP.
We see the connected client in the routing table of the first ASA:
So that our whole VPN cluster and the entire corporate network know the route to our client, we redistribute the client prefix into a dynamic routing protocol, for example OSPF:
Now the second gateway ASA-2 has a route to the client, users connected to different VPN gateways in the cluster can, for example, talk directly over corporate IP telephony, and return traffic from the resources a user requested arrives at the correct VPN gateway:
Let's move on to configuring the Load-Balancing cluster.
The address 192.168.31.40 will be used as the Virtual IP (VIP; all VPN clients initially connect to it); from this address the cluster master REDIRECTs the client to the least loaded cluster node. Don't forget to register both forward and reverse DNS records for the external address/FQDN of every cluster node as well as for the VIP.
We check the cluster operation with two connected clients:
Let's make the client experience more convenient with an AnyConnect profile that is pushed automatically, created via ASDM.
We give the profile a convenient name and associate our group policy with it:
On the client's next connection this profile is downloaded and installed in the AnyConnect client automatically, so to connect you simply select it from the list:
Since we created this profile on only one ASA via ASDM, don't forget to repeat the steps on the other ASAs in the cluster.
Conclusion: So we have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is simple, giving easy horizontal scaling by deploying new ASAv virtual machines or using hardware ASAs. The feature-rich AnyConnect client can further strengthen secure remote access using Posture (state assessment), which is most effective together with the centralized access control and accounting system Cisco Identity Services Engine.
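The hairpin PAT for tunnelall clients mentioned above, as an added example rather than the article's own commands. The object name vpn-users comes from the article's NAT exemption; everything else is standard ASA syntax.

```text
! Added example, not from the article. Object vpn-users is the client pool defined earlier.
!
! Traffic from a VPN client arrives on outside and must leave on outside again
same-security-traffic permit intra-interface
!
! Object (auto) NAT: PAT the client pool to the outside interface address. The article's
! twice-NAT identity rule for corporate destinations sits in NAT section 1 and is evaluated
! first, so client <-> corporate traffic still stays untranslated; only Internet-bound
! flows hit this rule.
object network vpn-users
 nat (outside,outside) dynamic interface
!
! Verify ordering and hit counts
show nat detail
```

Because each node PATs to its own outside address, Internet return traffic naturally comes back to the node that owns the session, which is why no extra routing is needed for this part.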
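Redistributing the per-client /32 routes into OSPF, as an added example that is not the article's own configuration. It assumes OSPF process 1 and area 0 on the inside subnet 192.168.255.0/24 (the article's inside interface), and that the ASA treats installed VPN client routes as static routes for redistribution purposes.

```text
! Added example, not from the article. Assumes OSPF process 1, area 0 on the inside network;
! the per-client VPN routes are picked up by "redistribute static" (assumption, see lead-in).
router ospf 1
 network 192.168.255.0 255.255.255.0 area 0
 ! advertise client /32s as external routes so the core sends return traffic to this node
 redistribute static subnets
!
! Verify on this node: connected clients appear as host routes ...
show route | include 255.255.255.255
! ... and on the other cluster node they must show up as OSPF external routes
show route ospf
```

Without this step the core only knows the 192.168.20.0/24 pool as a whole and cannot tell which gateway a given client sits behind.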
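The load-balancing configuration itself, as an added example and not the article's own commands. The VIP 192.168.31.40 and the interface names are from the article; the cluster shared secret is a placeholder that must be identical on every node.

```text
! Added example, not from the article. <cluster-shared-secret> is a placeholder and must be
! the same on all nodes; VIP and interface names come from the article.
!
! Cluster encryption protects node-to-node load-balancing messages with IKEv1/IPsec on the
! lbprivate interface, so IKEv1 has to be enabled there first
crypto ikev1 enable inside
!
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 192.168.31.40
 cluster port 9023
 cluster key <cluster-shared-secret>
 cluster encryption
 priority 10
 redirect-fqdn enable
 participate
!
! redirect-fqdn makes the master redirect clients to a node's FQDN rather than its raw IP,
! so the certificate keeps validating; every node's outside FQDN needs forward and reverse DNS.
! Apply the same block on each node (vary only "priority" if you want a preferred master).
show vpn load-balancing
```

The highest-priority node becomes the master that owns the VIP; if it fails, the remaining nodes elect a new master and the VIP stays reachable.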