Deploying an ASA VPN Load-Balancing Cluster

In this article I want to give step-by-step instructions on how you can quickly deploy what is today the most scalable remote-access VPN scheme based on AnyConnect and Cisco ASA: the VPN Load-Balancing Cluster.

Introduction: Many companies around the world, given the current situation with COVID-19, are trying to move their employees to remote work. Because of the mass transition to remote work, the load on corporate VPN gateways is growing sharply and the ability to scale them quickly is required. On the other hand, many companies are forced to master the concept of remote work from scratch, in a hurry.

To help businesses give their employees convenient, secure and scalable VPN access in the shortest possible time, Cisco is providing licenses for the feature-rich SSL VPN client AnyConnect for up to 13 weeks. You can also obtain an ASAv for trial (a virtual ASA for VMWare/Hyper-V/KVM hypervisors and the AWS/Azure clouds) from authorized partners or by contacting the Cisco representatives who work with you.

The AnyConnect COVID-19 licensing procedure is described here.

I have prepared a step-by-step guide to simplify deploying a VPN Load-Balancing Cluster as the most scalable VPN technology.

The example below is deliberately simple in terms of the authentication and authorization mechanisms used, but it is a good option for a quick start (which many are short of right now), with the possibility of deeper adaptation to your needs during the deployment process.

Brief background: VPN Load-Balancing Cluster technology is neither failover nor clustering in the original sense of the word; it can combine completely different ASA models (with certain restrictions) to load-balance Remote-Access VPN connections. Sessions and configuration are not synchronized between the nodes of such a cluster, but VPN connections are load-balanced automatically and remain available as long as at least one active node is left in the cluster. The load in the cluster is balanced automatically according to the workload of the nodes, measured by the number of VPN sessions.

For fault tolerance of specific cluster nodes (if required), failover can be used, in which case the active connection is handled by the Primary node of the failover pair. Failover is not a prerequisite for fault tolerance in a Load-Balancing cluster: if a node fails, the cluster itself moves the user session to another live node, but without preserving the connection state, which is exactly what failover provides. So the two technologies can be combined if necessary.

A VPN Load-Balancing cluster can contain more than two nodes.

VPN Load-Balancing Cluster is supported on the ASA 5512-X and above.

Since each ASA in a VPN Load-Balancing cluster is an independent device in terms of configuration, we perform all configuration steps separately on each device.

Technical details here.

Topology of the example:

[topology diagram]

Initial work:

  1. Deploy ASAv instances of the models we need (ASAv5/10/30/50) from the image.

  2. Assign the INSIDE / OUTSIDE interfaces to the same VLANs (Outside in its own VLAN, Inside in its own, but shared across the whole cluster; see the topology). It is important that like interfaces are in the same L2 segment.

  3. Licensing:

    • A freshly installed ASAv is unlicensed and is rate-limited to 100kbps.
    • To install a license, you need to create a token in your Smart-Account: https://software.cisco.com/ -> Smart Software Licensing
    • In the window that opens, click the New Token button


    • Make sure that in the window that opens the field is active and the checkbox "Allow export-controlled functionality on the products registered with this token" is ticked. If this field is not active, you cannot use strong encryption functions and, accordingly, VPN. If the field is not active, contact your account team with a request to enable it.


    • After clicking the Create Token button, a token is created that we will use to license the ASAv; copy it:

    [screenshot]

    • Repeat steps C, D, E for each deployed ASAv.
    • To make copying the token easier, let's temporarily allow telnet. Let's configure each ASA (the example below shows the settings on ASA-1). telnet does not work on the outside interface; if you really need it there, change the security level of outside to 100, then change it back.

    !
    ciscoasa(config)# int gi0/0
    ciscoasa(config)# nameif outside
    ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# int gi0/1
    ciscoasa(config)# nameif inside
    ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# telnet 0 0 inside
    ciscoasa(config)# username admin password cisco priv 15
    ciscoasa(config)# ena password cisco
    ciscoasa(config)# aaa authentication telnet console LOCAL
    !
    ciscoasa(config)# route outside 0 0 192.168.31.1
    !
    ciscoasa(config)# wr
    !

    • To register the token in the Smart-Account cloud, the ASA must have Internet access; details here.

    In short, the ASA needs:

    • HTTPS access to the Internet;
    • time synchronization (preferably via NTP);
    • a configured DNS server.
    • We telnet to the ASA and configure it to activate the license via the Smart-Account.

    !
    ciscoasa(config)# clock set 19:21:00 Mar 18 2020
    ciscoasa(config)# clock timezone MSK 3
    ciscoasa(config)# ntp server 192.168.99.136
    !
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config)# dns server-group DefaultDNS
    ciscoasa(config-dns-server-group)# name-server 192.168.99.132
    !
    ! Check that DNS works:
    !
    ciscoasa(config-dns-server-group)# ping ya.ru
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
    !!!!!
    !
    ! Check NTP synchronization:
    !
    ciscoasa(config)# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
    *~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    !
    ! Configure our ASAv for Smart-Licensing (according to your profile; in my case 100M, as an example)
    !
    ciscoasa(config)# license smart
    ciscoasa(config-smart-lic)# feature tier standard
    ciscoasa(config-smart-lic)# throughput level 100M
    !
    ! If necessary, Internet access through a proxy can be configured with the following block of commands:
    ! call-home
    !   http-proxy ip_address port port
    !
    ! Next we paste the token copied from the Smart-Account portal (<token>) and register the license
    !
    ciscoasa(config)# end
    ciscoasa# license smart register idtoken <token>

    • We check that the device has registered the license successfully and that the encryption features are available:

    [screenshot]

  4. Configure basic SSL-VPN on each gateway

    • Next, configure management access via SSH and ASDM:

    ciscoasa(config)# ssh ver 2
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# aaa authentication http console LOCAL
    ciscoasa(config)# hostname vpn-demo-1
    vpn-demo-1(config)# domain-name ashes.cc
    vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096 
    vpn-demo-1(config)# ssh 0 0 inside  
    vpn-demo-1(config)# http 0 0 inside
    !
    ! Bring up the HTTPS server for ASDM on port 445 so that it does not clash with the SSL-VPN portal
    !
    vpn-demo-1(config)# http server enable 445 
    !

    • For ASDM to work, you must first download it from cisco.com; in my case it was the following file:

    [screenshot]

    • For the AnyConnect client to work, you need to upload to each ASA an image for every client OS in use (prepared for Linux / Windows / MAC); you need the file with "Headend Deployment Package" in its name:

    [screenshot]

    • The downloaded files can be placed, for example, on an FTP server and uploaded to each ASA from there:

    [screenshot]

    • Configure ASDM and the signing certificate for SSL-VPN (a trusted certificate is recommended in production). The FQDN of the Virtual Cluster Address (vpn-demo.ashes.cc), as well as every FQDN associated with the external address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Detailed certificate requirements are given in the "Certificate Verification" section of the documentation.

    !
    vpn-demo-1(config)# crypto ca trustpoint SELF
    vpn-demo-1(config-ca-trustpoint)# enrollment self
    vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
    vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
    vpn-demo-1(config-ca-trustpoint)# serial-number             
    vpn-demo-1(config-ca-trustpoint)# crl configure
    vpn-demo-1(config-ca-crl)# cry ca enroll SELF
    % The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
    Generate Self-Signed Certificate? [yes/no]: yes
    vpn-demo-1(config)# 
    !
    vpn-demo-1(config)# sh cry ca certificates 
    Certificate
    Status: Available
    Certificate Serial Number: 4d43725e
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA256 with RSA Encryption
    Issuer Name: 
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Validity Date: 
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
    Storage: config
    Associated Trustpoints: SELF 
    
    CA Certificate
    Status: Available
    Certificate Serial Number: 0509
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Subject Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Validity Date: 
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
    Storage: config
    Associated Trustpoints: _SmartCallHome_ServerCA               
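    The certificate step above and the cluster configuration later in the guide impose three checks that are easy to get wrong when several nodes are configured by hand: every node FQDN and the virtual cluster FQDN must resolve forward and reverse to an address in the OUTSIDE segment, and the certificate presented on each node must cover all of those names. The following Python pre-flight check is an added example, not code from the original article; it runs offline against constructed resolver tables standing in for DNS, and the second node (vpn-demo-2.ashes.cc, 192.168.31.31) is an assumed value. The certificate names are taken from the self-signed certificate shown above (cn=*.ashes.cc, fqdn vpn-demo.ashes.cc).

```python
"""Pre-flight check of the DNS and certificate prerequisites for an ASA VPN
load-balancing cluster with redirect-fqdn enabled.

Added example, not from the original article. The resolver tables below are
constructed stand-ins for forward/reverse DNS so the check runs offline;
vpn-demo-2.ashes.cc / 192.168.31.31 are assumed values for a second node.
"""
import ipaddress


def name_matches(cert_name, hostname):
    """True if a certificate CN/SAN entry covers hostname.

    A leading '*.' matches exactly one DNS label, so *.ashes.cc covers
    vpn-demo.ashes.cc but neither ashes.cc nor a.b.ashes.cc."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                 # ".ashes.cc"
        if not hostname.endswith(suffix):
            return False
        label = hostname[: -len(suffix)]       # the part the '*' stands for
        return bool(label) and "." not in label
    return cert_name == hostname


def check_cluster_prerequisites(vip, nodes, outside_net, forward, reverse, cert_names):
    """vip and every node are (fqdn, outside_ip) pairs.

    forward maps fqdn -> ip and reverse maps ip -> fqdn (constructed stand-ins
    for DNS lookups). Returns a list of problem descriptions; an empty list
    means every prerequisite holds."""
    problems = []
    net = ipaddress.ip_network(outside_net)
    for fqdn, ip in [vip, *nodes]:
        # all cluster addresses must sit in the shared OUTSIDE L2 segment
        if ipaddress.ip_address(ip) not in net:
            problems.append(f"{fqdn}: {ip} is not in the OUTSIDE segment {net}")
        # forward record must point at the node's (or VIP's) outside address
        if forward.get(fqdn) != ip:
            problems.append(f"forward DNS: {fqdn} -> {forward.get(fqdn)}, expected {ip}")
        # reverse record must point back at the same FQDN
        if reverse.get(ip) != fqdn:
            problems.append(f"reverse DNS: {ip} -> {reverse.get(ip)}, expected {fqdn}")
        # the certificate must cover the name the client will be redirected to
        if not any(name_matches(n, fqdn) for n in cert_names):
            problems.append(f"certificate: no CN/SAN covers {fqdn}")
    return problems


# Constructed data: VIP and node 1 come from the article, node 2 is assumed.
VIP = ("vpn-demo.ashes.cc", "192.168.31.40")
NODES = [("vpn-demo-1.ashes.cc", "192.168.31.30"),
         ("vpn-demo-2.ashes.cc", "192.168.31.31")]
FORWARD = {"vpn-demo.ashes.cc": "192.168.31.40",
           "vpn-demo-1.ashes.cc": "192.168.31.30",
           "vpn-demo-2.ashes.cc": "192.168.31.31"}
REVERSE = {ip: fqdn for fqdn, ip in FORWARD.items()}
# Names from the article's self-signed certificate: cn=*.ashes.cc, fqdn vpn-demo.ashes.cc
CERT_NAMES = ["*.ashes.cc", "vpn-demo.ashes.cc"]

if __name__ == "__main__":
    result = check_cluster_prerequisites(VIP, NODES, "192.168.31.0/24",
                                         FORWARD, REVERSE, CERT_NAMES)
    for line in result or ["all prerequisites satisfied"]:
        print(line)
```

In a real deployment the two dictionaries would be filled from actual A/PTR lookups; the point of the wildcard rule is that a certificate issued only for vpn-demo.ashes.cc breaks the redirect to vpn-demo-1.ashes.cc even though the initial connection to the VIP succeeds.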

    • Don't forget to specify the port when checking that ASDM works, e.g. https://192.168.255.2:445 for ASA-1 with the settings above:

    [screenshot]

    • Let's do the basic tunnel configuration:
    • We route the corporate network through the tunnel and let Internet traffic go directly (not the most secure option if the connecting host has no protection: a compromise through an infected host could expose corporate data; the split-tunnel-policy tunnelall option sends all traffic into the tunnel instead. Split tunneling, however, offloads the VPN gateway, which then does not have to process Internet traffic).
    • We hand out addresses to hosts in the tunnel from the 192.168.20.0/24 subnet (a pool of addresses 10 to 30 for node #1). Each VPN cluster node must have its own pool.
    • We perform basic authentication with a local user on the ASA (not recommended, this is just the simplest method); it is better to authenticate via LDAP/RADIUS, or better still, add Multi-Factor Authentication (MFA), e.g. Cisco DUO.

    !
    vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
    !
    vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
    !
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
    vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client 
    vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
    vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
    vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
    vpn-demo-1(config-group-policy)# default-domain value ashes.cc
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)#  default-group-policy SSL-VPN-GROUP-POLICY
    vpn-demo-1(config-tunnel-general)#  address-pool vpn-pool
    !
    vpn-demo-1(config)# username dkazakov password cisco
    vpn-demo-1(config)# username dkazakov attributes
    vpn-demo-1(config-username)# service-type remote-access
    !
    vpn-demo-1(config)# ssl trust-point SELF
    vpn-demo-1(config)# webvpn
    vpn-demo-1(config-webvpn)#  enable outside
    vpn-demo-1(config-webvpn)#  anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
    vpn-demo-1(config-webvpn)#  anyconnect enable
    !

    • (OPTIONAL): In the example above we used a local user on the firewall to authenticate remote users, which, outside a lab, is of little practical use. Here is an example of how to quickly adapt the configuration to authenticate against a RADIUS server, for example Cisco Identity Services Engine:

    !
    ! Define the RADIUS server group first (the prompts on the following lines assume it exists)
    vpn-demo-1(config)# aaa-server RADIUS protocol radius
    vpn-demo-1(config-aaa-server-group)# dynamic-authorization
    vpn-demo-1(config-aaa-server-group)# interim-accounting-update
    vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
    vpn-demo-1(config-aaa-server-host)# key cisco
    vpn-demo-1(config-aaa-server-host)# exit
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# authentication-server-group RADIUS
    !

    This integration makes it possible not only to tie authentication to the AD directory service, but also to tell whether the connecting computer is an AD member, i.e. whether the device is corporate or personal, and to assess the state (posture) of the connecting device.

    • Let's configure Transparent NAT (a NAT exemption) so that traffic between the client and corporate network resources is not translated:

    !
    ! Network object describing the VPN client pool
    vpn-demo-1(config)# object network vpn-users
    vpn-demo-1(config-network-object)#  subnet 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp

    • (OPTIONAL): To let our clients reach the Internet through the ASA (when the tunnelall option is used) via PAT, leaving through the same outside interface they connected on, the following settings are needed.

    vpn-demo-1(config)# nat (outside,outside) source dynamic vpn-users interface
    vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
    vpn-demo-1(config)# same-security-traffic permit intra-interface
    !

    • With a cluster it is important that the internal network knows which ASA to send return traffic to a given user through, so you need to redistribute the /32 routes for the addresses issued to clients.
    • At this point we have not configured the cluster yet, but we already have working VPN gateways that can be connected to individually by FQDN or IP.

    We see the connected client in the routing table of the first ASA:

    [screenshot]

    So that the whole VPN cluster and the whole corporate network know the route to our client, we redistribute the client prefix into a dynamic routing protocol, e.g. OSPF:

    !
    ! Standard ACL selecting the client /32 routes to redistribute; the listing references it
    ! without showing it, so the network below is assumed from the pool configured above
    vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
    vpn-demo-1(config-route-map)#  match ip address VPN-REDISTRIBUTE
    !
    vpn-demo-1(config)# router ospf 1
    vpn-demo-1(config-router)#  network 192.168.255.0 255.255.255.0 area 0
    vpn-demo-1(config-router)#  log-adj-changes
    vpn-demo-1(config-router)#  redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE

    Now the second gateway, ASA-2, has a route to the client, so users connected to different VPN gateways in the cluster can, for example, talk to each other directly over the corporate softphone, and return traffic from the resources a user requests arrives at the right VPN gateway:

    [screenshot]

  5. Let's move on to configuring the Load-Balancing cluster.

    The address 192.168.31.40 will be used as the Virtual IP (VIP; all VPN clients connect to it first), and from this address the cluster master will REDIRECT each client to the least-loaded cluster node. Don't forget to create both forward and reverse DNS records for every node's external address / FQDN, and for the VIP.

    vpn-demo-1(config)# vpn load-balancing
    vpn-demo-1(config-load-balancing)# interface lbpublic outside
    vpn-demo-1(config-load-balancing)# interface lbprivate inside
    vpn-demo-1(config-load-balancing)# priority 10
    vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
    vpn-demo-1(config-load-balancing)# redirect-fqdn enable
    vpn-demo-1(config-load-balancing)# cluster key cisco
    vpn-demo-1(config-load-balancing)# cluster encryption
    ! UDP port the nodes use for cluster messages; 9023 is the default and must match on every node
    vpn-demo-1(config-load-balancing)# cluster port 9023
    vpn-demo-1(config-load-balancing)# participate
    vpn-demo-1(config-load-balancing)#
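    Because every node is configured separately and each one must get its own, non-overlapping address pool (and the same cluster parameters), it is worth generating the node-specific part of the configuration above from a single node table rather than editing it by hand. The Python script below is an added example, not code from the original article: it renders the pool, group-policy, NAT-exemption and load-balancing commands shown in this guide for each node and refuses to render two nodes whose pools overlap. Node 1 uses the article's pool; the hostnames, node 2's pool and its priority are assumptions, and the cluster key is a placeholder to be set out of band.

```python
"""Render the per-node ASA SSL-VPN / load-balancing configuration from one node table.

Added example, not from the original article. Node 1 uses the article's pool
(192.168.20.10-30); node 2's pool and both priorities are assumed values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    hostname: str      # e.g. vpn-demo-1
    pool_first: str    # first address of this node's client pool
    pool_last: str     # last address of this node's client pool
    pool_mask: str     # mask handed to clients (the article uses 255.255.255.0)
    priority: int      # vpn load-balancing priority (higher wins the master election)


def pool_bounds(node):
    """Return the pool as an inclusive (start, end) pair of integers."""
    first = ipaddress.IPv4Address(node.pool_first)
    last = ipaddress.IPv4Address(node.pool_last)
    if last < first:
        raise ValueError(f"{node.hostname}: pool end precedes pool start")
    return int(first), int(last)


def check_pools(nodes):
    """Every cluster node needs its own pool: raise if any two pools overlap."""
    bounds = [(n.hostname, *pool_bounds(n)) for n in nodes]
    for i, (h1, a1, b1) in enumerate(bounds):
        for h2, a2, b2 in bounds[i + 1:]:
            if a1 <= b2 and a2 <= b1:
                raise ValueError(f"pool overlap between {h1} and {h2}")


def pool_network(node):
    """Enclosing network of the pool, used for the NAT-exemption object."""
    return ipaddress.ip_network(f"{node.pool_first}/{node.pool_mask}", strict=False)


def render_node_config(node, vip, domain, dns_server, split_net, split_mask):
    """Return the node-specific commands from the guide, filled with this node's values."""
    net = pool_network(node)
    lines = [
        f"hostname {node.hostname}",
        f"domain-name {domain}",
        f"ip local pool vpn-pool {node.pool_first}-{node.pool_last} mask {node.pool_mask}",
        f"access-list split-tunnel standard permit {split_net} {split_mask}",
        "group-policy SSL-VPN-GROUP-POLICY internal",
        "group-policy SSL-VPN-GROUP-POLICY attributes",
        " vpn-tunnel-protocol ssl-client",
        " split-tunnel-policy tunnelspecified",
        " split-tunnel-network-list value split-tunnel",
        f" dns-server value {dns_server}",
        f" default-domain value {domain}",
        "tunnel-group DefaultWEBVPNGroup general-attributes",
        " default-group-policy SSL-VPN-GROUP-POLICY",
        " address-pool vpn-pool",
        "object network vpn-users",
        f" subnet {net.network_address} {net.netmask}",
        "nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp",
        "vpn load-balancing",
        " interface lbpublic outside",
        " interface lbprivate inside",
        f" priority {node.priority}",
        f" cluster ip address {vip}",
        " cluster port 9023",
        " redirect-fqdn enable",
        " cluster key <set-out-of-band>",   # shared secret: placeholder, never store it in a rendered file
        " cluster encryption",
        " participate",
    ]
    return "\n".join(lines) + "\n"


def render_cluster(nodes, vip, domain, dns_server,
                   split_net="192.168.0.0", split_mask="255.255.0.0"):
    """Validate the pools, then return {hostname: config text} for every node."""
    check_pools(nodes)
    return {n.hostname: render_node_config(n, vip, domain, dns_server, split_net, split_mask)
            for n in nodes}


# Constructed node table: node 1 is the article's pool, node 2 is assumed.
CLUSTER = [
    Node("vpn-demo-1", "192.168.20.10", "192.168.20.30", "255.255.255.0", 10),
    Node("vpn-demo-2", "192.168.20.40", "192.168.20.60", "255.255.255.0", 5),
]

if __name__ == "__main__":
    for host, cfg in render_cluster(CLUSTER, "192.168.31.40", "ashes.cc", "192.168.99.132").items():
        print(f"! ---- {host} ----")
        print(cfg)
```

Keeping the pools in one table also makes the redistribution ACL and the NAT-exemption object easy to keep consistent: both are derived from the same /24 the pools live in, which is why the article's single `subnet 192.168.20.0 255.255.255.0` object covers every node.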

    • We check cluster operation with two connected clients:

    [screenshot]

    • Let's make the client experience more convenient with an AnyConnect profile that is pushed automatically, created via ASDM.

    We give the profile a convenient name and associate our group policy with it:

    [screenshot]

    On the client's next connection this profile is downloaded automatically and installed in the AnyConnect client, so to connect you simply pick it from the list:

    [screenshot]

    Since we created this profile on only one ASA via ASDM, don't forget to repeat the steps on the other ASAs in the cluster.

Conclusion: So, we have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy, with simple horizontal scaling by deploying new ASAv virtual machines or using hardware ASAs. The feature-rich AnyConnect client can further raise the security of remote connections with Posture (state assessment), which is most effective together with a centralized access-control and accounting system such as Identity Services Engine.

source: www.habr.com
