Deploying an ASA VPN Load-Balancing Cluster
In this article I want to give step-by-step instructions on how you can quickly deploy what is currently the most scalable Remote-Access VPN design, built on AnyConnect and Cisco ASA: a VPN Load-Balancing cluster.
Introduction: Many companies around the world, given the current situation with COVID-19, are taking measures to move their staff to remote work. Because of this mass shift to remote work, the load on companies' existing VPN gateways is growing critically, and they need to be scaled very quickly. On the other hand, many companies are forced to master the concept of remote work from scratch, in a hurry.
I have prepared a step-by-step guide for a simple deployment of a VPN Load-Balancing cluster as the most scalable VPN technology.
The example below is kept quite simple with respect to the authentication and authorization mechanisms used, but it is a good option for a quick start (something many are sorely lacking right now), with the possibility of deep adaptation to your needs during the deployment process.
Brief note: the VPN Load-Balancing cluster technology is neither failover nor clustering in the true sense of the word; it can combine completely different ASA models (with certain restrictions) in order to load-balance Remote-Access VPN connections. There is no synchronization of sessions or configurations between the nodes of such a cluster, but it does balance VPN connections automatically and provides fault tolerance for VPN connections as long as at least one active node remains in the cluster. Load within the cluster is balanced automatically according to node load, measured by the number of VPN sessions.
For fault tolerance of individual cluster nodes (if desired), failover can be used, in which case the active connection is kept by the Primary node of the failover pair. Failover is not a prerequisite for fault tolerance in a Load-Balancing cluster: when a node fails, the cluster itself moves the user to another live node, but without preserving connection state, which is exactly what failover provides. Accordingly, the two technologies can be combined if necessary.
A VPN Load-Balancing cluster can contain more than two nodes.
VPN Load-Balancing Cluster is supported on ASA 5512-X and above.
Since each ASA in the VPN Load-Balancing cluster is an independent unit in terms of configuration, we perform all configuration steps on each device individually.
We deploy ASAv instances of the sizes we need (ASAv5/10/30/50) from the image.
We place the INSIDE/OUTSIDE interfaces in common VLANs (OUTSIDE in its own VLAN, INSIDE in its own, but shared within the cluster, see the topology); it is important that interfaces of the same type are in the same L2 segment.
Licenses:
At the moment the ASAv instance has no license and will be limited to 100 kbps.
To install a license you need to generate a token in your Smart-Account: https://software.cisco.com/ -> Smart Software Licensing
In the window that opens, click the New Token button
Make sure that the window that opens contains the field "Allow export-controlled functionality..." and that it is checked. Without this field you will not be able to use strong encryption and, therefore, VPN. If this field is not active, contact your account team with an activation request.
After clicking the Create Token button, a token is created that we will use to obtain a license for the ASAv; copy it:
Repeat steps C, D, E for each deployed ASAv.
To make copying the token easier, we temporarily enable telnet. Configure each ASA (the example below shows the settings on ASA-1). Telnet to the outside interface does not work; if you really need it, change the security-level on outside to 100 and then revert it.
!
ciscoasa(config)# int gi0/0
ciscoasa(config)# nameif outside
ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# int gi0/1
ciscoasa(config)# nameif inside
ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# telnet 0 0 inside
ciscoasa(config)# username admin password cisco priv 15
ciscoasa(config)# ena password cisco
ciscoasa(config)# aaa authentication telnet console LOCAL
!
ciscoasa(config)# route outside 0 0 192.168.31.1
!
ciscoasa(config)# wr
!
To register the token with the Smart-Account cloud, the ASA needs Internet access; details here.
In short, the ASA needs:
HTTPS access to the Internet;
time synchronization (preferably via NTP);
a configured DNS server;
We telnet to our ASA and apply the settings to activate the license via Smart-Account.
!
ciscoasa(config)# clock set 19:21:00 Mar 18 2020
ciscoasa(config)# clock timezone MSK 3
ciscoasa(config)# ntp server 192.168.99.136
!
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# DNS server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 192.168.99.132
!
! Check that DNS works:
!
ciscoasa(config-dns-server-group)# ping ya.ru
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
!!!!!
!
! Check NTP synchronization:
!
ciscoasa(config)# show ntp associations
address ref clock st when poll reach delay offset disp
*~192.168.99.136 91.189.94.4 3 63 64 1 36.7 1.85 17.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
!
! Configure our ASAv for Smart-Licensing (according to your profile; in my case 100M, as an example)
!
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level 100M
!
! If Internet access must go through a proxy, use the following block of commands:
!call-home
! http-proxy ip_address port port
!
! Next we paste the token (<token>) copied from the Smart-Account portal and register the license
!
ciscoasa(config)# end
ciscoasa# license smart register idtoken <token>
We check that the device has registered its license and received the encryption features:
Configure a basic SSL-VPN on each gateway
Next, configure access via SSH and ASDM:
ciscoasa(config)# ssh ver 2
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# hostname vpn-demo-1
vpn-demo-1(config)# domain-name ashes.cc
vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096
vpn-demo-1(config)# ssh 0 0 inside
vpn-demo-1(config)# http 0 0 inside
!
! Bring up the HTTPS server for ASDM on port 445 so it does not collide with the SSL-VPN portal
!
vpn-demo-1(config)# http server enable 445
!
For ASDM to work, it has to be downloaded from cisco.com; in my case it is the following file:
For the AnyConnect client to work, an image for each desktop client OS in use (Linux/Windows/macOS planned) must be uploaded to each ASA; you need the file whose name contains "Headend Deployment Package":
The downloaded files can be placed, for example, on an FTP server and loaded onto each ASA:
We configure a Self-Signed certificate for ASDM and SSL-VPN (in production a trusted certificate should be used). The configured FQDN of the Virtual Cluster Address (vpn-demo.ashes.cc), as well as each FQDN corresponding to the external address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Detailed information about certificate requirements is given in the Certificate Verification section.
!
vpn-demo-1(config)# crypto ca trustpoint SELF
vpn-demo-1(config-ca-trustpoint)# enrollment self
vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
vpn-demo-1(config-ca-trustpoint)# serial-number
vpn-demo-1(config-ca-trustpoint)# crl configure
vpn-demo-1(config-ca-crl)# cry ca enroll SELF
% The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
Generate Self-Signed Certificate? [yes/no]: yes
vpn-demo-1(config)#
!
vpn-demo-1(config)# sh cry ca certificates
Certificate
Status: Available
Certificate Serial Number: 4d43725e
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Subject Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Validity Date:
start date: 00:16:17 MSK Mar 19 2020
end date: 00:16:17 MSK Mar 17 2030
Storage: config
Associated Trustpoints: SELF
CA Certificate
Status: Available
Certificate Serial Number: 0509
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Subject Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Validity Date:
start date: 21:27:00 MSK Nov 24 2006
end date: 21:23:33 MSK Nov 24 2031
Storage: config
Associated Trustpoints: _SmartCallHome_ServerCA
Don't forget to specify the port when checking that ASDM works, for example:
Let's apply the basic tunnel settings:
Access to the corporate network is provided through the tunnel, while Internet traffic is released directly (not the safest method if the connecting host has no protection: an infected host could connect and put company data at risk; the split-tunnel-policy tunnelall option sends all of the host's traffic into the tunnel. However, this can significantly load the VPN gateway, and the host's home network will not work).
Addresses for hosts in the tunnel are issued from subnet 192.168.20.0/24 (pool of addresses 10 through 30, for node #1). Each VPN cluster node must have its own pool.
We perform basic authentication with a user created on the ASA (this is not recommended, it is simply the easiest method); it is better to implement authentication via LDAP/RADIUS, and better still to tie in Multi-Factor Authentication (MFA), e.g. Cisco DUO.
(OPTIONAL): In the example above we used a local user on the firewall to authenticate remote users, which, of course, is only acceptable in a lab, not in production. I will give an example of quickly switching the configuration to authentication against a RADIUS server, using Cisco Identity Services Engine as the example:
This integration allows not only quickly integrating the authentication process with the AD directory service, but also determining whether the connecting computer belongs to AD, understanding whether the device is corporate or personal, and assessing the state of the connecting device.
We configure Transparent NAT so that traffic between the client and corporate network resources is not translated:
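The per-node AnyConnect configuration that the steps above describe, written out here as an added example; it is not the author's configuration (the original shows it only as screenshots). The pool, ACL, group-policy and tunnel-group names, the corporate subnets 192.168.99.0/24 and 192.168.255.0/24 in the split-tunnel list, the RADIUS server address 192.168.99.150 and the AnyConnect package file name are assumptions; the SELF trustpoint, the DNS server 192.168.99.132, the domain ashes.cc and the pool range come from the text. As the text says, every node needs its own pool, so only the pool line differs between nodes.

```text
! --- Added example for node #1 (vpn-demo-1); repeat on every node with its own pool ---
! Present the certificate enrolled in the SELF trustpoint on the outside interface
ssl trust-point SELF outside
!
! Enable the SSL-VPN portal and the AnyConnect client on outside.
! The package name is a placeholder: use the Headend Deployment Package uploaded to disk0:.
webvpn
 enable outside
 anyconnect image disk0:/<anyconnect-win-headend-package>.pkg 1
 anyconnect enable
 tunnel-group-list enable
!
! Address pool for this node only (.10-.30 per the text); node #2 needs a different range.
ip local pool VPN-POOL-1 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
! Split tunnel: only the corporate subnets (assumed here) go into the tunnel, Internet stays local.
! To send everything through the tunnel instead, use "split-tunnel-policy tunnelall".
access-list SPLIT-TUNNEL standard permit 192.168.99.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.255.0 255.255.255.0
!
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 dns-server value 192.168.99.132
 default-domain value ashes.cc
!
! Lab-only local user; the password is a placeholder.
username vpnuser password <user-password>
username vpnuser attributes
 vpn-group-policy GP-ANYCONNECT
!
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 address-pool VPN-POOL-1
 default-group-policy GP-ANYCONNECT
tunnel-group TG-ANYCONNECT webvpn-attributes
 group-alias ANYCONNECT enable
!
! --- Optional: authenticate against RADIUS (e.g. Cisco ISE) instead of the local database ---
! Server address and shared secret are placeholders; LOCAL stays as fallback if RADIUS is unreachable.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.99.150
 key <radius-shared-secret>
tunnel-group TG-ANYCONNECT general-attributes
 authentication-server-group ISE LOCAL
```

After a client connects, show vpn-sessiondb anyconnect lists the session with the assigned pool address and group policy; if the RADIUS section is applied, test-aaa-server authentication ISE host 192.168.99.150 confirms the server is reachable with the shared secret before users are cut over. Keeping LOCAL as a fallback means the lab account remains valid whenever RADIUS is unreachable, so remove it (or the local user) once the RADIUS path is verified.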
vpn-demo-1(config)# object network vpn-users
vpn-demo-1(config-network-object)# subnet 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp
(OPTIONAL): To let our clients out to the Internet through the ASA (when the tunnelall option is used) with PAT, exiting via the same OUTSIDE interface through which they connected, the following settings are needed.
When using a cluster, it is very important that the internal infrastructure knows through which ASA to return traffic to a user; for this, the /32 routes of the addresses issued to clients must be redistributed.
At this point we have not yet configured the cluster, but we already have working VPN gateways that can be reached by FQDN or IP.
We see the connected client in the routing table of the first ASA:
For our whole VPN cluster and the whole corporate infrastructure to know the route to our client, we redistribute the client prefix into a dynamic routing protocol, for example OSPF:
Now we have a route to the client from the second gateway, ASA-2, and users connected to different VPN gateways in the cluster can, for example, talk directly via the corporate softphone, while return traffic from the resources a user requested arrives at the right VPN gateway:
Let's move on to configuring the Load-Balancing cluster.
The address 192.168.31.40 will be used as the Virtual IP (VIP; all VPN clients connect to it first), and from this address the cluster Master REDIRECTs them to a less loaded cluster node. Don't forget to create forward and reverse DNS records both for each external address/FQDN of each cluster node and for the VIP.
We check the operation of the cluster with two connected users:
Let's improve the client experience by uploading an AnyConnect profile via ASDM.
We give the profile a convenient name and associate our group policy with it:
On the client's next connection, this profile is downloaded automatically and installed in the AnyConnect client, so when you need to connect, simply select it from the list:
Since we created this profile on only one ASA using ASDM, don't forget to repeat the steps on the other ASAs in the cluster.
Conclusion: So, we have quickly deployed a cluster of VPN gateways with automatic load balancing. Adding new nodes to the cluster is simple; horizontal scaling is achieved by adding new ASAv virtual machines or by using hardware ASAs. The feature-rich AnyConnect client can significantly extend secure remote connections with Posture (state assessment), most effectively used together with a centralized access control and accounting system, Identity Services Engine.
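What the optional PAT step above amounts to in configuration, as an added example rather than the page's own commands. The object name vpn-users and the 192.168.20.0/24 pool come from the Transparent NAT step; the group-policy name GP-ANYCONNECT is an assumption.

```text
! --- Added example: let tunnelall clients reach the Internet back out through OUTSIDE ---
! Client traffic enters and leaves on the same interface, which the ASA drops by default.
same-security-traffic permit intra-interface
!
! Send all client traffic into the tunnel (group-policy name assumed)
group-policy GP-ANYCONNECT attributes
 split-tunnel-policy tunnelall
!
! Object NAT: translate client addresses to this node's OUTSIDE address for outside -> outside flows.
! The Transparent NAT rule from the previous step is (inside,outside), so traffic to the
! corporate network is still passed untranslated; only Internet-bound traffic is PATed.
object network vpn-users
 subnet 192.168.20.0 255.255.255.0
 nat (outside,outside) dynamic interface
```

Because each node translates its clients to its own OUTSIDE address, Internet return traffic lands on the node that holds the session state without any routing help; show nat and show xlate on the node show the translations being hit. The /32 redistribution described next is still needed for the corporate side, where traffic to the client is not translated.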
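One way to redistribute the per-client /32 routes into OSPF, as an added example that is not the author's configuration: the ASA installs a static host route for every connected AnyConnect client (the entries seen in the routing table above), so redistributing static routes filtered through a route-map is enough. The OSPF process id, the area and the use of the 192.168.255.0/24 INSIDE subnet from the interface configuration are assumptions.

```text
! --- Added example: advertise connected VPN clients (/32 routes) into the corporate OSPF domain ---
! Match only the client pool, so other static routes (in particular the default route) are not
! redistributed along with the client host routes.
access-list VPN-CLIENT-ROUTES standard permit 192.168.20.0 255.255.255.0
!
route-map VPN-CLIENTS permit 10
 match ip address VPN-CLIENT-ROUTES
!
! OSPF on the INSIDE segment (192.168.255.0/24 assumed); process id and area are assumptions
router ospf 1
 network 192.168.255.0 255.255.255.0 area 0
 redistribute static subnets route-map VPN-CLIENTS
!
! Verify from another node: the client /32 should appear as an OSPF external route
! show route | include 192.168.20
```

Each node only exports the routes for its own connected clients, so when a user is redirected to another node the old /32 is withdrawn there and a new one is advertised from the new gateway. Without the route-map filter, redistribute static would also inject the node's default route into the corporate network.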
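The load-balancing configuration itself, as an added example (the page shows it only in screenshots). The Virtual Cluster Address 192.168.31.40 and the interface roles come from the text; the cluster shared secret is a placeholder, UDP port 9023 is the ASA default, and the priority value is an assumption.

```text
! --- Added example: VPN Load-Balancing, applied on every cluster node (identical except priority) ---
vpn load-balancing
 ! lbpublic: interface that owns the VIP and receives client connections; lbprivate: node-to-node traffic
 interface lbpublic outside
 interface lbprivate inside
 ! Virtual Cluster Address from the text; must be in the OUTSIDE subnet and resolve in DNS
 cluster ip address 192.168.31.40
 ! Cluster communication: UDP 9023 (default); the key must match on all nodes, then turn encryption on
 cluster port 9023
 cluster key <cluster-shared-secret>
 cluster encryption
 ! Redirect clients to the chosen node's FQDN (needs the PTR records mentioned above), so the
 ! certificate name still matches after redirection
 redirect-fqdn enable
 ! Master election preference (1-10); give the preferred master the highest value
 priority 10
 ! Join the cluster
 participate
!
! Verification: role of this node, peers and per-node session load
! show vpn load-balancing
```

show vpn load-balancing reports whether the node is master or backup, the peers it sees and the session count used for balancing. Two operational checks worth doing on every node: the cluster key and encryption setting must be identical everywhere (a node with a mismatched key simply never joins), and the wildcard certificate configured earlier must cover both the VIP FQDN and every node FQDN, otherwise clients get a certificate warning on redirection.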