In this article I want to give step-by-step instructions on how you can quickly deploy the most scalable Remote-Access VPN scheme available today, based on AnyConnect and Cisco ASA: a VPN Load Balancing Cluster.
Introduction: Many companies around the world, because of the current situation with COVID-19, are working to move their employees to remote work. With this mass shift to remote work, the load on companies' existing VPN gateways is rising sharply, and the ability to scale them quickly is required. On the other hand, many companies are being forced to master the concept of remote work from scratch in a hurry.
At the time of setup, the ASAv has no license and is limited to 100 kbit/sec.
To activate the license, you must generate a token in your Smart-Account: https://software.cisco.com/ -> Smart Software Licensing
In the window that opens, click the New Token button.
Make sure that the Allow export-controlled functionality... checkbox in the window that opens is active. Without this function you will not be able to use strong encryption and, accordingly, VPN. If this field is inactive, contact your account team and ask for it to be enabled.
After pressing the Create Token button, a token is generated that we will use to license the ASAv; copy it:
Let's repeat steps C, D, E for every ASAv we deploy.
To make copying the token easier, let's temporarily enable telnet. Let's configure each ASA (the example below shows the configuration of ASA-1). Telnet from the outside does not work; if you really need it, change the security-level of outside to 100, then change it back afterwards.
!
ciscoasa(config)# int gi0/0
ciscoasa(config)# nameif outside
ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# int gi0/1
ciscoasa(config)# nameif inside
ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# telnet 0 0 inside
ciscoasa(config)# username admin password cisco priv 15
ciscoasa(config)# ena password cisco
ciscoasa(config)# aaa authentication telnet console LOCAL
!
ciscoasa(config)# route outside 0 0 192.168.31.1
!
ciscoasa(config)# wr
!
To register the device in the cloud Smart-Account, you must give the ASA Internet access; details here.
Specifically, the ASA needs:
Internet access over HTTPS;
time synchronization (preferably via NTP);
a configured DNS server;
We connect to our ASA over telnet and configure it to activate the license from the Smart-Account.
We will make the corporate network reachable through the tunnel and connect to the Internet directly (not the most secure option when there are no security controls on the connecting host: an infected host can reach the joined network and leak its data; the split-tunnel-policy tunnelall option would instead send all of the host's traffic into the tunnel. Split-Tunnel, however, makes it possible to offload the VPN gateway by not passing the host's Internet traffic through it.)
We will give hosts in the tunnel addresses from the subnet 192.168.20.0/24 (a pool of addresses .10 to .30 for node #1). Each node in the cluster must have its own VPN pool.
Let's do authentication with a local user created on the ASA (this is not recommended; it is simply the easiest option). It is better to authenticate via LDAP/RADIUS, or better still, to tie in Multi-Factor Authentication (MFA), for example Cisco DUO.
(Optional): In the example above we used local users on the firewall to authenticate remote users, which is rarely used outside a lab. I will give an example of how to quickly switch the authentication configuration to a centralized server, using Cisco Identity Services Engine as the example:
When using a cluster, it is very important for the internal network to know which ASA return traffic for a given client must be sent to; for this, the /32 routes of the client addresses have to be redistributed.
At this point we have not yet configured the cluster, but we already have working VPN gateways that you can connect to individually by FQDN or IP.
We see the connected clients in the sessions on the first ASA:
So that our whole VPN cluster and all its participants know the route to our clients, we will redistribute the client addresses into the dynamic routing protocol, for example OSPF:
Now we have a route to the client via the second gateway ASA-2, and clients connected to different VPN gateways in the cluster can, for example, talk directly through a corporate softphone, just as return traffic from resources requested by the user will arrive at the correct VPN gateway:
Let's move on to configuring the Load-Balancing cluster.
The address 192.168.31.40 will be used as the Virtual IP (VIP: all VPN users initially connect to it); from this address the Cluster Master REDIRECTS each client to a less loaded node. Don't forget to register forward and reverse DNS records both for each external address/FQDN of every cluster member and for the VIP.
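The per-node remote-access settings described above (a node-specific pool, split tunnel restricted to corporate prefixes instead of tunnelall, and RADIUS authentication against ISE with LOCAL fallback), as an added configuration example for ASA-1 that is not from the article; the names VPN-POOL-1, GP-RA, TG-RA, SPLIT-CORP and the ISE address 192.168.255.10 are assumptions, and the AnyConnect image is assumed to be installed already.

```cisco
! Added example (not the article's own config). Assumed names and the ISE address are constructed.
!
! Node-specific pool: every cluster member gets its own, non-overlapping pool.
ip local pool VPN-POOL-1 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
! Only corporate prefixes are tunnelled; the client's Internet traffic stays local
! (assumed corporate range 192.168.0.0/16).
access-list SPLIT-CORP standard permit 192.168.0.0 255.255.0.0
!
group-policy GP-RA internal
group-policy GP-RA attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-CORP
 address-pools value VPN-POOL-1
!
! Centralised authentication via RADIUS (Cisco ISE) instead of local users;
! LOCAL is kept only as a fallback if the RADIUS server is unreachable.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.255.10
 key <RADIUS-SHARED-SECRET>
!
tunnel-group TG-RA type remote-access
tunnel-group TG-RA general-attributes
 address-pool VPN-POOL-1
 authentication-server-group ISE LOCAL
 default-group-policy GP-RA
tunnel-group TG-RA webvpn-attributes
 group-alias RA enable
!
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

On ASA-2 the same block is applied with its own pool (for example VPN-POOL-2) so the two members never hand out overlapping client addresses.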
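The load-balancing cluster itself, as an added configuration example that is not from the article: the VIP 192.168.31.40 and the outside/inside interface names come from the text, the cluster key is a placeholder, and the same block is assumed to be entered on every cluster member.

```cisco
! Added example (not the article's own config); cluster key is a placeholder.
! Enter this on every member; the master is elected by priority (higher wins).
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 192.168.31.40
 cluster port 9023
 cluster key <CLUSTER-SHARED-SECRET>
 cluster encryption
 redirect-fqdn enable
 priority 10
 participate
!
! redirect-fqdn makes the master redirect clients to a member's FQDN rather than
! its IP, so the certificate presented by that member still matches what the
! AnyConnect client validates; this is why forward and reverse DNS records are
! required for every member address and for the VIP.
```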