Deploying ASA VPN Load-Balancing Cluster

In this article I want to give step-by-step instructions on how you can quickly deploy the most scalable Remote-Access VPN design available today, based on AnyConnect and Cisco ASA: the VPN Load-Balancing Cluster.

Introduction: Many companies around the world, because of the current situation with COVID-19, are rushing to move their employees to remote work. Because of the mass move to remote work, the load on the companies' existing VPN gateways is growing sharply, and the ability to scale them quickly is becoming essential. On the other hand, many companies are being forced to adopt the concept of remote work from scratch, in a hurry.

To help businesses quickly organize simple, secure and scalable VPN access for their employees, Cisco is providing licenses for up to 13 weeks to existing customers of the AnyConnect SSL-VPN client. You can also obtain an ASAv for a trial (Virtual ASA for VMWare/Hyper-V/KVM hypervisors and for the AWS/Azure cloud platforms) from authorized partners, or by contacting the Cisco representatives who work with you.

The procedure for obtaining the AnyConnect COVID-19 license is described here.

I have prepared step-by-step instructions for the simplest option for deploying a VPN Load-Balancing cluster, as the most scalable VPN technology.

The example below is very simple in terms of the authentication and authorization algorithms used, but it is a good option for a quick start (which is something many people lack right now), with the possibility of adapting it more deeply to your requirements during deployment.

Short note: the VPN Load Balancing Cluster technology is not failover or clustering in the classic sense; this technology can combine completely different ASA models (with some limitations) in order to balance Remote-Access VPN connections between them, and it has its own set of technical constraints. There is no synchronization of sessions or configuration between the cluster nodes, but it can balance VPN connections and keep VPN connectivity available as long as at least one active node remains in the cluster. Load in the cluster is balanced according to the load on the nodes, measured by the number of VPN sessions.

For fault tolerance of individual cluster nodes (if required), you can use failover, so that an active connection is served by the Active unit of the failover pair. Failover is not required for fault tolerance in a Load-Balancing cluster; if a node fails, the cluster itself will redirect user sessions to another active node, but without preserving connection state, which is exactly what failover provides. So the two technologies can be combined if necessary.

A VPN Load-Balancing cluster can contain more than two nodes.

The VPN Load-Balancing cluster is supported on the ASA 5512-X and higher.

Since every ASA in a VPN Load-Balancing cluster is independent in terms of configuration, we perform the whole configuration procedure individually on each device.

Details of the technology are here.

The logical topology of the example is shown in the diagram.

Initial deployment:

  1. We deploy ASAv instances of the required model (ASAv5/10/30/50) from the image.

  2. We place the INSIDE / OUTSIDE interfaces in a common VLAN (OUTSIDE in its own VLAN, INSIDE in its own, but shared across the cluster; see the topology). It is important that interfaces of the same type are in the same L2 segment.

  3. Licensing:

    • During initial setup the ASAv has no license and is limited to 100 kbit/sec.
    • To install a license, you need to generate a token in your Smart-Account: https://software.cisco.com/ -> Smart Software Licensing
    • In the window that opens, click the New Token button.


    • Make sure that the field in the window that opens is active and that the checkbox "Allow export-controlled functionality..." is ticked. Without this setting you will not be able to use strong encryption and, accordingly, VPN. If this field is inactive, contact your account team and ask for it to be enabled.


    • After clicking the Create Token button, a token is generated that we can use to license the ASAv; copy it.


    • Repeat steps C, D, E for each deployed ASAv.
    • To make copying the token easier, we temporarily enable telnet. We configure each ASA (the example below shows the settings of ASA-1). Telnet from the outside does not work; if you really need it, change the security-level of outside to 100 and then change it back.

    !
    ciscoasa(config)# int gi0/0
    ciscoasa(config-if)# nameif outside
    ciscoasa(config-if)# ip address 192.168.31.30 255.255.255.0
    ciscoasa(config-if)# no shut
    !
    ciscoasa(config)# int gi0/1
    ciscoasa(config-if)# nameif inside
    ciscoasa(config-if)# ip address 192.168.255.2 255.255.255.0
    ciscoasa(config-if)# no shut
    !
    ciscoasa(config)# telnet 0 0 inside
    ciscoasa(config)# username admin password cisco priv 15
    ciscoasa(config)# ena password cisco
    ciscoasa(config)# aaa authentication telnet console LOCAL
    !
    ciscoasa(config)# route outside 0 0 192.168.31.1
    !
    ciscoasa(config)# wr
    !

    • To register the token with the cloud Smart-Account, you need to give the ASA Internet access; details are here.

    In short, the ASA needs:

    • Internet access over HTTPS;
    • time synchronization (preferably via NTP);
    • a configured DNS server.
    • We telnet to our ASA and configure it to activate the license from the Smart-Account.

    !
    ciscoasa(config)# clock set 19:21:00 Mar 18 2020
    ciscoasa(config)# clock timezone MSK 3
    ciscoasa(config)# ntp server 192.168.99.136
    !
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config)# dns server-group DefaultDNS
    ciscoasa(config-dns-server-group)# name-server 192.168.99.132
    !
    ! Verify that DNS works:
    !
    ciscoasa(config-dns-server-group)# ping ya.ru
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
    !!!!!
    !
    ! Verify NTP synchronization:
    !
    ciscoasa(config)# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
    *~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    !
    ! Set the Smart-Licensing configuration of our ASAv (according to your profile; in my case 100M, as an example)
    !
    ciscoasa(config)# license smart
    ciscoasa(config-smart-lic)# feature tier standard
    ciscoasa(config-smart-lic)# throughput level 100M
    !
    ! If necessary, Internet access through a proxy can be configured with the following block of commands:
    !call-home
    !  http-proxy ip_address port port
    !
    ! Next we paste the token (<token>) copied from the Smart-Account portal and register the license
    !
    ciscoasa(config)# end
    ciscoasa# license smart register idtoken <token>

    • We verify that the device has successfully obtained a license and that the encryption options are available.


  4. Configuring basic SSL-VPN on each gateway

    • Next, we configure access via SSH and ASDM:

    ciscoasa(config)# ssh ver 2
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# aaa authentication http console LOCAL
    ciscoasa(config)# hostname vpn-demo-1
    vpn-demo-1(config)# domain-name ashes.cc
    vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096
    vpn-demo-1(config)# ssh 0 0 inside
    vpn-demo-1(config)# http 0 0 inside
    !
    ! Bring up the HTTPS server for ASDM on port 445 so that it does not collide with the SSL-VPN portal
    !
    vpn-demo-1(config)# http server enable 445
    !

    • For ASDM to work, you first need to download it from cisco.com; in my case it is the file shown below.

    • For AnyConnect clients to work, you need to upload to each ASA an image for every client OS in use (Linux / Windows / MAC are planned); you will need the file with "Headend Deployment Package" in its name.

    • The downloaded files can be uploaded, for example, to an FTP server and then copied to each ASA.

    • We configure ASDM and a self-signed certificate for SSL-VPN (in production it is recommended to use a trusted certificate). The FQDN of the cluster Virtual Address (vpn-demo.ashes.cc), as well as every FQDN associated with the external address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the address from which udp/443 (DTLS) and tcp/443 (TLS) are port-forwarded). Details of the certificate requirements are given in the Certificate section of the documentation.

    !
    vpn-demo-1(config)# crypto ca trustpoint SELF
    vpn-demo-1(config-ca-trustpoint)# enrollment self
    vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
    vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
    vpn-demo-1(config-ca-trustpoint)# serial-number             
    vpn-demo-1(config-ca-trustpoint)# crl configure
    vpn-demo-1(config-ca-crl)# cry ca enroll SELF
    % The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
    Generate Self-Signed Certificate? [yes/no]: yes
    vpn-demo-1(config)# 
    !
    vpn-demo-1(config)# sh cry ca certificates 
    Certificate
    Status: Available
    Certificate Serial Number: 4d43725e
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA256 with RSA Encryption
    Issuer Name: 
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Validity Date: 
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
    Storage: config
    Associated Trustpoints: SELF 
    
    CA Certificate
    Status: Available
    Certificate Serial Number: 0509
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Subject Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Validity Date: 
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
    Storage: config
    Associated Trustpoints: _SmartCallHome_ServerCA               

    • To check that ASDM works, do not forget to specify the port, as in the example shown.

    • Let's do a basic tunnel configuration:
    • We will make the corporate network reachable through the tunnel, with the Internet reached directly (not the most secure approach when there are no security measures on the connecting host: it can be compromised through an infected host and leak company data; the option split-tunnel-policy tunnelall would force all host traffic into the tunnel. However, Split-Tunnel makes it possible to offload the VPN gateway and not process the host's Internet traffic).
    • We will assign hosts in the tunnel addresses from the subnet 192.168.20.0/24 (a pool of addresses 10 to 30 (for node #1)). Each cluster node must have its own VPN pool.
    • We will authenticate with a local user created on the ASA (this is not recommended; it is simply the easiest way). It is better to authenticate via LDAP/RADIUS, or better still, tie in Multi-Factor Authentication (MFA), for example Cisco DUO.

    !
    vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
    !
    vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
    !
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
    vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client 
    vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
    vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
    vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
    vpn-demo-1(config-group-policy)# default-domain value ashes.cc
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)#  default-group-policy SSL-VPN-GROUP-POLICY
    vpn-demo-1(config-tunnel-general)#  address-pool vpn-pool
    !
    vpn-demo-1(config)# username dkazakov password cisco
    vpn-demo-1(config)# username dkazakov attributes
    vpn-demo-1(config-username)# service-type remote-access
    !
    vpn-demo-1(config)# ssl trust-point SELF
    vpn-demo-1(config)# webvpn
    vpn-demo-1(config-webvpn)#  enable outside
    vpn-demo-1(config-webvpn)#  anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
    vpn-demo-1(config-webvpn)#  anyconnect enable
    !

    • (Optional): In the example above we used a local user on the firewall to authenticate remote users, which is only applicable in a lab. I will give an example of how to quickly switch authentication to an external server, using Cisco Identity Services Engine as the example:

    ! The server-group definition was missing from the listing; it is implied by the prompt below
    vpn-demo-1(config)# aaa-server RADIUS protocol radius
    vpn-demo-1(config-aaa-server-group)# dynamic-authorization
    vpn-demo-1(config-aaa-server-group)# interim-accounting-update
    vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
    vpn-demo-1(config-aaa-server-host)# key cisco
    vpn-demo-1(config-aaa-server-host)# exit
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# authentication-server-group RADIUS
    !

    This integration makes it possible not only to quickly tie the authentication procedure to AD services, but also to distinguish whether the connecting computer is joined to AD, to determine whether it is a corporate or a personal device, and to assess the state of the connecting device.


    • Let's configure Transparent NAT so that traffic between the clients and corporate network resources is not translated:

    ! The network object named in the NAT rule was missing from the listing; it is implied by the prompt below
    vpn-demo-1(config)# object network vpn-users
    vpn-demo-1(config-network-object)#  subnet 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp

    • (Optional): To let our clients out to the Internet through the ASA (when using the tunnelall option) with PAT, leaving from the same external address they connected to, you need the following settings:

    vpn-demo-1(config-network-object)# nat (outside,outside) source dynamic vpn-users interface
    vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
    vpn-demo-1(config)# same-security-traffic permit intra-interface 
    !

    • When using a cluster it is very important that the internal network knows which ASA to send return traffic for users to; for this the /32 client addresses must be advertised.
      At this point we have not yet configured the cluster, but we already have working VPN gateways that can be connected to individually by FQDN or IP.

    We see the connected client in the session table of the first ASA.

    So that the whole VPN cluster and all participants know the route to our clients, we redistribute the client prefixes into the dynamic routing protocol, for example OSPF:

    !
    ! The ACL referenced by the route-map was not shown on the page; this definition is assumed and matches the VPN pool
    vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
    vpn-demo-1(config-route-map)#  match ip address VPN-REDISTRIBUTE
    !
    vpn-demo-1(config)# router ospf 1
    vpn-demo-1(config-router)#  network 192.168.255.0 255.255.255.0 area 0
    vpn-demo-1(config-router)#  log-adj-changes
    vpn-demo-1(config-router)#  redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE

    Now we have a route to the client through the second gateway, ASA-2, and clients connected to different VPN gateways in the cluster can, for example, talk to each other directly via the corporate softphone, just as return traffic from resources requested by a client arrives at the right VPN gateway.

  5. Now let's move on to the Load-Balancing cluster configuration.

    The address 192.168.31.40 will be used as the Virtual IP (VIP: every VPN client initially connects to it); from this address the Cluster Master REDIRECTs the client to a less loaded node. Do not forget to register both forward and reverse DNS records for each external address / FQDN of every cluster node, and for the VIP.

    vpn-demo-1(config)# vpn load-balancing
    vpn-demo-1(config-load-balancing)# interface lbpublic outside
    vpn-demo-1(config-load-balancing)# interface lbprivate inside
    vpn-demo-1(config-load-balancing)# priority 10
    vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
    vpn-demo-1(config-load-balancing)# cluster port 4000
    vpn-demo-1(config-load-balancing)# redirect-fqdn enable
    vpn-demo-1(config-load-balancing)# cluster key cisco
    vpn-demo-1(config-load-balancing)# cluster encryption
    vpn-demo-1(config-load-balancing)# cluster port 9023
    vpn-demo-1(config-load-balancing)# participate
    vpn-demo-1(config-load-balancing)#
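    Three of the requirements above are easy to get wrong across several independently configured nodes: every node FQDN and the VIP need matching forward and reverse DNS records, the SSL certificate must cover each of those names, and the per-node address pools must not overlap. The following pre-flight check is an added example, not code from the article; the VIP, node 1's address and pool come from the article, while node 2's address and pool and the DNS records are constructed sample data.

```python
import ipaddress

# Constructed plan. VIP 192.168.31.40, node 1 (192.168.31.30) and its pool
# 192.168.20.10-30 are from the article; node 2's values are assumed.
PLAN = {
    "vip": ("vpn-demo.ashes.cc", "192.168.31.40"),
    "nodes": [
        ("vpn-demo-1.ashes.cc", "192.168.31.30", ("192.168.20.10", "192.168.20.30")),
        ("vpn-demo-2.ashes.cc", "192.168.31.31", ("192.168.20.31", "192.168.20.50")),
    ],
    "cert_names": ["*.ashes.cc", "vpn-demo.ashes.cc"],  # CN / SAN entries of the cert
}
# Constructed stand-in for the external DNS zone (forward A and reverse PTR records).
A_RECORDS = {"vpn-demo.ashes.cc": "192.168.31.40",
             "vpn-demo-1.ashes.cc": "192.168.31.30",
             "vpn-demo-2.ashes.cc": "192.168.31.31"}
PTR_RECORDS = {"192.168.31.40": "vpn-demo.ashes.cc",
               "192.168.31.30": "vpn-demo-1.ashes.cc",
               "192.168.31.31": "vpn-demo-2.ashes.cc"}


def cert_covers(fqdn, cert_names):
    """True if a CN/SAN entry matches fqdn; '*' matches exactly one DNS label."""
    fqdn = fqdn.lower()
    for name in cert_names:
        name = name.lower()
        if name == fqdn:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # e.g. ".ashes.cc"
            rest = fqdn[: -len(suffix)] if fqdn.endswith(suffix) else ""
            if rest and "." not in rest:
                return True
    return False


def pool_overlaps(nodes):
    """Return pairs of node FQDNs whose local address pools intersect."""
    ranges = [(n[0], int(ipaddress.ip_address(n[2][0])), int(ipaddress.ip_address(n[2][1])))
              for n in nodes]
    clashes = []
    for i, (a, a_lo, a_hi) in enumerate(ranges):
        for b, b_lo, b_hi in ranges[i + 1:]:
            if a_lo <= b_hi and b_lo <= a_hi:
                clashes.append((a, b))
    return clashes


def preflight(plan, a_records, ptr_records):
    """Collect findings for the cluster plan; an empty list means all checks passed."""
    findings = []
    names = [plan["vip"]] + [(n[0], n[1]) for n in plan["nodes"]]
    for fqdn, ip in names:
        if a_records.get(fqdn) != ip:
            findings.append(f"forward DNS: {fqdn} should resolve to {ip}, got {a_records.get(fqdn)}")
        if ptr_records.get(ip) != fqdn:
            findings.append(f"reverse DNS: {ip} should map to {fqdn}, got {ptr_records.get(ip)}")
        if not cert_covers(fqdn, plan["cert_names"]):
            findings.append(f"certificate: no CN/SAN entry covers {fqdn}")
    for a, b in pool_overlaps(plan["nodes"]):
        findings.append(f"address pool: {a} and {b} hand out overlapping client addresses")
    return findings


if __name__ == "__main__":
    for line in preflight(PLAN, A_RECORDS, PTR_RECORDS) or ["all checks passed"]:
        print(line)
```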

    • We verify the operation of the cluster with two connected clients.

    • Let's make things easier for clients by pushing an AnyConnect profile from ASDM.

    We register the profile in the simplest way and associate our group policy with it.

    At the client's next connection this profile is downloaded and installed in the AnyConnect client, so when you need to connect, you just pick it from the list.

    Since with ASDM we created the profile on only one ASA, do not forget to repeat the steps on the other ASAs in the cluster.

Conclusion: So we have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is simple, which gives easy horizontal scaling by deploying new ASAv virtual machines or using hardware ASAs. The feature-rich AnyConnect client can improve the security of your remote connections using Posture (state assessment), which is most effective when used together with a centralized access control and accounting system, Identity Services Engine.

Source: www.hab.com