In this article I want to describe, step by step, how to quickly deploy what is currently the most scalable design for remote-access VPN based on AnyConnect and Cisco ASA: a VPN load-balancing cluster.
Introduction: Given the current situation with the coronavirus pandemic, many companies around the world are moving their employees to remote work. The mass shift to remote work has sharply increased the load on companies' existing VPN gateways, which now need to be scaled quickly. At the same time, many companies are having to learn the concept of remote work from scratch.
To help companies give their employees convenient, secure and scalable VPN access in the shortest possible time, Cisco is offering licenses for the feature-rich AnyConnect SSL VPN client for up to 13 weeks.
A VPN load-balancing cluster is the most scalable VPN technology available, and below is a step-by-step guide to deploying one simply.
The example is deliberately simple in terms of the authentication and authorization methods used, but it is a good option for a quick start (which is what many need right now) and can be adapted thoroughly to your needs during deployment.
Brief background: VPN load-balancing cluster technology is neither failover nor clustering in the native sense. It lets you combine completely different ASA models (with certain restrictions) to load-balance remote-access VPN connections. Sessions and configuration are not synchronized between the nodes of such a cluster, but the load of VPN connections is distributed automatically, and fault tolerance of VPN connections is ensured as long as at least one active node remains in the cluster. Load within the cluster is balanced automatically according to each node's workload, measured by the number of VPN sessions.
Failover can be used for individual cluster nodes (if needed); active connections are then handled by the primary unit of the failover pair. Failover is not required for fault tolerance within a load-balancing cluster: if a node fails, the cluster itself moves user sessions to another live node, but connection state is not preserved (preserving it is what failover provides). So the two technologies can be combined as needed.
A VPN load-balancing cluster can contain two or more nodes.
VPN load balancing is supported on ASA 5512-X and later.
Each ASA in a VPN load-balancing cluster is independent in terms of configuration, so all configuration steps are performed separately on each device.
The logical topology of the example is as follows:
Initial deployment:
- Deploy ASAv instances from the image with the required template (ASAv5/10/30/50).
- Place the INSIDE and OUTSIDE interfaces in common VLANs (OUTSIDE in its own VLAN, INSIDE in its own; normally all cluster members share them, see the topology). It is important that interfaces of the same type sit in the same L2 segment.
- Licensing:
  - Right after installation an ASAv has no license and its throughput is capped at 100 kbps.
  - To install a license, generate a token in your Smart Account: https://software.cisco.com/ -> Smart Software Licensing; in the window that opens click the New Token button.
  - In the token window make sure the field "Allow export-controlled functionality..." is active and its checkbox is set. Without it, strong-encryption features, and therefore VPN, will not be available. If the field is not active, send an activation request to your account team.
  - After pressing Create Token, a token is created that we will use to license the ASAv; copy it.
  - Repeat the three previous steps (new token, export-controlled flag, copy) for each deployed ASAv.
  - To make pasting the token easier, temporarily allow Telnet. Configure each ASA (the example below is for ASA-1). Telnet does not work on the outside interface; if you really need it there, raise the outside security level to 100 and set it back afterwards. Remove the Telnet access once the token has been registered.
! ASA-1 initial configuration (lab values). Telnet, the local admin user and the
! enable password are temporary, for pasting the token only; remove them afterwards.
ciscoasa(config)# int gi0/0
ciscoasa(config)# nameif outside
ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# int gi0/1
ciscoasa(config)# nameif inside
ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
ciscoasa(config)# no shut
!
! Telnet is allowed from the inside only (the ASA refuses Telnet on its lowest-security interface)
ciscoasa(config)# telnet 0 0 inside
ciscoasa(config)# username admin password cisco priv 15
ciscoasa(config)# ena password cisco
ciscoasa(config)# aaa authentication telnet console LOCAL
!
ciscoasa(config)# route outside 0 0 192.168.31.1
!
ciscoasa(config)# wr
!
- To register the token with the Smart Account cloud, the ASA needs Internet access (details are in the Cisco Smart Licensing documentation).
  That is, the ASA needs:
  - Internet access over HTTPS;
  - time synchronization (more precisely, via NTP);
  - a configured DNS server.
- Connect to the ASA via Telnet and configure license activation through the Smart Account:
!
ciscoasa(config)# clock set 19:21:00 Mar 18 2020
ciscoasa(config)# clock timezone MSK 3
ciscoasa(config)# ntp server 192.168.99.136
!
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 192.168.99.132
!
! Check that DNS resolution works:
!
ciscoasa(config-dns-server-group)# ping ya.ru
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
!!!!!
!
! Check NTP synchronization (the "*" marks the peer the ASA is synced to):
!
ciscoasa(config)# show ntp associations
address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.99.136 91.189.94.4   3    63    64    1    36.7    1.85    17.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
!
! Set the Smart Licensing parameters of the ASAv (according to your profile; 100M in my case, as an example)
!
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level 100M
!
! If Internet access must go through a proxy, use the following block of commands:
! call-home
!  http-proxy ip_address port port
!
! Then paste the token (<token>) copied from the Smart Account portal and register the license
!
ciscoasa(config)# end
ciscoasa# license smart register idtoken <token>
- Check that the device has registered the license successfully and that the encryption options are available:
- Set up a basic SSL-VPN on each gateway.
- First, configure access via SSH and ASDM:
ciscoasa(config)# ssh ver 2
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# hostname vpn-demo-1
vpn-demo-1(config)# domain-name ashes.cc
vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096
! Management (SSH and ASDM) is reachable from the inside only
vpn-demo-1(config)# ssh 0 0 inside
vpn-demo-1(config)# http 0 0 inside
!
! Run the HTTPS server for ASDM on port 445 so that it does not clash with the SSL-VPN portal on 443
! (the ASDM URL then has to include :445)
!
vpn-demo-1(config)# http server enable 445
!
- For ASDM to work, first download ASDM from cisco.com; in my case it is the following file:
- For the AnyConnect client to work, upload to each ASA the image for every desktop client OS you plan to use (Linux/Windows/macOS); they are listed under the "Head-end deployment package" title:
- The downloaded files can be uploaded to an FTP server, for example, and from there to each ASA.
- Configure a self-signed certificate for ASDM and SSL-VPN (in production, use a certificate from a trusted CA). The FQDN set in the certificate configuration is the virtual cluster address (vpn-demo.ashes.cc); that FQDN, and the FQDN of each cluster node, must point in the external DNS zone to the node's OUTSIDE interface address (or to the mapped address, if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Details on the certificate requirements are in the "Certificate Validation" section of the documentation.
!
vpn-demo-1(config)# crypto ca trustpoint SELF
vpn-demo-1(config-ca-trustpoint)# enrollment self
vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
vpn-demo-1(config-ca-trustpoint)# serial-number
vpn-demo-1(config-ca-trustpoint)# crl configure
vpn-demo-1(config-ca-crl)# cry ca enroll SELF
% The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
Generate Self-Signed Certificate? [yes/no]: yes
vpn-demo-1(config)#
!
vpn-demo-1(config)# sh cry ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 4d43725e
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
  Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
  Validity Date:
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
  Storage: config
  Associated Trustpoints: SELF

CA Certificate
  Status: Available
  Certificate Serial Number: 0509
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
  Subject Name:
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
  Validity Date:
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
  Storage: config
  Associated Trustpoints: _SmartCallHome_ServerCA
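The certificate above carries the VIP FQDN (vpn-demo.ashes.cc) as its only SAN entry, with the wildcard in the CN alone. Once redirect-fqdn is enabled in the load-balancing configuration later on, the master redirects each client to the FQDN of the chosen node, and the client then validates that node's certificate against that name; so every node's certificate has to cover both the VIP FQDN and the node's own FQDN. The following Python example is added here and is not code from the original article: it checks a SAN list against the names a client can be redirected to, applying the RFC 6125 wildcard rules rather than relying on the CN. The node FQDNs vpn-demo-1.ashes.cc and vpn-demo-2.ashes.cc are assumptions for illustration.

```python
"""Check which names a VPN load-balancing node certificate fails to cover.

Added example; this is not code from the original article. With
"redirect-fqdn enable" the cluster master answers on the VIP FQDN and then
redirects the client to the FQDN of the chosen node, so the certificate on
every node must match both the VIP FQDN and that node's own FQDN. Modern TLS
clients ignore the CN when a SAN extension is present, so only SAN dNSName
entries are checked, with RFC 6125 wildcard rules: "*" must be the entire
leftmost label and matches exactly one label. The node FQDNs below are
assumptions for illustration; the VIP FQDN and the article's SAN come from
the article.
"""
from __future__ import annotations


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN dNSName entry (possibly a wildcard) matches hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Conservative wildcard policy: only "*.example.tld" (whole leftmost label,
    # at least two labels to its right); partial-label wildcards such as
    # "vpn*.ashes.cc" are rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    # "*" covers exactly one label, so "*.ashes.cc" matches neither
    # "ashes.cc" nor "a.b.ashes.cc".
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def uncovered_names(san_dns_names: list[str], required_names: list[str]) -> list[str]:
    """Return the required names that no SAN entry matches, in input order."""
    return [name for name in required_names
            if not any(name_matches(pattern, name) for pattern in san_dns_names)]


# Names a client may validate against this cluster's certificates.
CLUSTER_VIP_FQDN = "vpn-demo.ashes.cc"                       # from the article
NODE_FQDNS = ["vpn-demo-1.ashes.cc", "vpn-demo-2.ashes.cc"]  # assumed node FQDNs
REQUIRED_NAMES = [CLUSTER_VIP_FQDN] + NODE_FQDNS

# SAN of the article's self-signed certificate: the "fqdn" trustpoint command
# adds one dNSName; the wildcard lives only in the CN, which clients ignore.
ARTICLE_SAN = ["vpn-demo.ashes.cc"]
# A certificate that would satisfy redirect-fqdn on every node (constructed).
FIXED_SAN = ["vpn-demo.ashes.cc", "vpn-demo-1.ashes.cc", "vpn-demo-2.ashes.cc"]


def report(san_dns_names: list[str]) -> str:
    """Human-readable verdict used when running this file directly."""
    missing = uncovered_names(san_dns_names, REQUIRED_NAMES)
    if not missing:
        return "OK: certificate covers the VIP FQDN and every node FQDN"
    return "Clients redirected to these names will get a certificate warning: " + ", ".join(missing)


if __name__ == "__main__":
    print("article certificate ->", report(ARTICLE_SAN))
    print("fixed certificate   ->", report(FIXED_SAN))
```

Run directly, the script shows that the article's certificate leaves both node FQDNs uncovered, which is the name check a client performs after the redirect. The fix is to put every node FQDN into the SAN (as in FIXED_SAN) or to carry the `*.ashes.cc` wildcard in the SAN rather than only in the CN; either way, the same certificate (or one with the same names) must be installed on every cluster member.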
- To check that ASDM works, remember to specify the port, like this:
- Now the basic tunnel configuration.
- We make the corporate networks reachable through the tunnel and send Internet traffic directly (not the most secure option if the connecting hosts are not protected: corporate data could be exposed through an infected host. The split-tunnel-policy tunnelall option sends all host traffic into the tunnel. Split tunneling, on the other hand, offloads the VPN gateway, which then does not have to carry the hosts' Internet traffic.)
- Addresses for hosts in the tunnel are issued from the 192.168.20.0/24 subnet (a pool of .10 to .30 for node #1). Each node of the VPN cluster needs its own pool.
- Basic authentication uses users created locally on the ASA (not recommended, but the simplest option). LDAP/RADIUS is better, and better still is to add multi-factor authentication (MFA), for example Cisco Duo.
!
! Address pool for this node (each cluster node needs its own, non-overlapping pool)
vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
! Networks reachable through the tunnel (split tunneling); everything else goes directly to the Internet
vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
!
vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client
vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
vpn-demo-1(config-group-policy)# default-domain value ashes.cc
vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
vpn-demo-1(config-tunnel-general)# default-group-policy SSL-VPN-GROUP-POLICY
vpn-demo-1(config-tunnel-general)# address-pool vpn-pool
!
! Local test user (lab only; see the AAA-server variant below)
vpn-demo-1(config)# username dkazakov password cisco
vpn-demo-1(config)# username dkazakov attributes
vpn-demo-1(config-username)# service-type remote-access
!
! Present the SELF certificate and enable AnyConnect on the outside interface
vpn-demo-1(config)# ssl trust-point SELF
vpn-demo-1(config)# webvpn
vpn-demo-1(config-webvpn)# enable outside
vpn-demo-1(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
vpn-demo-1(config-webvpn)# anyconnect enable
!
- (Optional): In the example above remote users were authenticated against local users on the firewall, which of course is of little use outside a lab. Here is an example of quickly adapting the authentication configuration to use a AAA server, for example Cisco Identity Services Engine:
! The server-group definition was not shown on the page; it is implied by the prompt below
vpn-demo-1(config)# aaa-server RADIUS protocol radius
vpn-demo-1(config-aaa-server-group)# dynamic-authorization
vpn-demo-1(config-aaa-server-group)# interim-accounting-update
vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
vpn-demo-1(config-aaa-server-host)# key cisco
vpn-demo-1(config-aaa-server-host)# exit
vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
vpn-demo-1(config-tunnel-general)# authentication-server-group RADIUS
!
This integration not only ties authentication into the AD directory service quickly, but also makes it possible to tell whether the connecting computer is an AD member, whether the device is corporate or personal, and to assess the state of the connecting device.
- Configure NAT exemption so that traffic between clients and corporate network resources is not translated:
! Identity NAT for the VPN pool: traffic between VPN clients and internal resources keeps its addresses
vpn-demo-1(config)# object network vpn-users
vpn-demo-1(config-network-object)# subnet 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp
- (Optional): If you want clients to reach the Internet through the ASA (when using the tunnelall option) with PAT, terminating on the same OUTSIDE interface they connect to, the following configuration is needed:
! Hairpin: VPN clients arriving on outside are PATed to the outside interface address on the way back out
vpn-demo-1(config)# nat (outside,outside) source dynamic vpn-users interface
vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
! Allow traffic to enter and leave the same interface (required for the hairpin)
vpn-demo-1(config)# same-security-traffic permit intra-interface
!
- When using a cluster, it is very important that the internal network knows which ASA to route return traffic to. For that, the /32 routes of the addresses issued to clients must be redistributed.
At this point the cluster is not configured yet, but we already have working VPN gateways that can be reached individually by FQDN or IP.
The connected client is visible in the routing table of the first ASA:
So that the whole VPN cluster and the whole corporate network know the route to the client, we redistribute the client prefixes into a dynamic routing protocol (OSPF in this case):
!
! ACL selecting which static routes are redistributed. It was not shown on the page; the one
! below (the VPN pool subnet, which also matches the client /32 routes) is an assumption.
vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
vpn-demo-1(config-route-map)# match ip address VPN-REDISTRIBUTE
!
vpn-demo-1(config)# router ospf 1
vpn-demo-1(config-router)# network 192.168.255.0 255.255.255.0 area 0
vpn-demo-1(config-router)# log-adj-changes
! AnyConnect client addresses appear as /32 static routes on the ASA, so redistributing static routes advertises them
vpn-demo-1(config-router)# redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE
Now the second gateway, ASA-2, also has a route to the client, so users connected to different VPN gateways in the cluster can communicate directly (for example via a corporate softphone), and return traffic from the resources a user requests reaches the right VPN gateway.
Let's move on to configuring the load-balancing cluster:
The address 192.168.31.40 is used as the virtual IP (VIP, the address every VPN client connects to first); the cluster master redirects from it to the least-loaded cluster node. Do not forget to create forward and reverse DNS records both for the VIP and for the external address/FQDN of every node in the cluster.
vpn-demo-1(config)# vpn load-balancing
vpn-demo-1(config-load-balancing)# interface lbpublic outside
vpn-demo-1(config-load-balancing)# interface lbprivate inside
! priority decides the master election; give each node its own value
vpn-demo-1(config-load-balancing)# priority 10
vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
vpn-demo-1(config-load-balancing)# cluster port 4000
! redirect clients by node FQDN rather than IP, so each node's certificate must carry its FQDN
vpn-demo-1(config-load-balancing)# redirect-fqdn enable
vpn-demo-1(config-load-balancing)# cluster key cisco
vpn-demo-1(config-load-balancing)# cluster encryption
! this second "cluster port" overrides the first; 9023 is the default UDP port and must be the same on every node
vpn-demo-1(config-load-balancing)# cluster port 9023
vpn-demo-1(config-load-balancing)# participate
vpn-demo-1(config-load-balancing)#
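The load-balancing block above is pasted on every member with its own priority, while the address pool, NAT-exemption object and redistribution ACL earlier in the article must be kept consistent per node, and the one mistake that silently breaks return routing is two nodes handing out overlapping addresses. The following Python example is added here and is not code from the original article: it renders the per-node fragments from one cluster definition and refuses to produce output when two nodes' pools overlap, a pool leaves the pool subnet, or a node's outside address collides with the VIP. The values for vpn-demo-1 are the article's; vpn-demo-2's addresses, pool and priority are assumptions.

```python
"""Render per-node ASA configuration for a VPN load-balancing cluster.

Added example; this is not code from the original article. Cluster members
are configured one by one and the article requires a separate address pool
per node, so the error to catch before pasting anything is two nodes handing
out the same addresses. The renderer derives each node's pool, NAT-exemption
object, redistribution ACL and "vpn load-balancing" block from one cluster
definition and refuses to emit configuration if the definition is
inconsistent. vpn-demo-1's values are the article's; vpn-demo-2's addresses,
pool and priority are assumptions for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    hostname: str
    outside_ip: str
    inside_ip: str
    pool_first: str
    pool_last: str
    priority: int          # higher priority wins the master election


@dataclass(frozen=True)
class Cluster:
    vip: str               # virtual address clients connect to first
    pool_network: str      # subnet every node pool must lie in, e.g. 192.168.20.0/24
    cluster_key: str
    nodes: tuple[Node, ...]
    cluster_port: int = 9023   # ASA default; must be identical on all nodes


def check(cluster: Cluster) -> str:
    """Return "" if the cluster definition is consistent, else the first problem found."""
    net = ipaddress.IPv4Network(cluster.pool_network)
    vip = ipaddress.IPv4Address(cluster.vip)
    hostnames = [n.hostname for n in cluster.nodes]
    if len(set(hostnames)) != len(hostnames):
        return "duplicate hostnames"
    seen = []  # (hostname, first, last) of pools already validated
    for n in cluster.nodes:
        first = ipaddress.IPv4Address(n.pool_first)
        last = ipaddress.IPv4Address(n.pool_last)
        if last < first:
            return f"{n.hostname}: pool end precedes pool start"
        if first not in net or last not in net:
            return f"{n.hostname}: pool is outside {net}"
        if ipaddress.IPv4Address(n.outside_ip) == vip:
            return f"{n.hostname}: outside address collides with the VIP"
        for other, ofirst, olast in seen:
            if first <= olast and ofirst <= last:
                return f"pools of {other} and {n.hostname} overlap"
        seen.append((n.hostname, first, last))
    return ""


def render_node(cluster: Cluster, node: Node) -> str:
    """Configuration fragment for one node (each ASA is configured independently)."""
    problem = check(cluster)
    if problem:
        raise ValueError(problem)
    net = ipaddress.IPv4Network(cluster.pool_network)
    lines = [
        f"hostname {node.hostname}",
        f"! {node.hostname}: outside {node.outside_ip}, inside {node.inside_ip}",
        f"ip local pool vpn-pool {node.pool_first}-{node.pool_last} mask {net.netmask}",
        "object network vpn-users",
        f" subnet {net.network_address} {net.netmask}",
        "nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp",
        f"access-list VPN-REDISTRIBUTE standard permit {net.network_address} {net.netmask}",
        "route-map RMAP-VPN-REDISTRIBUTE permit 1",
        " match ip address VPN-REDISTRIBUTE",
        "router ospf 1",
        " redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE",
        "vpn load-balancing",
        " interface lbpublic outside",
        " interface lbprivate inside",
        f" priority {node.priority}",
        f" cluster ip address {cluster.vip}",
        f" cluster port {cluster.cluster_port}",
        " redirect-fqdn enable",
        f" cluster key {cluster.cluster_key}",
        " cluster encryption",
        " participate",
    ]
    return "\n".join(lines) + "\n"


def render_all(cluster: Cluster) -> dict[str, str]:
    """Fragments for every node, keyed by hostname."""
    return {n.hostname: render_node(cluster, n) for n in cluster.nodes}


DEMO_CLUSTER = Cluster(
    vip="192.168.31.40", pool_network="192.168.20.0/24", cluster_key="cisco",
    nodes=(
        Node("vpn-demo-1", "192.168.31.30", "192.168.255.2", "192.168.20.10", "192.168.20.30", 10),
        Node("vpn-demo-2", "192.168.31.31", "192.168.255.3", "192.168.20.31", "192.168.20.51", 5),  # assumed
    ),
)

if __name__ == "__main__":
    for hostname, cfg in render_all(DEMO_CLUSTER).items():
        print(f"### {hostname}\n{cfg}")
```

The redistribution ACL is the whole pool subnet on every node; that is safe because a node only holds /32 static routes for clients it terminates itself, so each member still advertises only its own clients. Keeping the shared parameters (VIP, key, port) in one place also guards against the most common cluster symptom, a member that never joins because its cluster key or port differs.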
- Check the cluster's operation with two connected clients:
- Let's make things more convenient for users with an AnyConnect profile that is loaded automatically, created via ASDM:
Give the profile a descriptive name and associate it with the group policy:
After the client's next connection the profile is downloaded and installed in the AnyConnect client automatically, so when users need to connect they just pick it from the list:
The profile was created on only one ASA via ASDM, so remember to repeat the steps on the other ASAs in the cluster.
Conclusion: We have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding a node to the cluster is easy, by deploying another ASAv virtual machine or by using a hardware ASA, which makes horizontal scaling straightforward. The feature-rich AnyConnect client is most effective when combined with a system for posture assessment, centralized control and access accounting: Identity Services Engine.
Source: habr.com