ProHoster > Π‘Π»ΠΎΠ³ > Administrasi > Nyebarake Kluster Load-Balancing ASA VPN

Nyebarake Kluster Load-Balancing ASA VPN

Ing artikel iki, aku pengin menehi pandhuan langkah-langkah babagan carane sampeyan bisa kanthi cepet masang skema sing paling bisa diukur saiki. VPN Akses Remote akses dhasar AnyConnect lan Cisco ASA - Kluster Load Balancing VPN.

Pambuka: Akeh perusahaan ing saindenging jagad, amarga kahanan saiki karo COVID-19, ngupayakake transfer karyawan menyang kerja sing adoh. Amarga transisi massa menyang karya remot, beban ing gateway VPN perusahaan sing wis ana saya tambah akeh lan mbutuhake kemampuan sing cepet banget kanggo skala kasebut. Ing sisih liya, akeh perusahaan sing kepeksa cepet-cepet nguwasani konsep kerja jarak jauh saka awal.

Kanggo mbantu bisnis entuk akses VPN sing trep, aman, lan bisa diukur kanggo karyawan ing wektu sing paling cendhak, Cisco menehi lisensi kanggo klien SSL-VPN sing sugih fitur AnyConnect nganti 13 minggu. Sampeyan uga bisa njupuk ASAv kanggo tes (Virtual ASA kanggo hypervisors VMWare/Hyper-V/KVM lan platform awan AWS/Azure) saka mitra sing sah utawa ngubungi perwakilan Cisco sing nggarap sampeyan..

Prosedur kanggo nerbitake lisensi AnyConnect COVID-19 diterangake ing kene.

Aku wis nyiapake pandhuan langkah-langkah kanggo panyebaran VPN Load-Balancing Cluster minangka teknologi VPN sing paling bisa diukur.

Conto ing ngisor iki bakal cukup prasaja babagan algoritma otentikasi lan wewenang sing digunakake, nanging bakal dadi pilihan sing apik kanggo wiwitan cepet (sing saiki ora cukup kanggo akeh) kanthi kamungkinan adaptasi sing jero kanggo kabutuhan sampeyan sajrone panyebaran. proses.

Informasi singkat: VPN Load Balancing Cluster teknologi ora failover lan ora fungsi clustering ing pangertèn native, teknologi iki bisa gabungke model ASA temen beda (karo Watesan tartamtu) kanggo mbukak imbangan sambungan Remote-Access VPN. Ora ana sinkronisasi sesi lan konfigurasi ing antarane simpul kluster kasebut, nanging bisa kanthi otomatis mbukak imbangan sambungan VPN lan njamin toleransi kesalahan sambungan VPN nganti paling sethithik siji simpul aktif tetep ing kluster. Beban ing kluster kanthi otomatis imbang gumantung saka beban kerja kelenjar kanthi jumlah sesi VPN.

Kanggo failover saka kelenjar tartamtu saka kluster (yen dibutuhake), filer bisa digunakake, supaya sambungan aktif bakal ditangani dening simpul utami filer. Fileover dudu syarat sing dibutuhake kanggo njamin toleransi kesalahan ing kluster Load-Balancing, kluster kasebut dhewe, yen ana kegagalan simpul, bakal nransfer sesi pangguna menyang simpul urip liyane, nanging tanpa nyimpen status sambungan, sing tepat. diwenehake dening filer. Patut, bisa, yen perlu, kanggo nggabungake rong teknologi kasebut.

Kluster Load-Balancing VPN bisa ngemot luwih saka rong simpul.

Kluster Load-Balancing VPN didhukung ing ASA 5512-X lan ndhuwur.

Amarga saben ASA ing kluster Load-Balancing VPN minangka unit mandiri ing babagan setelan, kita nindakake kabeh langkah konfigurasi kanthi individu ing saben piranti.

Rincian teknologi ing kene

Topologi logis saka conto sing diwenehake:

Nyebarake Kluster Load-Balancing ASA VPN

Panyebaran Utama:

  1. Kita nyebarake conto ASAv saka template sing dibutuhake (ASAv5/10/30/50) saka gambar kasebut.

  2. We nemtokake INSIDE / Njaba antarmuka kanggo VLAN padha (Njaba ing VLAN dhewe, nang dhewe, nanging umume ing kluster, ndeleng topologi), iku penting sing antarmuka saka jinis padha ing babagan L2 padha.

  3. Lisensi:

    • Saiki instalasi ASAv ora duwe lisensi lan bakal diwatesi nganti 100kbps.
    • Kanggo nginstal lisensi, sampeyan kudu nggawe token ing Smart-Account: https://software.cisco.com/ -> Lisensi Piranti Lunak Smart
    • Ing jendhela sing mbukak, klik tombol kasebut Token Anyar

    Nyebarake Kluster Load-Balancing ASA VPN

    • Priksa manawa ing jendhela sing mbukak ana kolom aktif lan tandha mriksa dicenthang Ngidini fungsi sing dikontrol ekspor… Tanpa lapangan iki aktif, sampeyan ora bakal bisa nggunakake fungsi enkripsi kuwat lan, patut, VPN. Yen kolom iki ora aktif, hubungi tim akun sampeyan kanthi panjaluk aktivasi.

    Nyebarake Kluster Load-Balancing ASA VPN

    • Sawise pencet tombol Nggawe Token, token bakal digawe sing bakal digunakake kanggo entuk lisensi kanggo ASAv, nyalin:

    Nyebarake Kluster Load-Balancing ASA VPN

    • Baleni langkah C, D, E kanggo saben ASAv disebarake.
    • Kanggo nggampangake nyalin token, ayo ngidini telnet kanggo sementara. Ayo konfigurasi saben ASA (conto ing ngisor iki nggambarake setelan ing ASA-1). telnet ora bisa digunakake karo njaba, yen sampeyan pancene perlu, ngganti tingkat keamanan kanggo 100 kanggo njaba, banjur bali maneh.

    !
ciscoasa(config)# int gi0/0
ciscoasa(config)# nameif outside
ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# int gi0/1
ciscoasa(config)# nameif inside
ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# telnet 0 0 inside
ciscoasa(config)# username admin password cisco priv 15
ciscoasa(config)# ena password cisco
ciscoasa(config)# aaa authentication telnet console LOCAL
!
ciscoasa(config)# route outside 0 0 192.168.31.1
!
ciscoasa(config)# wr
!

    • Kanggo ndhaptar token ing awan Smart-Account, sampeyan kudu menehi akses Internet kanggo ASA, rincian kene.

    Ing cendhak, ASA dibutuhake:

    • akses liwat HTTPS menyang Internet;
    • sinkronisasi wektu (luwih bener, liwat NTP);
    • server DNS kadhaptar;
      • Kita telnet menyang ASA lan nggawe setelan kanggo ngaktifake lisensi liwat Smart-Account.

    !
ciscoasa(config)# clock set 19:21:00 Mar 18 2020
ciscoasa(config)# clock timezone MSK 3
ciscoasa(config)# ntp server 192.168.99.136
!
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# DNS server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 192.168.99.132 
!
! ΠŸΡ€ΠΎΠ²Π΅Ρ€ΠΈΠΌ Ρ€Π°Π±ΠΎΡ‚Ρƒ DNS:
!
ciscoasa(config-dns-server-group)# ping ya.ru
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
!!!!!
!
! ΠŸΡ€ΠΎΠ²Π΅Ρ€ΠΈΠΌ ΡΠΈΠ½Ρ…Ρ€ΠΎΠ½ΠΈΠ·Π°Ρ†ΠΈΡŽ NTP:
!
ciscoasa(config)# show ntp associations 
  address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
!
! Установим ΠΊΠΎΠ½Ρ„ΠΈΠ³ΡƒΡ€Π°Ρ†ΠΈΡŽ нашСй ASAv для Smart-Licensing (Π² соотвСтствии с Π’Π°ΡˆΠΈΠΌ ΠΏΡ€ΠΎΡ„ΠΈΠ»Π΅ΠΌ, Π² ΠΌΠΎΠ΅ΠΌ случаС 100М для ΠΏΡ€ΠΈΠΌΠ΅Ρ€Π°)
!
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level 100M
!
! Π’ случаС нСобходимости ΠΌΠΎΠΆΠ½ΠΎ Π½Π°ΡΡ‚Ρ€ΠΎΠΈΡ‚ΡŒ доступ Π² Π˜Π½Ρ‚Π΅Ρ€Π½Π΅Ρ‚ Ρ‡Π΅Ρ€Π΅Π· прокси ΠΈΡΠΏΠΎΠ»ΡŒΠ·ΡƒΠΉΡ‚Π΅ ΡΠ»Π΅Π΄ΡƒΡŽΡ‰ΠΈΠΉ Π±Π»ΠΎΠΊ ΠΊΠΎΠΌΠ°Π½Π΄:
!call-home
!  http-proxy ip_address port port
!
! Π”Π°Π»Π΅Π΅ ΠΌΡ‹ вставляСм скопированный ΠΈΠ· ΠΏΠΎΡ€Ρ‚Π°Π»Π° Smart-Account Ρ‚ΠΎΠΊΠ΅Π½ (<token>) ΠΈ рСгистрируСм Π»ΠΈΡ†Π΅Π½Π·ΠΈΡŽ
!
ciscoasa(config)# end
ciscoasa# license smart register idtoken <token>

    • Priksa manawa piranti wis kasil ndhaptar lisensi lan opsi enkripsi kasedhiya:

    Nyebarake Kluster Load-Balancing ASA VPN

    Nyebarake Kluster Load-Balancing ASA VPN

  4. Nggawe SSL-VPN dhasar ing saben gateway

    • Sabanjure, konfigurasi akses liwat SSH lan ASDM:

    ciscoasa(config)# ssh ver 2
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# hostname vpn-demo-1
vpn-demo-1(config)# domain-name ashes.cc
vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096 
vpn-demo-1(config)# ssh 0 0 inside  
vpn-demo-1(config)# http 0 0 inside
!
! ПоднимСм сСрвСр HTTPS для ASDM Π½Π° ΠΏΠΎΡ€Ρ‚Ρƒ 445 Ρ‡Ρ‚ΠΎΠ±Ρ‹ Π½Π΅ ΠΏΠ΅Ρ€Π΅ΡΠ΅ΠΊΠ°Ρ‚ΡŒΡΡ с SSL-VPN ΠΏΠΎΡ€Ρ‚Π°Π»ΠΎΠΌ
!
vpn-demo-1(config)# http server enable 445 
!

    • Kanggo ASDM bisa digunakake, sampeyan kudu ngundhuh dhisik saka situs web cisco.com, ing kasusku, file ing ngisor iki:

    Nyebarake Kluster Load-Balancing ASA VPN

    • Kanggo klien AnyConnect bisa digunakake, sampeyan kudu ngunggah gambar menyang saben ASA kanggo saben OS klien desktop sing digunakake (direncanakake nggunakake Linux / Windows / MAC), sampeyan butuh file kanthi Paket Penyebaran Headend Ing judhul:

    Nyebarake Kluster Load-Balancing ASA VPN

    • File sing diundhuh bisa diunggah, contone, menyang server FTP lan diunggah menyang saben ASA:

    Nyebarake Kluster Load-Balancing ASA VPN

    • Kita ngatur sertifikat ASDM lan Self-Signed kanggo SSL-VPN (disaranake nggunakake sertifikat sing dipercaya ing produksi). FQDN pesawat saka Alamat Cluster Virtual (vpn-demo.ashes.cc), uga saben FQDN sing digandhengake karo alamat eksternal saben simpul kluster, kudu mutusake masalah ing zona DNS eksternal menyang alamat IP antarmuka OUTSIDE (utawa menyang alamat sing dipetakan yen port forwarding udp/443 digunakake (DTLS) lan tcp/443(TLS)). Informasi rinci babagan syarat sertifikat kasebut ing bagean kasebut Verifikasi Sertifikat dokumentasi.

    !
vpn-demo-1(config)# crypto ca trustpoint SELF
vpn-demo-1(config-ca-trustpoint)# enrollment self
vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
vpn-demo-1(config-ca-trustpoint)# serial-number             
vpn-demo-1(config-ca-trustpoint)# crl configure
vpn-demo-1(config-ca-crl)# cry ca enroll SELF
% The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
Generate Self-Signed Certificate? [yes/no]: yes
vpn-demo-1(config)# 
!
vpn-demo-1(config)# sh cry ca certificates 
Certificate
Status: Available
Certificate Serial Number: 4d43725e
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name: 
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Subject Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Validity Date: 
start date: 00:16:17 MSK Mar 19 2020
end   date: 00:16:17 MSK Mar 17 2030
Storage: config
Associated Trustpoints: SELF 

CA Certificate
Status: Available
Certificate Serial Number: 0509
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name: 
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Subject Name: 
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Validity Date: 
start date: 21:27:00 MSK Nov 24 2006
end   date: 21:23:33 MSK Nov 24 2031
Storage: config
Associated Trustpoints: _SmartCallHome_ServerCA

    • Aja lali kanggo nemtokake port kanggo mriksa ASDM bisa digunakake, contone:

    Nyebarake Kluster Load-Balancing ASA VPN

    • Ayo nindakake setelan dhasar trowongan:
    • Ayo nggawe jaringan perusahaan kasedhiya liwat trowongan, lan supaya Internet langsung (ora cara paling aman yen ora ana proteksi ing host nyambungake, iku bisa kanggo nembus liwat host sing kena infeksi lan nampilake data perusahaan, pilihan pamisah-tunnel-kabijakan tunnelall bakal ngidini kabeh lalu lintas inang menyang trowongan. Nanging trowongan pamisah ndadekake bisa mbukak gateway VPN lan ora ngolah lalu lintas Internet host)
    • Ayo ngetokake alamat saka subnet 192.168.20.0/24 menyang host ing trowongan (blumbang saka 10 nganti 30 alamat (kanggo simpul #1)). Saben simpul kluster VPN kudu duwe blumbang dhewe.
    • Kita bakal nindakake otentikasi dhasar karo pangguna sing digawe sacara lokal ing ASA (Iki ora dianjurake, iki cara sing paling gampang), luwih becik nindakake otentikasi liwat LDAP / RADIUS, utawa luwih apik, dasi Otentikasi Multi-Faktor (MFA)tuladhane Cisco DUO.

    !
vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
!
vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client 
vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
vpn-demo-1(config-group-policy)# default-domain value ashes.cc
vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
vpn-demo-1(config-tunnel-general)#  default-group-policy SSL-VPN-GROUP-POLICY
vpn-demo-1(config-tunnel-general)#  address-pool vpn-pool
!
vpn-demo-1(config)# username dkazakov password cisco
vpn-demo-1(config)# username dkazakov attributes
vpn-demo-1(config-username)# service-type remote-access
!
vpn-demo-1(config)# ssl trust-point SELF
vpn-demo-1(config)# webvpn
vpn-demo-1(config-webvpn)#  enable outside
vpn-demo-1(config-webvpn)#  anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
vpn-demo-1(config-webvpn)#  anyconnect enable
!

    • (OPTIONAL): Ing conto ing ndhuwur, kita nggunakake pangguna lokal ing ITU kanggo keasliane pangguna remot, sing mesthi, kajaba ing laboratorium, ora bisa ditrapake. Aku bakal menehi conto carane cepet ngganti setelan kanggo otentikasi kanggo radius server, contone digunakake Cisco Identity Services Engine:

    vpn-demo-1(config-aaa-server-group)# dynamic-authorization
vpn-demo-1(config-aaa-server-group)# interim-accounting-update
vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
vpn-demo-1(config-aaa-server-host)# key cisco
vpn-demo-1(config-aaa-server-host)# exit
vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
vpn-demo-1(config-tunnel-general)# authentication-server-group  RADIUS 
!

    Integrasi iki ndadekake ora mung bisa nggabungake prosedur otentikasi kanthi cepet karo layanan direktori AD, nanging uga kanggo mbedakake apa komputer sing disambungake dadi AD, kanggo mangerteni apa piranti iki perusahaan utawa pribadi, lan kanggo netepake status piranti sing disambungake. .

    Nyebarake Kluster Load-Balancing ASA VPN

    Nyebarake Kluster Load-Balancing ASA VPN

    • Ayo konfigurasi NAT Transparan supaya lalu lintas antarane klien lan sumber daya jaringan jaringan perusahaan ora ditulis:

    vpn-demo-1(config-network-object)#  subnet 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp

    • (OPTIONAL): Supaya bisa mbukak klien menyang Internet liwat ASA (nalika nggunakake terowongan opsi) nggunakake PAT, uga metu liwat antarmuka OUTSIDE padha saka kang disambungake, sampeyan kudu nggawe setelan ing ngisor iki

    vpn-demo-1(config-network-object)# nat (outside,outside) source dynamic vpn-users interface
vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
vpn-demo-1(config)# same-security-traffic permit intra-interface 
!

    • Nalika nggunakake kluster, penting banget kanggo ngaktifake jaringan internal kanggo ngerti ASA sing bakal ngarahake lalu lintas bali menyang pangguna, mula sampeyan kudu mbagekake rute / 32 alamat sing ditanggepi kanggo klien.
      Saiki, kita durung ngonfigurasi kluster, nanging kita wis duwe gateway VPN sing bisa disambungake kanthi individu liwat FQDN utawa IP.

    Nyebarake Kluster Load-Balancing ASA VPN

    Kita ndeleng klien sing disambungake ing tabel rute ASA pisanan:

    Nyebarake Kluster Load-Balancing ASA VPN

    Supaya kabeh kluster VPN lan kabeh jaringan perusahaan ngerti rute menyang klien kita, kita bakal mbagekke maneh awalan klien menyang protokol routing dinamis, contone OSPF:

    !
vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
vpn-demo-1(config-route-map)#  match ip address VPN-REDISTRIBUTE
!
vpn-demo-1(config)# router ospf 1
vpn-demo-1(config-router)#  network 192.168.255.0 255.255.255.0 area 0
vpn-demo-1(config-router)#  log-adj-changes
vpn-demo-1(config-router)#  redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE

    Saiki kita duwe rute menyang klien saka gateway ASA-2 kaloro lan pangguna sing disambungake menyang gateway VPN sing beda-beda ing kluster bisa, contone, komunikasi langsung liwat softphone perusahaan, uga bali lalu lintas saka sumber daya sing dijaluk pangguna bakal. teka menyang gateway VPN sing dikarepake:

    Nyebarake Kluster Load-Balancing ASA VPN

  5. Ayo dadi pindhah menyang configuring kluster Load-Balancing.

    Alamat 192.168.31.40 bakal digunakake minangka IP Virtual (VIP - kabeh klien VPN wiwitane bakal nyambung menyang), saka alamat iki kluster Master bakal nggawe REDIRECT menyang simpul kluster sing kurang dimuat. Ojo lali nulis maju lan mbalikke rekaman DNS loro kanggo saben alamat external / FQDN saben simpul kluster, lan kanggo VIP.

    vpn-demo-1(config)# vpn load-balancing
vpn-demo-1(config-load-balancing)# interface lbpublic outside
vpn-demo-1(config-load-balancing)# interface lbprivate inside
vpn-demo-1(config-load-balancing)# priority 10
vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
vpn-demo-1(config-load-balancing)# cluster port 4000
vpn-demo-1(config-load-balancing)# redirect-fqdn enable
vpn-demo-1(config-load-balancing)# cluster key cisco
vpn-demo-1(config-load-balancing)# cluster encryption
vpn-demo-1(config-load-balancing)# cluster port 9023
vpn-demo-1(config-load-balancing)# participate
vpn-demo-1(config-load-balancing)#

    • Kita mriksa operasi kluster kanthi rong klien sing disambungake:

    Nyebarake Kluster Load-Balancing ASA VPN

    • Ayo nggawe pengalaman pelanggan luwih trep karo profil AnyConnect sing dimuat kanthi otomatis liwat ASDM.

    Nyebarake Kluster Load-Balancing ASA VPN

    Kita menehi jeneng profil kanthi cara sing trep lan nggandhengake kabijakan grup kasebut:

    Nyebarake Kluster Load-Balancing ASA VPN

    Sawise sambungan sabanjure klien, profil iki bakal diundhuh lan diinstal kanthi otomatis ing klien AnyConnect, dadi yen sampeyan kudu nyambungake, pilih saka dhaptar:

    Nyebarake Kluster Load-Balancing ASA VPN

    Awit kita digawe profil iki mung siji ASA nggunakake ASDM, aja lali kanggo mbaleni langkah ing ASA liyane ing kluster.

Kesimpulan: Mangkono, kita kanthi cepet nyebarake klompok sawetara gateway VPN kanthi imbangan beban otomatis. Nambahake simpul anyar menyang kluster gampang, kanthi skala horisontal sing prasaja kanthi nggunakake mesin virtual ASAv anyar utawa nggunakake ASA hardware. Klien AnyConnect sing sugih fitur bisa ningkatake sambungan remot sing aman kanthi nggunakake Postur (estimasi negara), paling efektif digunakake bebarengan karo sistem kontrol terpusat lan akses accounting Identity Services Engine.

Source: www.habr.com

Add a comment