Setting up a VPN load-balancing cluster on Cisco ASA with AnyConnect
With the mass move to remote work during COVID-19, the load on remote-access VPN gateways grew sharply, and a single ASA quickly becomes both a capacity limit and a single point of failure. This article walks through building a VPN load-balancing cluster of Cisco ASA devices for AnyConnect clients: from a bare ASAv through licensing, SSL VPN, authentication, NAT and routing to the cluster itself.
In this article:
- what a VPN load-balancing cluster on Cisco ASA is and when to prefer it over failover;
- how to configure the AnyConnect (SSL VPN client) service on the ASA;
- how to join the members into a cluster.
Failover or load balancing? An ASA failover pair replicates VPN sessions to the standby unit, so a failure is transparent to clients, but only the active unit ever terminates traffic and the pair adds no capacity. In a VPN load-balancing cluster every member terminates its own sessions behind a shared virtual IP, so capacity grows with each member; session state is not replicated between members, so when a node fails its users are disconnected and reconnect through the virtual IP, where the master sends them to a surviving member. The two mechanisms can be combined: a cluster member can itself be a failover pair.
Which platforms support the cluster

The VPN load-balancing cluster is supported on the ASA 5512-X and higher and on the ASAv. Unlike failover or ASA clustering, it does not synchronize configuration: every member is configured on its own, and the cluster only coordinates the virtual IP and the redirection of new sessions.
Lab setup

The lab for this article uses:
- two ASAv instances (any of ASAv5/10/30/50 will do) as cluster members; the same configuration applies to hardware ASAs;
- INSIDE and OUTSIDE VLANs shared by all members. A load-balancing cluster requires the public (outside) interfaces of all members to be in one L2 segment and subnet, and the private (inside) interfaces in another, because the members talk to each other over the private interface and the virtual IP lives in the public subnet;
- licenses: an unlicensed ASAv is rate-limited to 100 kbps, so a Smart Account (https://software.cisco.com/ -> Smart Software Licensing) with the ASAv throughput entitlement and AnyConnect licenses is needed before any VPN testing makes sense;
- a registration token generated in the Smart Account portal, which is pasted into each ASAv during registration.
- To bootstrap, enable telnet on ASA-1 from the inside network (only the first device is shown; repeat on ASA-2). Telnet sends credentials in clear text and is acceptable only in an isolated lab; it is replaced with SSH below and must never be exposed on a production ASA:
```
!
ciscoasa(config)# int gi0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# ip address 192.168.31.30 255.255.255.0
ciscoasa(config-if)# no shut
!
ciscoasa(config)# int gi0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# ip address 192.168.255.2 255.255.255.0
ciscoasa(config-if)# no shut
!
! Lab-only management access: telnet is plaintext and 'cisco' is a placeholder password
ciscoasa(config)# telnet 0 0 inside
ciscoasa(config)# username admin password cisco priv 15
ciscoasa(config)# ena password cisco
ciscoasa(config)# aaa authentication telnet console LOCAL
!
ciscoasa(config)# route outside 0 0 192.168.31.1
!
ciscoasa(config)# wr
!
```
Registering the ASA in the Smart Account

Because licensing is done through the Smart Account cloud, the ASA needs the following before it can register:
- HTTPS access from the ASA to the Internet (through the outside interface in this lab);
- correct time, preferably from NTP, since certificate validation against the licensing servers fails with a wrong clock;
- a reachable DNS server;
- the management access from the previous step to enter the commands.
```
!
ciscoasa(config)# clock set 19:21:00 Mar 18 2020
ciscoasa(config)# clock timezone MSK 3
ciscoasa(config)# ntp server 192.168.99.136
!
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 192.168.99.132
!
! Check that DNS works:
!
ciscoasa(config-dns-server-group)# ping ya.ru
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
!!!!!
!
! Check NTP synchronization:
!
ciscoasa(config)# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.99.136    91.189.94.4      3    63    64     1    36.7    1.85    17.5
 * master (synced), # master (unsynced), + selected, - candidate, ~ configured
!
! Smart Licensing settings of our ASAv (according to your profile; 100M here as an example)
!
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level 100M
!
! If Internet access goes through a proxy, use the following block:
!call-home
! http-proxy ip_address port port
!
! Now paste the token copied from the Smart Account portal (<token>) and register the license
!
ciscoasa(config)# end
ciscoasa# license smart register idtoken <token>
```
- After registration, check that the ASA reports the license as registered and authorized (`show license status`); the 100 kbps throughput limit disappears once the entitlement is applied.
Enabling SSL VPN on the first node
- Set up management access over SSH and ASDM; SSH replaces the telnet access from the bootstrap step:
```
ciscoasa(config)# ssh ver 2
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# hostname vpn-demo-1
vpn-demo-1(config)# domain-name ashes.cc
vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096
vpn-demo-1(config)# ssh 0 0 inside
vpn-demo-1(config)# http 0 0 inside
!
! Bring up the HTTPS server for ASDM on port 445 so that it does not collide with the SSL-VPN portal on 443
!
vpn-demo-1(config)# http server enable 445
!
```
- To use ASDM, download it from cisco.com and upload it to the ASA's flash.
- To let clients install AnyConnect, upload the client package for every client OS you support (Windows / Linux / macOS) to the ASA; the headend serves the package to the client on first connection, and the package also has to be selected in the webvpn configuration.
- In this lab the files are copied to the ASA from an FTP server.
- Next, create the certificate for the SSL VPN portal (in ASDM or, as below, on the CLI). A self-signed certificate is enough for the lab; production should use a certificate from a CA the clients trust, otherwise AnyConnect shows an untrusted-server warning. The service FQDN (vpn-demo.ashes.cc) goes into the certificate, and because the cluster will redirect clients to individual members by their own FQDNs, the certificate must cover those names too, hence the wildcard *.ashes.cc. Every name must resolve in DNS to the right outside address (the cluster virtual IP for the service name, the member's own IP for a member name), and udp/443 (DTLS) as well as tcp/443 (TLS) must be reachable from the clients; if udp/443 is blocked, AnyConnect falls back to TLS over TCP only, at a noticeable performance cost.
```
!
vpn-demo-1(config)# crypto ca trustpoint SELF
vpn-demo-1(config-ca-trustpoint)# enrollment self
vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
vpn-demo-1(config-ca-trustpoint)# serial-number
vpn-demo-1(config-ca-trustpoint)# crl configure
vpn-demo-1(config-ca-crl)# cry ca enroll SELF
% The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
Generate Self-Signed Certificate? [yes/no]: yes
vpn-demo-1(config)#
!
vpn-demo-1(config)# sh cry ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 4d43725e
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
  Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
  Validity Date:
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
  Storage: config
  Associated Trustpoints: SELF

CA Certificate
  Status: Available
  Certificate Serial Number: 0509
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
  Subject Name:
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
  Validity Date:
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
  Storage: config
  Associated Trustpoints: _SmartCallHome_ServerCA
```
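The certificate requirement behind this step, as an added example that is not part of the original article: a small RFC 6125 name-matching check run over the cluster name and the member names. The certificate names are taken from the `sh cry ca certificates` output above (the trustpoint's `fqdn` becomes a dNSName SAN, while the wildcard sits only in the subject CN); the member hostnames vpn-demo-1.ashes.cc and vpn-demo-2.ashes.cc are assumptions. It shows that a client which applies the SAN-first rule will not accept a redirect to a member whose name is covered only by the CN wildcard, which is why a CA-issued certificate for the cluster should carry the wildcard (or every member name) in the SAN.

```python
"""Added example (not from the original article): check which of the names an
AnyConnect client may be sent to are covered by the ASA's server certificate,
applying RFC 6125 rules (single left-most wildcard label; dNSName SANs take
precedence over the subject CN).  Certificate names come from the trustpoint
above (fqdn vpn-demo.ashes.cc, cn=*.ashes.cc); the member hostnames
vpn-demo-1/vpn-demo-2.ashes.cc are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Identity names carried by an X.509 server certificate."""
    san_dns: List[str] = field(default_factory=list)  # subjectAltName dNSName entries
    cn: Optional[str] = None                           # subject CN, legacy fallback only


def _name_matches(presented: str, host: str) -> bool:
    """RFC 6125 6.4.3: '*' is accepted only as the whole left-most label,
    it matches exactly one label, and it never matches the bare domain."""
    presented, host = presented.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in presented:
        return presented == host
    p_labels, h_labels = presented.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in presented[1:] or len(p_labels) < 3:
        return False  # rejects 'vpn*.ashes.cc', '*.*.cc' and '*.cc'
    # '*.ashes.cc' covers vpn-demo-1.ashes.cc but not a.b.ashes.cc or ashes.cc
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(names: CertNames, host: str) -> bool:
    """True if the certificate is valid for `host`.  If the certificate carries
    any dNSName SAN, the CN is ignored (RFC 6125 6.4.4), so a wildcard that
    lives only in the CN does not help a strict client."""
    if names.san_dns:
        return any(_name_matches(n, host) for n in names.san_dns)
    return names.cn is not None and _name_matches(names.cn, host)


def uncovered_hosts(names: CertNames, hosts: List[str]) -> List[str]:
    """Hostnames for which verification against this certificate would fail."""
    return [h for h in hosts if not cert_covers(names, h)]


# Constructed from the 'sh cry ca certificates' output above: the trustpoint's
# 'fqdn' becomes a dNSName SAN, the wildcard sits only in the subject CN.
SELF_SIGNED = CertNames(san_dns=["vpn-demo.ashes.cc"], cn="*.ashes.cc")
# What a CA-issued replacement should carry so that redirects by member FQDN verify.
CA_ISSUED = CertNames(san_dns=["vpn-demo.ashes.cc", "*.ashes.cc"], cn="vpn-demo.ashes.cc")
# Cluster name plus member names (the member names are assumptions).
CLUSTER_HOSTS = ["vpn-demo.ashes.cc", "vpn-demo-1.ashes.cc", "vpn-demo-2.ashes.cc"]

if __name__ == "__main__":
    for label, names in (("self-signed", SELF_SIGNED), ("CA-issued", CA_ISSUED)):
        print(f"{label}: not covered -> {uncovered_hosts(names, CLUSTER_HOSTS)}")
```

Run it as a script to see the two lists; the self-signed certificate leaves both member names uncovered, the CA-issued one covers all three.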
- From this point on the rest can be done in ASDM; the CLI equivalent is shown below.
- Configure the tunnel group and group policy for the SSL VPN.
- Decide on the address pool and split tunneling. With `split-tunnel-policy tunnelspecified` only the networks listed in the split-tunnel ACL are sent through the tunnel and everything else leaves the client directly; with `split-tunnel-policy tunnelall` all traffic, including Internet traffic, passes through the VPN gateway, which then needs the hairpin NAT shown further down and carries the clients' entire Internet load.
- The pool here is 192.168.20.0/24, addresses .10 to .30 (node #1). Each cluster member needs its own, non-overlapping pool: members assign addresses independently and do not coordinate with each other.
- Authentication against the local user database on the ASA (shown below) is fine for a lab but not for production; use LDAP/RADIUS, ideally with multi-factor authentication, for example DUO.
```
!
vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
!
vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client
vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
vpn-demo-1(config-group-policy)# default-domain value ashes.cc
vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
vpn-demo-1(config-tunnel-general)# default-group-policy SSL-VPN-GROUP-POLICY
vpn-demo-1(config-tunnel-general)# address-pool vpn-pool
!
! Local test user; 'cisco' is a lab placeholder password
vpn-demo-1(config)# username dkazakov password cisco
vpn-demo-1(config)# username dkazakov attributes
vpn-demo-1(config-username)# service-type remote-access
!
vpn-demo-1(config)# ssl trust-point SELF
vpn-demo-1(config)# webvpn
vpn-demo-1(config-webvpn)# enable outside
vpn-demo-1(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
vpn-demo-1(config-webvpn)# anyconnect enable
!
```
- (Optional.) In the lab an external RADIUS server is used for authentication instead of the local database; the relevant commands are:
```
! The 'aaa-server ... protocol radius' line that enters the group is missing from the original excerpt
vpn-demo-1(config)# aaa-server RADIUS protocol radius
vpn-demo-1(config-aaa-server-group)# dynamic-authorization
vpn-demo-1(config-aaa-server-group)# interim-accounting-update
vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
! RADIUS shared secret; 'cisco' is a lab placeholder
vpn-demo-1(config-aaa-server-host)# key cisco
vpn-demo-1(config-aaa-server-host)# exit
vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
vpn-demo-1(config-tunnel-general)# authentication-server-group RADIUS
!
```
Through RADIUS or LDAP the ASA can also use Active Directory group membership, so that only the intended AD users or groups are allowed to connect and different groups receive different group policies.
- Configure NAT exemption (identity NAT, sometimes called transparent NAT) so that traffic between the internal network and the VPN pool is not translated:
```
! The 'object network vpn-users' line that enters the object is missing from the original excerpt
vpn-demo-1(config)# object network vpn-users
vpn-demo-1(config-network-object)# subnet 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp
```
- (Optional.) To give VPN users Internet access through the ASA, which tunnelall requires, PAT the pool to the outside interface address. That traffic enters and leaves through the same interface, so hairpinning must be allowed with `same-security-traffic permit intra-interface`. The NAT exemption above must stay ahead of these dynamic rules, since twice NAT rules are evaluated in order:
```
vpn-demo-1(config)# nat (outside,outside) source dynamic vpn-users interface
vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
vpn-demo-1(config)# same-security-traffic permit intra-interface
!
```
Routing

The ASA installs a /32 host route for every connected AnyConnect client. With a single VPN gateway, a static route for the whole pool on the internal routers is enough; with several cluster members, each handing out its own pool and clients able to land on any of them, the internal network must know which ASA a given client address sits behind. The simplest way is to let every member announce its client routes into the internal dynamic routing protocol, OSPF in this example:
```
!
! ACL selecting the VPN client routes to redistribute (assumed: it matches the VPN pool; not shown in the original)
vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
vpn-demo-1(config-route-map)# match ip address VPN-REDISTRIBUTE
!
vpn-demo-1(config)# router ospf 1
vpn-demo-1(config-router)# network 192.168.255.0 255.255.255.0 area 0
vpn-demo-1(config-router)# log-adj-changes
vpn-demo-1(config-router)# redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE
```
Repeat the same on ASA-2 with its own address pool and the same OSPF redistribution, and check that the client routes show up on the internal routers.

Configuring the load-balancing cluster

Address 192.168.31.40 is the cluster's virtual IP (VIP), the address the clients connect to. The member that wins the master election answers on the VIP and redirects every new client to the least-loaded member. With `redirect-fqdn enable` the redirect carries the member's FQDN instead of its IP address, so every member needs a DNS entry for its outside address (the ASA finds its own FQDN through a reverse lookup, so `dns domain-lookup` must be enabled) and a certificate that is valid for that name. The configuration is identical on every member except for `priority`:
```
vpn-demo-1(config)# vpn load-balancing
vpn-demo-1(config-load-balancing)# interface lbpublic outside
vpn-demo-1(config-load-balancing)# interface lbprivate inside
vpn-demo-1(config-load-balancing)# priority 10
vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
vpn-demo-1(config-load-balancing)# cluster port 4000
vpn-demo-1(config-load-balancing)# redirect-fqdn enable
! 'cluster key' is the shared secret used by 'cluster encryption'; 'cisco' is a lab placeholder
vpn-demo-1(config-load-balancing)# cluster key cisco
vpn-demo-1(config-load-balancing)# cluster encryption
! this second 'cluster port' supersedes the 4000 above; 9023 is the default and must be the same on every member
vpn-demo-1(config-load-balancing)# cluster port 9023
vpn-demo-1(config-load-balancing)# participate
vpn-demo-1(config-load-balancing)#
```
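A pre-flight check for the cluster plan, as an added example that is not part of the original article: it validates the constraints the steps above rely on (all members and the VIP in one public subnet, all private interfaces in one private subnet, distinct priorities, per-member pools that do not overlap and stay inside the `vpn-users` NAT object) and renders each member's pool and `vpn load-balancing` stanza. Node 1's values come from the article; node 2's hostname, addresses, priority and pool are assumptions.

```python
"""Added example (not from the original article): a pre-flight check for the
VPN load-balancing cluster plan plus per-member rendering of the 'ip local
pool' and 'vpn load-balancing' stanzas.  Node 1 values come from the article;
node 2's hostname, addresses, priority and pool are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Member:
    hostname: str
    outside_ip: str
    inside_ip: str
    priority: int          # highest wins the master election; keep them distinct
    pool_first: str
    pool_last: str


@dataclass(frozen=True)
class Cluster:
    vip: str               # virtual IP the clients connect to
    port: int              # inter-member port, default 9023, same on every member
    key: str               # shared secret used by 'cluster encryption'
    nat_object: str        # subnet of 'object network vpn-users' (NAT exemption, hairpin PAT)
    members: Tuple[Member, ...]


def pool_range(m: Member) -> Tuple[IPv4, IPv4]:
    first, last = IPv4(m.pool_first), IPv4(m.pool_last)
    if first > last:
        raise ValueError(f"{m.hostname}: pool start {first} is after end {last}")
    return first, last


def check_cluster(c: Cluster, public: Net, private: Net) -> List[str]:
    """Return the list of planning errors; an empty list means the plan is consistent."""
    problems: List[str] = []
    nat = Net(c.nat_object)
    if IPv4(c.vip) not in public:
        problems.append(f"VIP {c.vip} is outside the public subnet {public}")
    seen_prio = {}
    for m in c.members:
        # all members must share one public and one private L2 segment
        if IPv4(m.outside_ip) not in public:
            problems.append(f"{m.hostname}: outside {m.outside_ip} not in {public}")
        if IPv4(m.inside_ip) not in private:
            problems.append(f"{m.hostname}: inside {m.inside_ip} not in {private}")
        if m.priority in seen_prio:
            problems.append(f"{m.hostname} and {seen_prio[m.priority]} share priority {m.priority}")
        seen_prio[m.priority] = m.hostname
        first, last = pool_range(m)
        # the NAT exemption and hairpin PAT key on this object, so every pool must sit inside it
        if first not in nat or last not in nat:
            problems.append(f"{m.hostname}: pool {first}-{last} not inside NAT object {nat}")
    # members hand out addresses independently, so their pools must not overlap
    for i, a in enumerate(c.members):
        a_first, a_last = pool_range(a)
        for b in c.members[i + 1:]:
            b_first, b_last = pool_range(b)
            if a_first <= b_last and b_first <= a_last:
                problems.append(f"pools of {a.hostname} and {b.hostname} overlap")
    return problems


def render_member(c: Cluster, m: Member) -> str:
    """ASA CLI for one member: its own pool, then the cluster stanza that is
    identical on all members except 'priority'."""
    mask = Net(c.nat_object).netmask
    return "\n".join([
        f"ip local pool vpn-pool {m.pool_first}-{m.pool_last} mask {mask}",
        "vpn load-balancing",
        " interface lbpublic outside",
        " interface lbprivate inside",
        f" priority {m.priority}",
        f" cluster ip address {c.vip}",
        f" cluster port {c.port}",
        " redirect-fqdn enable",
        f" cluster key {c.key}",
        " cluster encryption",
        " participate",
    ])


# Constructed plan: node 1 from the article, node 2 assumed.
LAB = Cluster(
    vip="192.168.31.40", port=9023, key="cisco", nat_object="192.168.20.0/24",
    members=(
        Member("vpn-demo-1", "192.168.31.30", "192.168.255.2", 10, "192.168.20.10", "192.168.20.30"),
        Member("vpn-demo-2", "192.168.31.31", "192.168.255.3", 5, "192.168.20.40", "192.168.20.60"),
    ),
)
PUBLIC, PRIVATE = Net("192.168.31.0/24"), Net("192.168.255.0/24")

if __name__ == "__main__":
    for problem in check_cluster(LAB, PUBLIC, PRIVATE) or ["plan OK"]:
        print(problem)
    for member in LAB.members:
        print(f"\n! {member.hostname}\n{render_member(LAB, member)}")
```

Running it prints `plan OK` followed by the two per-member stanzas; overlapping pools, a duplicated priority or a VIP outside the public subnet each produce a line in the problem list instead.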
- Check the cluster state on each member (`show vpn load-balancing`) and confirm that one of them has become master.
- Connect with AnyConnect to the cluster FQDN and check in ASDM (or with `show vpn-sessiondb anyconnect`) which member terminated the session; a second client, or a reconnect after a member goes down, should typically land on the other node.
- Apply the same member configuration to the remaining ASAs.

In closing: the cluster scales remote access horizontally. Adding capacity later is a matter of bringing up another ASAv or hardware ASA with its own address pool and joining it to the cluster; the clients only know the cluster FQDN and are not affected.
Source: www.habr.com