Deploying an ASA VPN Load-Balancing Cluster

In this article I would like to give step-by-step instructions on how to quickly deploy the most scalable Remote Access VPN solution available on this platform: AnyConnect terminated on a Cisco ASA VPN Load-Balancing cluster.

Introduction: Because of the current situation with COVID-19, many companies around the world are moving their employees to remote work. With the mass transition to remote work, the load on companies' existing VPN gateways is growing critically, and a very fast way to scale them is required. On top of that, many companies are forced to work out the concept of remote work from scratch, in a hurry.

To help businesses quickly provide convenient, secure and scalable VPN access for employees, Cisco offers licenses for up to 13 weeks for the feature-rich AnyConnect SSL-VPN client. You can also obtain an ASAv for evaluation (a virtual ASA for the VMware/Hyper-V/KVM hypervisors and the AWS/Azure cloud platforms) from authorized partners or from the Cisco representatives working with you.

The procedure for obtaining the AnyConnect COVID-19 licenses is described here.

I have prepared step-by-step instructions for a simple way of deploying a VPN Load-Balancing cluster, as the most scalable of the VPN technologies.

The example below is deliberately simple in terms of the authentication and authorization methods used, but it is a good option for a quick start (which is what many lack right now), with the possibility of adapting it deeply to your needs as you roll it out.

A short note: VPN Load Balancing is not failover and not clustering in the native sense of those features. This technology can combine completely different ASA models (with some restrictions) into a cluster that load-balances Remote-Access VPN connections. There is no synchronization of sessions or configuration between the nodes of such a cluster, but it does provide automatic load balancing of VPN connections and fault tolerance for them as long as at least one node in the cluster remains active. The load is balanced across the cluster automatically, according to how loaded each node is in terms of the number of VPN sessions.

For fault tolerance of individual cluster nodes (if required) you can use failover pairs, in which case the active connection is processed by the primary node of the pair. Failover is not a prerequisite for fault tolerance inside the Load-Balancing cluster: if a node fails, the cluster itself moves the user to another live node, but without preserving connection state, which is exactly what failover provides. The two technologies can therefore be combined when needed.

A VPN Load-Balancing cluster can contain more than two nodes.

VPN Load Balancing is supported on the ASA 5512-X and higher.

Since each ASA within the VPN Load-Balancing cluster is an independent unit in terms of configuration, we perform all configuration steps on each device individually.

Details of the technology are here.

The logical topology for the example:


Let's start the deployment:

  1. Deploy the required number of ASAv instances from the image (ASAv5/10/30/50).

  2. Assign the INSIDE/OUTSIDE interfaces to the same VLANs (Outside in its own VLAN, Inside in its own, shared across the cluster; see the topology). It is important that interfaces of the same type sit in the same L2 segment.

  3. Licensing:

    • Right after installation the ASAv has no licenses at all and is throttled to 100 kbit/s.
    • To install a license you must generate a token in your Smart Account: https://software.cisco.com/ -> Smart Software Licensing
    • In the window that opens, press the New Token button


    • Make sure the field in the window that opens is active and that the checkbox "Allow export-controlled functionality..." is ticked. Without this field active you will not be able to use strong encryption, and therefore VPN. If the field is not active, ask your account team to request activation.


    • After pressing Create Token a token is created; copy it, we will use it to license the ASAv.


    • Repeat the three preceding steps (New Token, export-control checkbox, Create Token) for each deployed ASAv.
    • To make pasting the token easier, temporarily enable telnet. Configure each ASA (the example below is shown for ASA-1). Telnet is cleartext, so allow it only from the trusted inside segment and remove the telnet line once SSH is configured below. Telnet from outside does not work; if you really need it, change the security-level of outside to 100 and then change it back.

    !
    ciscoasa(config)# int gi0/0
    ciscoasa(config)# nameif outside
    ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# int gi0/1
    ciscoasa(config)# nameif inside
    ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# telnet 0 0 inside
    ciscoasa(config)# username admin password cisco priv 15
    ciscoasa(config)# ena password cisco
    ciscoasa(config)# aaa authentication telnet console LOCAL
    !
    ciscoasa(config)# route outside 0 0 192.168.31.1
    !
    ciscoasa(config)# wr
    !

    • To register the token with the Smart Account cloud you must give the ASA Internet access; details here.

    In short, the ASA needs:

    • Internet access over HTTPS;
    • time synchronization (preferably via NTP);
    • a configured DNS server.
    • Connect to the ASA via telnet and make the settings needed to activate the license through the Smart Account.

    !
    ciscoasa(config)# clock set 19:21:00 Mar 18 2020
    ciscoasa(config)# clock timezone MSK 3
    ciscoasa(config)# ntp server 192.168.99.136
    !
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config)# dns server-group DefaultDNS
    ciscoasa(config-dns-server-group)# name-server 192.168.99.132
    !
    ! Check that DNS resolution works:
    !
    ciscoasa(config-dns-server-group)# ping ya.ru
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
    !!!!!
    !
    ! Check NTP synchronization:
    !
    ciscoasa(config)# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
    *~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    !
    ! Set the Smart Licensing configuration of our ASAv (according to your profile; in my case 100M, as an example)
    !
    ciscoasa(config)# license smart
    ciscoasa(config-smart-lic)# feature tier standard
    ciscoasa(config-smart-lic)# throughput level 100M
    !
    ! If needed, Internet access through a proxy can be configured with the following block of commands:
    !call-home
    !  http-proxy ip_address port port
    !
    ! Next we paste the token copied from the Smart Account portal (<token>) and register the license
    !
    ciscoasa(config)# end
    ciscoasa# license smart register idtoken <token>

    • Check that the device has successfully received the license and that the encryption options are available:


  4. Basic SSL-VPN setup on each gateway

    • Next, configure access via SSH and ASDM:

    ciscoasa(config)# ssh ver 2
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# aaa authentication http console LOCAL
    ciscoasa(config)# hostname vpn-demo-1
    vpn-demo-1(config)# domain-name ashes.cc
    vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096
    vpn-demo-1(config)# ssh 0 0 inside
    vpn-demo-1(config)# http 0 0 inside
    !
    ! Start the HTTPS server for ASDM on port 445 so that it does not clash with the SSL-VPN portal on 443
    !
    vpn-demo-1(config)# http server enable 445
    !

    • For ASDM to work, first download it from cisco.com; in my case the following file:


    • For the AnyConnect client to work, you must upload to each ASA the client image for the desktop OS in use (Linux/Windows/macOS are offered); the file you need is the Headend Deployment Package in the list:


    • The downloaded files can be placed, for example, on an FTP server and copied from there to each ASA;


    • Configure ASDM and a self-signed certificate for SSL-VPN (in production a certificate from a trusted CA is recommended). The FQDN configured for the cluster virtual address (vpn-demo.ashes.cc), as well as the individual FQDN of each node, must resolve in the external DNS zone to the IP address of that node's outside interface (or to the translated address, if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). With FQDN redirection the client validates the certificate against the FQDN of the node it is redirected to, so the certificate must cover every node name as well as the cluster name. The certificate requirements are specified in the certificate verification section of the documentation.

    !
    vpn-demo-1(config)# crypto ca trustpoint SELF
    vpn-demo-1(config-ca-trustpoint)# enrollment self
    vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
    vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
    vpn-demo-1(config-ca-trustpoint)# serial-number             
    vpn-demo-1(config-ca-trustpoint)# crl configure
    vpn-demo-1(config-ca-crl)# cry ca enroll SELF
    % The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
    Generate Self-Signed Certificate? [yes/no]: yes
    vpn-demo-1(config)# 
    !
    vpn-demo-1(config)# sh cry ca certificates 
    Certificate
    Status: Available
    Certificate Serial Number: 4d43725e
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA256 with RSA Encryption
    Issuer Name: 
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Validity Date: 
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
    Storage: config
    Associated Trustpoints: SELF 
    
    CA Certificate
    Status: Available
    Certificate Serial Number: 0509
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Subject Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Validity Date: 
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
    Storage: config
    Associated Trustpoints: _SmartCallHome_ServerCA               
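    The certificate above carries cn=*.ashes.cc, and with FQDN redirection every node's name gets validated by the client, so it is worth checking the name coverage before clients are pointed at the cluster. The following script is an added example (not part of the original article, stdlib only) that checks whether a certificate's CN/SAN covers the cluster FQDN plus each node FQDN, with the wildcard rules of RFC 6125. The node FQDNs vpn-demo-1.ashes.cc and vpn-demo-2.ashes.cc are assumptions; the article only names the cluster FQDN.

```python
# Added example (not from the article): check that the SSL-VPN certificate's
# names cover every hostname an AnyConnect client will validate. With
# redirect-fqdn enabled the client validates the certificate first against the
# cluster FQDN and then against the FQDN of the node it is redirected to, so a
# name missing for one node breaks only the sessions sent to that node.
# Stdlib only. The per-node FQDNs below are assumptions, not from the article.


def wildcard_match(pattern: str, hostname: str) -> bool:
    """RFC 6125 style matching: '*' is allowed only as the whole leftmost
    label, matches exactly one label, and '*.cc'-style wildcards are rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def uncovered_names(required, subject_cn, san_dns_names, strict=True):
    """Return the required hostnames that the certificate does not cover.

    strict=True follows RFC 6125 section 6.4.4: when the certificate carries
    SAN dNSName entries the CN is ignored, so every name must be in the SAN.
    strict=False also accepts the CN, as lenient validators do."""
    if san_dns_names and strict:
        names = list(san_dns_names)
    else:
        names = list(san_dns_names) + [subject_cn]
    return [h for h in required
            if not any(wildcard_match(p, h) for p in names)]


# Names the clients will see in this lab: the cluster FQDN from the article
# plus one assumed FQDN per node.
REQUIRED = ["vpn-demo.ashes.cc", "vpn-demo-1.ashes.cc", "vpn-demo-2.ashes.cc"]

if __name__ == "__main__":
    # Case 1: the article's self-signed certificate, cn=*.ashes.cc, no SAN.
    print(uncovered_names(REQUIRED, "*.ashes.cc", []))                      # []
    # Case 2: a CA-issued certificate whose SAN lists only the cluster FQDN;
    # a strict validator ignores the wildcard CN and both node names fail.
    print(uncovered_names(REQUIRED, "*.ashes.cc", ["vpn-demo.ashes.cc"]))   # the two node names
    # Case 3: a node placed in a sub-zone is not matched by a one-label wildcard.
    print(uncovered_names(["vpn-demo-3.lab.ashes.cc"], "*.ashes.cc", []))   # ['vpn-demo-3.lab.ashes.cc']
```

    The practical consequence: when you replace the self-signed certificate with a CA-issued one, either request a wildcard for the zone or list the cluster FQDN and every node FQDN as SAN entries, and install the same certificate on every node.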

    • Check that ASDM works; do not forget to specify the port, for example:


    • Now the basic tunnel settings:
    • We make the corporate network reachable through the tunnel and let the host reach the Internet directly (split tunneling). This is not the most secure option unless the connecting host is itself protected: an infected host can be used to get into the corporate network and to exfiltrate corporate data. A tunnel-all policy would send all of the host's traffic into the tunnel; split tunneling, on the other hand, offloads the VPN gateway, which then does not have to process the host's Internet traffic.
    • Hosts in the tunnel receive addresses from the subnet 192.168.20.0/24 (a pool of addresses .10 to .30 for node #1). Each node in the cluster must have its own VPN pool.
    • For basic authentication we use a local user created on the ASA (this is not recommended, it is simply the quickest method); it is better to authenticate via LDAP/RADIUS, or better still with multi-factor authentication (MFA), for example Cisco DUO.

    !
    vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
    !
    vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
    !
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
    vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client 
    vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
    vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
    vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
    vpn-demo-1(config-group-policy)# default-domain value ashes.cc
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)#  default-group-policy SSL-VPN-GROUP-POLICY
    vpn-demo-1(config-tunnel-general)#  address-pool vpn-pool
    !
    vpn-demo-1(config)# username dkazakov password cisco
    vpn-demo-1(config)# username dkazakov attributes
    vpn-demo-1(config-username)# service-type remote-access
    !
    vpn-demo-1(config)# ssl trust-point SELF
    vpn-demo-1(config)# webvpn
    vpn-demo-1(config-webvpn)#  enable outside
    vpn-demo-1(config-webvpn)#  anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
    vpn-demo-1(config-webvpn)#  anyconnect enable
    !

    • (optional): In the example above we authenticated remote users against local users on the firewall, which is of little use outside a lab. Here is an example of how to quickly switch authentication to a RADIUS server, for instance Cisco Identity Services Engine:

    vpn-demo-1(config)# aaa-server RADIUS protocol radius
    vpn-demo-1(config-aaa-server-group)# dynamic-authorization
    vpn-demo-1(config-aaa-server-group)# interim-accounting-update
    vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
    vpn-demo-1(config-aaa-server-host)# key cisco
    vpn-demo-1(config-aaa-server-host)# exit
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# authentication-server-group  RADIUS
    !

    This integration makes it possible not only to quickly tie the authentication procedure to the directory service, but also to tell whether the connecting computer is joined to AD (that is, whether the device is corporate or personal) and to assess the posture of the connecting device.


    • Configure a NAT exemption (identity NAT) so that traffic between the clients and the resources of the corporate network is not translated:

    vpn-demo-1(config)# object network vpn-users
    vpn-demo-1(config-network-object)#  subnet 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp

    • (optional): To let our clients out to the Internet through the ASA (when a tunnel-all policy is used) with PAT, and through the same outside interface they connect to, make the following settings:

    vpn-demo-1(config)# nat (outside,outside) source dynamic vpn-users interface
    vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
    vpn-demo-1(config)# same-security-traffic permit intra-interface
    !

    • When using a cluster it is very important to understand how the ASA will route traffic from the internal network back to the VPN users: since a user may land on any node and each node has its own pool, the /32 routes for the addresses issued to clients have to be redistributed into the internal network by the node that terminates them.
      At this point the cluster is not configured yet, but we already have working VPN gateways to which you can connect individually by FQDN or IP.


    We see the connected client in the routing table of the first ASA:


    So that our whole VPN cluster and the whole corporate network know the route to our client, we have to redistribute the client prefix into a dynamic routing protocol, for example OSPF:

    !
    ! The access-list below is not shown in the original article; it is assumed to select the VPN pool prefixes.
    !
    vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
    vpn-demo-1(config-route-map)#  match ip address VPN-REDISTRIBUTE
    !
    vpn-demo-1(config)# router ospf 1
    vpn-demo-1(config-router)#  network 192.168.255.0 255.255.255.0 area 0
    vpn-demo-1(config-router)#  log-adj-changes
    vpn-demo-1(config-router)#  redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE

    Now we have a route to the client from the second gateway, ASA-2, and users connected to different VPN gateways within the cluster can communicate directly, for example over a corporate softphone, because traffic to the resources a user requests arrives at the right VPN gateway:


  5. Let's move on to bringing up the Load-Balancing cluster.

    The virtual IP address 192.168.31.40 (VIP) will be used: all VPN clients connect to it initially, and from this address the cluster master redirects them to the least-loaded cluster node. Do not forget to register forward and reverse DNS records both for the external address/FQDN of each cluster node and for the VIP.

    !
    ! The priority must differ between nodes; the node with the highest priority becomes the cluster master.
    ! The cluster key is a shared secret common to all nodes; outside a lab use a long random value, not "cisco".
    ! 9023 is the default cluster UDP port; it only needs changing if something else uses it.
    !
    vpn-demo-1(config)# vpn load-balancing
    vpn-demo-1(config-load-balancing)# interface lbpublic outside
    vpn-demo-1(config-load-balancing)# interface lbprivate inside
    vpn-demo-1(config-load-balancing)# priority 10
    vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
    vpn-demo-1(config-load-balancing)# redirect-fqdn enable
    vpn-demo-1(config-load-balancing)# cluster key cisco
    vpn-demo-1(config-load-balancing)# cluster encryption
    vpn-demo-1(config-load-balancing)# cluster port 9023
    vpn-demo-1(config-load-balancing)# participate
    vpn-demo-1(config-load-balancing)#
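    Since every node is configured by hand and the only per-node differences are the hostname, the outside address, the address pool and the priority, mistakes creep in exactly there (two nodes handing out the same pool, a VIP outside the shared outside subnet, two nodes with the same priority). The script below is an added example, not code from the article, that renders the per-node fragment of the configuration and checks those invariants first. Node 1 uses the article's addresses; the hostname, outside address and pool of node 2 are assumptions. Stdlib only.

```python
# Added example (not from the article): render the per-node part of the
# VPN load-balancing configuration and check the invariants the article relies
# on before anything is pasted into an ASA: one address pool per node with no
# overlap, the VIP and every outside address inside one shared outside subnet,
# distinct cluster priorities. Node 1 is the article's; node 2 is assumed.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    hostname: str
    outside_ip: str
    pool_first: str
    pool_last: str
    priority: int


OUTSIDE_NET = "192.168.31.0/24"
VIP = "192.168.31.40"
POOL_MASK = "255.255.255.0"
NODES = [
    Node("vpn-demo-1", "192.168.31.30", "192.168.20.10", "192.168.20.30", 10),
    Node("vpn-demo-2", "192.168.31.31", "192.168.20.40", "192.168.20.60", 5),  # assumed
]


def pool_bounds(node):
    """Pool as a pair of integers so ranges can be compared."""
    return (int(ipaddress.ip_address(node.pool_first)),
            int(ipaddress.ip_address(node.pool_last)))


def validate(nodes, vip=VIP, outside_net=OUTSIDE_NET):
    """Return a list of problems; an empty list means the plan is consistent."""
    vip = ipaddress.ip_address(vip)
    outside_net = ipaddress.ip_network(outside_net)
    problems = []
    if vip not in outside_net:
        problems.append(f"VIP {vip} is outside {outside_net}")
    for n in nodes:
        addr = ipaddress.ip_address(n.outside_ip)
        if addr not in outside_net:
            problems.append(f"{n.hostname}: outside address {addr} not in {outside_net}")
        if addr == vip:
            problems.append(f"{n.hostname}: outside address collides with the VIP")
        lo, hi = pool_bounds(n)
        if lo > hi:
            problems.append(f"{n.hostname}: pool range is reversed")
    # Pools must not overlap: an address handed out by two nodes would turn
    # into conflicting /32 routes once redistributed into OSPF.
    ordered = sorted((pool_bounds(n), n.hostname) for n in nodes)
    for (a, name_a), (b, name_b) in zip(ordered, ordered[1:]):
        if b[0] <= a[1]:
            problems.append(f"address pools of {name_a} and {name_b} overlap")
    priorities = [n.priority for n in nodes]
    if len(set(priorities)) != len(priorities):
        problems.append("cluster priorities are not distinct; master election is not deterministic")
    return problems


def render(node, vip=VIP, cluster_key="cisco"):
    """Per-node CLI fragment: pool and load-balancing section. The rest of the
    article's configuration is identical on every node."""
    lines = [
        f"hostname {node.hostname}",
        f"ip local pool vpn-pool {node.pool_first}-{node.pool_last} mask {POOL_MASK}",
        "!",
        "vpn load-balancing",
        " interface lbpublic outside",
        " interface lbprivate inside",
        f" priority {node.priority}",
        f" cluster ip address {vip}",
        " redirect-fqdn enable",
        f" cluster key {cluster_key}",
        " cluster encryption",
        " cluster port 9023",
        " participate",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in validate(NODES):
        print("PROBLEM:", problem)
    for node in NODES:
        print(render(node))
        print("!")
```

    Run it with a real cluster key instead of the default "cisco" and paste each rendered fragment into the matching node after the common configuration; the checks are cheap, and an overlapping pool is otherwise only noticed when two clients fight over a /32 route.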

    • Check the operation of the cluster with two clients connected:


    • Let's make the user experience more convenient with an AnyConnect profile, created via ASDM, that the client downloads automatically.


    Give the profile a convenient name and associate our group policy with it:


    On the next client connection this profile is automatically downloaded and installed in the AnyConnect client, so to connect the user only has to pick it from the list:


    Since we created this profile via ASDM on only one ASA, do not forget to repeat the steps on the remaining ASAs in the cluster.

In conclusion: we have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy, which makes horizontal scaling simple, whether by deploying new ASAv virtual machines or by using hardware ASAs. The feature-rich AnyConnect client can significantly extend your secure remote access capabilities (posture assessment), and it is used most effectively together with centralized access control and accounting in Identity Services Engine.

Source: www.habr.com