In this article I want to give step-by-step instructions on how to quickly deploy what is currently the most scalable scheme: Remote Access VPN based on AnyConnect and Cisco ASA - VPN Load Balancing Cluster.
Introduction: Many companies around the world, because of the current situation with COVID-19, are making every effort to move their employees to remote work. With the mass transition to remote work, the load on companies' existing VPN gateways grows many times over and they need to be scaled very quickly. On the other hand, many companies are forced to hastily master the concept of remote work from scratch.
I have prepared step-by-step instructions for a simple option for deploying a VPN Load-Balancing cluster as the most scalable VPN technology.
The example below is very simple in terms of the authentication and authorization algorithms used, but it is a good option for a quick start (which most people currently lack) with the possibility of deep adaptation to your needs during deployment.
Brief information: VPN Load Balancing Cluster technology is not failover or clustering in the native sense; it lets you combine completely different ASA models (with some restrictions) to balance the load of Remote-Access VPN connections. There is no synchronization of sessions or configurations between the nodes of such a cluster, but it automatically balances VPN connections across nodes and keeps VPN connectivity available as long as at least one active node remains in the cluster. The load in the cluster is balanced automatically according to the workload of the nodes, measured by the number of VPN sessions.
For fault tolerance of individual cluster nodes (if required), failover can be used, in which case the active connection is processed by the Primary node of the failover pair. Failover is not required to ensure fault tolerance within the Load-Balancing cluster: if a node fails, the cluster itself moves the user session to another live node, but without preserving the connection state, which is exactly what failover provides. Accordingly, the two technologies can be combined when needed.
A VPN Load-Balancing cluster can contain more than two nodes.
The VPN Load-Balancing cluster is supported on the ASA 5512-X and higher.
Since each ASA in a VPN Load-Balancing cluster is an independent unit in terms of configuration, we perform all configuration steps on each device individually.
We deploy ASAv instances of the required models (ASAv5/10/30/50) from the image.
We assign the inside/outside interfaces to the same VLANs (Outside in its own VLAN, Inside in its own, but shared within the cluster, see the topology); it is important that interfaces of the same type be in the same L2 segment.
Licensing:
At the time of installation, the ASAv has no license and is limited to 100 kbit/s.
To install a license you need to generate a token in your Smart-Account: https://software.cisco.com/ -> Smart Software Licensing
In the window that opens, click the New Token button
Make sure that in the window that opens the Allow export-controlled functionality... field is active and the checkbox is checked. Without this field active you will not be able to use strong encryption functions and, accordingly, VPN. If this field is missing, contact your account team with a request to have it activated.
After clicking the Create Token button, a token is created that we will use to obtain a license for the ASAv; copy it:
Steps C, D, E must be repeated for each deployed ASAv.
To make copying the token easier, enable telnet temporarily. Each ASA must be configured (the example below shows the settings on ASA-1). Telnet from outside will not work; if you really need it, change the security-level of outside to 100, and change it back afterwards.
!
ciscoasa(config)# int gi0/0
ciscoasa(config)# nameif outside
ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# int gi0/1
ciscoasa(config)# nameif inside
ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# telnet 0 0 inside
ciscoasa(config)# username admin password cisco priv 15
ciscoasa(config)# ena password cisco
ciscoasa(config)# aaa authentication telnet console LOCAL
!
ciscoasa(config)# route outside 0 0 192.168.31.1
!
ciscoasa(config)# wr
!
To register the token in the Smart-Account cloud, the ASA must be given Internet access; details here.
In short, the ASA requires:
Internet access over HTTPS;
time synchronization (preferably via NTP);
a configured DNS server;
We connect to our ASA via telnet and make the settings needed to activate the license through the Smart-Account.
!
ciscoasa(config)# clock set 19:21:00 Mar 18 2020
ciscoasa(config)# clock timezone MSK 3
ciscoasa(config)# ntp server 192.168.99.136
!
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# DNS server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 192.168.99.132
!
! Check that DNS works:
!
ciscoasa(config-dns-server-group)# ping ya.ru
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
!!!!!
!
! Check NTP synchronization:
!
ciscoasa(config)# show ntp associations
address ref clock st when poll reach delay offset disp
*~192.168.99.136 91.189.94.4 3 63 64 1 36.7 1.85 17.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
!
! Configure our ASAv for Smart-Licensing (according to your profile; in my case 100M as an example)
!
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level 100M
!
! If necessary, Internet access through a proxy can be configured with the following block of commands:
!call-home
! http-proxy ip_address port port
!
! Next, paste the token (<token>) copied from the Smart-Account portal and register the license
!
ciscoasa(config)# end
ciscoasa# license smart register idtoken <token>
Check that the device has registered successfully, is licensed and has the strong encryption options available:
Basic SSL-VPN configuration on each gateway
Next, configure access via SSH and ASDM:
ciscoasa(config)# ssh ver 2
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# hostname vpn-demo-1
vpn-demo-1(config)# domain-name ashes.cc
vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096
vpn-demo-1(config)# ssh 0 0 inside
vpn-demo-1(config)# http 0 0 inside
!
! Start the HTTPS server for ASDM on port 445 so that it does not conflict with the SSL-VPN portal
!
vpn-demo-1(config)# http server enable 445
!
For ASDM to work, you must first download it from cisco.com; in my case it is the following file:
For the AnyConnect client to work, you need to download to each ASA an image for each client desktop OS that will be used (Linux/Windows/MAC are planned); you need the file with Headend Deployment Package in its title:
The downloaded files can be uploaded, for example, to an FTP server and then deployed to each ASA individually:
We configure ASDM and a Self-Signed Certificate for SSL-VPN (a trusted certificate is recommended for production). The specified FQDN of the cluster Virtual Address (vpn-demo.ashes.cc), as well as each FQDN bound to the external address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Detailed certificate requirements are given in the Certificate Requirements section of the documentation.
!
vpn-demo-1(config)# crypto ca trustpoint SELF
vpn-demo-1(config-ca-trustpoint)# enrollment self
vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
vpn-demo-1(config-ca-trustpoint)# serial-number
vpn-demo-1(config-ca-trustpoint)# crl configure
vpn-demo-1(config-ca-crl)# cry ca enroll SELF
% The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
Generate Self-Signed Certificate? [yes/no]: yes
vpn-demo-1(config)#
!
vpn-demo-1(config)# sh cry ca certificates
Certificate
Status: Available
Certificate Serial Number: 4d43725e
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Subject Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Validity Date:
start date: 00:16:17 MSK Mar 19 2020
end date: 00:16:17 MSK Mar 17 2030
Storage: config
Associated Trustpoints: SELF
CA Certificate
Status: Available
Certificate Serial Number: 0509
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Subject Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Validity Date:
start date: 21:27:00 MSK Nov 24 2006
end date: 21:23:33 MSK Nov 24 2031
Storage: config
Associated Trustpoints: _SmartCallHome_ServerCA
To check that ASDM works, don't forget to specify the port, for example:
Let's make the basic tunnel settings:
We make the corporate network reachable inside the tunnel and connect the Internet directly (not the most secure method in the absence of security measures on the connecting host: a virus could get in through the connecting host and leak corporate data; the split-tunnel-policy tunnelall option sends all of the host's traffic into the tunnel. However, Split-Tunnel relieves the VPN gateway of having to handle the host's Internet traffic)
We issue hosts in the tunnel addresses from the subnet 192.168.20.0/24 (a pool of addresses 10 to 30 (for node #1)). Each cluster node must have its own VPN pool.
We do basic authentication with a user created locally on the ASA (not recommended, this is the simplest method); it is better to authenticate via LDAP/RADIUS, or better still, to add Multi-Factor Authentication (MFA), for example Cisco DUO.
(OPTIONAL): In the example above we used a local user on the firewall to authenticate remote users, which is of little use outside the lab. I will give an example of quickly adapting the setup to authenticate against a RADIUS server, using Cisco Identity Services Engine as an example:
This integration makes it possible not only to quickly integrate the authentication process with the AD directory service, but also to distinguish whether the connecting computer belongs to AD, to tell whether it is a corporate or a personal device, and to assess the state of the connecting device.
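The basic tunnel settings and the optional RADIUS variant described above, as an added per-node CLI example for node #1 (this is not the article's own configuration, which it shows only as ASDM screenshots). The names GP-VPN-DEMO, TG-VPN-DEMO, VPN-POOL-1, the ISE address 192.168.99.150 and every PLACEHOLDER value are assumptions; the pool, DNS server, domain and SELF trustpoint come from the article.

```cisco
! Added example (not the article's own config): per-node AnyConnect
! SSL-VPN configuration for node #1. GP-VPN-DEMO, TG-VPN-DEMO, VPN-POOL-1,
! the ISE address 192.168.99.150 and every PLACEHOLDER value are assumed.
!
! Address pool for node #1 (each cluster node needs its own pool)
ip local pool VPN-POOL-1 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
! Present the SELF certificate on outside and enable AnyConnect there;
! one image per client OS (file names are placeholders)
ssl trust-point SELF outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-PLACEHOLDER-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-linux64-PLACEHOLDER-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-macos-PLACEHOLDER-webdeploy-k9.pkg 3
 anyconnect enable
 tunnel-group-list enable
!
! Group policy: full tunnel (tunnelall), SSL/DTLS client only
group-policy GP-VPN-DEMO internal
group-policy GP-VPN-DEMO attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 dns-server value 192.168.99.132
 default-domain value ashes.cc
!
! Connection profile bound to the pool and the group policy
tunnel-group TG-VPN-DEMO type remote-access
tunnel-group TG-VPN-DEMO general-attributes
 address-pool VPN-POOL-1
 default-group-policy GP-VPN-DEMO
tunnel-group TG-VPN-DEMO webvpn-attributes
 group-alias VPN-DEMO enable
!
! Lab-only local user (the article itself advises against this in production)
username vpnuser password PLACEHOLDER
username vpnuser attributes
 service-type remote-access
!
! OPTIONAL: authenticate against ISE over RADIUS, LOCAL as fallback
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.99.150
 key PLACEHOLDER-SHARED-SECRET
tunnel-group TG-VPN-DEMO general-attributes
 authentication-server-group ISE LOCAL
```

On node #2 only the pool range (and, if you wish, the local user) changes; the group policy and tunnel-group names must match on every node so that a redirected client lands in the same profile.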
Configure Transparent NAT so that traffic between the client and the corporate network's resources is not translated:
vpn-demo-1(config)# object network vpn-users
vpn-demo-1(config-network-object)# subnet 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp
(OPTIONAL): To let our clients out to the Internet through the ASA (when the tunnelall option is used) using PAT, leaving through the same OUTSIDE interface they connected on, you need to make the following settings
When using a cluster it is very important for the internal network to know through which ASA to route traffic to the users; for this the /32 routes of the addresses issued to clients must be redistributed.
At this point we have not yet configured the cluster, but we already have working VPN gateways that can be connected to individually by FQDN or IP.
We see the connected client in the routing table of the first ASA:
So that our whole VPN cluster and the whole corporate network know the route to our client, we redistribute the client's prefix into a dynamic routing protocol, for example OSPF:
Now we have a route to the client from the second gateway ASA-2, and users connected to different VPN gateways in the cluster can, for example, talk to each other directly via the corporate softphone, just as return traffic from the resources a user requests arrives at the right VPN gateway:
Let's move on to setting up the Load-Balancing cluster.
The address 192.168.31.40 will be used as the Virtual IP (VIP, the address all VPN clients initially connect to); from this address the Cluster Master REDIRECTS the client to a less loaded cluster node. Don't forget to register forward and reverse DNS records for each external address/FQDN of each cluster node, as well as for the VIP.
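The OSPF redistribution of the client /32 routes and the Load-Balancing cluster membership just described, as one added per-node CLI example for ASA-1 (not the article's own configuration, which it shows only as screenshots). OSPF process 1 / area 0, priority 10, the PLACEHOLDER key and the assumption that the AnyConnect host routes are picked up by redistribute static (the ASA installs them as static routes) are mine; the interfaces, VIP and DNS requirement come from the article.

```cisco
! Added example (not the article's own config): per-node routing and
! cluster membership for ASA-1 (outside 192.168.31.30, inside 192.168.255.2).
! Assumed: OSPF process 1 / area 0, priority 10, PLACEHOLDER key, and that
! "redistribute static" carries the AnyConnect client /32 host routes.
!
! 1. Advertise the client /32 routes to the corporate network via OSPF
router ospf 1
 network 192.168.255.0 255.255.255.0 area 0
 redistribute static subnets
!
! 2. Encrypted cluster protocol needs IKEv1 on the lbprivate interface
crypto ikev1 enable inside
!
! 3. VPN Load-Balancing cluster membership. Repeat on every node with the
!    same VIP, port and key; only "priority" may differ per node.
!    redirect-fqdn makes the master redirect clients to the node's FQDN
!    (matching its certificate), so every node needs the DNS records above.
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 cluster ip address 192.168.31.40
 cluster port 9023
 cluster key PLACEHOLDER-CLUSTER-KEY
 cluster encryption
 redirect-fqdn enable
 priority 10
 participate
!
! Verify on any node: current master, the VIP and per-node session load
show vpn load-balancing
```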
Check the operation of the cluster with two connected clients:
Let's make the client experience more convenient by automatically downloading an AnyConnect profile, via ASDM.
We name the profile conveniently and bind our group policy to it:
On the client's next connection, this profile is downloaded automatically and installed into the AnyConnect client, so when you want to connect you just select it from the list:
Since we created this profile via ASDM on only one ASA, don't forget to repeat the steps on the remaining ASAs in the cluster.
Conclusion: So, we have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy, and simple horizontal scaling is achieved by deploying new ASAv virtual machines or by using hardware ASAs. The feature-rich AnyConnect client can significantly extend your secure remote access capabilities by using Posture (state assessment), and it is most effective in combination with the Identity Services Engine access control and accounting system.