Deploying an ASA VPN Load-Balancing Cluster

In this article I want to give step-by-step instructions for quickly deploying what is today the most scalable Remote Access VPN design built on AnyConnect and Cisco ASA: the VPN Load Balancing Cluster.

Introduction: Because of the current situation with COVID-19, many companies around the world are doing everything they can to move their employees to remote work. With this mass move, the load on companies' existing VPN gateways is growing critically, and they need to be able to scale them very quickly. At the same time, many companies are having to master the concept of remote work from scratch, in a hurry.

To help businesses quickly roll out convenient, secure and scalable VPN access for their employees, Cisco is providing 13-week licenses for the feature-rich AnyConnect SSL-VPN client. You can also obtain an ASAv for testing (the virtual ASA for VMware/Hyper-V/KVM hypervisors and for the AWS/Azure cloud platforms) from authorized partners or by contacting the Cisco representatives who work with you.

The procedure for obtaining the AnyConnect COVID-19 licenses is described in Cisco's announcement (linked from the original article).

I have prepared step-by-step instructions for a simple way of deploying a VPN Load-Balancing cluster, the most scalable VPN technology available here.

The example below is very simple in terms of the authentication and authorization mechanisms used, but it is a good option for a quick start (which is exactly what most people lack right now), and it can be adapted in depth to your needs as the deployment progresses.

Brief background: the VPN Load Balancing Cluster is neither failover nor ASA clustering in the usual sense of those terms. It can combine quite different ASA models (with some restrictions) to balance Remote Access VPN connections between them. Sessions and configurations are not synchronized between the nodes of such a cluster, but it does balance incoming VPN connections automatically and keeps VPN access available as long as at least one active node remains in the cluster. The load is balanced automatically according to how busy each node is, measured by its number of VPN sessions.

For fault tolerance of individual cluster nodes (if required) you can use failover, so that active connections are handled by the Primary unit of a failover pair. Failover is not a prerequisite for fault tolerance in a Load-Balancing cluster: when a node fails, the cluster itself moves user sessions to another live node, but without preserving connection state, which is exactly what failover provides. The two technologies can therefore be combined if necessary.

A VPN Load-Balancing cluster may contain more than two nodes.

The VPN Load-Balancing cluster is supported on the ASA 5512-X and higher (this example uses ASAv, which supports it too).

Since every ASA in a VPN Load-Balancing cluster is an independent unit as far as its configuration is concerned, we will perform all the configuration steps on each device individually.

Details of the technology are in the ASA VPN configuration guide (linked from the original article).

The logical topology of the example (the figure is in the original article): two or more ASA nodes whose outside interfaces share one VLAN (192.168.31.0/24, where the cluster VIP 192.168.31.40 also lives) and whose inside interfaces share another (192.168.255.0/24, where OSPF runs towards the corporate network).

Initial deployment:

  1. Deploy ASAv instances of the required models (ASAv5/10/30/50) from the image.

  2. Assign the inside/outside interfaces to the matching VLANs (outside in its own VLAN, inside in its own, each VLAN shared by all cluster nodes; see the topology). It is important that interfaces of the same type are in the same L2 segment, because the load-balancing messages on the private interface and the virtual address on the public interface are only valid within a single subnet.

  3. Licensing:

    • After installation the ASAv has no license and is rate-limited to 100 kbit/s.
    • To install a license, generate a token in your Smart Account: https://software.cisco.com/ -> Smart Software Licensing
    • In the window that opens, click the New Token button.


    • Make sure that in the window that opens the field is active and the checkbox "Allow export-controlled functionality..." is ticked. If this field is not active you will not be able to use strong encryption, and therefore VPN. If the field is missing altogether, contact your account team and ask for it to be enabled.


    • After clicking the Create Token button, a token is created that we will use to license the ASAv; copy it.


    • Steps C, D, E (the token steps above) must be repeated for every ASAv deployed.
    • To make pasting the token easier, enable telnet temporarily. Configure each ASA (the example below shows the settings on ASA-1). Telnet is a cleartext protocol, so it is only allowed from the inside network here and should be removed (no telnet 0 0 inside) as soon as SSH is configured in step 4. Telnet from outside will not work; if you really need it, change the security-level of outside to 100 and then change it back.

    !
    ! Interfaces on ASA-1: outside 192.168.31.30/24, inside 192.168.255.2/24
    !
    ciscoasa(config)# int gi0/0
    ciscoasa(config-if)# nameif outside
    ciscoasa(config-if)# ip address 192.168.31.30 255.255.255.0
    ciscoasa(config-if)# no shut
    !
    ciscoasa(config)# int gi0/1
    ciscoasa(config-if)# nameif inside
    ciscoasa(config-if)# ip address 192.168.255.2 255.255.255.0
    ciscoasa(config-if)# no shut
    !
    ! Temporary cleartext management access from the whole inside network;
    ! the lab credentials below must be replaced before production use
    ciscoasa(config)# telnet 0 0 inside
    ciscoasa(config)# username admin password cisco priv 15
    ciscoasa(config)# ena password cisco
    ciscoasa(config)# aaa authentication telnet console LOCAL
    !
    ! Default route towards the Internet via the outside gateway
    ciscoasa(config)# route outside 0 0 192.168.31.1
    !
    ciscoasa(config)# wr
    !

    • To register the token with the Smart Account cloud, the ASA needs Internet access; the details are in the Smart Licensing documentation (linked from the original article).

    In short, the ASA needs:

    • Internet access over HTTPS;
    • time synchronization (preferably via NTP; certificate validation against Cisco's servers fails with a wrong clock);
    • a configured DNS server.
    • Connect to the ASA over the console cable and configure the settings needed to activate the license via the Smart Account.

    !
    ! Time: set the clock manually first, then let NTP keep it in sync
    ciscoasa(config)# clock set 19:21:00 Mar 18 2020
    ciscoasa(config)# clock timezone MSK 3
    ciscoasa(config)# ntp server 192.168.99.136
    !
    ! DNS: lookups go out via the outside interface
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config)# DNS server-group DefaultDNS
    ciscoasa(config-dns-server-group)# name-server 192.168.99.132 
    !
    ! Check that DNS works:
    !
    ciscoasa(config-dns-server-group)# ping ya.ru
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
    !!!!!
    !
    ! Check NTP synchronization (the "*" marks the peer we are synced to):
    !
    ciscoasa(config)# show ntp associations 
      address         ref clock     st  when  poll reach  delay  offset    disp
    *~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    !
    ! Smart Licensing settings for our ASAv (according to your entitlement; 100M in my case, as an example)
    !
    ciscoasa(config)# license smart
    ciscoasa(config-smart-lic)# feature tier standard
    ciscoasa(config-smart-lic)# throughput level 100M
    !
    ! If Internet access goes through a proxy, use the following block of commands:
    !call-home
    !  http-proxy ip_address port port
    !
    ! Then paste the token copied from the Smart Account portal (<token>) and register the license
    !
    ciscoasa(config)# end
    ciscoasa# license smart register idtoken <token>

    • Check that the device has registered successfully, that the license is installed and that the strong encryption options are available (for example with show license all and the Encryption-3DES-AES line of show version).


  4. Basic SSL-VPN configuration on each gateway

    • Next, configure access via SSH and ASDM:

    ! SSH version 2 only; local authentication for SSH and for ASDM (HTTPS)
    ciscoasa(config)# ssh ver 2
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# aaa authentication http console LOCAL
    ! hostname and domain-name must be set before the RSA key pair is generated
    ciscoasa(config)# hostname vpn-demo-1
    vpn-demo-1(config)# domain-name ashes.cc
    vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096 
    ! management is allowed from the whole inside network here; restrict it to the
    ! management subnet in production
    vpn-demo-1(config)# ssh 0 0 inside  
    vpn-demo-1(config)# http 0 0 inside
    !
    ! Run the HTTPS server for ASDM on port 445 so that it does not collide with the SSL-VPN portal on 443
    ! (any free port works; note that 445 is also the SMB port and is filtered on many networks, 8443 is a common alternative)
    !
    vpn-demo-1(config)# http server enable 445 
    !

    • For ASDM to work you first need to download the ASDM image from cisco.com (the exact build I used is shown in the original article's screenshot).


    • For the AnyConnect client to work, an image for each client desktop OS in use (Linux/Windows/macOS are planned here) must be uploaded to every ASA; you need the file with "Headend Deployment Package" in its title (the webdeploy .pkg, such as anyconnect-win-4.8.03036-webdeploy-k9.pkg used below).


    • The downloaded files can be placed, for example, on an FTP server and then copied to each ASA individually (copy ftp://<server>/<file> disk0:/).


    • We configure ASDM and a self-signed certificate for SSL-VPN (a certificate from a trusted CA is recommended for production). The trustpoint's fqdn (vpn-demo.ashes.cc, the name of the cluster's virtual address) and the wildcard subject-name cn=*.ashes.cc together cover both the VIP name and the individual node names, which matters once the cluster redirects clients to a node by FQDN in step 5. The cluster's Virtual Address FQDN (vpn-demo.ashes.cc), as well as each FQDN bound to the outside address of each cluster node, must resolve in the external DNS zone to the IP address of the outside interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). The detailed certificate requirements are given in the Certificate Requirements section of the documentation.

    !
    vpn-demo-1(config)# crypto ca trustpoint SELF
    vpn-demo-1(config-ca-trustpoint)# enrollment self
    vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
    vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
    vpn-demo-1(config-ca-trustpoint)# serial-number             
    vpn-demo-1(config-ca-trustpoint)# crl configure
    vpn-demo-1(config-ca-crl)# cry ca enroll SELF
    % The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
    Generate Self-Signed Certificate? [yes/no]: yes
    vpn-demo-1(config)# 
    !
    vpn-demo-1(config)# sh cry ca certificates 
    Certificate
    Status: Available
    Certificate Serial Number: 4d43725e
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA256 with RSA Encryption
    Issuer Name: 
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Validity Date: 
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
    Storage: config
    Associated Trustpoints: SELF 
    
    CA Certificate
    Status: Available
    Certificate Serial Number: 0509
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Subject Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Validity Date: 
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
    Storage: config
    Associated Trustpoints: _SmartCallHome_ServerCA               
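Added example (not code from the article and not a Cisco tool): a small Python check that the identity certificate on a node covers every name a client may be sent to. With redirect-fqdn enabled (step 5) the cluster master answers a client with the FQDN of the node it is redirected to, so each node's certificate must be valid for the VIP name vpn-demo.ashes.cc and for that node's own name. The parser reads the "show crypto ca certificates" text shown above (embedded as constructed sample input); the node names vpn-demo-1.ashes.cc and vpn-demo-2.ashes.cc are assumptions, since the article does not list them.

```python
"""Check that a node's TLS certificate covers every cluster name a client may
be redirected to. Added example; not from the article, not a Cisco tool."""

# Constructed sample input: the identity-certificate part of the article's
# `show crypto ca certificates` output, trimmed.
SAMPLE_SHOW_CRYPTO = """\
Certificate
Status: Available
Certificate Serial Number: 4d43725e
Public Key Type: RSA (4096 bits)
Issuer Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Subject Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Validity Date:
start date: 00:16:17 MSK Mar 19 2020
end   date: 00:16:17 MSK Mar 17 2030
Associated Trustpoints: SELF
"""

VIP_FQDN = "vpn-demo.ashes.cc"                               # from the article
NODE_FQDNS = ["vpn-demo-1.ashes.cc", "vpn-demo-2.ashes.cc"]  # assumed node names


def cert_names(show_output):
    """Return the DNS identities from the Subject Name block: the trustpoint
    'fqdn' (printed by the ASA as 'hostname=') and the subject 'cn='.
    The Issuer Name block of a self-signed certificate repeats the same
    values and is deliberately ignored."""
    names, in_subject = [], False
    for line in show_output.splitlines():
        line = line.strip()
        if line.startswith("Subject Name"):
            in_subject = True
            continue
        if in_subject and "=" not in line:   # first non key=value line ends the block
            in_subject = False
        if in_subject:
            key, _, value = line.partition("=")
            if key in ("hostname", "cn"):
                names.append(value.strip().lower())
    return names


def name_matches(pattern, fqdn):
    """RFC 6125-style comparison: '*' is only honoured as the whole leftmost
    label and matches exactly one label, so *.ashes.cc covers
    vpn-demo-2.ashes.cc but neither ashes.cc nor a.b.ashes.cc."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == fqdn
    suffix = pattern[1:]                      # ".ashes.cc"
    if not fqdn.endswith(suffix):
        return False
    leftmost = fqdn[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def uncovered_names(show_output, required):
    """Names in `required` that no identity in the certificate covers."""
    identities = cert_names(show_output)
    return [n for n in required
            if not any(name_matches(p, n) for p in identities)]


if __name__ == "__main__":
    missing = uncovered_names(SAMPLE_SHOW_CRYPTO, [VIP_FQDN] + NODE_FQDNS)
    print("certificate covers all cluster names" if not missing
          else "NOT covered: " + ", ".join(missing))
```

Run it against the output of "show crypto ca certificates" from each node, listing the VIP name plus that node's own FQDN; a node whose certificate lacks its own name will produce certificate warnings in AnyConnect after a redirect even though the VIP name validates.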

    • To check that ASDM works, don't forget to specify the port in the URL, for example https://192.168.255.2:445 for ASA-1.


    • Now the basic tunnel settings:
    • We give access to the corporate network inside the tunnel and let Internet traffic go directly (split tunneling). This is not the safest choice when the connecting host has no security controls of its own: the host can pick up malware and leak corporate data. The option split-tunnel-policy tunnelall instead sends all of the host's traffic into the tunnel. Split tunneling, however, offloads the VPN gateway, which then does not have to carry the hosts' Internet traffic.
    • Hosts in the tunnel get addresses from the 192.168.20.0/24 subnet (a pool of addresses .10 to .30 for node #1). Each cluster node must have its own VPN pool, because the nodes do not share state and would otherwise hand out the same address twice.
    • We do basic authentication with a locally created user on the ASA (this is not recommended; it is just the simplest method). It is better to authenticate via LDAP/RADIUS, or better still to add multi-factor authentication (MFA), for example Cisco DUO.

    !
    ! Address pool for node #1 (each node gets its own, non-overlapping pool)
    vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
    !
    ! Only 192.168.0.0/16 is sent into the tunnel; everything else goes directly to the Internet
    vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
    !
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
    vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client 
    vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
    vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
    vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
    vpn-demo-1(config-group-policy)# default-domain value ashes.cc
    ! The default tunnel group is used, so clients do not have to choose a group
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)#  default-group-policy SSL-VPN-GROUP-POLICY
    vpn-demo-1(config-tunnel-general)#  address-pool vpn-pool
    !
    ! Local VPN user with a lab password (lab only; see the RADIUS option below)
    vpn-demo-1(config)# username dkazakov password cisco
    vpn-demo-1(config)# username dkazakov attributes
    vpn-demo-1(config-username)# service-type remote-access
    !
    ! Present the SELF certificate on the SSL listener and enable AnyConnect on outside
    vpn-demo-1(config)# ssl trust-point SELF
    vpn-demo-1(config)# webvpn
    vpn-demo-1(config-webvpn)#  enable outside
    vpn-demo-1(config-webvpn)#  anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
    vpn-demo-1(config-webvpn)#  anyconnect enable
    !

    • (OPTIONAL): In the example above we used a local user in the ASA database to authenticate remote users, which is of little use outside a lab. Here is an example of quickly adapting the configuration for authentication against a RADIUS server, using Cisco Identity Services Engine as the example:

    ! RADIUS server group (this first line is implied by the prompts in the original listing)
    vpn-demo-1(config)# aaa-server RADIUS protocol radius
    ! accept Change-of-Authorization from ISE and send interim accounting for session tracking
    vpn-demo-1(config-aaa-server-group)# dynamic-authorization
    vpn-demo-1(config-aaa-server-group)# interim-accounting-update
    vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
    vpn-demo-1(config-aaa-server-host)# key cisco
    vpn-demo-1(config-aaa-server-host)# exit
    ! switch the default tunnel group from LOCAL users to the RADIUS group
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# authentication-server-group  RADIUS 
    !
    !

    This integration lets you not only tie the authentication process to the AD directory service quickly, but also distinguish whether the connecting computer is an AD member, determine whether it is a corporate or a personal device, and assess the state (posture) of the connecting device.


    • Configure NAT exemption (identity NAT) so that traffic between the client and the resources of the corporate network is not translated:

    ! Network object covering the VPN pool(s); the "object network" line is implied by the prompt in the original listing
    vpn-demo-1(config)# object network vpn-users
    vpn-demo-1(config-network-object)#  subnet 192.168.20.0 255.255.255.0
    !
    ! Identity (twice) NAT: traffic between inside and the VPN clients passes untranslated
    vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp

    • (OPTIONAL): To let our clients reach the Internet through the ASA (when the tunnelall option is used) with PAT, leaving via the same outside interface they connected on, make the following settings:

    ! PAT the VPN clients to the outside interface address (hairpin: traffic enters and leaves on outside)
    vpn-demo-1(config)# nat (outside,outside) source dynamic vpn-users interface
    ! PAT for the inside network towards the Internet
    vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
    ! allow traffic to enter and leave on the same interface (required for the hairpin above)
    vpn-demo-1(config)# same-security-traffic permit intra-interface 
    !

    • When using a cluster it is important that the inside network knows which ASA to send traffic for a given user to; for this the /32 routes of the addresses issued to clients must be redistributed.
      At this point we have not configured the cluster yet, but we already have working VPN gateways that can be connected to individually by FQDN or IP.


    We see the connected client in the routing table of the first ASA (show route lists a /32 route to the client's pool address):


    For the whole VPN cluster and the whole corporate network to know the route to our client, we redistribute the client prefix into a dynamic routing protocol, OSPF in this example:

    !
    ! Only the VPN client /32s should be redistributed. The access-list referenced by the
    ! route-map is not shown in the original; matching the pool subnet is assumed here
    vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
    vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
    vpn-demo-1(config-route-map)#  match ip address VPN-REDISTRIBUTE
    !
    vpn-demo-1(config)# router ospf 1
    ! OSPF runs on the inside segment only
    vpn-demo-1(config-router)#  network 192.168.255.0 255.255.255.0 area 0
    vpn-demo-1(config-router)#  log-adj-changes
    ! client routes injected by the VPN are picked up by "redistribute static"; the route-map keeps other static routes out
    vpn-demo-1(config-router)#  redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE

    Now the second gateway ASA-2 also has a route to the client, and users connected to different VPN gateways in the cluster can, for example, talk to each other directly over the corporate softphone, just as return traffic from the resources a user requested arrives at the right VPN gateway:


  5. On to configuring the Load-Balancing cluster.

    The address 192.168.31.40 will be used as the Virtual IP (VIP, the address all VPN clients initially connect to); from this address the Cluster Master REDIRECTS the client to a less loaded cluster node. Don't forget to register forward and reverse DNS records for each external address/FQDN of each cluster node as well as for the VIP: with redirect-fqdn enabled the master sends the client the node's FQDN rather than its IP address, so the node's certificate is validated against a name it actually contains.

    vpn-demo-1(config)# vpn load-balancing
    ! lbpublic carries the VIP and client traffic; lbprivate carries the messages between nodes
    vpn-demo-1(config-load-balancing)# interface lbpublic outside
    vpn-demo-1(config-load-balancing)# interface lbprivate inside
    ! priority is 1-10; the node with the highest value is elected master
    vpn-demo-1(config-load-balancing)# priority 10
    vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
    vpn-demo-1(config-load-balancing)# cluster port 4000
    ! redirect clients to the node's FQDN (resolved via DNS) instead of its IP, so the certificate matches
    vpn-demo-1(config-load-balancing)# redirect-fqdn enable
    ! shared secret and encryption for the load-balancing messages between nodes; use a strong key,
    ! and check the configuration guide for the IKE prerequisite on the lbprivate interface
    vpn-demo-1(config-load-balancing)# cluster key cisco
    vpn-demo-1(config-load-balancing)# cluster encryption
    ! this second "cluster port" overrides the 4000 above, so the cluster uses the default UDP port 9023;
    ! the port must be identical on every node
    vpn-demo-1(config-load-balancing)# cluster port 9023
    vpn-demo-1(config-load-balancing)# participate
    vpn-demo-1(config-load-balancing)#
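Added example (not code from the article and not a Cisco tool): since every node is configured by hand and each needs its own address pool, this Python script carves disjoint pools out of the shared 192.168.20.0/24 and renders the lines that differ per node, so the rest of the configuration from steps 4 and 5 can be pasted unchanged on every ASA. The subnet, the VIP, the domain and the node-1 values (.10 to .30, priority 10) come from the article; the vpn-demo-N naming, the descending priority scheme and the body of the VPN-REDISTRIBUTE access-list are assumptions.

```python
"""Render the per-node part of the cluster configuration and check that the
pools handed to the nodes never overlap. Added example; not from the article."""
import ipaddress

POOL_SUBNET = ipaddress.ip_network("192.168.20.0/24")   # article: client pool subnet
CLUSTER_VIP = "192.168.31.40"                            # article: cluster ip address
DOMAIN = "ashes.cc"                                      # article: domain-name


def allocate_pools(subnet, node_count, pool_size, first_host=10):
    """Return [(first, last), ...]: `node_count` disjoint ranges of `pool_size`
    host addresses, starting at host number `first_host` (node 1 starts at .10
    in the article). Refuses to run past the end of the subnet instead of
    wrapping around, which would give two nodes the same addresses."""
    hosts = list(subnet.hosts())
    if first_host - 1 + node_count * pool_size > len(hosts):
        raise ValueError(f"{subnet} cannot hold {node_count} pools of {pool_size}")
    pools = []
    for i in range(node_count):
        start = first_host - 1 + i * pool_size
        pools.append((hosts[start], hosts[start + pool_size - 1]))
    return pools


def pools_disjoint(pools):
    """True when no two pools share an address; the nodes do not synchronize
    address assignments, so this is the property each of them relies on."""
    ordered = sorted((int(a), int(b)) for a, b in pools)
    return all(ordered[i][1] < ordered[i + 1][0] for i in range(len(ordered) - 1))


def node_config(index, pools):
    """Lines that differ between nodes (1-based `index`). Priority is 1-10 and
    the highest value wins the master election; the assumed scheme gives
    node 1 priority 10, node 2 priority 9, and so on."""
    first, last = pools[index - 1]
    priority = max(1, 11 - index)
    return "\n".join([
        f"hostname vpn-demo-{index}",
        f"domain-name {DOMAIN}",
        f"ip local pool vpn-pool {first}-{last} mask {POOL_SUBNET.netmask}",
        "vpn load-balancing",
        " interface lbpublic outside",
        " interface lbprivate inside",
        f" priority {priority}",
        f" cluster ip address {CLUSTER_VIP}",
        " redirect-fqdn enable",
        " participate",
    ])


def shared_config():
    """Lines identical on every node that must cover *all* pools: the NAT
    exemption object from the article and the redistribution filter whose
    access-list body the article does not show (assumed: the pool subnet)."""
    net, mask = POOL_SUBNET.network_address, POOL_SUBNET.netmask
    return "\n".join([
        "object network vpn-users",
        f" subnet {net} {mask}",
        f"access-list VPN-REDISTRIBUTE standard permit {net} {mask}",
    ])


if __name__ == "__main__":
    pools = allocate_pools(POOL_SUBNET, node_count=3, pool_size=21)
    assert pools_disjoint(pools)
    print(shared_config())
    for n in range(1, len(pools) + 1):
        print(f"\n! ---- node {n} ----\n{node_config(n, pools)}")
```

The cluster key, the trustpoint and the AnyConnect images are deliberately left out of the rendered output: they are either secrets or identical on all nodes and belong in the common part of the configuration.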

    • Check the operation of the cluster with two connected clients (show vpn load-balancing on the master lists the nodes and their load):


    • Make the client experience more convenient by automatically downloading an AnyConnect profile created via ASDM.


    We give the profile a simple name and bind our group policy to it:


    After the next client connection this profile is downloaded automatically and installed in the AnyConnect client, so to connect you only need to pick it from the list:


    Since we created this profile with ASDM on only one ASA, don't forget to repeat the steps on the other ASAs in the cluster.
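Added example (not code from the article and not a Cisco tool): a Python audit of the quick-start shortcuts this article itself marks as lab-only (telnet for pasting the token, a local VPN user, the self-signed trust-point SELF, SSH/ASDM open to the whole inside network, and a load-balancing block without cluster encryption). The sample running-config is constructed from the commands shown in steps 3 to 5; on a real node, feed the output of "show running-config" to audit() before it goes into production.

```python
"""Audit an ASA running-config for the lab shortcuts used in this quick start.
Added example; not from the article, not a Cisco tool."""
import re

# Constructed sample, assembled from the commands shown in the article
# (passwords appear masked, as the ASA prints them).
SAMPLE_RUNNING_CONFIG = """\
hostname vpn-demo-1
domain-name ashes.cc
telnet 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
http server enable 445
http 0.0.0.0 0.0.0.0 inside
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
username admin password ***** privilege 15
username dkazakov password *****
username dkazakov attributes
 service-type remote-access
crypto ca trustpoint SELF
 enrollment self
 fqdn vpn-demo.ashes.cc
 subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
ssl trust-point SELF
vpn load-balancing
 priority 10
 cluster key *****
 cluster ip address 192.168.31.40
 cluster encryption
 participate
webvpn
 enable outside
 anyconnect enable
"""

REMEDIATION = {
    "TELNET": "remove telnet (cleartext) once SSHv2 works",
    "OPEN_MGMT": "restrict ssh/http to the management subnet",
    "LOCAL_VPN_USER": "authenticate via RADIUS/LDAP (+MFA) and delete the local VPN user",
    "SELF_SIGNED": "enroll a CA-issued certificate covering the VIP and node FQDNs",
    "LB_CLEARTEXT": "configure 'cluster key' and 'cluster encryption' on every node",
}


def config_blocks(config):
    """Split an ASA config into (command, [sub-commands]) pairs using the
    one-space indentation the ASA uses for sub-mode lines."""
    blocks, parent, children = [], None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            children.append(raw.strip())
            continue
        if parent is not None:
            blocks.append((parent, children))
        parent, children = raw.strip(), []
    if parent is not None:
        blocks.append((parent, children))
    return blocks


def audit(config):
    """Return (finding_code, detail) tuples for every lab shortcut found."""
    blocks = config_blocks(config)
    self_signed = {cmd.split()[-1] for cmd, sub in blocks
                   if cmd.startswith("crypto ca trustpoint ") and "enrollment self" in sub}
    findings = []
    for cmd, sub in blocks:
        if cmd.startswith("telnet "):
            findings.append(("TELNET", cmd))                 # cleartext management
        elif re.match(r"(ssh|http) 0\.0\.0\.0 0\.0\.0\.0 ", cmd):
            findings.append(("OPEN_MGMT", cmd))              # any host on that interface
        elif cmd.startswith("username ") and "service-type remote-access" in sub:
            findings.append(("LOCAL_VPN_USER", cmd.split()[1]))
        elif cmd.startswith("ssl trust-point ") and cmd.split()[2] in self_signed:
            findings.append(("SELF_SIGNED", cmd.split()[2]))  # clients cannot validate it
        elif cmd == "vpn load-balancing" and "cluster encryption" not in sub:
            findings.append(("LB_CLEARTEXT", cmd))           # inter-node messages unprotected
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_RUNNING_CONFIG):
        print(f"{code:15} {detail:35} -> {REMEDIATION[code]}")
```

The sample reproduces the article's configuration, so the audit reports telnet, the two open management listeners, the local user dkazakov and the self-signed trust-point, while the load-balancing block passes because the article does configure cluster encryption.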

Conclusion: so we have quickly deployed a cluster of several VPN gateways with automatic load balancing. New nodes are easy to add to the cluster, giving simple horizontal scaling by deploying new ASAv virtual machines or by using hardware ASAs. The feature-rich AnyConnect client can significantly extend your secure remote access capabilities through Posture (endpoint state assessment), which is most effective when used together with the Identity Services Engine access control and accounting system.

Source: will.com
