In this article I want to give step-by-step instructions on how to quickly deploy the solution that is most in demand right now: Remote Access VPN based on AnyConnect and Cisco ASA - VPN Load Balancing Cluster.
Introduction: Many companies around the world, given the current COVID-19 situation, are trying to move their employees to remote work. Because of the mass shift to remote work, the load on companies' existing VPN gateways has grown sharply, and they need the ability to scale quickly. On the other hand, many companies are being forced to master the concept of working from home in a hurry.
To help businesses quickly deploy convenient, secure and scalable VPN access for employees, Cisco is providing licenses for the AnyConnect SSL-VPN client for up to 13 weeks.
I have prepared step-by-step instructions for a simple way of deploying a VPN Load-Balancing cluster, as the most scalable VPN technology.
The example below is very simple in terms of the authentication and authorization methods used, but it is a good option for a quick start (which is exactly what many lack right now) with the possibility of deeper tailoring to your needs during deployment.
Brief information: VPN Load Balancing Cluster technology is not failover or clustering in the literal sense; it lets completely different ASA models (with some restrictions) be combined in order to load-balance Remote-Access VPN connections. There is no synchronization of sessions or configuration between the nodes of such a cluster, but it can automatically load-balance VPN connections and keep the VPN service available as long as at least one active node remains in the cluster. Load within the cluster is balanced automatically based on node workload, measured by the number of VPN sessions.
For fault tolerance of individual cluster nodes (if required), you can use failover, in which case the active connection is handled by the Primary node of the failover pair. Failover is not a prerequisite for fault tolerance within a Load-Balancing cluster: if a node fails, the cluster itself redirects the user to another live node, but without preserving connection state, which is exactly what failover provides. Accordingly, the two technologies can be combined when needed.
A VPN Load-Balancing cluster can include more than two nodes.
VPN Load-Balancing cluster is supported on the ASA 5512-X and higher.
Since each ASA in a VPN Load-Balancing cluster is an independent unit in terms of configuration, we perform all configuration steps on each device individually.
The topology of the example given:

Initial Setup:
We deploy ASAv virtual machines of the required models (ASAv5/10/30/50) from the image.
We place the inside/outside interfaces in the same VLANs (Outside in its own VLAN, Inside in its own, but shared across the cluster, see topology); it is important that interfaces of the same type are in the same L2 segment.
Licensing:
- At installation time the ASAv has no license and is limited to 100 kbit/s.
- To install a license, you need to generate a token in your Smart-Account: -> Smart Software Licensing
- In the window that opens, click the New Token button

- Make sure that the field in the window that opens is active and tick the checkbox Allow export-controlled functionality... Without this field active you will not be able to use strong encryption features and, consequently, VPN. If this field is not active, please contact your account team to request activation.

- After pressing the Create Token button, a token is created that we will use to obtain a license for the ASAv; copy it:

- Repeat steps C, D, E (the token steps above) for each ASAv.
- To make pasting the token easier, let's temporarily enable telnet. We configure each ASA (the example below shows the settings on ASA-1). Telnet from the outside will not work; if you really need it, change the security level of outside to 100 and then change it back.
!
ciscoasa(config)# int gi0/0
ciscoasa(config)# nameif outside
ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# int gi0/1
ciscoasa(config)# nameif inside
ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
ciscoasa(config)# no shut
!
! Telnet is cleartext: it is allowed on the inside interface only and only for as long as it takes to paste the token
ciscoasa(config)# telnet 0 0 inside
ciscoasa(config)# username admin password cisco priv 15
ciscoasa(config)# ena password cisco
ciscoasa(config)# aaa authentication telnet console LOCAL
!
ciscoasa(config)# route outside 0 0 192.168.31.1
!
ciscoasa(config)# wr
- To register the token with the Smart-Account cloud, the ASA must be given Internet access.
In short, the ASA needs:
- Internet access over HTTPS;
- time synchronization (preferably via NTP);
- a configured DNS server;
- We telnet to our ASA and perform the configuration that activates the license via the Smart-Account.
!
ciscoasa(config)# clock set 19:21:00 Mar 18 2020
ciscoasa(config)# clock timezone MSK 3
ciscoasa(config)# ntp server 192.168.99.136
!
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 192.168.99.132
!
! Check that DNS works:
!
ciscoasa(config-dns-server-group)# ping ya.ru
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
!!!!!
!
! Check NTP synchronization:
!
ciscoasa(config)# show ntp associations
address          ref clock      st   when   poll  reach   delay   offset    disp
*~192.168.99.136 91.189.94.4     3     63     64      1    36.7     1.85    17.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
!
! Set the Smart-Licensing parameters of our ASAv (according to your profile; in my case 100M, as an example)
!
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level 100M
!
! If Internet access has to go through a proxy, use the following block of commands:
! call-home
!  http-proxy ip_address port port
!
! Next we paste the token copied from the Smart-Account portal (<token>) and register the license
!
ciscoasa(config)# end
ciscoasa# license smart register idtoken <token>
- We check that the device has successfully registered the license and that the strong-encryption features are available:


Configuring basic SSL-VPN on each gateway
- Next, we configure access via SSH and ASDM:
ciscoasa(config)# ssh ver 2
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# hostname vpn-demo-1
vpn-demo-1(config)# domain-name ashes.cc
vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096
vpn-demo-1(config)# ssh 0 0 inside
vpn-demo-1(config)# http 0 0 inside
!
! Start the HTTPS server for ASDM on port 445 so that it does not collide with the SSL-VPN portal on 443
!
vpn-demo-1(config)# http server enable 445
- For ASDM to work, you first need to download it from cisco.com; in my case it was this file:

- For the AnyConnect client to work, you need to upload to each ASA an image for every OS your users run (plan for Linux/Windows/MAC); you need the file with Head-end deployment in its title:

- The downloaded files can be placed, for example, on an FTP server and uploaded to each ASA:

- We configure ASDM and a Self-Signed certificate for SSL-VPN (in production it is recommended to use a certificate from a trusted CA). The FQDN configured for the cluster Virtual Address (vpn-demo.ashes.cc), as well as the FQDN corresponding to the outside address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address, if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Detailed certificate requirements are described in the Certificate Requirements section of the documentation.
!
vpn-demo-1(config)# crypto ca trustpoint SELF
vpn-demo-1(config-ca-trustpoint)# enrollment self
vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
vpn-demo-1(config-ca-trustpoint)# serial-number
vpn-demo-1(config-ca-trustpoint)# crl configure
vpn-demo-1(config-ca-crl)# cry ca enroll SELF
% The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
Generate Self-Signed Certificate? [yes/no]: yes
vpn-demo-1(config)#
!
vpn-demo-1(config)# sh cry ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 4d43725e
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
  Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
  Validity Date:
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
  Storage: config
  Associated Trustpoints: SELF

CA Certificate
  Status: Available
  Certificate Serial Number: 0509
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
  Subject Name:
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
  Validity Date:
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
  Storage: config
  Associated Trustpoints: _SmartCallHome_ServerCA
- When checking ASDM access, don't forget to specify the port, for example:
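One check worth running before the cluster goes live: with redirect-fqdn the client first connects to the VIP name and is then redirected to a node's own FQDN, so the certificate presented by every node has to cover the VIP name and every node name, and most modern TLS clients ignore the CN once a Subject Alternative Name extension is present. The trustpoint above only puts the single `fqdn` into the SAN. The following is an added example, not code from the original article: a stdlib-only name matcher in the RFC 6125 style, run against values taken from the article (CN *.ashes.cc, SAN vpn-demo.ashes.cc). The node FQDNs vpn-demo-1.ashes.cc and vpn-demo-2.ashes.cc are assumed names for the two gateways.

```python
"""Check that a gateway certificate covers every name a VPN Load-Balancing
cluster answers on.  Added example, not from the original article.

GATEWAY_CN / GATEWAY_SANS are taken from the self-signed certificate shown in
the article; CLUSTER_HOSTS is constructed: the VIP FQDN from the article plus
two assumed per-node FQDNs.
"""
from typing import Iterable, List

GATEWAY_CN = "*.ashes.cc"               # subject-name cn= from the trustpoint
GATEWAY_SANS = ["vpn-demo.ashes.cc"]    # the 'fqdn' keyword populates the SAN
CLUSTER_HOSTS = [
    "vpn-demo.ashes.cc",     # cluster VIP, clients connect here first
    "vpn-demo-1.ashes.cc",   # assumed FQDN of node 1 (redirect target)
    "vpn-demo-2.ashes.cc",   # assumed FQDN of node 2 (redirect target)
]


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a '*' is accepted only as
    the entire leftmost label, must leave at least two fixed labels (so '*.cc'
    is refused) and matches exactly one label."""
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname or "*" in hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    return len(hlabels) == len(plabels) and plabels[1:] == hlabels[1:]


def accepted_names(subject_cn: str, sans: Iterable[str]) -> List[str]:
    """Names a client will match against: the SAN dNSName list, falling back to
    the CN only when the certificate has no SAN at all."""
    sans = list(sans)
    return sans if sans else [subject_cn]


def uncovered_names(subject_cn: str, sans: Iterable[str],
                    required_hosts: Iterable[str]) -> List[str]:
    """Return the required hostnames the certificate would NOT be valid for."""
    names = accepted_names(subject_cn, sans)
    return [h for h in required_hosts
            if not any(hostname_matches(n, h) for n in names)]


if __name__ == "__main__":
    missing = uncovered_names(GATEWAY_CN, GATEWAY_SANS, CLUSTER_HOSTS)
    for host in missing:
        print(f"NOT covered by certificate: {host}")
    if not missing:
        print("certificate covers the VIP and every node FQDN")
```

For the article's certificate the result is that both node FQDNs are uncovered: the wildcard CN does not help because a SAN is present. The fix is a certificate whose SAN lists the VIP and every node name (or a wildcard SAN), installed on every node of the cluster.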

- Let's perform the basic tunnel setup:
- We make the corporate network reachable through the tunnel and send Internet traffic directly (not the most secure approach when the connecting host has no security controls: a compromised machine can become an entry point for infecting the corporate network; the split-tunnel-policy tunnelall option would instead force all traffic into the tunnel. Split-tunneling, on the other hand, offloads the VPN gateway so that it does not have to process Internet traffic).
- We give hosts in the tunnel addresses from the subnet 192.168.20.0/24 (a pool of addresses 10 to 30 for node #1). Each node in the cluster must have its own VPN pool.
- We use basic authentication with a local user on the ASA (not recommended, it is simply the easiest method); it is better to authenticate via LDAP/RADIUS, or better still to add Multi-Factor Authentication (MFA), for example Cisco DUO.
!
vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
!
vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client
vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
vpn-demo-1(config-group-policy)# default-domain value ashes.cc
vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
vpn-demo-1(config-tunnel-general)# default-group-policy SSL-VPN-GROUP-POLICY
vpn-demo-1(config-tunnel-general)# address-pool vpn-pool
!
vpn-demo-1(config)# username dkazakov password cisco
vpn-demo-1(config)# username dkazakov attributes
vpn-demo-1(config-username)# service-type remote-access
!
vpn-demo-1(config)# ssl trust-point SELF
vpn-demo-1(config)# webvpn
vpn-demo-1(config-webvpn)# enable outside
vpn-demo-1(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
vpn-demo-1(config-webvpn)# anyconnect enable
- (OPTIONAL): In the example above we use a local user on the firewall to authenticate remote users, which of course is of little use outside a lab. Here is an example of how to quickly adapt the configuration for authentication against a RADIUS server, using Cisco Identity Services Engine as the example:
! The first command below is implied by the config-aaa-server-group prompt that follows it
vpn-demo-1(config)# aaa-server RADIUS protocol radius
vpn-demo-1(config-aaa-server-group)# dynamic-authorization
vpn-demo-1(config-aaa-server-group)# interim-accounting-update
vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
vpn-demo-1(config-aaa-server-host)# key cisco
vpn-demo-1(config-aaa-server-host)# exit
vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
vpn-demo-1(config-tunnel-general)# authentication-server-group RADIUS
This integration allows you not only to quickly set up authentication against the AD directory service, but also to find out whether the connecting computer is an AD member, to tell a corporate device from a personal one, and to assess the posture of the connecting device.


- We configure Transparent (identity) NAT so that traffic between the client and corporate network resources is not translated:
vpn-demo-1(config)# object network vpn-users
vpn-demo-1(config-network-object)# subnet 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp
- (OPTIONAL): To let our clients out to the Internet through the ASA (when using the tunnelall option) with PAT, exiting through the same outside interface on which they connected, you need the following settings:
vpn-demo-1(config)# nat (outside,outside) source dynamic vpn-users interface
vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
vpn-demo-1(config)# same-security-traffic permit intra-interface
- When using a cluster it is very important that the internal network knows through which ASA to route traffic to a given user; for this you need to redistribute the /32 routes of the addresses assigned to clients.
At this point we have not yet configured the cluster, but we already have working VPN gateways that can be connected to individually via FQDN or IP.

We see the connected client in the routing table of the first ASA:

For our whole VPN cluster and the whole corporate network to know the route to our client, we redistribute the client's route into a dynamic routing protocol, for example OSPF:
!
! The standard access-list VPN-REDISTRIBUTE referenced by the route-map (matching the VPN pool) must be defined beforehand; its definition is not shown here
vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
vpn-demo-1(config-route-map)# match ip address VPN-REDISTRIBUTE
!
vpn-demo-1(config)# router ospf 1
vpn-demo-1(config-router)# network 192.168.255.0 255.255.255.0 area 0
vpn-demo-1(config-router)# log-adj-changes
vpn-demo-1(config-router)# redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE
Now we have a route to the client from the second gateway ASA-2, and users connected to different VPN gateways within the cluster can, for example, talk to each other directly over a softphone, just as return traffic from the resources a user requests arrives at the right VPN gateway:

Let's move on to configuring the Load-Balancing cluster.
The address 192.168.31.40 will be used as the Virtual IP (VIP - all VPN clients connect to it first); from this address the Cluster Master REDIRECTs the client to the least loaded cluster node. Don't forget to register forward and reverse DNS records for the external address/FQDN of each cluster node, and for the VIP.
vpn-demo-1(config)# vpn load-balancing
vpn-demo-1(config-load-balancing)# interface lbpublic outside
vpn-demo-1(config-load-balancing)# interface lbprivate inside
vpn-demo-1(config-load-balancing)# priority 10
vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
vpn-demo-1(config-load-balancing)# cluster port 4000
vpn-demo-1(config-load-balancing)# redirect-fqdn enable
vpn-demo-1(config-load-balancing)# cluster key cisco
vpn-demo-1(config-load-balancing)# cluster encryption
! cluster port is set a second time here: the later value (9023, the default) replaces 4000; the cluster ip, key and port must be identical on every node
vpn-demo-1(config-load-balancing)# cluster port 9023
vpn-demo-1(config-load-balancing)# participate
- We check the cluster's operation with two connected clients:
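Because the cluster does not synchronise configuration, every node is configured by hand, and the two places where drift bites are the address pools (each node must hand out its own, non-overlapping pool, as noted in the tunnel setup above) and the vpn load-balancing block (cluster ip, cluster port, cluster key and redirect-fqdn must agree on every node). The following added example, not code from the original article, parses running-config style text for each node and reports those mismatches. NODE1 is assembled from the commands shown in the article; NODE2 is a constructed configuration for the second gateway, and its pool 192.168.20.40-60 and priority 5 are assumptions, since the article does not show ASA-2's configuration.

```python
"""Consistency check across the nodes of an ASA VPN Load-Balancing cluster.
Added example, not from the original article.

NODE1 is built from the commands shown in the article; NODE2 is a constructed,
assumed configuration for the second gateway (its pool and priority are not
given in the article).
"""
import ipaddress
import re
from typing import Dict, List

NODE1 = """\
ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 priority 10
 cluster ip address 192.168.31.40
 cluster port 4000
 redirect-fqdn enable
 cluster key cisco
 cluster encryption
 cluster port 9023
 participate
"""

NODE2 = """\
ip local pool vpn-pool 192.168.20.40-192.168.20.60 mask 255.255.255.0
vpn load-balancing
 interface lbpublic outside
 interface lbprivate inside
 priority 5
 cluster ip address 192.168.31.40
 cluster port 9023
 redirect-fqdn enable
 cluster key cisco
 cluster encryption
 participate
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")


def parse_node(text: str) -> Dict:
    """Extract the address pools and the vpn load-balancing settings from
    running-config text (children of a block are indented by one space)."""
    node = {"pools": [], "lb": {}, "port_sets": 0}
    block = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command opens a block
            block = line
            m = POOL_RE.match(line)
            if m:
                lo, hi = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
                node["pools"].append((m.group(1), lo, hi))
            continue
        if block != "vpn load-balancing":
            continue
        cmd = line.strip()
        if cmd.startswith("cluster ip address "):
            node["lb"]["ip"] = cmd.split()[-1]
        elif cmd.startswith("cluster port "):
            node["lb"]["port"] = int(cmd.split()[-1])   # a later command replaces an earlier one
            node["port_sets"] += 1
        elif cmd.startswith("cluster key "):
            node["lb"]["key"] = cmd.split(None, 2)[2]
        elif cmd == "cluster encryption":
            node["lb"]["encryption"] = True
        elif cmd == "redirect-fqdn enable":
            node["lb"]["redirect_fqdn"] = True
        elif cmd.startswith("priority "):
            node["lb"]["priority"] = int(cmd.split()[-1])
        elif cmd == "participate":
            node["lb"]["participate"] = True
    return node


def check_cluster(configs: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means the nodes agree."""
    nodes = {name: parse_node(text) for name, text in configs.items()}
    findings: List[str] = []
    # settings that must be identical on every node for the cluster to form
    for attr, label in (("ip", "cluster ip address"), ("port", "cluster port"),
                        ("key", "cluster key")):
        values = {n: d["lb"].get(attr) for n, d in nodes.items()}
        if len(set(values.values())) > 1:
            findings.append(f"{label} differs across nodes: {values}")
    for name, d in nodes.items():
        lb = d["lb"]
        if d["port_sets"] > 1:
            findings.append(f"{name}: cluster port set {d['port_sets']} times; effective value is {lb['port']}")
        if lb.get("encryption") and "key" not in lb:
            findings.append(f"{name}: cluster encryption without cluster key")
        if not lb.get("participate"):
            findings.append(f"{name}: missing participate")
        if not d["pools"]:
            findings.append(f"{name}: no ip local pool configured")
    fqdn = {n: d["lb"].get("redirect_fqdn", False) for n, d in nodes.items()}
    if len(set(fqdn.values())) > 1:
        findings.append(f"redirect-fqdn enable inconsistent: {fqdn}")
    # each node must hand out its own addresses: pools may not overlap across nodes
    ranges = [(n, lo, hi) for n, d in nodes.items() for _, lo, hi in d["pools"]]
    for i in range(len(ranges)):
        for j in range(i + 1, len(ranges)):
            (n1, lo1, hi1), (n2, lo2, hi2) = ranges[i], ranges[j]
            if n1 != n2 and lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"pool overlap between {n1} ({lo1}-{hi1}) and {n2} ({lo2}-{hi2})")
    return findings


if __name__ == "__main__":
    for finding in check_cluster({"ASA-1": NODE1, "ASA-2": NODE2}) or ["no findings"]:
        print(finding)
```

Run against the two constructed nodes the only finding is the doubled cluster port on ASA-1, which is harmless because the effective value 9023 matches ASA-2; change ASA-2's pool to overlap 192.168.20.10-30 or its cluster key to anything but cisco and the check names the node and the value.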

- Let's simplify the user experience by automatically deploying an AnyConnect profile via ASDM.

We give the profile a convenient name and bind our group policy to it:

On the next connection this profile is automatically downloaded and installed in the AnyConnect client, so to connect you just select it from the list:

Since we created this profile on one ASA using ASDM, don't forget to repeat the steps on the remaining ASAs in the cluster.
Conclusion: So, we have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy, giving simple horizontal scaling by deploying new ASAv virtual machines or using ASA hardware. The AnyConnect client can further extend remote access with Posture (state assessment), most effectively together with a centralized access control and accounting system, Identity Services Engine.
Source: www.habr.com