Deploying an ASA VPN Load-Balancing Cluster

In this article I want to give step-by-step instructions on how you can quickly deploy the most scalable scheme currently available for Remote-Access VPN based on AnyConnect and Cisco ASA: the VPN Load Balancing Cluster.

Introduction: Many companies around the world, given the current situation with COVID-19, are trying to move their employees to remote work. Because of the widespread shift to remote work, the load on companies' existing VPN gateways grows sharply and the ability to scale them very quickly is required. On the other hand, many companies are forced to master the concept of remote work in a hurry and from scratch.

To help businesses quickly implement convenient, secure, and scalable VPN access for employees, Cisco provides licenses of up to 13 weeks for the feature-rich AnyConnect SSL-VPN client. You can also take ASAv for a trial (Virtual ASA for VMWare/Hyper-V/KVM hypervisors and AWS/Azure cloud platforms) from authorized partners or by contacting the Cisco representatives who work with you.

The procedure for issuing AnyConnect COVID-19 licenses is described here.

I have prepared step-by-step instructions for a simple deployment of a VPN Load-Balancing cluster as the most scalable VPN technology.

The example below is quite simple in terms of the authentication and authorization algorithms used, but it is a good option for a quick start (which is something many people lack right now), with the possibility of in-depth adaptation to your needs during deployment.

Brief information: VPN Load Balancing Cluster technology is neither failover nor a clustering function in its native sense; this technology can combine completely different ASA models (with certain restrictions) in order to load-balance Remote-Access VPN connections. There is no synchronization of sessions and configurations between the nodes of such a cluster, but it is possible to load-balance VPN connections automatically and to keep VPN connections fault tolerant as long as at least one active node remains in the cluster. The load in the cluster is balanced automatically, depending on how loaded the nodes are by number of VPN sessions.

For fault tolerance of specific cluster nodes (if required), you can use failover, so that the active connection is handled by the Primary node of the failover pair. Failover is not a necessary condition for fault tolerance within the Load-Balancing cluster; if a node fails, the cluster itself moves the user session to another live node, but without preserving the connection state, which is exactly what failover provides. Accordingly, the two technologies can be combined if necessary.

A VPN Load-Balancing cluster can contain more than two nodes.

VPN Load-Balancing cluster is supported on ASA 5512-X and above.

Since each ASA within the VPN Load-Balancing cluster is an independent unit in terms of settings, we carry out all configuration steps individually on each device.

Technology details are here.

The logical topology of the example given is:


Initial deployment:

  1. We deploy ASAv instances of the templates we need (ASAv5/10/30/50) from the image.

  2. We assign the INSIDE / OUTSIDE interfaces to the same VLANs (OUTSIDE in its own VLAN, INSIDE in its own, but common within the cluster, see the topology); it is important that interfaces of the same type are in the same L2 segment.

  3. Licenses:

    • At installation time, the ASAv has no licenses and is limited to 100kbit/sec.
    • To install a license, you need to generate a token in your Smart-Account: https://software.cisco.com/ -> Smart Software Licensing
    • In the window that opens, click the New Token button.
    • Make sure that the field in the window that opens is active and that the checkbox Allow export-controlled functionality... is ticked. Without this field active, you cannot use strong encryption functions and, accordingly, VPN. If this field is not active, please contact your account team to request activation.
    • After clicking the Create Token button, a token is created that we will use to obtain a license for the ASAv; copy it.
    • Repeat steps C, D, E for each deployed ASAv.
    • To make copying the token easier, let's temporarily enable telnet. We configure each ASA (the example below shows the settings on ASA-1). telnet from outside does not work; if you really need it, change the security-level to 100 on outside, then set it back afterwards.

    !
    ciscoasa(config)# int gi0/0
    ciscoasa(config)# nameif outside
    ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# int gi0/1
    ciscoasa(config)# nameif inside
    ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# telnet 0 0 inside
    ciscoasa(config)# username admin password cisco priv 15
    ciscoasa(config)# ena password cisco
    ciscoasa(config)# aaa authentication telnet console LOCAL
    !
    ciscoasa(config)# route outside 0 0 192.168.31.1
    !
    ciscoasa(config)# wr
    !

    • To register the token in the Smart-Account cloud, you must give the ASA Internet access, details here.

    In short, the ASA needs:

    • Internet access via HTTPS;
    • time synchronization (more correctly, via NTP);
    • a configured DNS server;
    • We connect to our ASA via telnet and make the settings to activate the license through Smart-Account.

    !
    ciscoasa(config)# clock set 19:21:00 Mar 18 2020
    ciscoasa(config)# clock timezone MSK 3
    ciscoasa(config)# ntp server 192.168.99.136
    !
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config)# dns server-group DefaultDNS
    ciscoasa(config-dns-server-group)# name-server 192.168.99.132 
    !
    ! Check that DNS works:
    !
    ciscoasa(config-dns-server-group)# ping ya.ru
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
    !!!!!
    !
    ! Check NTP synchronization:
    !
    ciscoasa(config)# show ntp associations 
      address         ref clock     st  when  poll reach  delay  offset    disp
    *~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    !
    ! Set the configuration of our ASAv for Smart-Licensing (according to your profile; in my case 100M as an example)
    !
    ciscoasa(config)# license smart
    ciscoasa(config-smart-lic)# feature tier standard
    ciscoasa(config-smart-lic)# throughput level 100M
    !
    ! If necessary, Internet access can be configured through a proxy; use the following block of commands:
    !call-home
    !  http-proxy ip_address port port
    !
    ! Next, we paste the token copied from the Smart-Account portal (<token>) and register the license
    !
    ciscoasa(config)# end
    ciscoasa# license smart register idtoken <token>

    • We verify that the device has successfully registered the license and that the encryption options are available:

  4. Configuring basic SSL-VPN on each gateway

    • Next, we configure access via SSH and ASDM:

    ciscoasa(config)# ssh ver 2
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# aaa authentication http console LOCAL
    ciscoasa(config)# hostname vpn-demo-1
    vpn-demo-1(config)# domain-name ashes.cc
    vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096 
    vpn-demo-1(config)# ssh 0 0 inside  
    vpn-demo-1(config)# http 0 0 inside
    !
    ! Bring up the HTTPS server for ASDM on port 445 so that it does not clash with the SSL-VPN portal
    !
    vpn-demo-1(config)# http server enable 445 
    !

    • For ASDM to work, you first need to download it from cisco.com; in my case it is the following file:

    • For the AnyConnect client to work, you need to upload to each ASA an image for each client desktop OS in use (Linux/Windows/MAC are planned); you will need a file with Headend Deployment Package in its title:

    • The downloaded files can be placed, for example, on an FTP server and uploaded to each ASA:

    • We configure ASDM and a Self-Signed certificate for SSL-VPN (in production it is recommended to use a trusted certificate). The configured FQDN of the cluster Virtual Address (vpn-demo.ashes.cc), as well as each FQDN associated with the external address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Detailed information on the certificate requirements is given in the Certificate Verification section of the documentation.

    !
    vpn-demo-1(config)# crypto ca trustpoint SELF
    vpn-demo-1(config-ca-trustpoint)# enrollment self
    vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
    vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
    vpn-demo-1(config-ca-trustpoint)# serial-number             
    vpn-demo-1(config-ca-trustpoint)# crl configure
    vpn-demo-1(config-ca-crl)# cry ca enroll SELF
    % The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
    Generate Self-Signed Certificate? [yes/no]: yes
    vpn-demo-1(config)# 
    !
    vpn-demo-1(config)# sh cry ca certificates 
    Certificate
    Status: Available
    Certificate Serial Number: 4d43725e
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA256 with RSA Encryption
    Issuer Name: 
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Validity Date: 
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
    Storage: config
    Associated Trustpoints: SELF 
    
    CA Certificate
    Status: Available
    Certificate Serial Number: 0509
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Subject Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Validity Date: 
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
    Storage: config
    Associated Trustpoints: _SmartCallHome_ServerCA               

    • To check that ASDM works, do not forget to specify the port, for example:

    • Let's make the basic tunnel settings:
    • We make the corporate network reachable through the tunnel and let Internet traffic go out directly (not the most secure method when there are no protections on the connecting host: it is possible to get in through an infected host and exfiltrate corporate data; the option split-tunnel-policy tunnelall sends all host traffic into the tunnel. Nevertheless, Split-Tunnel makes it possible to offload the VPN gateway and not process the host's Internet traffic).
    • We issue hosts in the tunnel addresses from the subnet 192.168.20.0/24 (a pool of addresses from 10 to 30 (for node #10)). Each node in the cluster must have its own VPN pool.
    • Let's do basic authentication with a user created locally on the ASA (this is not recommended, it is simply the easiest method); it is better to authenticate via LDAP/RADIUS or, better still, attach Multi-Factor Authentication (MFA), for example Cisco DUO.

    !
    vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
    !
    vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
    !
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
    vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client 
    vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
    vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
    vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
    vpn-demo-1(config-group-policy)# default-domain value ashes.cc
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)#  default-group-policy SSL-VPN-GROUP-POLICY
    vpn-demo-1(config-tunnel-general)#  address-pool vpn-pool
    !
    vpn-demo-1(config)# username dkazakov password cisco
    vpn-demo-1(config)# username dkazakov attributes
    vpn-demo-1(config-username)# service-type remote-access
    !
    vpn-demo-1(config)# ssl trust-point SELF
    vpn-demo-1(config)# webvpn
    vpn-demo-1(config-webvpn)#  enable outside
    vpn-demo-1(config-webvpn)#  anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
    vpn-demo-1(config-webvpn)#  anyconnect enable
    !
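
The steps above themselves mark four lab shortcuts: telnet enabled temporarily, a self-signed certificate on the SSL listener, split tunneling, and local-user authentication. This added Python example (not part of the original article) lints a saved configuration for them; the sample config is constructed and the finding names are this example's own.

```python
import re

# Constructed sample in the style of the lab commands above (not a real device dump).
SAMPLE_CONFIG = """\
telnet 0.0.0.0 0.0.0.0 inside
aaa authentication telnet console LOCAL
crypto ca trustpoint SELF
 enrollment self
 fqdn vpn-demo.ashes.cc
group-policy SSL-VPN-GROUP-POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy SSL-VPN-GROUP-POLICY
 address-pool vpn-pool
ssl trust-point SELF
"""


def sections(config):
    """Map each top-level command to the list of its indented sub-commands."""
    out, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            out[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            out.setdefault(current, [])
    return out


def lint(config):
    """Return finding ids (names are this example's own) for the lab shortcuts."""
    sec, findings = sections(config), []
    # Telnet management left enabled after the licensing step.
    if any(t.split()[0] == "telnet" and t.split()[1:2] != ["timeout"] for t in sec):
        findings.append("telnet-enabled")
    # Trustpoints enrolled as self-signed; flagged only if bound to the SSL listener.
    self_signed = {top.split()[-1] for top, sub in sec.items()
                   if top.startswith("crypto ca trustpoint ") and "enrollment self" in sub}
    for top, sub in sec.items():
        m = re.match(r"ssl trust-point (\S+)", top)
        if m and m.group(1) in self_signed:
            findings.append("self-signed-ssl:" + m.group(1))
        m = re.match(r"group-policy (\S+) attributes", top)
        if m and "split-tunnel-policy tunnelspecified" in sub:
            findings.append("split-tunnel:" + m.group(1))
        # No authentication-server-group line means the ASA default, LOCAL.
        m = re.match(r"tunnel-group (\S+) general-attributes", top)
        if m and not any(s.startswith("authentication-server-group ")
                         and s.split()[1] != "LOCAL" for s in sub):
            findings.append("local-auth:" + m.group(1))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```
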

    • (OPTIONAL): In the example above, we used a local user on the firewall to authenticate remote users, which is of little use outside the laboratory. Here is an example of quickly adapting the setup to authenticate against a RADIUS server, using Cisco Identity Services Engine as the example:

    vpn-demo-1(config)# aaa-server RADIUS protocol radius
    vpn-demo-1(config-aaa-server-group)# dynamic-authorization
    vpn-demo-1(config-aaa-server-group)# interim-accounting-update
    vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
    vpn-demo-1(config-aaa-server-host)# key cisco
    vpn-demo-1(config-aaa-server-host)# exit
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# authentication-server-group  RADIUS 
    !

    This integration made it possible not only to quickly tie the authentication procedure to the AD directory service, but also to distinguish whether the connecting computer belongs to AD, to understand whether it is a corporate or a personal device, and to assess the state of the connected device.

    • Let's configure Transparent NAT so that traffic between the client and the resources of the corporate network is not translated:

    vpn-demo-1(config)# object network vpn-users
    vpn-demo-1(config-network-object)#  subnet 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp

    • (OPTIONAL): To let our clients out to the Internet through the ASA (when using the tunnelall option) with PAT, and to have them exit through the same OUTSIDE interface they connected from, you need to make the following settings.

    vpn-demo-1(config-network-object)# nat (outside,outside) source dynamic vpn-users interface
    vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
    vpn-demo-1(config)# same-security-traffic permit intra-interface 
    !

    • When using a cluster, it is extremely important to let the internal network know which ASA to route return traffic for users to; for this, it is necessary to redistribute the /32 routes of the addresses issued to clients.
      At this point we have not yet configured the cluster, but we already have working VPN gateways that you can connect to individually by FQDN or IP.

    We see the connected client in the routing table of the first ASA:

    So that our entire VPN cluster and the entire corporate network know the route to our client, we redistribute the client prefix into a dynamic routing protocol, for example OSPF:

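    !
    ! ACL referenced by the route-map below; it matches this node's VPN pool subnet
    vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
    !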
    vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
    vpn-demo-1(config-route-map)#  match ip address VPN-REDISTRIBUTE
    !
    vpn-demo-1(config)# router ospf 1
    vpn-demo-1(config-router)#  network 192.168.255.0 255.255.255.0 area 0
    vpn-demo-1(config-router)#  log-adj-changes
    vpn-demo-1(config-router)#  redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE

    Now we have a route to the client from the second gateway, ASA-2, and users connected to different VPN gateways within the cluster can, for example, talk to each other directly through a corporate softphone, just as return traffic from the resources requested by the user arrives at the required VPN gateway:

  5. Let's move on to configuring the Load-Balancing cluster.

    The address 192.168.31.40 will be used as the Virtual IP (VIP: all VPN clients initially connect to it); from this address the cluster Master will REDIRECT to a less loaded cluster node. Do not forget to register forward and reverse DNS records both for each external address/FQDN of each cluster node and for the VIP.

    vpn-demo-1(config)# vpn load-balancing
    vpn-demo-1(config-load-balancing)# interface lbpublic outside
    vpn-demo-1(config-load-balancing)# interface lbprivate inside
    vpn-demo-1(config-load-balancing)# priority 10
    vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
    vpn-demo-1(config-load-balancing)# cluster port 4000
    vpn-demo-1(config-load-balancing)# redirect-fqdn enable
    vpn-demo-1(config-load-balancing)# cluster key cisco
    vpn-demo-1(config-load-balancing)# cluster encryption
    vpn-demo-1(config-load-balancing)# cluster port 9023
    vpn-demo-1(config-load-balancing)# participate
    vpn-demo-1(config-load-balancing)#
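
Because nothing is synchronized between nodes and every step is repeated by hand on each ASA, cluster-wide values can drift and VPN pools can collide. This added Python example (not part of the original article) compares per-node configuration fragments for overlapping `ip local pool` ranges and for differing `cluster ip address` / `cluster port` / `cluster encryption` settings; the fragments are constructed, and every vpn-demo-2 value is an assumption made for the example.

```python
import ipaddress
import re

# Constructed fragments in the style of the commands above; all vpn-demo-2
# values are assumptions for this example, chosen to show both problems.
NODES = {
    "vpn-demo-1": """\
ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
vpn load-balancing
 priority 10
 cluster ip address 192.168.31.40
 cluster encryption
 participate
""",
    "vpn-demo-2": """\
ip local pool vpn-pool 192.168.20.25-192.168.20.50 mask 255.255.255.0
vpn load-balancing
 priority 5
 cluster ip address 192.168.31.41
 cluster encryption
 participate
""",
}

POOL = re.compile(r"^ip local pool (\S+) ([\d.]+)-([\d.]+)", re.M)
# Settings that must be identical on every node of the cluster.
SHARED = ("cluster ip address", "cluster port", "cluster encryption")


def pool_ranges(config):
    """Return [(first, last)] of every local pool, as integers."""
    return [(int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi)))
            for _, lo, hi in POOL.findall(config)]


def shared_settings(config):
    """Return {setting: value}; None if absent, 'enabled' for bare keywords."""
    lines = [line.strip() for line in config.splitlines()]
    found = {}
    for key in SHARED:
        hit = next((l for l in lines if l.startswith(key)), None)
        found[key] = None if hit is None else (hit[len(key):].strip() or "enabled")
    return found


def check_cluster(nodes):
    """Return a list of problem ids (names are this example's own)."""
    problems, names = [], sorted(nodes)
    pools = {n: pool_ranges(nodes[n]) for n in names}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            # Two inclusive ranges overlap when each starts before the other ends.
            if any(a_lo <= b_hi and b_lo <= a_hi
                   for a_lo, a_hi in pools[a] for b_lo, b_hi in pools[b]):
                problems.append(f"pool-overlap:{a}:{b}")
    reference = shared_settings(nodes[names[0]])
    for n in names[1:]:
        for key, value in shared_settings(nodes[n]).items():
            if value != reference[key]:
                problems.append(f"mismatch:{n}:{key}")
    return problems
```
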

    • We check the operation of the cluster with two connected clients:

    • Let's make the client experience more convenient with an AnyConnect profile that is downloaded automatically, configured via ASDM.

    We name the profile in a convenient way and associate our group policy with it:

    After the client's next connection, this profile is automatically downloaded and installed in the AnyConnect client, so when you need to connect, you just select it from the list:

    Since we created this profile on only one ASA using ASDM, do not forget to repeat the steps on the remaining ASAs in the cluster.

Conclusion: Thus, we quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy, giving simple horizontal scaling by deploying new ASAv virtual machines or by using hardware ASAs. The feature-rich AnyConnect client can greatly enhance your secure remote connection capabilities using Posture (state assessments), which is most effective when used together with the centralized access control and accounting system Identity Services Engine.

Source: www.habr.com
