Deploying an ASA VPN Load-Balancing Cluster
In this article I would like to give step-by-step instructions on how to quickly deploy the most scalable remote-access VPN scheme available today, based on AnyConnect and Cisco ASA: the VPN Load-Balancing Cluster.
Introduction: Because of the current COVID-19 situation, many companies around the world are working hard to move their employees to remote work. With the mass transition to remote work, the load on companies' existing VPN gateways is growing sharply, and the ability to scale them very quickly is needed. At the same time, many companies are being forced to learn the concept of remote work from scratch.
I have prepared step-by-step instructions for the simplest option for deploying a VPN Load-Balancing cluster as a scalable VPN technology.
The example below is very simple in terms of the authentication and authorization algorithms used, but it is a good option for a quick start (which many people are currently missing), with the possibility of adapting it more deeply to your needs during deployment.
In brief: VPN Load-Balancing cluster technology is not failover or clustering in the native sense; it can combine different ASA models (with certain restrictions) to balance remote-access VPN connections. There is no synchronization of sessions or connections between the nodes of such a cluster, but it can automatically balance VPN connections and keep VPN connectivity fault tolerant as long as at least one active node remains in the cluster. The load in the cluster is balanced automatically according to the number of VPN sessions on each node.
For fault tolerance of individual cluster nodes (if needed), you can use failover; the active connections are then handled by the primary node of the failover pair. Failover is not a prerequisite for fault tolerance within the Load-Balancing cluster: if a node fails, the cluster itself moves the user's session to another live node, but without preserving connection state, which is exactly what failover provides. So the two technologies can be combined if necessary.
A VPN Load-Balancing cluster can consist of more than two nodes.
The VPN Load-Balancing cluster is supported on the ASA 5512-X and above.
Since each ASA in a VPN Load-Balancing cluster is an independent unit in terms of configuration, we perform all configuration steps individually on every device.
The logical topology of the example is as follows:
Initial deployment:
We deploy ASAv instances from the image template we need (ASAv5/10/30/50).
We place the inside/outside interfaces in the same VLANs (outside in its own VLAN, inside in its own, but shared across the cluster, see the topology); it is important that interfaces of the same type are in the same L2 segment.
Licenses:
At installation time the ASAv has no license and is limited to 100 kbit/s.
To install a license, you need to create a token in your Smart Account: https://software.cisco.com/ -> Smart Software Licensing
In the window that opens, click the New Token button
Make sure that the field in the window that opens is active and that the checkbox "Allow export-controlled functionality..." is checked. Without this setting you will not be able to use strong encryption functions and, accordingly, VPN. If this field is not active, contact your account team to request activation
Then press the Create Token button; a token will be created that we will use to obtain the ASAv license. Copy it:
Repeat steps C, D and E for each ASAv being deployed.
To make copying the token easier, we temporarily enable telnet. We configure each ASA (the example below shows the configuration of ASA-1). Telnet from the outside does not work; if you really need it, temporarily change the security level of outside to 100, and then change it back.
!
ciscoasa(config)# int gi0/0
ciscoasa(config)# nameif outside
ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# int gi0/1
ciscoasa(config)# nameif inside
ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# telnet 0 0 inside
ciscoasa(config)# username admin password cisco priv 15
ciscoasa(config)# ena password cisco
ciscoasa(config)# aaa authentication telnet console LOCAL
!
ciscoasa(config)# route outside 0 0 192.168.31.1
!
ciscoasa(config)# wr
!
To register the token with the Smart Account cloud, you must give the ASA Internet access; details here.
In summary, the ASA needs:
Internet access over HTTPS;
time synchronization (properly, via NTP);
a configured DNS server.
We connect to the ASA via telnet and make the settings to activate the license through the Smart Account.
For ASDM to work, you first need to download it from cisco.com; in my case it is the following file:
For the AnyConnect client to work, you need to upload to each ASA an image for every client OS that will be used (Linux/Windows/macOS are planned); you will need the file with "Headend Deployment Package" in its name:
The downloaded files can be placed, for example, on an FTP server and uploaded to each ASA:
We configure ASDM and a self-signed certificate for SSL-VPN (a trusted certificate is recommended in production). The FQDN set for the cluster Virtual Address (vpn-demo.ashes.cc), as well as the FQDN corresponding to the outside address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Detailed information on certificate requirements is given in the Certificate Validation section of the documentation
!
vpn-demo-1(config)# crypto ca trustpoint SELF
vpn-demo-1(config-ca-trustpoint)# enrollment self
vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
vpn-demo-1(config-ca-trustpoint)# serial-number
vpn-demo-1(config-ca-trustpoint)# crl configure
vpn-demo-1(config-ca-crl)# cry ca enroll SELF
% The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
Generate Self-Signed Certificate? [yes/no]: yes
vpn-demo-1(config)#
!
vpn-demo-1(config)# sh cry ca certificates
Certificate
Status: Available
Certificate Serial Number: 4d43725e
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Subject Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Validity Date:
start date: 00:16:17 MSK Mar 19 2020
end date: 00:16:17 MSK Mar 17 2030
Storage: config
Associated Trustpoints: SELF
CA Certificate
Status: Available
Certificate Serial Number: 0509
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA1 with RSA Encryption
Issuer Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Subject Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Validity Date:
start date: 21:27:00 MSK Nov 24 2006
end date: 21:23:33 MSK Nov 24 2031
Storage: config
Associated Trustpoints: _SmartCallHome_ServerCA
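An added example (Python, not code from the article) that parses the `show crypto ca certificates` output above and checks the points made about certificates and DNS names: whether the identity certificate's names cover the cluster VIP FQDN and each node's FQDN, and whether the certificate is within its validity period. Only vpn-demo.ashes.cc and the *.ashes.cc CN come from the article; the per-node FQDNs vpn-demo-1.ashes.cc and vpn-demo-2.ashes.cc and the negative case vpn.lab.ashes.cc are assumed. The command output does not print SubjectAltName entries, so for a real check the SAN of the exported certificate should be compared as well.

```python
"""Parse ASA `show crypto ca certificates` output and check that the identity
certificate's names cover the cluster FQDNs and that it is within its validity.
Added example, not code from the article; SAMPLE_OUTPUT is the article's output
(CA record abridged) and the per-node FQDNs in CLUSTER_FQDNS are assumed."""
from datetime import datetime

SAMPLE_OUTPUT = """\
Certificate
Status: Available
Certificate Serial Number: 4d43725e
Certificate Usage: General Purpose
Public Key Type: RSA (4096 bits)
Signature Algorithm: SHA256 with RSA Encryption
Issuer Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Subject Name:
serialNumber=9A439T02F95
hostname=vpn-demo.ashes.cc
cn=*.ashes.cc
ou=ashes-lab
o=ashes
c=ru
Validity Date:
start date: 00:16:17 MSK Mar 19 2020
end date: 00:16:17 MSK Mar 17 2030
Storage: config
Associated Trustpoints: SELF
CA Certificate
Signature Algorithm: SHA1 with RSA Encryption
Subject Name:
cn=QuoVadis Root CA 2
o=QuoVadis Limited
c=BM
Validity Date:
start date: 21:27:00 MSK Nov 24 2006
end date: 21:23:33 MSK Nov 24 2031
Associated Trustpoints: _SmartCallHome_ServerCA
"""

# VIP FQDN from the article; node FQDNs and the two-level negative case are assumed.
CLUSTER_FQDNS = ["vpn-demo.ashes.cc", "vpn-demo-1.ashes.cc",
                 "vpn-demo-2.ashes.cc", "vpn.lab.ashes.cc"]

def parse_asa_date(value):
    """'00:16:17 MSK Mar 19 2020' -> naive datetime; the ASA zone label is dropped."""
    parts = value.split()
    return datetime.strptime(f"{parts[0]} {' '.join(parts[2:])}", "%H:%M:%S %b %d %Y")

def parse_show_certificates(text):
    """One dict per 'Certificate' / 'CA Certificate' block of the command output."""
    certs, cert, section = [], None, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line in ("Certificate", "CA Certificate"):
            cert = {"kind": "ca" if line.startswith("CA") else "identity",
                    "issuer": {}, "subject": {}, "validity": {}}
            certs.append(cert)
            section = None
        elif cert is None:
            continue
        elif line in ("Issuer Name:", "Subject Name:", "Validity Date:"):
            section = line.split()[0].lower()            # issuer / subject / validity
        elif section in ("issuer", "subject") and "=" in line:
            key, _, value = line.partition("=")          # e.g. cn=*.ashes.cc
            cert[section][key.strip().lower()] = value.strip()
        elif section == "validity" and line.startswith(("start date:", "end date:")):
            key, _, value = line.partition(":")
            cert["validity"][key.split()[0]] = parse_asa_date(value.strip())
        else:                                            # top-level "Key: value" attribute
            section = None
            key, sep, value = line.partition(":")
            if sep:
                cert[key.strip().lower().replace(" ", "_")] = value.strip()
    return certs

def name_matches(pattern, fqdn):
    """RFC 6125 style: '*' only as the whole leftmost label, matching exactly one label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if not pattern.startswith("*."):
        return pattern == fqdn
    p_labels, f_labels = pattern.split(".")[1:], fqdn.split(".")
    return len(f_labels) == len(p_labels) + 1 and f_labels[1:] == p_labels

def identity_names(cert):
    """Names the command exposes: subject cn and the hostname attribute. The output
    does not list SubjectAltName entries, so check the exported certificate for those."""
    return {cert["subject"][k].lower() for k in ("cn", "hostname") if k in cert["subject"]}

def check_coverage(cert, fqdns):
    """fqdn -> True if some certificate name covers it."""
    return {f: any(name_matches(n, f) for n in identity_names(cert)) for f in fqdns}

def valid_at(cert, when_iso):
    """True if the certificate is inside its validity window at the given ISO date."""
    when = datetime.fromisoformat(when_iso)
    return cert["validity"]["start"] <= when <= cert["validity"]["end"]
```

Running `check_coverage(parse_show_certificates(SAMPLE_OUTPUT)[0], CLUSTER_FQDNS)` shows that the *.ashes.cc wildcard covers the VIP FQDN and the single-label node names but not vpn.lab.ashes.cc, because a wildcard matches exactly one label; a name at a deeper level would need its own entry in the certificate.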
To check that ASDM works, do not forget to specify the port, for example:
Let's perform the basic tunnel settings:
We will make the corporate network reachable through the tunnel and connect to the Internet directly (this is not the most secure approach in the absence of security measures on the connecting host; compromise through an infected host and leakage of corporate data are possible; the tunnelall option of the split-tunnel policy sends all of the host's traffic into the tunnel. Split tunneling, however, makes it possible to offload the VPN gateway by not carrying the host's Internet traffic.)
We will issue tunnel hosts addresses from the subnet 192.168.20.0/24 (a pool of addresses .10 to .30 for node #1). Each cluster node must have its own VPN pool.
We perform basic authentication with a local user created on the ASA (this is not recommended; it is simply the easiest method). It is better to authenticate via LDAP/RADIUS, or better still, add multi-factor authentication (MFA), for example Cisco DUO.
(optional) In the example above we used a local user on the firewall to authenticate remote users, which of course is of little use outside a lab. Here is an example of how to quickly adapt the configuration to authenticate against a RADIUS server, for example Cisco Identity Services Engine:
This integration makes it possible not only to quickly plug into the authentication system and the AD directory service, but also to distinguish whether a computer is joined to AD, to tell whether it is a corporate or personal device, and to assess the state of the connecting device.
Let's configure identity (transparent) NAT so that traffic between the client and resources on the corporate network is not translated:
!
vpn-demo-1(config)# object network vpn-users
vpn-demo-1(config-network-object)# subnet 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp
!
(optional) To let our clients out to the Internet through the ASA (when the tunnelall option is used) with PAT, and out the same outside interface they connect on, you need to make the following setting:
It is very important when using a cluster to let the inside network know which ASA to return user traffic to; for that it is necessary to redistribute the /32 routes of the addresses issued to clients.
At this point we have not configured the cluster yet, but we already have working VPN gateways that you can connect to individually by FQDN or IP.
We see the connected client in the routing table of the first ASA:
So that our whole VPN cluster and all corporate networks know the route to our client, we will redistribute the client prefix into the dynamic routing protocol, for example OSPF:
Now we have a route to the client that entered through the second gateway, ASA-2, and users connected to different VPN gateways within the cluster can communicate with each other directly, for example by corporate telephony, since the return traffic for the resource requested by a user arrives at the right VPN gateway:
Let's move on to building the VPN Load-Balancing cluster.
The address 192.168.31.40 will be used as the Virtual IP (VIP, the address all VPN clients connect to first); from this address the Cluster Master redirects the client to the less loaded cluster node. Don't forget to register both forward and reverse DNS records for the outside address/FQDN of each cluster node and for the VIP.
We verify the cluster's operation with two connected clients:
Let's make the client experience more convenient by automatically deploying an AnyConnect profile via ASDM.
We give the profile a convenient name and bind it to our group policy:
After the next client connection this profile is automatically downloaded and installed in the AnyConnect client, so to connect you only need to choose it from the list:
Since we used ASDM to create this profile on only one ASA, don't forget to repeat the steps on the remaining ASAs in the cluster.
Conclusion: So, we have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy, which gives simple horizontal scaling by deploying new ASAv virtual machines or by using hardware ASAs. The feature-rich AnyConnect client can significantly enhance your secure remote-access capabilities with Posture (endpoint state assessment), which is most effective in conjunction with the centralized access control and accounting system, Identity Services Engine.
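As an added illustration of the behaviour described in this article (the Cluster Master redirecting clients from the VIP to the least loaded node, each node handing out addresses from its own pool, the /32 host routes the inside network has to learn, and the loss of sessions when a node fails because nothing is synchronised), here is a small Python model. It is not ASA code and not from the article: the VIP 192.168.31.40, node 1's inside address 192.168.255.2 and its pool 192.168.20.10-30 come from the article, while the second node's inside address and pool, the client names and the tie-breaking rule are assumptions.

```python
"""Model of a VPN Load-Balancing cluster: the master redirects each new client
to the least-loaded live node, each node allocates from its own address pool,
and the inside network needs a /32 route per client pointing at that node.

Added illustration, not ASA code. The VIP 192.168.31.40, node 1's inside
address 192.168.255.2 and its pool 192.168.20.10-30 are from the article;
the second node's inside address and pool, and the client names, are assumed.
"""
import ipaddress


class Node:
    def __init__(self, name, inside_ip, pool_first, pool_last):
        self.name = name
        self.inside_ip = inside_ip
        lo = int(ipaddress.ip_address(pool_first))
        hi = int(ipaddress.ip_address(pool_last))
        self.pool = [str(ipaddress.ip_address(a)) for a in range(lo, hi + 1)]
        self.free = list(self.pool)         # lowest address is handed out first
        self.sessions = {}                  # client -> address from this node's pool
        self.alive = True

    @property
    def load(self):
        return len(self.sessions)


class Cluster:
    def __init__(self, vip, nodes):
        self.vip = vip
        self.nodes = nodes
        self._check_pools_disjoint()

    def _check_pools_disjoint(self):
        # Pools must not overlap: a /32 for one address cannot point at two nodes.
        seen = {}
        for node in self.nodes:
            for addr in node.pool:
                if addr in seen:
                    raise ValueError(f"{addr} is in both {seen[addr]} and {node.name}")
                seen[addr] = node.name

    def connect(self, client):
        """Client connects to the VIP; the master sends it to the least-loaded live
        node (ties go to the first node listed), which assigns it a pool address."""
        live = [n for n in self.nodes if n.alive]
        if not live:
            raise RuntimeError("no live node left in the cluster")
        target = min(live, key=lambda n: n.load)
        if not target.free:
            raise RuntimeError(f"{target.name}: address pool exhausted")
        addr = target.free.pop(0)
        target.sessions[client] = addr
        return target.name, addr

    def fail(self, name):
        """A node goes down. Nothing is synchronised, so its sessions are gone and
        those clients have to reconnect through the VIP (and get new addresses)."""
        node = next(n for n in self.nodes if n.name == name)
        node.alive = False
        lost = list(node.sessions)
        node.sessions.clear()
        return lost

    def distribution(self):
        return {n.name: n.load for n in self.nodes}

    def host_routes(self):
        """/32 routes the inside network must learn (e.g. via OSPF redistribution):
        client address -> inside address of the node terminating that client."""
        return {addr: n.inside_ip
                for n in self.nodes if n.alive
                for addr in n.sessions.values()}


def build_cluster():
    return Cluster("192.168.31.40", [
        Node("ASA-1", "192.168.255.2", "192.168.20.10", "192.168.20.30"),
        Node("ASA-2", "192.168.255.3", "192.168.20.31", "192.168.20.51"),  # assumed
    ])


def demo():
    """Four clients, then ASA-1 fails and its clients reconnect via the VIP."""
    cluster = build_cluster()
    for client in ("c1", "c2", "c3", "c4"):
        cluster.connect(client)
    before = cluster.distribution()
    lost = cluster.fail("ASA-1")
    for client in lost:
        cluster.connect(client)
    return before, lost, cluster.distribution(), cluster.host_routes()


if __name__ == "__main__":
    before, lost, after, routes = demo()
    print("balanced:", before)
    print("sessions dropped by ASA-1 failure:", lost)
    print("after reconnect:", after)
    for addr, via in sorted(routes.items()):
        print(f"route inside {addr}/32 via {via}")
```

The model shows why each node needs its own pool and why the /32 routes must be redistributed: after ASA-1 fails, the clients reconnect to ASA-2 with new addresses from ASA-2's pool, and the inside network must now learn those /32s pointing at ASA-2's inside address. Nothing about the old sessions survives, which is the state-preservation gap that failover, not the Load-Balancing cluster, closes.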