Deploying an ASA VPN Load-Balancing Cluster

In this article I would like to give step-by-step instructions on how to quickly deploy the most scalable Remote Access VPN scheme currently available, based on AnyConnect and Cisco ASA: the VPN Load Balancing Cluster.

Introduction: Because of the current COVID-19 situation, many companies around the world are working to move their employees to remote work. With this mass transition, the load on companies' existing VPN gateways is growing critically, and the ability to scale them very quickly is required. On the other hand, many companies are being forced to learn the concept of remote work in a hurry, starting from scratch.

To help businesses provide convenient, secure and scalable VPN access for employees in the shortest possible time, Cisco is licensing the feature-rich AnyConnect SSL VPN client for up to 13 weeks. You can also get an ASAv for testing (a virtual ASA for VMWare/Hyper-V/KVM hypervisors and AWS/Azure cloud platforms) from authorized partners or by contacting the Cisco representatives who work with you.

The procedure for issuing AnyConnect COVID-19 licenses is described here.

I have prepared a step-by-step guide to a simple deployment of a VPN Load-Balancing Cluster as the most scalable VPN technology.

The example below is quite simple in terms of the authentication and authorization algorithms used, but it is a good option for a quick start (which is what many people currently lack), with room for in-depth adaptation to your needs during deployment.

Brief notes: VPN Load Balancing Cluster technology is not failover and is not clustering in the native sense of the word. It can combine completely different ASA models (with certain restrictions) in order to load-balance Remote-Access VPN connections. There is no synchronization of sessions or configuration between the nodes of such a cluster, but VPN connections are load-balanced automatically and remain fault tolerant as long as at least one active node is left in the cluster. Load in the cluster is balanced automatically according to how busy each node is, measured by the number of VPN sessions.

For failover of individual cluster nodes (if required), failover can be used, in which case the active connection is handled by the Primary node of the failover pair. Failover is not a prerequisite for fault tolerance within the Load-Balancing cluster: if a node fails, the cluster itself moves the user session to another live node, but without preserving connection state, which is exactly what failover provides. The two technologies can therefore be combined if necessary.

A VPN Load-Balancing cluster can contain more than two nodes.

VPN Load-Balancing Cluster is supported on ASA 5512-X and above.

Since each ASA in a VPN Load-Balancing cluster is an independent unit as far as settings are concerned, we carry out every configuration step individually on each device.

Technology details here

The logical topology of the example:

Initial deployment:

  1. We deploy ASAv instances of the templates we need (ASAv5/10/30/50) from the image.

  2. We assign the INSIDE / OUTSIDE interfaces to the same VLANs (OUTSIDE in its own VLAN, INSIDE in its own, but shared within the cluster, see the topology). It is important that interfaces of the same type are in the same L2 segment.

  3. Licenses:

    • At this point the ASAv installation has no licenses and is limited to 100 kbps.
    • To install a license, you need to generate a token in your Smart-Account: https://software.cisco.com/ -> Smart Software Licensing
    • In the window that opens, click the New Token button

    • Make sure that in the window that opens the Allow export-controlled functionality… field is active and its checkbox is ticked. Without this field active you will not be able to use strong encryption functions and, consequently, VPN. If the field is not active, contact your account team and ask them to enable it.

    • After you click the Create Token button, a token is created that we will use to obtain a license for the ASAv; copy it:

    • Repeat steps C, D, E for each deployed ASAv.
    • To make it easier to copy the token, let's temporarily allow telnet. We configure each ASA (the example below shows the settings on ASA-1). telnet does not work on outside; if you really need it, change the security-level of outside to 100 and then change it back.

    !
    ciscoasa(config)# int gi0/0
    ciscoasa(config)# nameif outside
    ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# int gi0/1
    ciscoasa(config)# nameif inside
    ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# telnet 0 0 inside
    ciscoasa(config)# username admin password cisco priv 15
    ciscoasa(config)# ena password cisco
    ciscoasa(config)# aaa authentication telnet console LOCAL
    !
    ciscoasa(config)# route outside 0 0 192.168.31.1
    !
    ciscoasa(config)# wr
    !

    • To register the token in the Smart-Account cloud, you must give the ASA Internet access; details here.

    In short, the ASA needs:

    • HTTPS access to the Internet;
    • time synchronization (more precisely, via NTP);
    • a configured DNS server;

    • We connect to our ASA and configure license activation through the Smart-Account.

    !
    ciscoasa(config)# clock set 19:21:00 Mar 18 2020
    ciscoasa(config)# clock timezone MSK 3
    ciscoasa(config)# ntp server 192.168.99.136
    !
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config)# dns server-group DefaultDNS
    ciscoasa(config-dns-server-group)# name-server 192.168.99.132
    !
    ! Check that DNS works:
    !
    ciscoasa(config-dns-server-group)# ping ya.ru
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
    !!!!!
    !
    ! Check NTP synchronization:
    !
    ciscoasa(config)# show ntp associations 
      address         ref clock     st  when  poll reach  delay  offset    disp
    *~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    !
    ! Set the Smart-Licensing configuration of our ASAv (according to your profile; 100M in my case, as an example)
    !
    ciscoasa(config)# license smart
    ciscoasa(config-smart-lic)# feature tier standard
    ciscoasa(config-smart-lic)# throughput level 100M
    !
    ! If necessary, Internet access through a proxy can be configured with the following block of commands:
    !call-home
    !  http-proxy ip_address port port
    !
    ! Next, we paste the token copied from the Smart-Account portal (<token>) and register the license
    !
    ciscoasa(config)# end
    ciscoasa# license smart register idtoken <token>

    • We verify that the device has registered the license successfully and that the encryption options are available:

  4. Configure basic SSL-VPN on each gateway

    • Next, configure access via SSH and ASDM:

    ciscoasa(config)# ssh ver 2
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# aaa authentication http console LOCAL
    ciscoasa(config)# hostname vpn-demo-1
    vpn-demo-1(config)# domain-name ashes.cc
    vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096 
    vpn-demo-1(config)# ssh 0 0 inside  
    vpn-demo-1(config)# http 0 0 inside
    !
    ! Bring up the HTTPS server for ASDM on port 445 so that it does not collide with the SSL-VPN portal
    !
    vpn-demo-1(config)# http server enable 445 
    !

    • For ASDM to work, you must first download it from cisco.com; in my case it is the following file:

    • For the AnyConnect client to work, you need to upload an image to each ASA for every client desktop OS in use (Linux / Windows / MAC are planned); you need the file with Headend Deployment Package in its title:

    • The downloaded files can be uploaded, for example, to an FTP server and transferred to each individual ASA:

    • We configure ASDM and a self-signed certificate for SSL-VPN (a trusted certificate is recommended in production). The configured FQDN of the Virtual Cluster Address (vpn-demo.ashes.cc), as well as each FQDN associated with the external address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Detailed information on the certificate requirements is given in the Certificate Verification section of the documentation.

    !
    vpn-demo-1(config)# crypto ca trustpoint SELF
    vpn-demo-1(config-ca-trustpoint)# enrollment self
    vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
    vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
    vpn-demo-1(config-ca-trustpoint)# serial-number             
    vpn-demo-1(config-ca-trustpoint)# crl configure
    vpn-demo-1(config-ca-crl)# cry ca enroll SELF
    % The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
    Generate Self-Signed Certificate? [yes/no]: yes
    vpn-demo-1(config)# 
    !
    vpn-demo-1(config)# sh cry ca certificates 
    Certificate
    Status: Available
    Certificate Serial Number: 4d43725e
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA256 with RSA Encryption
    Issuer Name: 
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Validity Date: 
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
    Storage: config
    Associated Trustpoints: SELF 
    
    CA Certificate
    Status: Available
    Certificate Serial Number: 0509
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Subject Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Validity Date: 
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
    Storage: config
    Associated Trustpoints: _SmartCallHome_ServerCA               

    • Don't forget to specify the port when checking that ASDM works, for example:

    • Let's make the basic tunnel settings:
    • We make the corporate network reachable through the tunnel and let Internet traffic go out directly. This is not the most secure method if the connecting host has no protection: an infected host can be used as a way in and corporate data can be exfiltrated through it. The split-tunnel-policy tunnelall option sends all of the host's traffic into the tunnel. Split tunnelling, however, offloads the VPN gateway, which then does not have to process the host's Internet traffic.
    • We hand out addresses from the 192.168.20.0/24 subnet to hosts in the tunnel (a pool from address 10 to address 30 for node #1). Each node of the VPN cluster must have its own pool.
    • We perform basic authentication with a user created locally on the ASA. This is not recommended; it is simply the easiest method. It is better to authenticate via LDAP/RADIUS or, better still, to tie in Multi-Factor Authentication (MFA), for example Cisco DUO.

    !
    vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
    !
    vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
    !
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
    vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client 
    vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
    vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
    vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
    vpn-demo-1(config-group-policy)# default-domain value ashes.cc
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)#  default-group-policy SSL-VPN-GROUP-POLICY
    vpn-demo-1(config-tunnel-general)#  address-pool vpn-pool
    !
    vpn-demo-1(config)# username dkazakov password cisco
    vpn-demo-1(config)# username dkazakov attributes
    vpn-demo-1(config-username)# service-type remote-access
    !
    vpn-demo-1(config)# ssl trust-point SELF
    vpn-demo-1(config)# webvpn
    vpn-demo-1(config-webvpn)#  enable outside
    vpn-demo-1(config-webvpn)#  anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
    vpn-demo-1(config-webvpn)#  anyconnect enable
    !

    • (OPTIONAL): In the example above we used a local user on the firewall to authenticate remote users, which is of little use outside a lab. Here is an example of how to quickly adapt the configuration to authenticate against a RADIUS server; Cisco Identity Services Engine is used as the example:

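    ! Define the RADIUS server group that the following lines configure
    vpn-demo-1(config)# aaa-server RADIUS protocol radius
    vpn-demo-1(config-aaa-server-group)# dynamic-authorization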
    vpn-demo-1(config-aaa-server-group)# interim-accounting-update
    vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
    vpn-demo-1(config-aaa-server-host)# key cisco
    vpn-demo-1(config-aaa-server-host)# exit
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# authentication-server-group  RADIUS 
    !

    This integration made it possible not only to tie the authentication procedure to the AD directory service quickly, but also to tell whether the connecting computer belongs to AD, to understand whether the device is corporate or personal, and to assess the state of the connecting device.

    • Let's configure Transparent NAT so that traffic between the client and the resources of the corporate network is not translated:

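    ! Network object for the VPN client pool, referenced by the NAT rule below
    vpn-demo-1(config)# object network vpn-users
    vpn-demo-1(config-network-object)#  subnet 192.168.20.0 255.255.255.0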
    !
    vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp

    • (OPTIONAL): To let our clients out to the Internet through the ASA (when the tunnelall option is used) with PAT, leaving through the same OUTSIDE interface they connected on, make the following settings.

    vpn-demo-1(config)# nat (outside,outside) source dynamic vpn-users interface
    vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
    vpn-demo-1(config)# same-security-traffic permit intra-interface 
    !

    • When a cluster is used, it is extremely important to let the internal network know which ASA return traffic for a given user must be sent to. To do this, you need to redistribute the /32 routes of the addresses issued to clients.
      At this point we have not configured the cluster yet, but we already have working VPN gateways that can each be connected to individually by FQDN or IP.

    We see the connected client in the routing table of the first ASA:

    So that our whole VPN cluster and the whole corporate network know the route to our client, we redistribute the client prefix into a dynamic routing protocol, for example OSPF:

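    !
    ! Standard ACL referenced by the route-map; it matches the VPN pool subnet used above
    vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1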
    vpn-demo-1(config-route-map)#  match ip address VPN-REDISTRIBUTE
    !
    vpn-demo-1(config)# router ospf 1
    vpn-demo-1(config-router)#  network 192.168.255.0 255.255.255.0 area 0
    vpn-demo-1(config-router)#  log-adj-changes
    vpn-demo-1(config-router)#  redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE

    We now have a route to the client from the second gateway, ASA-2. Users connected to different VPN gateways within the cluster can, for example, talk to each other directly over a corporate softphone, and return traffic from the resources a user requested arrives at the right VPN gateway.
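
The two requirements above (every node has its own pool, and the /32 client routes are redistributed) can be checked together before adding a node. This Python sketch is an added example, not part of the original article; it assumes VPN-REDISTRIBUTE is a standard ACL, and the configurations of nodes 2 and 3 are constructed for illustration.

```python
import ipaddress
import re
from itertools import combinations

# Constructed per-node excerpts: node 1 uses the article's pool, nodes 2 and 3
# are invented here to show an overlapping pool and a pool outside the ACL.
ACL = "access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0\n"
NODE_CONFIGS = {
    "vpn-demo-1": "ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0\n" + ACL,
    "vpn-demo-2": "ip local pool vpn-pool 192.168.20.25-192.168.20.60 mask 255.255.255.0\n" + ACL,
    "vpn-demo-3": "ip local pool vpn-pool 192.168.21.10-192.168.21.30 mask 255.255.255.0\n" + ACL,
}

QUAD = r"(\d+\.\d+\.\d+\.\d+)"
POOL_RE = re.compile(rf"^ip local pool \S+ {QUAD}-{QUAD} mask {QUAD}", re.M)
ACL_RE = re.compile(rf"^access-list (\S+) standard permit {QUAD} {QUAD}", re.M)


def parse_pools(config):
    """Return [(first_ip, last_ip)] for every 'ip local pool' line."""
    return [(ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]))
            for m in POOL_RE.finditer(config)]


def parse_acl_networks(config, acl_name):
    """Return the networks permitted by the named standard ACL."""
    return [ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            for m in ACL_RE.finditer(config) if m[1] == acl_name]


def audit_pools(node_configs, acl_name="VPN-REDISTRIBUTE"):
    """List pool overlaps between nodes and pools the node does not redistribute."""
    findings = []
    pools = {node: parse_pools(cfg) for node, cfg in node_configs.items()}
    # 1. Two nodes must never hand out the same client address.
    for (a, a_pools), (b, b_pools) in combinations(pools.items(), 2):
        for a_first, a_last in a_pools:
            for b_first, b_last in b_pools:
                if a_first <= b_last and b_first <= a_last:
                    lo, hi = max(a_first, b_first), min(a_last, b_last)
                    findings.append(f"overlap {a}/{b}: {lo}-{hi}")
    # 2. Each pool must fall inside a network matched by the redistribution ACL,
    #    otherwise the inside network never learns the /32 client routes.
    for node, cfg in node_configs.items():
        nets = parse_acl_networks(cfg, acl_name)
        for first, last in pools[node]:
            if not any(first in n and last in n for n in nets):
                findings.append(f"not redistributed on {node}: {first}-{last}")
    return findings


if __name__ == "__main__":
    for line in audit_pools(NODE_CONFIGS):
        print(line)
```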

  5. Let's move on to configuring the Load-Balancing cluster.

    The address 192.168.31.40 will be used as the Virtual IP (VIP: all VPN clients connect to it first); from this address the cluster Master REDIRECTs the client to a less loaded cluster node. Don't forget to create forward and reverse DNS records both for every external address / FQDN of each cluster node and for the VIP.

    vpn-demo-1(config)# vpn load-balancing
    vpn-demo-1(config-load-balancing)# interface lbpublic outside
    vpn-demo-1(config-load-balancing)# interface lbprivate inside
    vpn-demo-1(config-load-balancing)# priority 10
    vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
    vpn-demo-1(config-load-balancing)# cluster port 4000
    vpn-demo-1(config-load-balancing)# redirect-fqdn enable
    vpn-demo-1(config-load-balancing)# cluster key cisco
    vpn-demo-1(config-load-balancing)# cluster encryption
    vpn-demo-1(config-load-balancing)# cluster port 9023
    vpn-demo-1(config-load-balancing)# participate
    vpn-demo-1(config-load-balancing)#

    • We check how the cluster works with two connected clients:

    • Let's make the client experience more convenient with an automatically downloaded AnyConnect profile, created via ASDM.

    We give the profile a convenient name and associate our group policy with it:

    After the client's next connection, this profile is downloaded and installed in the AnyConnect client automatically, so to connect you only need to select it from the list:

    Since we created this profile with ASDM on only one ASA, don't forget to repeat the steps on the other ASAs in the cluster.
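
Because every node is configured separately, the shortcuts this walkthrough itself flags (temporary telnet, the self-signed certificate, local-user authentication, split tunnelling) are easy to leave behind on one of them. This Python sketch is an added example, not part of the original article; it scans a saved running-config for those settings, and the finding names and the sample configuration are constructed for illustration.

```python
import re

# Constructed excerpt in "show running-config" layout; it mirrors the lab
# settings from the walkthrough and is not output captured from a device.
LAB_CONFIG = """\
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
crypto ca trustpoint SELF
 enrollment self
 fqdn vpn-demo.ashes.cc
ssl trust-point SELF
group-policy SSL-VPN-GROUP-POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-pool
 default-group-policy SSL-VPN-GROUP-POLICY
"""


def sections(config):
    """Map each top-level command to the list of its indented sub-commands."""
    out, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and current is not None:
            out[current].append(raw.strip())
        elif not raw[0].isspace():
            current = raw.strip()
            out.setdefault(current, [])
    return out


def audit(config):
    """Return sorted (check, object) findings for one node's configuration."""
    cfg, found = sections(config), set()
    self_signed = {top.split()[-1] for top, sub in cfg.items()
                   if top.startswith("crypto ca trustpoint ") and "enrollment self" in sub}
    for top, sub in cfg.items():
        words = top.split()
        # "telnet timeout N" is always present; only address/mask/interface lines grant access.
        if re.fullmatch(r"telnet \S+ \S+ \S+", top):
            found.add(("telnet-enabled", words[-1]))
        # The SSL-VPN portal is served with a certificate from a self-enrolled trustpoint.
        if top.startswith("ssl trust-point ") and words[2] in self_signed:
            found.add(("self-signed-ssl-cert", words[2]))
        # Informational: Internet traffic of the client bypasses the tunnel.
        if top.startswith("group-policy ") and "split-tunnel-policy tunnelspecified" in sub:
            found.add(("split-tunnel", words[1]))
        # No AAA server group (or LOCAL as the first one) means local-user authentication.
        if top.startswith("tunnel-group ") and top.endswith(" general-attributes"):
            servers = [s.split()[1] for s in sub if s.startswith("authentication-server-group ")]
            if not servers or "LOCAL" in servers:
                found.add(("local-user-auth", words[1]))
    return sorted(found)


if __name__ == "__main__":
    for check, obj in audit(LAB_CONFIG):
        print(f"{check}: {obj}")
```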

Conclusion: We have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy: it scales horizontally, simply by deploying new ASAv virtual machines or by using hardware ASAs. The feature-rich AnyConnect client can greatly strengthen secure remote connectivity through Posture (state assessment), which is used most effectively together with Identity Services Engine, the centralized access control and accounting system.

Source: www.habr.com
