In this article, I would like to give step-by-step instructions on how you can quickly deploy the most scalable scheme available at the moment: Remote-Access VPN based on AnyConnect and Cisco ASA, the VPN Load Balancing Cluster.
Introduction: Many companies around the world, in view of the current COVID-19 situation, are making efforts to move their employees to remote work. Because of the mass transition to remote work, the load on companies' existing VPN gateways is rising sharply, and the ability to scale them very quickly is required. On the other hand, many companies are forced to hastily master the concept of remote work from scratch.
To help businesses achieve convenient, secure and scalable VPN access for employees in the shortest possible time, Cisco is licensing the feature-rich AnyConnect SSL VPN client for up to 13 weeks.
I have prepared a step-by-step guide for a simple deployment of a VPN Load-Balancing Cluster as the most scalable VPN technology.
The example below is quite simple in terms of the authentication and authorization algorithms used, but it is a good option for a quick start (which many currently lack), with the possibility of deep adaptation to your needs during the deployment process.
Brief information: VPN Load Balancing Cluster technology is neither failover nor a clustering function in its native sense. This technology can combine completely different ASA models (with certain restrictions) in order to load-balance Remote-Access VPN connections. There is no synchronization of sessions or configurations between the nodes of such a cluster, but it is possible to load-balance VPN connections automatically and to keep VPN connections fault-tolerant as long as at least one active node remains in the cluster. The load in the cluster is balanced automatically according to the workload of the nodes, measured by the number of VPN sessions.
For failover of specific cluster nodes (if required), failover can be used, in which case the active connection is handled by the Primary node of the failover pair. Failover is not a required condition for fault tolerance within the Load-Balancing cluster: when a node fails, the cluster itself moves the user session to another live node, but without preserving the connection state, which is exactly what failover provides. Accordingly, the two technologies can be combined if necessary.
A VPN Load-Balancing cluster can contain more than two nodes.
VPN Load-Balancing Cluster is supported on ASA 5512-X and above.
Since each ASA within the VPN Load-Balancing cluster is an independent unit in terms of settings, we carry out all configuration steps individually on each device.
Logical topology of the given example:
Primary deployment:
- We deploy ASAv instances of the templates we need (ASAv5/10/30/50) from the image.
- We assign the INSIDE / OUTSIDE interfaces to the same VLANs (OUTSIDE in its own VLAN, INSIDE in its own, but common within the cluster, see the topology); it is important that interfaces of the same type are in the same L2 segment.
- Licenses:
- At this point the ASAv installation will not have any licenses and will be limited to 100kbps.
- To install a license, you need to generate a token in your Smart-Account: https://software.cisco.com/ -> Smart Software Licensing
- In the window that opens, click the New Token button
- Make sure that in the window that opens the field is active and the checkbox Allow export-controlled functionality… is ticked. Without this field active, you will not be able to use strong encryption functions and, accordingly, VPN. If this field is not active, please contact your account team with an activation request.
- After pressing the Create Token button, a token is created that we will use to obtain a license for the ASAv; copy it:
- Repeat steps C, D, E for each deployed ASAv.
- To make it easier to copy the token, let's temporarily allow telnet. Let's configure each ASA (the example below shows the settings on ASA-1). Telnet does not work on outside; if you really need it, change the security-level to 100 on outside, then return it back.
    !
    ciscoasa(config)# int gi0/0
    ciscoasa(config)# nameif outside
    ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# int gi0/1
    ciscoasa(config)# nameif inside
    ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# telnet 0 0 inside
    ciscoasa(config)# username admin password cisco priv 15
    ciscoasa(config)# ena password cisco
    ciscoasa(config)# aaa authentication telnet console LOCAL
    !
    ciscoasa(config)# route outside 0 0 192.168.31.1
    !
    ciscoasa(config)# wr
    !
- To register the token in the Smart-Account cloud, you need to provide the ASA with Internet access; details here.
In short, the ASA needs:
- HTTPS access to the Internet;
- time synchronization (more correctly, via NTP);
- a registered DNS server;
- We connect to our ASA via telnet and make the settings to activate the license through Smart-Account.
    !
    ciscoasa(config)# clock set 19:21:00 Mar 18 2020
    ciscoasa(config)# clock timezone MSK 3
    ciscoasa(config)# ntp server 192.168.99.136
    !
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config)# dns server-group DefaultDNS
    ciscoasa(config-dns-server-group)# name-server 192.168.99.132
    !
    ! Check that DNS works:
    !
    ciscoasa(config-dns-server-group)# ping ya.ru
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
    !!!!!
    !
    ! Check NTP synchronization:
    !
    ciscoasa(config)# show ntp associations
          address         ref clock     st  when  poll reach  delay  offset    disp
    *~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
     * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    !
    ! Set the configuration of our ASAv for Smart-Licensing (according to your profile; in my case 100M, as an example)
    !
    ciscoasa(config)# license smart
    ciscoasa(config-smart-lic)# feature tier standard
    ciscoasa(config-smart-lic)# throughput level 100M
    !
    ! If necessary, Internet access through a proxy can be configured with the following block of commands:
    !call-home
    !  http-proxy ip_address port port
    !
    ! Next we paste the token copied from the Smart-Account portal (<token>) and register the license
    !
    ciscoasa(config)# end
    ciscoasa# license smart register idtoken <token>
- We check that the device has successfully registered the license and that the encryption options are available:
- Set up basic SSL-VPN on each gateway
- Next, configure access via SSH and ASDM:
    ciscoasa(config)# ssh ver 2
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# aaa authentication http console LOCAL
    ciscoasa(config)# hostname vpn-demo-1
    vpn-demo-1(config)# domain-name ashes.cc
    vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096
    vpn-demo-1(config)# ssh 0 0 inside
    vpn-demo-1(config)# http 0 0 inside
    !
    ! Bring up the HTTPS server for ASDM on port 445 so that it does not clash with the SSL-VPN portal
    !
    vpn-demo-1(config)# http server enable 445
    !
- For ASDM to work, you must first download it from cisco.com; in my case it is the following file:
- For the AnyConnect client to work, you need to upload an image to each ASA for each client desktop OS in use (Linux / Windows / MAC are planned); you will need the file with Headend Deployment Package in its name:
- The downloaded files can be placed, for example, on an FTP server and loaded onto each ASA:
- We configure ASDM and a Self-Signed certificate for SSL-VPN (it is recommended to use a trusted certificate in production). The FQDN set for the Virtual Cluster Address (vpn-demo.ashes.cc), as well as each FQDN associated with the external address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Detailed certificate requirements are given in the Certificate Verification section of the documentation.
    !
    vpn-demo-1(config)# crypto ca trustpoint SELF
    vpn-demo-1(config-ca-trustpoint)# enrollment self
    vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
    vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
    vpn-demo-1(config-ca-trustpoint)# serial-number
    vpn-demo-1(config-ca-trustpoint)# crl configure
    vpn-demo-1(config-ca-crl)# cry ca enroll SELF
    % The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
    Generate Self-Signed Certificate? [yes/no]: yes
    vpn-demo-1(config)#
    !
    vpn-demo-1(config)# sh cry ca certificates
    Certificate
      Status: Available
      Certificate Serial Number: 4d43725e
      Certificate Usage: General Purpose
      Public Key Type: RSA (4096 bits)
      Signature Algorithm: SHA256 with RSA Encryption
      Issuer Name:
        serialNumber=9A439T02F95
        hostname=vpn-demo.ashes.cc
        cn=*.ashes.cc
        ou=ashes-lab
        o=ashes
        c=ru
      Subject Name:
        serialNumber=9A439T02F95
        hostname=vpn-demo.ashes.cc
        cn=*.ashes.cc
        ou=ashes-lab
        o=ashes
        c=ru
      Validity Date:
        start date: 00:16:17 MSK Mar 19 2020
        end date: 00:16:17 MSK Mar 17 2030
      Storage: config
      Associated Trustpoints: SELF

    CA Certificate
      Status: Available
      Certificate Serial Number: 0509
      Certificate Usage: General Purpose
      Public Key Type: RSA (4096 bits)
      Signature Algorithm: SHA1 with RSA Encryption
      Issuer Name:
        cn=QuoVadis Root CA 2
        o=QuoVadis Limited
        c=BM
      Subject Name:
        cn=QuoVadis Root CA 2
        o=QuoVadis Limited
        c=BM
      Validity Date:
        start date: 21:27:00 MSK Nov 24 2006
        end date: 21:23:33 MSK Nov 24 2031
      Storage: config
      Associated Trustpoints: _SmartCallHome_ServerCA
- Don't forget to specify the port when checking that ASDM works, for example:
- Let's make the basic tunnel settings:
- Let's make the corporate network available through the tunnel and let Internet traffic go directly (not the most secure method if the connecting host has no protection: it is possible to get in through an infected host and expose corporate data; the split-tunnel-policy tunnelall option sends all host traffic into the tunnel. Nevertheless, split tunnelling offloads the VPN gateway, which then does not have to process the host's Internet traffic)
- Let's issue addresses from the 192.168.20.0/24 subnet to hosts in the tunnel (a pool from address 10 to address 30 (for node #1)). Each node of the VPN cluster must have its own pool.
- We will do basic authentication with a user created locally on the ASA (this is not recommended; it is simply the easiest method). It is better to authenticate through LDAP/RADIUS or, better still, to tie in Multi-Factor Authentication (MFA), for example Cisco DUO.
    !
    vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
    !
    vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
    !
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
    vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client
    vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
    vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
    vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
    vpn-demo-1(config-group-policy)# default-domain value ashes.cc
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# default-group-policy SSL-VPN-GROUP-POLICY
    vpn-demo-1(config-tunnel-general)# address-pool vpn-pool
    !
    vpn-demo-1(config)# username dkazakov password cisco
    vpn-demo-1(config)# username dkazakov attributes
    vpn-demo-1(config-username)# service-type remote-access
    !
    vpn-demo-1(config)# ssl trust-point SELF
    vpn-demo-1(config)# webvpn
    vpn-demo-1(config-webvpn)# enable outside
    vpn-demo-1(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
    vpn-demo-1(config-webvpn)# anyconnect enable
    !
- (OPTIONAL): In the example above, we used a local user on the firewall to authenticate remote users, which, of course, is poorly suited to anything but a lab. I will give an example of how to quickly adapt the setup to authenticate against a RADIUS server, using Cisco Identity Services Engine as the example:
    vpn-demo-1(config)# aaa-server RADIUS protocol radius
    vpn-demo-1(config-aaa-server-group)# dynamic-authorization
    vpn-demo-1(config-aaa-server-group)# interim-accounting-update
    vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
    vpn-demo-1(config-aaa-server-host)# key cisco
    vpn-demo-1(config-aaa-server-host)# exit
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# authentication-server-group RADIUS
    !
This integration made it possible not only to quickly tie the authentication procedure to the AD directory service, but also to distinguish whether the connecting computer belongs to AD, to understand whether the device is corporate or personal, and to assess the state of the connected device.
- Let's configure Transparent NAT so that traffic between the client and the resources of the corporate network is not translated:
    vpn-demo-1(config)# object network vpn-users
    vpn-demo-1(config-network-object)# subnet 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp
- (OPTIONAL): To let our clients out to the Internet through the ASA (when using the tunnelall option) using PAT, leaving through the same OUTSIDE interface they connected on, you need to make the following settings.
    vpn-demo-1(config-network-object)# nat (outside,outside) source dynamic vpn-users interface
    vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
    vpn-demo-1(config)# same-security-traffic permit intra-interface
    !
- When using a cluster, it is extremely important to let the internal network know which ASA to send users' return traffic to; for this you need to redistribute the routes / the /32 addresses issued to clients.
At the moment we have not yet configured the cluster, but we already have working VPN gateways that can be connected to individually by FQDN or IP.
We see the connected client in the routing table of the first ASA:
So that our whole VPN cluster and the whole corporate network know the route to our client, we redistribute the client prefix into a dynamic routing protocol, for example OSPF:
    !
    ! The route-map matches an access-list named VPN-REDISTRIBUTE, which must already exist
    ! (its definition is not shown here)
    vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
    vpn-demo-1(config-route-map)# match ip address VPN-REDISTRIBUTE
    !
    vpn-demo-1(config)# router ospf 1
    vpn-demo-1(config-router)# network 192.168.255.0 255.255.255.0 area 0
    vpn-demo-1(config-router)# log-adj-changes
    vpn-demo-1(config-router)# redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE
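The two rules stated above (each cluster node needs its own address pool, and the clients' /32 routes are redistributed so that return traffic reaches the right ASA) can be checked before a node joins the cluster. The following is an added example, not part of the original article: the node-2 and node-3 pool ranges and the redistributed prefix 192.168.20.0/24 are assumed values, and `check_pools` is a hypothetical helper.

```python
import ipaddress
import re

# Constructed sample configs (not from the article): node 1 uses the article's
# pool; the node 2 and node 3 ranges are assumed, and node 2 wrongly overlaps node 1.
NODE_CONFIGS = {
    "vpn-demo-1": "ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0\n",
    "vpn-demo-2": "ip local pool vpn-pool 192.168.20.25-192.168.20.50 mask 255.255.255.0\n",
    "vpn-demo-3": "ip local pool vpn-pool 192.168.20.51-192.168.20.70 mask 255.255.255.0\n",
}
# Prefix assumed to be matched by the redistribution access-list.
REDISTRIBUTED = ipaddress.ip_network("192.168.20.0/24")

POOL_RE = re.compile(r"^ip local pool (\S+) (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)", re.M)

def parse_pools(configs):
    """Return [(node, pool_name, first_ip, last_ip)] for every 'ip local pool' line."""
    pools = []
    for node, text in configs.items():
        for name, lo, hi in POOL_RE.findall(text):
            pools.append((node, name, ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return pools

def check_pools(configs, redistributed):
    """Report pools that overlap between nodes or fall outside the redistributed prefix."""
    pools = parse_pools(configs)
    problems = []
    for node, name, lo, hi in pools:
        if lo > hi:
            problems.append(f"{node}: pool {name} range is reversed")
        if lo not in redistributed or hi not in redistributed:
            problems.append(f"{node}: pool {name} is outside {redistributed}")
    # Sweep the ranges in address order, remembering the furthest end seen so far,
    # so an overlap is caught even when the two pools are not adjacent in the list.
    reach_node, reach_hi = None, None
    for node, name, lo, hi in sorted(pools, key=lambda p: p[2]):
        if reach_hi is not None and lo <= reach_hi:
            problems.append(f"{reach_node} and {node}: pools overlap from {lo}")
        if reach_hi is None or hi > reach_hi:
            reach_node, reach_hi = node, hi
    return problems
```

With overlapping pools, two gateways can hand out the same address and both advertise its /32, so return traffic may arrive at an ASA that does not hold the session.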
Now we have a route to the client from the second gateway, ASA-2, and users connected to different VPN gateways within the cluster can, for example, talk to each other directly through a corporate softphone, while return traffic from the resources a user requested arrives at the right VPN gateway:
- Let's move on to configuring the Load-Balancing cluster.
The address 192.168.31.40 will be used as the Virtual IP (VIP - all VPN clients will initially connect to it); from this address the cluster Master will REDIRECT to a less loaded cluster node. Don't forget to create forward and reverse DNS records both for each external address / FQDN of each cluster node and for the VIP.
    vpn-demo-1(config)# vpn load-balancing
    vpn-demo-1(config-load-balancing)# interface lbpublic outside
    vpn-demo-1(config-load-balancing)# interface lbprivate inside
    vpn-demo-1(config-load-balancing)# priority 10
    vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
    vpn-demo-1(config-load-balancing)# cluster port 4000
    vpn-demo-1(config-load-balancing)# redirect-fqdn enable
    vpn-demo-1(config-load-balancing)# cluster key cisco
    vpn-demo-1(config-load-balancing)# cluster encryption
    ! this second 'cluster port' value replaces the 4000 entered above
    vpn-demo-1(config-load-balancing)# cluster port 9023
    vpn-demo-1(config-load-balancing)# participate
    vpn-demo-1(config-load-balancing)#
- We check the operation of the cluster with two connected clients:
- Let's make the user experience more convenient with an AnyConnect profile that is downloaded automatically, created via ASDM.
We give the profile a convenient name and associate our group policy with it:
After the client's next connection, this profile is downloaded and installed in the AnyConnect client automatically, so when you need to connect, just select it from the list:
Since we created this profile on only one ASA using ASDM, don't forget to repeat the steps on the other ASAs in the cluster.
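The guide itself marks several of its settings as shortcuts: temporary telnet, a self-signed certificate, a local user instead of RADIUS, and split tunnelling. The added example below (not from the original article) scans a saved running-config for the ones that were left in place; the config excerpt is constructed and `audit` is a hypothetical helper.

```python
import re

# Constructed running-config excerpt in the style of the article's commands
# (not captured from a real device).
SAMPLE = """\
telnet 0.0.0.0 0.0.0.0 inside
crypto ca trustpoint SELF
 enrollment self
ssl trust-point SELF
group-policy SSL-VPN-GROUP-POLICY attributes
 split-tunnel-policy tunnelspecified
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool vpn-pool
"""

def sections(config):
    """Split a running-config into {top-level line: [indented child lines]}."""
    out, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            current = line.strip()
            out.setdefault(current, [])
        elif current is not None:
            out[current].append(line.strip())
    return out

def audit(config):
    """Return findings for the shortcuts the walkthrough itself flags."""
    sec, findings = sections(config), []
    # 'telnet timeout N' is a default line and does not grant access.
    if any(t.startswith("telnet ") and not t.startswith("telnet timeout") for t in sec):
        findings.append("telnet management access is still enabled")
    self_signed = {top.split()[-1] for top, kids in sec.items()
                   if top.startswith("crypto ca trustpoint ") and "enrollment self" in kids}
    for top, kids in sec.items():
        m = re.match(r"ssl trust-point (\S+)", top)
        if m and m.group(1) in self_signed:
            findings.append(f"SSL-VPN presents self-signed trustpoint {m.group(1)}")
        if top.startswith("group-policy ") and "split-tunnel-policy tunnelspecified" in kids:
            findings.append(f"{top.split()[1]}: split tunnelling, Internet traffic bypasses the tunnel")
        if re.match(r"tunnel-group \S+ general-attributes", top) and not any(
                k.startswith("authentication-server-group ") for k in kids):
            findings.append(f"{top.split()[1]}: no authentication-server-group, local users only")
    return findings
```

Because the nodes of the cluster do not synchronize configuration, the check has to be run against the saved configuration of every ASA.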
Conclusion: So, we have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy, giving simple horizontal scaling by deploying new ASAv virtual machines or by using hardware ASAs. The feature-rich AnyConnect client can greatly enhance secure remote connectivity through the use of Posture (state assessment), which is used most effectively together with the centralized access control and accounting system, Identity Services Engine.
source: www.habr.com