Deploying an ASA VPN Load-Balancing Cluster

In this article I would like to give step-by-step instructions on how to quickly deploy the most scalable remote-access VPN design available today, based on AnyConnect and Cisco ASA: a VPN load-balancing cluster.

Introduction: Many companies around the world, because of the current COVID-19 situation, are making efforts to move their employees to remote work. Because of the mass shift to remote work, the load on companies' existing VPN gateways is growing dramatically, and the ability to scale them quickly is needed. On the other hand, many companies are forced to master the concept of remote work from scratch in a hurry.

To help businesses quickly organize convenient, secure and scalable VPN access for employees, Cisco is providing 13-week licenses for the feature-rich AnyConnect SSL-VPN client. You can also obtain an ASAv for trial (virtual ASA for VMware/Hyper-V/KVM hypervisors and the AWS/Azure cloud platforms) from authorized partners or by contacting the Cisco representatives working with you.

The procedure for issuing AnyConnect COVID-19 licenses is described here.

I have prepared step-by-step instructions for a simple way of deploying a VPN load-balancing cluster, the most scalable VPN technology.

The example below is quite simple from the point of view of the authentication and authorization mechanisms used, but it is a good option for a quick start (which is something many people lack right now), with the possibility of deeper customization to your needs during deployment.

Brief information: VPN load-balancing cluster technology is not failover or clustering in the native sense; it can combine completely different ASA models (with certain restrictions) in order to load-balance remote-access VPN connections. There is no synchronization of sessions or configurations between the nodes of such a cluster, but it is possible to load-balance VPN connections automatically and to keep VPN connectivity available as long as at least one active node remains in the cluster. The load within the cluster is balanced automatically according to the nodes' load, measured by the number of VPN sessions.

For fault tolerance of specific cluster nodes (if required), failover can be used, so that an active connection is continued by the failover pair's active node. Failover is not a prerequisite for fault tolerance within a load-balancing cluster; in the event of a node failure, the cluster itself will move the user session to another live node, but without preserving connection state, which is exactly what failover provides. Therefore, these two technologies can be combined if necessary.

A VPN load-balancing cluster can contain more than two nodes.

VPN load balancing is supported on the ASA 5512-X and higher.

Since each ASA within a VPN load-balancing cluster is an independent unit in terms of configuration, we perform all configuration steps individually on each device.

Details of the technology are here.

Logical topology of the given example:

[figure: logical topology of the example deployment]

Initial setup:

  1. We deploy ASAv instances of the required models (ASAv5/10/30/50) from the image.

  2. We place the INSIDE/OUTSIDE interfaces in the same VLANs (OUTSIDE in its own VLAN, INSIDE in its own, but shared within the cluster; see the topology). It is important that interfaces of the same type are in the same L2 segment.

  3. Licenses:

    • At installation time, the ASAv will not have any licenses and will be limited to 100 kbit/s.
    • To install a license, you need to generate a token in your Smart Account: https://software.cisco.com/ -> Smart Software Licensing
    • In the window that opens, click the New Token button.
    • Make sure that the field in the window that opens is active and that the Allow export-controlled functionality checkbox is checked. Without this field active, you will not be able to use strong encryption functions and, consequently, VPN. If this field is not active, please contact your account team to request activation.
    • After clicking the Create Token button, a token will be created that we will use to obtain the license for the ASAv; copy it.
    • Let's repeat steps C, D, E for each deployed ASAv.
    • To make it easier to copy the token, let's temporarily enable telnet. Let's configure each ASA (the example below describes the settings on ASA-1). Telnet from outside does not work; if you really need it, change the security-level on outside to 100, then change it back.

    !
    ciscoasa(config)# int gi0/0
    ciscoasa(config)# nameif outside
    ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# int gi0/1
    ciscoasa(config)# nameif inside
    ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
    ciscoasa(config)# no shut
    !
    ciscoasa(config)# telnet 0 0 inside
    ciscoasa(config)# username admin password cisco priv 15
    ciscoasa(config)# ena password cisco
    ciscoasa(config)# aaa authentication telnet console LOCAL
    !
    ciscoasa(config)# route outside 0 0 192.168.31.1
    !
    ciscoasa(config)# wr
    !

    • To register the token in the Smart Account cloud, you must provide the ASA with Internet access; details here.

    In short, the ASA needs:

    • Internet access via HTTPS;
    • time synchronization (preferably via NTP);
    • a configured DNS server.

    • We connect via telnet to our ASA and perform the settings to activate the license via Smart Account.

    !
    ciscoasa(config)# clock set 19:21:00 Mar 18 2020
    ciscoasa(config)# clock timezone MSK 3
    ciscoasa(config)# ntp server 192.168.99.136
    !
    ciscoasa(config)# dns domain-lookup outside
    ciscoasa(config)# dns server-group DefaultDNS
    ciscoasa(config-dns-server-group)# name-server 192.168.99.132
    !
    ! Let's check that DNS works:
    !
    ciscoasa(config-dns-server-group)# ping ya.ru
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
    !!!!!
    !
    ! Let's check NTP synchronization:
    !
    ciscoasa(config)# show ntp associations
      address         ref clock     st  when  poll reach  delay  offset    disp
    *~192.168.99.136   91.189.94.4       3    63    64    1    36.7    1.85    17.5
    * master (synced), # master (unsynced), + selected, - candidate, ~ configured
    !
    ! Set the Smart Licensing configuration of our ASAv (according to your profile; in my case 100M, as an example)
    !
    ciscoasa(config)# license smart
    ciscoasa(config-smart-lic)# feature tier standard
    ciscoasa(config-smart-lic)# throughput level 100M
    !
    ! If necessary, Internet access through a proxy can be configured with the following block of commands:
    !call-home
    !  http-proxy ip_address port port
    !
    ! Next we paste the token copied from the Smart Account portal (<token>) and register the license
    !
    ciscoasa(config)# end
    ciscoasa# license smart register idtoken <token>

    • We check that the device has registered successfully and that the encryption options are available.

  4. Basic SSL-VPN setup on each gateway

    • Next, we configure access via SSH and ASDM:

    ciscoasa(config)# ssh ver 2
    ciscoasa(config)# aaa authentication ssh console LOCAL
    ciscoasa(config)# aaa authentication http console LOCAL
    ciscoasa(config)# hostname vpn-demo-1
    vpn-demo-1(config)# domain-name ashes.cc
    vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096 
    vpn-demo-1(config)# ssh 0 0 inside  
    vpn-demo-1(config)# http 0 0 inside
    !
    ! Bring up the HTTPS server for ASDM on port 445 so that it does not clash with the SSL-VPN portal
    !
    vpn-demo-1(config)# http server enable 445 
    !

    • For ASDM to work, it must first be downloaded from cisco.com; in my case it was the following file:

    [screenshot]

    • For the AnyConnect client to work, an image must be uploaded to each ASA for every client desktop platform in use (Linux/Windows/Mac are planned); you will need the file with Headend Deployment Package in its title:

    [screenshot]

    • The downloaded files can be placed, for example, on an FTP server and copied to each ASA:

    [screenshot]

    • We configure ASDM and a self-signed certificate for SSL-VPN (using a trusted certificate in production is recommended). The configured FQDN of the cluster virtual address (vpn-demo.ashes.cc), and each FQDN associated with the external address of each cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). Detailed information on the certificate requirements is given in the Certificate Verification section of the documentation.

    !
    vpn-demo-1(config)# crypto ca trustpoint SELF
    vpn-demo-1(config-ca-trustpoint)# enrollment self
    vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
    vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
    vpn-demo-1(config-ca-trustpoint)# serial-number             
    vpn-demo-1(config-ca-trustpoint)# crl configure
    vpn-demo-1(config-ca-crl)# cry ca enroll SELF
    % The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
    Generate Self-Signed Certificate? [yes/no]: yes
    vpn-demo-1(config)# 
    !
    vpn-demo-1(config)# sh cry ca certificates 
    Certificate
    Status: Available
    Certificate Serial Number: 4d43725e
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA256 with RSA Encryption
    Issuer Name: 
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
    Validity Date: 
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
    Storage: config
    Associated Trustpoints: SELF 
    
    CA Certificate
    Status: Available
    Certificate Serial Number: 0509
    Certificate Usage: General Purpose
    Public Key Type: RSA (4096 bits)
    Signature Algorithm: SHA1 with RSA Encryption
    Issuer Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Subject Name: 
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
    Validity Date: 
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
    Storage: config
    Associated Trustpoints: _SmartCallHome_ServerCA               

    • To check ASDM, don't forget to specify the port, for example:

    [screenshot]

    • Let's make the basic tunnel settings:
    • We will give access to the corporate network through the tunnel and connect to the Internet directly (not the most secure approach in the absence of security measures on the connecting host: an infected host could reach production corporate data; the split-tunnel-policy tunnelall option would send all of the host's traffic into the tunnel. Split tunneling, however, makes it possible to offload the VPN gateway and not process the host's Internet traffic).
    • We will give hosts in the tunnel addresses from the subnet 192.168.20.0/24 (a pool of addresses .10 to .30 (for node #1)). Each node in the cluster must have its own VPN pool.
    • Let's do basic authentication with a user created locally on the ASA (this is not recommended; it is simply the easiest way); it is better to authenticate via LDAP/RADIUS, or better still, tie in multi-factor authentication (MFA), for example Cisco DUO.

    !
    vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
    !
    vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
    !
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
    vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
    vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client 
    vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
    vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
    vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
    vpn-demo-1(config-group-policy)# default-domain value ashes.cc
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)#  default-group-policy SSL-VPN-GROUP-POLICY
    vpn-demo-1(config-tunnel-general)#  address-pool vpn-pool
    !
    vpn-demo-1(config)# username dkazakov password cisco
    vpn-demo-1(config)# username dkazakov attributes
    vpn-demo-1(config-username)# service-type remote-access
    !
    vpn-demo-1(config)# ssl trust-point SELF
    vpn-demo-1(config)# webvpn
    vpn-demo-1(config-webvpn)#  enable outside
    vpn-demo-1(config-webvpn)#  anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
    vpn-demo-1(config-webvpn)#  anyconnect enable
    !

    • (Optional): In the example above, we use a local user on the firewall to authenticate remote users, which is of little use outside a lab. I will give an example of how to quickly adapt the configuration for authentication on a RADIUS server, using, for example, Cisco Identity Services Engine:

    ! define the RADIUS server group first (this line is missing from the original capture)
    vpn-demo-1(config)# aaa-server RADIUS protocol radius
    vpn-demo-1(config-aaa-server-group)# dynamic-authorization
    vpn-demo-1(config-aaa-server-group)# interim-accounting-update
    vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
    vpn-demo-1(config-aaa-server-host)# key cisco
    vpn-demo-1(config-aaa-server-host)# exit
    vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
    vpn-demo-1(config-tunnel-general)# authentication-server-group RADIUS
    !

    This integration makes it possible not only to quickly tie the authentication procedure to the AD directory service, but also to distinguish whether the connecting computer is an AD member, to tell whether it is a corporate or a personal device, and to assess the posture of the connecting device.

    • Let's configure NAT exemption so that traffic between the client and the corporate network's resources is not interfered with:

    ! network object describing the VPN client pool (the object definition is missing from the original capture)
    vpn-demo-1(config)# object network vpn-users
    vpn-demo-1(config-network-object)#  subnet 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp

    • (Optional): To let our clients out to the Internet through the ASA (when using the tunnelall option) using PAT, and out through the same outside interface from which they connected, the following settings are needed:

    vpn-demo-1(config-network-object)# nat (outside,outside) source dynamic vpn-users interface
    vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
    vpn-demo-1(config)# same-security-traffic permit intra-interface 
    !

    • When using a cluster it is very important that the internal network knows through which ASA to return traffic to the users; for this, the /32 routes of the addresses issued to clients must be redistributed.
      At this point, we have not yet configured the cluster, but we already have working VPN gateways to which you can connect individually by FQDN or IP.

    [screenshot]

    We see the connected client in the routing table of the first ASA:

    [screenshot]

    So that our whole VPN cluster and the whole corporate network know the route to our client, we redistribute the client prefix into a dynamic routing protocol, for example OSPF:

    !
    ! standard ACL selecting the client /32 routes to redistribute (assumed; the ACL is not shown in the original capture)
    vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
    !
    vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
    vpn-demo-1(config-route-map)#  match ip address VPN-REDISTRIBUTE
    !
    vpn-demo-1(config)# router ospf 1
    vpn-demo-1(config-router)#  network 192.168.255.0 255.255.255.0 area 0
    vpn-demo-1(config-router)#  log-adj-changes
    vpn-demo-1(config-router)#  redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE

    Now we have a route to the client from the second gateway, ASA-2, and users connected to different VPN gateways within the cluster can, for example, talk directly over a softphone, just as return traffic from the resources a user requested will arrive at the right VPN gateway:

    [screenshot]

  5. Let's proceed to setting up the load-balancing cluster.

    The address 192.168.31.40 will be used as the virtual IP (VIP; all VPN clients connect to it first); from this address the cluster master will REDIRECT the client to the least-loaded cluster node. Don't forget to register both forward and reverse DNS records for each external address/FQDN of each cluster node, and for the VIP.

    vpn-demo-1(config)# vpn load-balancing
    vpn-demo-1(config-load-balancing)# interface lbpublic outside
    vpn-demo-1(config-load-balancing)# interface lbprivate inside
    vpn-demo-1(config-load-balancing)# priority 10
    vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
    vpn-demo-1(config-load-balancing)# cluster port 4000
    vpn-demo-1(config-load-balancing)# redirect-fqdn enable
    vpn-demo-1(config-load-balancing)# cluster key cisco
    vpn-demo-1(config-load-balancing)# cluster encryption
    vpn-demo-1(config-load-balancing)# cluster port 9023
    vpn-demo-1(config-load-balancing)# participate
    vpn-demo-1(config-load-balancing)#
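    As an added example (not from the original article or from Cisco), the following Python check validates a cluster plan against two constraints stated above: each node needs its own, non-overlapping address pool, and the VIP must be a free address on the shared OUTSIDE segment that differs from every node's interface address. Node 1 uses the values from the configuration above; the per-node FQDNs and node 2's name, outside IP and pool are assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str        # hostname, e.g. vpn-demo-1
    fqdn: str        # per-node FQDN registered in external DNS (forward and reverse)
    outside_ip: str  # address on the shared OUTSIDE VLAN
    pool_start: str  # first address of this node's "ip local pool"
    pool_end: str    # last address of this node's "ip local pool"

def pool_addresses(node):
    """Expand the node's pool into an ordered list of IPv4 addresses."""
    start = int(ipaddress.IPv4Address(node.pool_start))
    end = int(ipaddress.IPv4Address(node.pool_end))
    if end < start:
        raise ValueError(f"{node.name}: pool end precedes pool start")
    return [ipaddress.IPv4Address(i) for i in range(start, end + 1)]

def validate_cluster(vip, outside_net, nodes):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    net = ipaddress.IPv4Network(outside_net)
    if ipaddress.IPv4Address(vip) not in net:
        findings.append(f"VIP {vip} is not inside the OUTSIDE subnet {outside_net}")
    seen_fqdn, seen_addr = set(), {}
    for node in nodes:
        # The VIP lives on the shared OUTSIDE segment, so it must be a free
        # address there that no node uses as its own interface address.
        if ipaddress.IPv4Address(node.outside_ip) not in net:
            findings.append(f"{node.name}: outside IP {node.outside_ip} is not in {outside_net}")
        if node.outside_ip == vip:
            findings.append(f"{node.name}: outside IP collides with VIP {vip}")
        # redirect-fqdn sends clients to a node by name, so names must be distinct.
        if node.fqdn in seen_fqdn:
            findings.append(f"{node.name}: FQDN {node.fqdn} is reused by another node")
        seen_fqdn.add(node.fqdn)
        # Each node hands out /32s from its own pool and redistributes them;
        # an overlap would make two gateways advertise the same client address.
        for addr in pool_addresses(node):
            if addr in seen_addr:
                findings.append(f"{node.name}: pool overlaps {seen_addr[addr]} at {addr}")
                break
            seen_addr[addr] = node.name
    return findings

# Constructed plan: node 1 uses the article's values; node 2's name, FQDN,
# outside IP and pool are assumptions made for this example.
OUTSIDE_NET = "192.168.31.0/24"
VIP = "192.168.31.40"
NODES = [
    Node("vpn-demo-1", "vpn-demo-1.ashes.cc", "192.168.31.30", "192.168.20.10", "192.168.20.30"),
    Node("vpn-demo-2", "vpn-demo-2.ashes.cc", "192.168.31.31", "192.168.20.40", "192.168.20.60"),
]
```

    Call validate_cluster(VIP, OUTSIDE_NET, NODES) before pushing the per-node configuration; an empty list means no findings.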

    • We check the cluster operation with two connected clients:

    [screenshot]

    • Let's make the client experience a bit simpler with an AnyConnect profile that is downloaded automatically, created via ASDM.

    We name the profile in a simple way and associate our group policy with it:

    [screenshot]

    After the next client connection, this profile will be downloaded automatically and installed in the AnyConnect client, so when you need to connect, you just select it from the list:

    [screenshot]

    Since we created this profile with ASDM on only one ASA, don't forget to repeat the steps on the remaining ASAs in the cluster.

Conclusion: So, we quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy, giving simple horizontal scaling by deploying new ASAv virtual machines or using hardware ASAs. The feature-rich AnyConnect client can greatly enhance your secure remote-access capabilities through Posture (endpoint state assessment), used most effectively in combination with the centralized access control and accounting system Identity Services Engine.

orisun: www.habr.com
