In this post I would like to give you step-by-step instructions for quickly deploying the most scalable scheme currently available for an AnyConnect-based Remote-Access VPN on Cisco ASA: the VPN Load Balancing Cluster.
Introduction: Because of the current COVID-19 situation, many companies around the world are working to move their employees to remote work. With this mass shift to remote work, the load on companies' existing VPN gateways is growing critically, and the ability to scale quickly is required. At the same time, many companies are being forced to grasp the concept of remote work from scratch, and urgently.
To help businesses achieve convenient, secure and scalable VPN access for employees in the shortest possible time, Cisco is offering a license for the feature-rich AnyConnect SSL VPN client for up to 13 weeks.
I have prepared a step-by-step guide for an easy deployment of a VPN Load-Balancing Cluster, as the most scalable VPN technology.
The example below is deliberately simple in terms of the authentication and authorization schemes used, but it is a good option for a quick start (which is currently enough for many) and leaves room to adapt it in depth to your needs during deployment.
Brief background: the VPN Load Balancing Cluster technology is neither failover nor clustering in the traditional sense. It can combine completely different ASA models (with certain restrictions) to load-balance Remote-Access VPN connections. There is no synchronization of sessions or configuration between the nodes of such a cluster, but it automatically balances VPN connections across nodes and keeps VPN connectivity available as long as at least one active node remains in the cluster. The load is balanced automatically according to the number of VPN sessions on each node.
If failover of individual cluster nodes is required, an ASA failover pair can be used; active connections are then handled by the Primary unit of the pair. Failover is not a prerequisite for fault tolerance within a Load Balancing Cluster: if a node fails, the cluster itself moves the user's session to another live node, but without preserving connection state, which is exactly what failover provides. Accordingly, the two technologies can be combined if needed.
A VPN Load-Balancing cluster can contain more than two nodes.
VPN Load-Balancing Cluster is supported on ASA 5512-X and higher.
Since each ASA within the VPN Load-Balancing cluster is an independent unit in terms of configuration, we perform every configuration step separately on each device.
Logical topology of the example:
Main deployment:
We deploy ASAv instances of the required sizes (ASAv5/10/30/50) as shown in the picture.
We attach the INSIDE and OUTSIDE interfaces of all nodes to the same VLANs (OUTSIDE in its own VLAN, INSIDE in its own, but identical across the cluster, see the topology); it is important that interfaces of the same type share one L2 segment.
Licenses:
- Right after installation the ASAv has no license and is limited to 100 kbps.
- To install a license, generate a token in your Smart Account:
https://software.cisco.com/ -> Smart Software Licensing; in the window that opens, click the New Token button.
- Make sure that in the window that opens the "Allow export-controlled functionality..." field is active and its checkbox is ticked. Without it you will not be able to use strong encryption and therefore VPN. If this field is inactive, contact your account team with a request to enable it.
- After pressing the Create Token button, a token is generated which we will use to license the ASAv; copy it:
- Repeat steps C, D, E for each ASAv used.
- To make pasting the token easier, let's temporarily enable telnet and configure each ASA (the example below shows ASA-1). Telnet is not allowed on the outside (lowest security-level) interface; if you really need it there, raise its security level to 100 and set it back afterwards. Telnet carries credentials in cleartext, so remove the telnet line again as soon as the token has been registered.
!
ciscoasa(config)# int gi0/0
ciscoasa(config)# nameif outside
ciscoasa(config)# ip address 192.168.31.30 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# int gi0/1
ciscoasa(config)# nameif inside
ciscoasa(config)# ip address 192.168.255.2 255.255.255.0
ciscoasa(config)# no shut
!
ciscoasa(config)# telnet 0 0 inside
ciscoasa(config)# username admin password cisco priv 15
ciscoasa(config)# ena password cisco
ciscoasa(config)# aaa authentication telnet console LOCAL
!
ciscoasa(config)# route outside 0 0 192.168.31.1
!
ciscoasa(config)# wr
!
- To register the token with the Smart Account cloud, the ASA must be given Internet access (the details are in Cisco's Smart Licensing documentation).
In short, the ASA needs:
- HTTPS access to the Internet;
- time synchronization (preferably via NTP);
- a configured DNS server.
- We connect to our ASA and make the settings needed to activate the license through the Smart Account.
!
ciscoasa(config)# clock set 19:21:00 Mar 18 2020
ciscoasa(config)# clock timezone MSK 3
ciscoasa(config)# ntp server 192.168.99.136
!
ciscoasa(config)# dns domain-lookup outside
ciscoasa(config)# DNS server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 192.168.99.132
!
! Let's check that DNS works:
!
ciscoasa(config-dns-server-group)# ping ya.ru
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 87.250.250.242, timeout is 2 seconds:
!!!!!
!
! Let's check NTP synchronization:
!
ciscoasa(config)# show ntp associations
address         ref clock     st  when  poll reach  delay  offset    disp
*~192.168.99.136 91.189.94.4   3    63    64    1    36.7    1.85    17.5
* master (synced), # master (unsynced), + selected, - candidate, ~ configured
!
! Configure our ASAv for Smart Licensing (according to your profile; in my case 100M as an example)
!
ciscoasa(config)# license smart
ciscoasa(config-smart-lic)# feature tier standard
ciscoasa(config-smart-lic)# throughput level 100M
!
! If necessary, Internet access via a proxy can be configured with the following block of commands:
! call-home
!  http-proxy ip_address port port
!
! Next we paste the token copied from the Smart Account portal (<token>) and register the license
!
ciscoasa(config)# end
ciscoasa# license smart register idtoken <token>
- We check that the device has successfully registered the license and that the strong encryption options are available:
Configure basic SSL-VPN on each gateway
- Next, configure access via SSH and ASDM:
ciscoasa(config)# ssh ver 2
ciscoasa(config)# aaa authentication ssh console LOCAL
ciscoasa(config)# aaa authentication http console LOCAL
ciscoasa(config)# hostname vpn-demo-1
vpn-demo-1(config)# domain-name ashes.cc
vpn-demo-1(config)# cry key gen rsa general-keys modulus 4096
vpn-demo-1(config)# ssh 0 0 inside
vpn-demo-1(config)# http 0 0 inside
!
! Bring up the HTTPS server for ASDM on port 445 so that it does not collide with the SSL-VPN portal on 443
!
vpn-demo-1(config)# http server enable 445
!
- For ASDM to work, you first have to download it from cisco.com; in my case it is the following file:
- For the AnyConnect client to work, an image for every client OS in use (here Linux / Windows / macOS) must be uploaded to each ASA; you need the file whose title contains Head-end Deployment Package:
- The downloaded files can be placed, for example, on an FTP server and then loaded onto each ASA one by one:
- We configure ASDM and a self-signed certificate for SSL-VPN (in production a certificate from a trusted CA is recommended). The FQDN of the Virtual Cluster Address (vpn-demo.ashes.cc), as well as the FQDN associated with the external address of every cluster node, must resolve in the external DNS zone to the IP address of the OUTSIDE interface (or to the mapped address if port forwarding of udp/443 (DTLS) and tcp/443 (TLS) is used). The detailed certificate requirements are described in the Certificate Verification section of the documentation.
!
vpn-demo-1(config)# crypto ca trustpoint SELF
vpn-demo-1(config-ca-trustpoint)# enrollment self
vpn-demo-1(config-ca-trustpoint)# fqdn vpn-demo.ashes.cc
vpn-demo-1(config-ca-trustpoint)# subject-name cn=*.ashes.cc, ou=ashes-lab, o=ashes, c=ru
vpn-demo-1(config-ca-trustpoint)# serial-number
vpn-demo-1(config-ca-trustpoint)# crl configure
vpn-demo-1(config-ca-crl)# cry ca enroll SELF
% The fully-qualified domain name in the certificate will be: vpn-demo.ashes.cc
Generate Self-Signed Certificate? [yes/no]: yes
vpn-demo-1(config)#
!
vpn-demo-1(config)# sh cry ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 4d43725e
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA256 with RSA Encryption
  Issuer Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
  Subject Name:
    serialNumber=9A439T02F95
    hostname=vpn-demo.ashes.cc
    cn=*.ashes.cc
    ou=ashes-lab
    o=ashes
    c=ru
  Validity Date:
    start date: 00:16:17 MSK Mar 19 2020
    end   date: 00:16:17 MSK Mar 17 2030
  Storage: config
  Associated Trustpoints: SELF

CA Certificate
  Status: Available
  Certificate Serial Number: 0509
  Certificate Usage: General Purpose
  Public Key Type: RSA (4096 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
  Subject Name:
    cn=QuoVadis Root CA 2
    o=QuoVadis Limited
    c=BM
  Validity Date:
    start date: 21:27:00 MSK Nov 24 2006
    end   date: 21:23:33 MSK Nov 24 2031
  Storage: config
  Associated Trustpoints: _SmartCallHome_ServerCA
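The certificate requirement above matters more in a load-balancing cluster than on a single gateway: with redirect-fqdn enabled the master sends the client to a node's own FQDN, so a certificate that names only the virtual address produces a warning on every redirect, and users learn to click through warnings. The following script is an added example (it is not part of the original article or of any Cisco tool) that checks whether the names in a certificate cover the virtual FQDN and every node FQDN using the RFC 6125 wildcard rules. The node names vpn-demo-1.ashes.cc and vpn-demo-2.ashes.cc are assumptions, and the SAN text is constructed to look like the output of openssl x509 -noout -ext subjectAltName.

```python
# Added example, not from the article: verify that the SSL-VPN certificate
# names cover the cluster virtual FQDN and each node FQDN.
# RFC 6125 matching: a wildcard may only replace the whole leftmost label,
# it matches exactly one label, and it never matches the bare domain.
import re

# Constructed sample of what
#   openssl s_client -connect <node>:443 -servername <node> </dev/null | openssl x509 -noout -ext subjectAltName
# prints for the self-signed certificate enrolled above (CN *.ashes.cc, fqdn vpn-demo.ashes.cc).
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:*.ashes.cc, DNS:vpn-demo.ashes.cc
"""

CLUSTER_FQDN = "vpn-demo.ashes.cc"                              # from the article
NODE_FQDNS = ["vpn-demo-1.ashes.cc", "vpn-demo-2.ashes.cc"]    # assumed node names


def parse_openssl_san(text):
    """Extract the DNS names from openssl's subjectAltName extension dump."""
    return re.findall(r"DNS:([^,\s]+)", text)


def name_matches(pattern, fqdn):
    """Compare one certificate name (possibly a wildcard) against a host name."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == fqdn
    p_labels = pattern.split(".")
    f_labels = fqdn.split(".")
    # the wildcard must be the entire leftmost label, there must be at least two
    # labels after it (reject "*.cc"), and no other wildcard may appear
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # "*" stands for exactly one label, so label counts must be equal
    return len(p_labels) == len(f_labels) and p_labels[1:] == f_labels[1:]


def uncovered(cert_names, required):
    """Host names in `required` that no certificate name matches."""
    return [h for h in required if not any(name_matches(n, h) for n in cert_names)]


def cluster_cert_ok(cert_names, cluster_fqdn=CLUSTER_FQDN, node_fqdns=NODE_FQDNS):
    """True when the VIP name and every node name are covered by the certificate."""
    return not uncovered(cert_names, [cluster_fqdn, *node_fqdns])


if __name__ == "__main__":
    names = parse_openssl_san(SAMPLE_SAN_TEXT)
    print("certificate names:", names)
    print("all cluster names covered:", cluster_cert_ok(names))
    # a certificate issued for the VIP name only leaves the node names uncovered,
    # which is exactly what the redirect would trip over
    print("missing with a VIP-only certificate:",
          uncovered([CLUSTER_FQDN], [CLUSTER_FQDN, *NODE_FQDNS]))
```

Run it against each node in turn, because every ASA in the cluster carries its own certificate: the wildcard CN used in the article covers all nodes, but per-node certificates from a CA must each list the node's own FQDN (and ideally the virtual FQDN) in the SAN.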
- Do not forget to specify the port when checking that ASDM works, for example:
- Let's make the basic tunnel settings:
- We make the corporate network reachable through the tunnel and let Internet traffic go directly (split tunneling). This is not the most secure option if the connecting host has no endpoint protection: an infected host can become a bridge into the corporate network and expose company data. The split-tunnel-policy tunnelall option instead forces all of the host's traffic into the tunnel. Split tunneling does, however, offload the VPN gateway, at the price of not inspecting the host's Internet traffic.
- We issue addresses to tunnel hosts from the 192.168.20.0/24 subnet (pool from .10 to .30 for node #1). Each node of the VPN cluster must have its own, non-overlapping pool.
- We use basic authentication with a user created locally on the ASA (not recommended, but the simplest way); it is better to authenticate via LDAP/RADIUS, or better still to add Multi-Factor Authentication (MFA), for example Cisco DUO.
!
vpn-demo-1(config)# ip local pool vpn-pool 192.168.20.10-192.168.20.30 mask 255.255.255.0
!
vpn-demo-1(config)# access-list split-tunnel standard permit 192.168.0.0 255.255.0.0
!
vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY internal
vpn-demo-1(config)# group-policy SSL-VPN-GROUP-POLICY attributes
vpn-demo-1(config-group-policy)# vpn-tunnel-protocol ssl-client
vpn-demo-1(config-group-policy)# split-tunnel-policy tunnelspecified
vpn-demo-1(config-group-policy)# split-tunnel-network-list value split-tunnel
vpn-demo-1(config-group-policy)# dns-server value 192.168.99.132
vpn-demo-1(config-group-policy)# default-domain value ashes.cc
vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
vpn-demo-1(config-tunnel-general)# default-group-policy SSL-VPN-GROUP-POLICY
vpn-demo-1(config-tunnel-general)# address-pool vpn-pool
!
vpn-demo-1(config)# username dkazakov password cisco
vpn-demo-1(config)# username dkazakov attributes
vpn-demo-1(config-username)# service-type remote-access
!
vpn-demo-1(config)# ssl trust-point SELF
vpn-demo-1(config)# webvpn
vpn-demo-1(config-webvpn)# enable outside
vpn-demo-1(config-webvpn)# anyconnect image disk0:/anyconnect-win-4.8.03036-webdeploy-k9.pkg
vpn-demo-1(config-webvpn)# anyconnect enable
!
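Because every step is repeated by hand on each node, the values that must differ per node (hostname, OUTSIDE address, load-balancing priority and, above all, a non-overlapping address pool) are easy to get wrong, and two nodes handing out the same client address breaks the /32 route redistribution that the rest of the guide relies on. The script below is an added example (not from the article and not a Cisco tool) that derives those per-node values from one parameter set and renders the node-specific configuration lines. It assumes node hostnames vpn-demo-<n>, OUTSIDE addresses in 192.168.31.0/24, the virtual address 192.168.31.40 from later in the guide, and a 21-address pool per node carved from 192.168.20.0/24 starting at .10, so that node #1 gets .10-.30 as above; the second node's address and priority are invented lab data.

```python
# Added example, not from the article: render the per-node part of the cluster
# configuration so that pools, hostnames and priorities stay consistent.
import ipaddress
from dataclasses import dataclass

POOL_NET = ipaddress.ip_network("192.168.20.0/24")  # client subnet from the article
POOL_FIRST_HOST = 10   # node #1 starts at .10 (as in the article)
POOL_SIZE = 21         # .10-.30 for node #1, .31-.51 for node #2, ... (assumed layout)
OUTSIDE_MASK = "255.255.255.0"
VIP = "192.168.31.40"  # cluster virtual address from the article


@dataclass(frozen=True)
class Node:
    index: int        # 1-based cluster node number
    outside_ip: str   # address of this node's OUTSIDE interface
    priority: int     # vpn load-balancing priority (highest becomes master)


def pool_for(index):
    """Return (first, last) address of node `index`'s pool; pools never overlap."""
    if index < 1:
        raise ValueError("node index is 1-based")
    first_off = POOL_FIRST_HOST + (index - 1) * POOL_SIZE
    last_off = first_off + POOL_SIZE - 1
    # stay inside the usable host range of the /24 (.1 - .254)
    if last_off > POOL_NET.num_addresses - 2:
        raise ValueError(f"node {index}: pool would leave {POOL_NET}")
    base = POOL_NET.network_address
    return str(base + first_off), str(base + last_off)


def pools_disjoint(nodes):
    """True if no two nodes (e.g. two nodes mistakenly given the same index) share an address."""
    seen = set()
    for n in nodes:
        first, last = (int(ipaddress.ip_address(a)) for a in pool_for(n.index))
        addrs = set(range(first, last + 1))
        if seen & addrs:
            return False
        seen |= addrs
    return True


def render(node, domain="ashes.cc"):
    """Node-specific lines only; group policy, webvpn and NAT are identical on every node."""
    first, last = pool_for(node.index)
    lines = [
        f"hostname vpn-demo-{node.index}",
        f"domain-name {domain}",
        "interface GigabitEthernet0/0",
        " nameif outside",
        f" ip address {node.outside_ip} {OUTSIDE_MASK}",
        " no shutdown",
        f"ip local pool vpn-pool {first}-{last} mask {POOL_NET.netmask}",
        "tunnel-group DefaultWEBVPNGroup general-attributes",
        " address-pool vpn-pool",
        "vpn load-balancing",
        " interface lbpublic outside",
        " interface lbprivate inside",
        f" priority {node.priority}",
        f" cluster ip address {VIP}",
        " redirect-fqdn enable",
        " participate",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    nodes = [Node(1, "192.168.31.30", 10), Node(2, "192.168.31.31", 5)]  # node 2 is invented
    if not pools_disjoint(nodes):
        raise SystemExit("overlapping client pools")
    for n in nodes:
        print(f"! ---- node {n.index} ----")
        print(render(n))
```

The rendered lines are meant to be pasted into each node after the common part of the configuration; the pool check is the part worth keeping even if you continue to type the rest by hand.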
- (OPTIONAL): In the example above we used a local user on the firewall to authenticate remote users, which is of little use outside a lab. Here is an example of how to quickly adapt the configuration to authenticate against a RADIUS server, for instance Cisco Identity Services Engine:
! the server group must be created first; the prompt below is the one this command opens
vpn-demo-1(config)# aaa-server RADIUS protocol radius
vpn-demo-1(config-aaa-server-group)# dynamic-authorization
vpn-demo-1(config-aaa-server-group)# interim-accounting-update
vpn-demo-1(config-aaa-server-group)# aaa-server RADIUS (outside) host 192.168.99.134
vpn-demo-1(config-aaa-server-host)# key cisco
vpn-demo-1(config-aaa-server-host)# exit
vpn-demo-1(config)# tunnel-group DefaultWEBVPNGroup general-attributes
vpn-demo-1(config-tunnel-general)# authentication-server-group RADIUS
!
This integration makes it possible not only to tie authentication to the AD directory service quickly, but also to distinguish whether the connecting computer is an AD member, to tell a corporate device from a personal one, and to assess the posture of the connecting device.
- Let's configure identity (no-translation) NAT so that traffic between the clients and corporate network resources is not translated:
vpn-demo-1(config)# object network vpn-users
vpn-demo-1(config-network-object)# subnet 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# nat (inside,outside) source static any any destination static vpn-users vpn-users no-proxy-arp
- (OPTIONAL): To let our clients reach the Internet through the ASA (if tunnel-all is used) with PAT, leaving via the same OUTSIDE interface they connected on, the following settings are needed:
! keep the identity NAT rule above ahead of these dynamic rules so that client-to-corporate traffic stays untranslated
vpn-demo-1(config)# nat (outside,outside) source dynamic vpn-users interface
vpn-demo-1(config)# nat (inside,outside) source dynamic any interface
vpn-demo-1(config)# same-security-traffic permit intra-interface
!
- When using a cluster it is very important that the internal network knows which ASA routes return traffic to a given user; for this the /32 routes to the addresses issued to clients have to be redistributed.
So far we have not configured the cluster, but we already have working VPN gateways that can be reached individually by FQDN or IP.
We see the connected client in the routing table of the first ASA:
So that the whole VPN cluster and the whole corporate network know the route to our client, we redistribute the client prefix into a dynamic routing protocol, for example OSPF:
!
! assumed ACL: the route-map needs a list matching the client host routes; this entry covers the 192.168.20.0/24 pool used above
vpn-demo-1(config)# access-list VPN-REDISTRIBUTE standard permit 192.168.20.0 255.255.255.0
!
vpn-demo-1(config)# route-map RMAP-VPN-REDISTRIBUTE permit 1
vpn-demo-1(config-route-map)# match ip address VPN-REDISTRIBUTE
!
vpn-demo-1(config)# router ospf 1
vpn-demo-1(config-router)# network 192.168.255.0 255.255.255.0 area 0
vpn-demo-1(config-router)# log-adj-changes
vpn-demo-1(config-router)# redistribute static metric 5000 subnets route-map RMAP-VPN-REDISTRIBUTE
Now the second gateway, ASA-2, also has a route to the client, so users connected to different VPN gateways within the cluster can, for example, talk to each other directly over the corporate softphone, and return traffic from the resources a user requested arrives at the right VPN gateway:
Let's move on to configuring the Load Balancing cluster.
The address 192.168.31.40 will be used as the Virtual IP (VIP; all VPN clients connect to it first); from this address the Cluster Master REDIRECTs the client to the least loaded cluster node. Do not forget to create forward and reverse DNS records both for each node's external address/FQDN and for the VIP.
vpn-demo-1(config)# vpn load-balancing
vpn-demo-1(config-load-balancing)# interface lbpublic outside
vpn-demo-1(config-load-balancing)# interface lbprivate inside
vpn-demo-1(config-load-balancing)# priority 10
vpn-demo-1(config-load-balancing)# cluster ip address 192.168.31.40
vpn-demo-1(config-load-balancing)# redirect-fqdn enable
! the same key must be set on every node; replace "cisco" with a strong secret outside the lab
vpn-demo-1(config-load-balancing)# cluster key cisco
vpn-demo-1(config-load-balancing)# cluster encryption
! cluster port is set once and must match on every node; 9023 is the default
vpn-demo-1(config-load-balancing)# cluster port 9023
vpn-demo-1(config-load-balancing)# participate
vpn-demo-1(config-load-balancing)#
- We check the cluster's operation with two connected clients:
- Let's make the client's job as simple as possible with an AnyConnect profile that is pushed automatically, created via ASDM.
We give the profile a simple name and associate our group policy with it:
On the client's next connection this profile is downloaded and installed into the AnyConnect client automatically, so to connect you just pick it from the list:
Since we created this profile on only one ASA via ASDM, do not forget to repeat the steps on the other ASAs in the cluster.
Conclusion: We have quickly deployed a cluster of several VPN gateways with automatic load balancing. Adding new nodes to the cluster is easy: simple horizontal scaling by deploying new ASAv machines or by using hardware ASAs. The feature-rich AnyConnect client can significantly improve the security of remote connectivity through Posture (endpoint state assessment), which is most effective together with the centralized access control and accounting system, Identity Services Engine.
Source: www.habr.com