
Chapter 5: VPN + FAILOVER + ROUTING + VLAN + AAA

IPSec VPNs

This chapter covers virtual private networks (VPNs) built with the IPsec protocol. IPsec is built into the ASA and is used to securely connect geographically remote LANs over an Internet connection (Site-to-Site VPN) or to let remote users connect to the central network (Remote Access VPN). This chapter focuses mainly on these two VPN types.

Before going into the details of IPSec VPN configuration, we briefly describe how the IPSec protocol works so that IPSec VPNs are properly understood. What is IPSec? IP Security (IPSec) is an open IETF standard that allows data to be encrypted in transit. It is well suited to providing confidentiality, integrity and authentication of data. A VPN is a secure, tunnel-like private connection over an insecure transport such as the Internet, so IPSec is an ideal protocol for building VPNs over the Internet. IPSec works at the network layer, encapsulating and authenticating packets between the ASA and the other devices taking part in the VPN, such as Cisco routers, Cisco firewalls or the VPN Client.

The following IPSec standards and protocols are used:

- ESP (Encapsulating Security Payload): the first of the two important protocols that make up the IPSec standard. It provides integrity, authentication and confidentiality of data. ESP is used to encrypt the payload of the IP packet.
- AH (Authentication Header): the second of the two important IPSec protocols. It provides integrity, authentication and replay protection. It does not provide encryption, but it acts like a digital signature to make sure the packet has not been tampered with.
- Internet Key Exchange (IKE): the mechanism the ASA uses to exchange encryption keys secretly, authenticate the IPSec peers and negotiate the IPSec parameters.
- DES, 3DES, AES: the encryption mechanisms offered by the ASA firewall. DES is the weakest algorithm (56-bit key) and AES the strongest (128-, 192- or 256-bit keys). 3DES is the middle choice, using 168-bit keys.
- DH (Diffie-Hellman group): the public-key protocol used by IKE to establish the session key.
- MD5, SHA-1: the two hash algorithms used to authenticate packets. SHA is stronger than MD5.
- SA (Security Association): an SA is a connection between two IPSec peers. Each IPSec peer keeps an SA database in memory holding the SA parameters. An SA is uniquely identified by the destination peer IP address, the security protocol, and the Security Parameter Index (SPI).

How IPSec works

There are five main steps:

- Interesting traffic: the IPSec device recognises the traffic flow that needs to be protected.
- Phase 1 (ISAKMP): the IPSec devices negotiate the IKE security policies and establish a secure channel for communication between the IPSec peers.
- Phase 2 (IPSec): the IPSec devices negotiate the IPSec security policy used to protect the data.
- Data transfer: data is transferred securely between the IPSec peers based on the IPSec parameters and keys negotiated in the previous phases.
- IPSec tunnel termination: the IPSec SAs are torn down when they time out.

Connection types

Site-to-Site IPSec VPN

Site-to-Site IPSec VPN is sometimes called LAN-to-LAN. As the name says, this VPN type connects two physically distant LANs over the Internet. The LANs usually use private addresses, as shown in the figure above. Without the VPN connection the two LANs could not communicate with each other. By configuring a Site-to-Site IPSec VPN between two ASA firewalls we can establish a secure tunnel over the Internet connection and push the LAN traffic into this tunnel. As a result, hosts in the 192.168.1.0/24 network can reach hosts in the 192.168.2.0/24 network directly and vice versa. The IPSec tunnel is established between the public IP addresses of the two ASA firewalls, 100.100.100.1 and 200.200.200.1.

Remote Access VPN

The second IPSec VPN type we discuss is Remote Access VPN. A remote user accessing the LAN must use the Cisco VPN Client. This VPN type lets a remote user establish a secure IPSec VPN connection over the Internet to the company LAN. The remote user must have the Cisco VPN Client software installed on their personal computer; this software establishes the connection to the company LAN. Once the VPN is established between the remote user and the ASA firewall, the user is assigned a private IP address from a predefined pool and is then allowed to access the LAN.

In the topology above, the ASA firewall protects the corporate LAN and the remote user with the VPN client establishes a secure connection to the ASA. Addresses from the 192.168.20.0/24 range are allocated to the VPN clients so they can communicate with the internal corporate network 192.168.1.0/24. Once the Remote Access VPN is established, by default the remote user cannot reach anything on the Internet other than the corporate LAN. This is handled by configuring the split tunneling feature on the ASA.

Site-to-Site IPSec VPN configuration guide

Step 1: Configure the interesting traffic
First we need to define the traffic we are interested in, i.e. the traffic that will be encrypted. Using an ACL we identify the traffic the ASA must handle. In the figure above, we want all traffic between 192.168.1.0/24 and 192.168.2.0/24 to be encrypted.

An important point to consider is the case where NAT is used on the firewall for normal Internet access. Because IPSec does not work through NAT, the IPSec traffic must be excluded from NAT. NAT 0 is used to solve this problem.

Step 2: Configure Phase 1 (ISAKMP)
Phase 1 establishes the secure communication channel used for the data transfer. In Phase 1 the VPN peers exchange secret keys, authenticate each other and negotiate the IKE security policies. In this phase we configure the isakmp policy, which must match the policy configured on the other peer. The isakmp policy tells the other peer which security parameters must be used in the VPN (encryption algorithm, hash algorithm, authentication method, DH group, lifetime), as follows:

Several ISAKMP policies can be configured to meet different requirements from different peers. The priority number uniquely identifies each policy. The following parameters can be used to create a strong ISAKMP policy:

Encryption: AES
Hash: sha
Authentication: pre-share
Group: 2 or 5
Lifetime: 3600 (the SA expires and is renegotiated every hour)

The next thing to define is the pre-shared key and the VPN type (Site-to-Site, Remote Access or WebVPN). This is configured with the tunnel-group command.

Configuration:

Step 3: Configure Phase 2 (IPSec)
After the secure tunnel is established in Phase 1, the next step is to set up the VPN by negotiating the IPSec security parameters that will protect the data inside the tunnel. This is done in IPSec Phase 2. In this phase the following functions are performed:

- negotiate the IPSec security parameters and the IPSec transform sets
- establish the IPSec SAs
- periodically renegotiate the IPSec SAs to maintain security

The goal of IKE Phase 2 is to securely establish the IPSec session between the peers. Before that happens, each side negotiates the security level (the encryption and authentication algorithms for the session). The protocols are grouped into sets called transform sets. The IPSec transform set is exchanged between the peers and must be identical on both peers for the session to be established. Command format for configuring a transform set:

The following transforms (protocol/algorithm) can be used for transform1 and transform2:

Transform       Description
esp-des         ESP transform using DES (56-bit)
esp-3des        ESP transform using 3DES (168-bit)
esp-aes         ESP transform using AES-128
esp-aes-192     ESP transform using AES-192
esp-aes-256     ESP transform using AES-256
esp-md5-hmac    ESP transform using HMAC-MD5 for authentication
esp-sha-hmac    ESP transform using HMAC-SHA for authentication
esp-none        ESP without authentication
esp-null        ESP without encryption

Some useful tips when choosing transforms: to provide confidentiality (encryption), use an ESP encryption transform such as one of the first five ESP entries in the table; for authentication, use MD5-HMAC or SHA-HMAC (SHA is stronger than MD5 but slower).

After configuring the transform set on both IPSec peers, we need to configure the crypto map, which holds all the Phase 2 IPSec parameters. The crypto map is then applied to the firewall interface (usually Outside) where IPSec will be established.

The seq-num parameter of the crypto map is used to distinguish multiple map entries with the same name, for the case where the firewall has more than one IPSec peer (for example an ASA in a hub-and-spoke topology). The complete Phase 2 configuration for both firewalls:

Step 4: Verify that the data is encrypted
Is the tunnel established? The command show crypto isakmp sa checks whether the SA has been established and whether the tunnel state is up or down.

Is the data being encrypted? The command show crypto ipsec sa confirms whether data is being encrypted and decrypted successfully.

Remote Access VPN configuration

Many of the configuration commands are the same as for Site-to-Site VPN, especially IKE Phase 1 and Phase 2. In addition, an IP address pool must be configured on the firewall to dynamically assign addresses to the remote users.

Step 1: Configure the IP pool
The command format is as follows:

In this example we want to assign addresses to remote users from the 192.168.20.0/24 range.

Step 2: Encrypt the traffic and exempt it from NAT
As with Site-to-Site VPN, we need to define an ACL for traffic from the internal network to the remote users (192.168.20.0/24) and exempt it from NAT.

Step 3: Configure the Group Policy
Group policies let you separate the remote users into groups with different attributes. For example, system administrators can be assigned to a group with full-time, 24-hour access, while ordinary remote users are assigned to another group with access only from 9 a.m. to 5 p.m. A group policy also provides DNS or WINS server addresses, connection filters, timeouts, etc. The syntax is as follows:

Example configuration:

Assume that all remote users share a group policy named company-vpnpolicy, configured as above. This policy assigns the DNS and WINS server addresses used to resolve names in the internal domain and internal hostnames. It sets an idle timeout of 30 minutes.

Step 4: Configure usernames for Remote Access authentication
When a remote user connects with the VPN Client, they are asked for a username and password on the login screen to authenticate with the firewall. We therefore need to create the usernames and passwords used for this authentication.
Syntax:

Example configuration:

Step 5: Configure Phase 1 (ISAKMP policy)
Same as for Site-to-Site VPN.

Step 6: Configure Phase 2 (IPSec parameters)
This step is also the same as for Site-to-Site VPN.

Step 7: Configure the Tunnel Group for Remote Access
The tunnel group configuration is the heart of the Remote Access VPN. It ties together the Group Policy configured earlier, the IP pool and the pre-shared key.
Syntax:

The group name is very important because exactly the same name must be entered when configuring the VPN Client software.
Example configuration:
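Steps 1 to 7 assembled for the remote-access topology of the manual (pool 192.168.20.0/24, internal LAN 192.168.1.0/24, group vpnclient with pre-shared key groupkey123 as used in step 8), as an added example and not the manual's own configuration. The pool, ACL and transform-set names, the DNS/WINS addresses 192.168.1.10/192.168.1.11, the user name and the password placeholder are chosen here; the split-tunnel ACL implements the split tunneling mentioned in the Remote Access overview.

```cisco
! Step 1: address pool handed out to VPN clients
ip local pool VPN-POOL 192.168.20.1-192.168.20.254 mask 255.255.255.0
!
! Step 2: LAN <-> VPN-client traffic must not be translated (NAT 0)
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
! networks that go through the tunnel; everything else leaves the client directly (split tunneling)
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
!
! Step 3: group policy - DNS/WINS, 30-minute idle timeout, split tunneling
group-policy company-vpnpolicy internal
group-policy company-vpnpolicy attributes
 dns-server value 192.168.1.10
 wins-server value 192.168.1.11
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
! Step 4: user credentials checked at the VPN Client login prompt (Xauth)
username user1 password USER1-PASSWORD-PLACEHOLDER
!
! Step 5: Phase 1 - same policy as Site-to-Site
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp enable outside
!
! Step 6: Phase 2 - peers have unknown addresses, so a dynamic crypto map is used
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set TS-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! Step 7: tunnel group - its name is the Group Authentication Name in the VPN Client
tunnel-group vpnclient type ipsec-ra
tunnel-group vpnclient general-attributes
 address-pool VPN-POOL
 default-group-policy company-vpnpolicy
tunnel-group vpnclient ipsec-attributes
 pre-shared-key groupkey123
!
! verification once a client is connected
show vpn-sessiondb remote
show crypto ipsec sa
```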

Step 8: Configure the VPN Client software

After installing the VPN Client, start the application and choose New to create a new connection entry.

Name the connection vpn and give it a description. In the Host textbox enter the public IP address of the ASA's outside interface. Enter the Group Authentication username/password; these must match the tunnel-group name and pre-shared key from step 7. In this example configuration the Group Authentication Name is vpnclient and the password (pre-shared key) is groupkey123. Then click Save to store the configuration.

After saving the settings, return to the Connection Entries tab and choose Connect to initiate the Remote Access VPN connection.

After initiating the VPN connection, the remote user is prompted for a username/password on the login screen to authenticate with the firewall.

After successful authentication with the firewall, a secure Remote Access tunnel is established. If you open a command prompt and run ipconfig /all on the remote user's computer, you will see an IP address from the 192.168.20.0/24 range assigned to the virtual VPN interface. This gives the remote user full access to the corporate LAN.

Configuring Firewall Failover

The Cisco ASA firewall is an important component of any network, and usually several important enterprise services depend on the availability of the firewall. Firewall redundancy must therefore be built in. In this chapter we describe the firewall's failover capability in Active/Standby mode, which is the most common configuration in most networks. The ASA also offers Active/Active failover.

Active/Standby model

In the Active/Standby model, one of the two firewalls is designated Active and handles all traffic and security functions. The other firewall stays in standby and automatically takes over all traffic if the Active firewall fails. Stateful failover pushes the connection state information from the Active firewall to the Standby firewall. When failover happens, the same connection information is already present on the standby firewall, which becomes active without dropping any user's connection. The state information synchronized between active and standby includes the global pool address ranges, the connection state, the NAT table, the state of TCP/UDP connections and many other details.

The network diagram above shows a pair of firewalls running failover in Active/Standby mode. The inside interfaces connect to the same internal switch and the outside interfaces connect to the same external switch. A cable connects the two firewalls as the LAN Failover Link. During normal operation all traffic passes through the Active firewall, which handles all inbound and outbound communication. If the Active firewall fails (for example an interface goes down or the firewall itself fails), the Standby firewall takes over by assuming the IP addresses of the Active firewall, so that all traffic continues to flow without interruption. All connection state information is synchronized over the LAN Failover Link, which also lets the Standby firewall know the state of the Active firewall.

Requirements

Both firewalls must meet some hardware and software requirements to run failover:

- same operating system platform
- same hardware configuration
- same operating mode (routed or transparent, single or multiple context)
- same Flash and RAM capacity
- same licensed features (encryption type, number of contexts, number of VPN peers)
- a software license that allows failover

LAN Failover Link

As shown in the example network above, there is a physical LAN connection between the two firewalls. This is mandatory for failover. One Ethernet interface must be reserved for the LAN Failover Link. The link can be an Ethernet cable connected directly between the two firewalls.

Configuring Active/Standby Stateful Failover

Step 1: Prepare the Active firewall
Choose one of the firewalls to be the Active unit. Connect the network cables for every interface you will use on the Active firewall and connect them to a switch. The Standby firewall must stay disconnected for now. Set the interfaces of the Active firewall to a fixed speed, for example with the speed 100 and duplex full commands in interface configuration mode. Likewise enable PortFast on the switch ports connected to the firewall interfaces.

Reserve two IP addresses for each firewall interface and decide which one is the Active and which the Standby address. The two IP addresses of each interface must be in the same subnet. For example, in the network above, assume that on the inside interface we use 192.168.1.1/24 for the Active firewall and 192.168.1.2 for the Standby firewall. Likewise the outside interface uses 100.100.100.1 for Active and 100.100.100.2 for Standby. Also choose a subnet for the LAN Failover Link (interface G0/2 in the example above); assume we use 192.169.99.0/24.

Step 2: Configure the LAN Failover Link on the Active firewall
In the topology above we use the Gigabit Ethernet port G0/2 as the LAN Failover Link. The syntax is as follows:

Example configuration:

Step 3: Configure the IP addresses of the Active firewall's interfaces

Step 4: Configure interface monitoring on the Active firewall
One of the events that triggers failover is a failure on a firewall interface. We need to specify which interfaces to monitor so that the unit gives up the Active role when an interface fails. In the example we monitor both inside and outside.

Step 5: Configure the LAN Failover Link on the Standby firewall
After the Active firewall is configured, we need to configure the Standby firewall. The only configuration required on the Standby firewall is the LAN Failover Link. Power on the Standby firewall and connect its interfaces to the corresponding switches. Do not connect the LAN Failover Link between the two firewalls yet. Connect only with a console cable and configure as follows:

Note that the only difference between the two firewalls is the keyword secondary. Although we are configuring the Standby firewall, the IP address configuration must be identical to that on the Active firewall.

Step 6: Reload the Standby firewall
Use the write memory command to save the Standby firewall's configuration. Connect the LAN Failover Link between the two firewalls and reload the Standby firewall. After the Standby firewall boots, the configuration of the Active firewall is replicated to the Standby firewall. The following messages appear on the Active firewall:

We then use write memory on the Active firewall to save the complete configuration on both the Active and the Standby firewall. From now on, any additional configuration is done only on the Active firewall and is automatically replicated to the Standby firewall; write memory on the Active firewall saves the configuration of both firewalls. Finally use show failover to check that failover is really working as expected.
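Steps 2 to 6 for the Active/Standby pair of the figure, as an added example and not the manual's own configuration. Addresses are the ones given in step 1 (inside 192.168.1.1/.2, outside 100.100.100.1/.2, failover link 192.169.99.0/24 on G0/2); the failover interface name FAILOVER, the interface-to-nameif mapping and the key placeholder are chosen here.

```cisco
! ===== Primary (Active) unit =====
! Step 2: LAN failover link on G0/2, also carrying the stateful (link) replication
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 192.169.99.1 255.255.255.0 standby 192.169.99.2
failover link FAILOVER GigabitEthernet0/2
failover key FAILOVER-KEY-PLACEHOLDER
interface GigabitEthernet0/2
 description LAN Failover Link
 no shutdown
!
! Step 3: every data interface gets an active and a standby address in the same subnet
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
 speed 100
 duplex full
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 speed 100
 duplex full
 no shutdown
!
! Step 4: an inside or outside interface failure must trigger failover
monitor-interface inside
monitor-interface outside
! enable failover on the primary
failover

! ===== Secondary (Standby) unit, via console, before cabling the failover link =====
! Step 5: the only difference is "secondary"; addresses are identical
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/2
failover interface ip FAILOVER 192.169.99.1 255.255.255.0 standby 192.169.99.2
failover link FAILOVER GigabitEthernet0/2
failover key FAILOVER-KEY-PLACEHOLDER
interface GigabitEthernet0/2
 no shutdown
failover
! Step 6: save, cable the failover link, reload the standby; then verify on the active unit
write memory
show failover
```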

Authentication, Authorization, Accounting (AAA)

AAA is the access control mechanism network devices use to control access to the network. Authentication is the most common mechanism; it determines who the user is. Authorization grants the user permission to do certain things in the network. Accounting records what the user does in the system and tracks what the user is doing. In this section we focus mostly on authentication against an AAA server such as the Cisco Access Control Server.

The Cisco ASA has three kinds of authentication:

- authentication of users accessing the ASA firewall itself
- authentication of users accessing HTTP, HTTPS, Telnet and FTP through the ASA; this method is called Cut-through Proxy
- authentication of remote users through an IPSec or SSL VPN tunnel (tunnel access authentication)

The ASA firewall uses an external AAA server. As mentioned above, the AAA server is the Cisco Secure ACS (Access Control Server). This server offers two authentication protocols, RADIUS and TACACS+. An AAA server provides a centralized solution by offering authentication services to every device in the network (firewalls, routers, switches, etc.). Its biggest benefit is that you can keep a central database of usernames/passwords, so you don't need to configure local usernames/passwords on every network device, which minimizes administrative overhead and strengthens the security and authentication policy across the whole system.

In the model above, the administrator's workstation can reach the firewall via the console cable or via SSH, TELNET or HTTP. Before allowing access, the ASA asks the admin user to authenticate. The administrator supplies a username/password and the ASA forwards this information to the AAA server for authentication. If the credentials are valid, the AAA server replies Access-Accept and the ASA lets the admin user in.

Note: before the ASA firewall can authenticate TELNET, SSH or HTTP access, you first need to allow these management protocols on the ASA with the telnet, ssh and http commands.
Example configuration:

SSH access can be enabled on every interface of the ASA firewall (inside, outside, dmz). Telnet access is only allowed on the inside interface.

Configuring authentication with an external AAA server
First define the AAA server group:

Then specify the authentication server. You need to define the IP address of the AAA server and the pre-shared key, which must also be configured on the AAA server.

Configure the ASA firewall to require authentication from the AAA server. Example:

Note: Cisco recommends also enabling local authentication on the ASA. This means that if the AAA server fails for whatever reason, the ASA firewall falls back to its local usernames/passwords as a secondary authentication method.

Cut-through Proxy authentication for Telnet, FTP and HTTP(S) connections
The ASA's Cut-through Proxy feature lets the ASA identify users when they access Telnet, FTP and HTTP services. The ASA firewall first intercepts the Telnet, FTP or HTTP session and authenticates the user against the AAA server. If authentication succeeds, the user's session is forwarded to the destination server.

In the model above, the web server (10.0.0.1) in the DMZ is statically NATed to 50.1.1.1 on the outside. Likewise the FTP server (10.0.0.2) is NATed to 50.1.1.2 on the outside. When a user on the Internet tries to reach the web server or the FTP server, the ASA presents an authentication prompt. After the user enters their credentials, the ASA queries the AAA server for authentication. If authentication succeeds, the ASA forwards the user's session to the destination server.

When using Cut-through Proxy, make sure the inbound ACL permits the connection in the first place. If the inbound ACL denies the connections from outside, Cut-through Proxy never takes place.

Configuring Cut-through Proxy authentication with an external AAA server
First specify the AAA server group:

Then specify the authentication server. You need to define the IP address of the AAA server and the pre-shared key, which must also be configured on the AAA server.

Enable Cut-through Proxy authentication by specifying which traffic must be authenticated:

Example:

Routing protocols on the ASA

First you need to know that the ASA firewall does not have the full functionality of a router. It does, however, have a routing table, which it uses to choose the best path to the destination network. If a packet then satisfies the firewall rules, the firewall routes it to its destination. The Cisco ASA firewall offers both static and dynamic routing. The three dynamic routing protocols are RIP, EIGRP and OSPF. Cisco recommends static routing on the ASA firewall rather than dynamic routing, because dynamic routing gives an attacker an opportunity to learn our internal network infrastructure: if dynamic routing is not configured carefully, internal subnets may be advertised to the outside, untrusted network.

There are, however, cases where dynamic routing is needed, for example in a large network where the ASA firewall sits between the campus network and the data center. In such a case dynamic routing pays off because we don't have to configure hundreds of static routes, and we don't have to worry about exposing internal subnets to the untrusted network (since the ASA sits deep inside the campus network).

Note: for small networks, use static routing only. Use a default static route to push all traffic out to the Internet, and use static routes when there is more than one network that is not directly connected. A network directly connected to the ASA needs no static route at all, because the ASA firewall already knows it. If the ASA connects to a border router (between the trusted and untrusted network), configure it to push all traffic out of the outside interface (untrusted network) and then add static routes towards the internal networks. If the ASA sits deep in the campus network with many internal networks, dynamic routing is preferable to static routing.

Static routing

There are three kinds of static routes:

- directly connected routes
- normal static routes
- default routes

Directly connected routes are created automatically in the ASA routing table when you configure an IP address on an ASA interface. For example, if you configure IP address 192.168.1.10/24 on the inside interface of the ASA, the route 192.168.1.0 255.255.255.0 is created automatically in the routing table.

Normal static routes and default routes

Configuring a static route on the ASA is like telling the firewall how to send packets to a destination along a given path. Use the route command to create a static route or a default route. The command format is as follows:

[interface-name]: the interface the packets leave through
[destination-network] [netmask]: the destination network and subnet mask we want the packets to reach
[gateway]: the next network device the ASA sends the packets to
Example:

For a default route, usually used to push traffic out to the Internet, set network/netmask to 0.0.0.0 0.0.0.0. All traffic the ASA has no more specific route for is then sent to 100.1.1.1. Use show route to check the routing table.

Static Route Tracking

When you configure a static route on the ASA, the route stays permanently in the routing table. The only way a static route disappears from the routing table is when a physical interface fails. In every other case, such as the remote default gateway going down, the ASA keeps sending packets to the gateway without knowing it is down. Starting with ASA version 7.2, the Static Route Tracking feature was introduced. The ASA monitors the availability of a static route by sending ICMP Echo packets along it and waiting for the reply. If the primary route fails, the secondary route is used. This feature is useful when you want to set up ISP link redundancy.

In the network above, Eth0/0 (outside) connects to the primary ISP and Eth0/1 (backup) connects to the secondary ISP. Two default routes are configured (one per ISP) together with the tracking feature. The route to the primary ISP is checked with ICMP Echo Requests. If no echo reply is received within the predefined time, the second static route, via the secondary ISP, is used. Note however that this design is only suitable for outbound communication (from the local LAN to the Internet).

Configuring Static Route Tracking

- Use the sla monitor command to specify the monitoring protocol (e.g. ICMP), the address to monitor (e.g. the ISP's gateway router) and the tracking timeout.
- Use the sla monitor schedule command to schedule the monitoring process (usually set to run forever, but the interval and start time can be customized).
- Define the primary static route to track with the route command followed by the track option.
- Define the backup static route with a higher metric than the primary static route.

Example configuration:

Dynamic routing with RIP

RIP is one of the oldest dynamic routing protocols. Although it is not used in many modern networks, it is still found in some cases. ASA version 7.x could only run RIP to advertise a default route; it could not receive RIP advertisements from neighbouring routers and re-advertise those routes to other routers. From ASA version 8.x, the ASA fully supports RIP, both v1 and v2. Using RIPv1 is not recommended, however, because it does not support authentication of routing updates.

Configuring RIP
Configuring RIP on the ASA is similar to a Cisco router. RIP is configured with the router rip command:

The no auto-summary command applies only to RIPv2. It disables automatic summarization of IP networks. For example, if you have a route 10.1.3.0/24 and want to advertise it via RIP, by default the ASA summarizes it to 10.0.0.0/8. Use no auto-summary to advertise the route as 10.1.3.0/24. RIP authentication is configured on the interface as follows:

The diagram below is an example of RIP in a network with several routers.

Assume the ASA sits between the campus network and the data center network. All neighbouring routers in the inside network run RIP.
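RIPv2 with MD5-authenticated updates towards the inside routers, as an added example and not the manual's own configuration. The inside address 10.1.1.1/24, key ID 1 and the key placeholder are chosen here; the default route originated towards the RIP neighbours is assumed to exist on the ASA.

```cisco
! inside interface facing the RIP routers; every RIP neighbour must use the same key and key ID
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 rip authentication mode md5
 rip authentication key RIP-KEY-PLACEHOLDER key_id 1
!
router rip
 version 2
 ! keep 10.x.y.0/24 routes instead of one 10.0.0.0/8 summary
 no auto-summary
 network 10.0.0.0
 ! hand the ASA's default route to the inside routers
 default-information originate
 ! never speak RIP towards the untrusted side
 passive-interface outside
!
show rip database
show route rip
```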

OSPF routing

OSPF is a dynamic routing protocol that uses link state rather than distance vector to select the optimal path. It is better and more scalable than RIP, which is why OSPF is widely used in enterprise networks. OSPF can be very complex. In this section we only discuss the components most used in practice, the features and scenarios most often found in real networks. (Note: the ASA does not currently support IPv6 with OSPF.)

Configuring OSPF

OSPF is configured around areas. To configure OSPF we create an OSPF routing process (the ASA can run two processes), assign the IP networks that belong to the routing process, and give each network an area ID. As with RIPv2, we also configure MD5 authentication for the OSPF routing updates.

To configure OSPF MD5 authentication, enable authentication for each area (in the routing process) and also configure MD5 authentication under the interface configuration.

We look at OSPF examples commonly used in practice. The first example shows a Cisco ASA in an enterprise network acting as an Area Border Router (ABR), and the second shows the ASA firewall advertising a default route into the internal network via OSPF.

Example 1: ASA acting as OSPF ABR

In the example above, the ASA firewall sits between the data center and the campus. All routers in the data center run OSPF area 0, while all routers in the campus network run OSPF area 1. The ASA acts as the border router. We assume there is no NAT on the ASA (no nat-control). The firewall policy can be tightened with ACLs on both the inside and outside interfaces.

Example 2: Advertising a default route into the network

In the example above, the ASA has a default route out towards the campus network and advertises it into the internal network (data center). This means that all routers in the internal network (running OSPF area 0) learn the default route and send Internet-bound traffic out through the router nearest to the ASA.
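Examples 1 and 2 combined: the ASA as ABR between area 0 (data center, inside) and area 1 (campus, outside) with MD5 authentication in both areas, originating its default route into OSPF, as an added example and not the manual's own configuration. The addresses 10.1.1.1/24 and 10.2.1.1/24, the campus next hop 10.2.1.254, process ID 1, key ID 1 and the key placeholder are chosen here.

```cisco
! area 1 side (campus)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.2.1.1 255.255.255.0
 ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
 ospf authentication message-digest
! area 0 side (data center)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
 ospf message-digest-key 1 md5 OSPF-KEY-PLACEHOLDER
 ospf authentication message-digest
!
! Example 1: one process, two areas -> the ASA is the ABR
router ospf 1
 router-id 10.1.1.1
 network 10.1.1.0 255.255.255.0 area 0
 network 10.2.1.0 255.255.255.0 area 1
 ! MD5 must be enabled per area as well as on the interfaces
 area 0 authentication message-digest
 area 1 authentication message-digest
 ! Example 2: advertise the ASA's default route into OSPF
 ! (without "always" it is only advertised while the default route exists)
 default-information originate
!
! the default route towards the campus that Example 2 redistributes
route outside 0.0.0.0 0.0.0.0 10.2.1.254 1
! no NAT on this ASA
no nat-control
!
show ospf neighbor
show ospf database
show route ospf
```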

Dynamic routing with EIGRP

EIGRP is the enhanced version of IGRP. It is a Cisco proprietary protocol and only runs on Cisco devices. The ASA supports EIGRP from version 8.0 onwards. Although EIGRP is very easy to use and flexible, network administrators and designers are often hesitant to use it because of the dependence on a single vendor.

Configuring EIGRP
Configuring EIGRP on the ASA is very similar to a Cisco router. You simply enable the EIGRP process by specifying the autonomous system (AS) number and then configure the network ranges the ASA advertises through the routing protocol to its neighbouring EIGRP routers.

MD5 authentication of route updates is also supported under the interface configuration.

Note: all routers must belong to the same autonomous system and use the same MD5 key. [key ID] ranges from 0 to 255.
Example configuration:

Configuring AnyConnect WebVPN

In this section we describe a newer VPN feature supported by the ASA, AnyConnect WebVPN, which uses SSL and a Java-based client to build a tunnel for remote user access. Before going into the details of AnyConnect WebVPN, let's review the VPN technologies supported by the ASA firewall.

Overview of ASA VPN technologies

Cisco offers several ways to set up a VPN on the ASA, but they are usually classified as IPSec-based VPNs or SSL-based VPNs. The first class uses the IPSec protocol for secure communication, the second uses SSL. SSL-based VPN is also called WebVPN. The two general VPN types supported by the ASA break down into the following VPN technologies:

IPSec-based VPNs:

- LAN-to-LAN IPSec VPN: used to connect remote LANs over an insecure transport (such as the Internet). It runs ASA-to-ASA or ASA-to-Cisco router.
- Remote Access with the IPSec VPN Client: VPN Client software installed on the user's personal computer provides access to the central network. It uses the IPSec protocol and gives the user full network connectivity.

SSL-based VPNs (WebVPN):

- Clientless Mode WebVPN: the first SSL WebVPN mode supported by the ASA, from version 7.0 onwards. It lets users establish a secure VPN connection using nothing but a web browser. The benefit is that no extra software or hardware is needed; the drawback is that only a limited set of applications can be reached.
- AnyConnect WebVPN: a Java-based client installed on the user's personal computer provides a secure SSL tunnel to the central network. It offers full connectivity (like IPSec Remote Access): every application in the central network can be reached remotely.

Comparison of the WebVPN technologies

In this section we focus only on AnyConnect WebVPN. We won't spend time on Clientless WebVPN because we believe the benefits of AnyConnect over Clientless are greater. To make the point, let's look at the differences between the two WebVPN modes so that you understand why we concentrate on AnyConnect.

Clientless WebVPN requires no VPN client on the user's personal computer; it just uses an ordinary web browser. The user browses to http://[outside address of the ASA], authenticates with the firewall and gets access to the Web Portal. Through this Web Portal the user can reach a limited number of internal applications. Specifically, only internal web applications (HTTP, HTTPS), email servers (POP3, SMTP, IMAP), Windows file shares and a small number of TCP-based applications (such as Telnet) can be accessed. So Clientless VPN does not give full access to the internal network.

AnyConnect WebVPN, on the other hand, gives the remote user full network connectivity. The ASA firewall acts as the AnyConnect VPN server, assigns an IP address to the remote user and lets the user onto the network, so all IP protocols and application functions work through the VPN tunnel without problems. For example, after authenticating successfully with AnyConnect VPN, a remote user can use Remote Desktop to reach a Windows Terminal Server inside the internal network. Although the Java-based client must be installed on the user's personal computer, it can be delivered to the user dynamically from the ASA: the user connects to the ASA firewall with a web browser and downloads the Java client. The client is about 3 MB in size and is stored in the ASA's flash memory.

Overview of AnyConnect WebVPN

AnyConnect WebVPN protects data at the network layer and above (tunnel mode). It provides the same remote access functionality as Cisco IPSec VPN. The two versions of the tunnel-mode WebVPN client are as follows:

In ASA versions 7.0 to 7.2 the WebVPN client is called SVC (SSL VPN Client). From version 8.0 onwards the client is called the AnyConnect WebVPN client. Although we concentrate on the AnyConnect client, the configuration for both client versions (SVC and AnyConnect) is the same on the ASA.

Overview of AnyConnect VPN operation

The diagram below shows the network topology with the ASA and a remote user connecting with AnyConnect VPN.

In the model above, the ASA firewall is configured as the AnyConnect WebVPN server. The user connects remotely over the Internet, and the user's computer has IP address 10.1.1.1. The user sits behind a router running NAT/PAT, which translates the private IP address to a public one. When the remote user connects and authenticates successfully with the ASA using the AnyConnect client, the ASA assigns an IP address from a predefined range (192.168.5.1-192.168.5.20 in the example above). In the model above, the ASA assigns 192.168.5.1 to the remote user. This means the user is virtually connected to the internal LAN behind the ASA firewall.

The operation described above assumes that AnyConnect is already installed on the user's personal computer. Let's look at the options for installing the AnyConnect client. There are two ways to install AnyConnect on the client:

- via the Clientless WebVPN portal
- manual installation by the user

With the Clientless Web Portal, the user first connects and authenticates with the ASA from a web browser over a secure connection, and the AnyConnect Java client is downloaded and installed on the computer automatically (the user can also click the AnyConnect tab on the WebVPN Portal to download the client software). For this to work, the administrator must have stored the Java client (.pkg extension) in flash memory.

With manual installation, the network administrator downloads the appropriate Java client (the Microsoft MSI package installer or one of the other OS versions) from the Cisco website and gives the file to the user to install by hand. With this method the user does not need to log in to Clientless mode to bring up the SSL VPN tunnel.

Step-by-step AnyConnect configuration

We focus on the automatic AnyConnect installation option, i.e. the AnyConnect client is stored in the ASA's flash memory and downloaded by the user. The diagram below is used to describe the configuration step by step.

Step 1: Store the PKG file in the ASA flash memory. First download one of the .pkg files from the Cisco website. For example, the Windows client file has a name of the form anyconnect-win-x.x.xxxxk9.pkg. Copy the PKG file to flash:

Assume we downloaded the AnyConnect client to the computer with IP address 192.168.1.1. We use a TFTP server on that computer to copy the file to the ASA.

Step 2: Identify the PKG file in flash by telling the ASA where the file is stored, and enable the AnyConnect WebVPN service on the ASA's outside interface.

Note: the number 1 at the end of the file name is the order of the file in flash memory. It is used when more than one file is stored in flash (e.g. AnyConnect clients for Windows and Mac).

Step 3: Exempt the SSL WebVPN traffic from the ACL on the outside interface. By default WebVPN traffic is not exempt from ACL checking: once the tunnelled traffic is decapsulated, it is checked against the inbound ACL applied to the outside interface. You must either permit the decapsulated traffic in that ACL or use sysopt connection permit-vpn.

Step 4: This step is optional but very useful. All SSL VPN connections between the remote user and the ASA run over HTTPS (port 443), so the user must type https://[public IP of the ASA] in the browser. Because most users forget the https, you can configure port redirection: if the user connects to port 80, the ASA automatically redirects them to port 443.

Step 5: Create the address range the ASA assigns to the remote users. From the model above we see that after the remote user is authenticated, the ASA assigns an IP address to the remote user from the predefined range 192.168.5.1-192.168.5.20.

Step 6: Create a NAT exemption so that the VPN traffic is not translated. We do this because the tunnelled traffic must not go through NAT.

Step 7: Create the Group Policy for the AnyConnect WebVPN users. The Group Policy lets you separate users into different groups with different attributes, such as the DNS server, split tunneling, and how the AnyConnect WebVPN client is downloaded (automatically, or only after authentication).

Clarifying some parameters:

svc keep-installer {installed | none}: installed means the client stays permanently installed on the user's computer even after disconnecting. By default the client is removed after the user disconnects from AnyConnect.

svc ask {none | enable [default {webvpn | svc} timeout value]}: this command tells the ASA how the AnyConnect client is delivered to the user's computer.

- svc ask none default webvpn: the ASA immediately displays the Web Portal. This is the default.
- svc ask none default svc: download the AnyConnect client automatically.
- svc ask enable default svc timeout 20: the user is prompted to install the AnyConnect client. If they do nothing within 20 seconds, the AnyConnect client is downloaded and installed automatically.

Step 8: Create the Tunnel Group. The Tunnel Group must reference the Group Policy configured above. It ties the Group Policy to the IP address range we configured for the remote users. The format is as follows:

Example:

Step 9: Create the local accounts on the ASA that are used for AnyConnect authentication.

Complete configuration:
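Steps 1 to 9 assembled for the AnyConnect topology of the figure (TFTP server 192.168.1.1, pool 192.168.5.1-192.168.5.20, internal LAN 192.168.1.0/24, user ssluser1), as an added example in ASA 8.0-style pre-8.3 syntax and not the manual's own configuration. The package name keeps the manual's x.x.xxxx placeholder; the pool, policy, tunnel-group and ACL names, the DNS address 192.168.1.10 and the password placeholder are chosen here.

```cisco
! Step 1: copy the client package from the TFTP server into flash
copy tftp://192.168.1.1/anyconnect-win-x.x.xxxxk9.pkg disk0:/anyconnect-win-x.x.xxxxk9.pkg
!
! Step 2: register the package (order 1) and enable the SSL VPN service on outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-x.x.xxxxk9.pkg 1
 svc enable
!
! Step 3: decapsulated VPN traffic bypasses the outside interface ACL
sysopt connection permit-vpn
!
! Step 4 (optional): http://ASA on port 80 is redirected to https on 443
http server enable
http redirect outside 80
!
! Step 5: addresses handed to AnyConnect users
ip local pool SSL-POOL 192.168.5.1-192.168.5.20 mask 255.255.255.0
!
! Step 6: LAN <-> VPN-client traffic is exempt from NAT
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
!
! Step 7: group policy - SVC tunnel protocol, DNS, client kept installed, 20 s auto-download prompt
group-policy SSL-POLICY internal
group-policy SSL-POLICY attributes
 vpn-tunnel-protocol svc
 dns-server value 192.168.1.10
 webvpn
  svc keep-installer installed
  svc ask enable default svc timeout 20
!
! Step 8: tunnel group binding pool and policy; the alias is the group the user picks at login
tunnel-group SSL-GROUP type remote-access
tunnel-group SSL-GROUP general-attributes
 address-pool SSL-POOL
 default-group-policy SSL-POLICY
tunnel-group SSL-GROUP webvpn-attributes
 group-alias SSL-GROUP enable
webvpn
 tunnel-group-list enable
!
! Step 9: local account used at the AnyConnect login prompt
username ssluser1 password SSLUSER1-PASSWORD-PLACEHOLDER
username ssluser1 attributes
 service-type remote-access
!
! verification once a client has connected
show vpn-sessiondb svc
```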

Establishing the AnyConnect WebVPN connection

1. Browse to the ASA's public address: https://[outside interface].

2. Enter the username/password (ssluser1) and choose the user group.

3. The SSL VPN connection is established.

4. The ActiveX component must be installed on your computer before the AnyConnect client can be downloaded. You will see the window below once the connection is established.