5 - VPN + FAILOVER + ROUTING + VLAN + AAA

IPSec VPNs

This chapter covers virtual private networks (VPNs) built with the IPSec protocol. IPSec is built into the ASA and is used to connect geographically remote LANs securely over an Internet connection (Site-to-Site VPN) or to let remote users connect to the central network (Remote Access VPN). The chapter focuses on these two VPN types.
Before going into the details of IPSec VPN configuration, we briefly describe how the IPSec protocol works so that the VPN configuration can be understood properly.

What is IPSec?

IP Security (IPSec) is an open IETF standard that encrypts data in transit. It is a protocol suited to providing confidentiality, integrity and authentication of data. A VPN is a secure connection, like a private tunnel, across an insecure transport such as the Internet, so IPSec is an ideal protocol for building VPNs over the Internet.
IPSec works at the network layer, encapsulating and authenticating packets between the ASA and the other devices taking part in the VPN, such as Cisco routers, Cisco firewalls or VPN clients.
The following IPSec standards and protocols are used:
o ESP (Encapsulating Security Payload): the first of the two main protocols that make up the IPSec standard. It provides data integrity, authentication and confidentiality. ESP is used to encrypt the payload of the IP packet.
o AH (Authentication Header): the second of the two main IPSec protocols. It provides integrity, authentication and anti-replay protection. It provides no encryption, but acts like a digital signature to guarantee that the packet has not been tampered with.
o Internet Key Exchange (IKE): the mechanism the ASA uses to exchange encryption keys securely, authenticate the IPSec peers and negotiate the IPSec parameters.
o DES, 3DES, AES: the encryption algorithms offered by the ASA firewall. DES is the weakest (56-bit key) and AES the strongest (128-, 192- or 256-bit keys). 3DES is the middle choice, with a 168-bit key.
o DH (Diffie-Hellman group): the public-key protocol used by IKE to establish the session keys.
o MD5, SHA-1: the two hash algorithms used to authenticate packets. SHA is stronger than MD5.
o SA (Security Association): an SA is a connection between two IPSec peers. Each peer keeps an SA database in memory holding the SA parameters. An SA is uniquely identified by the peer's IP address, the security protocol and the Security Parameter Index (SPI).

How IPSec works

There are five main steps:
o Interesting traffic: the IPSec device identifies the traffic that must be protected.
o Phase 1 (ISAKMP): the IPSec devices negotiate the IKE security policies and set up a secure channel for communication between the IPSec peers.
o Phase 2 (IPSec): the IPSec devices negotiate the IPSec security policy that protects the data.
o Data transfer: data is transferred securely between the IPSec peers using the IPSec parameters and keys negotiated in the previous phases.
o IPSec tunnel termination: the IPSec SAs are torn down when they time out.

Connection types:

SITE-TO-SITE IPSEC VPN

Site-to-Site IPSec VPN is sometimes called LAN-to-LAN. As the name says, this VPN type connects two physically distant LANs over the Internet. Usually the LANs use private addresses, as shown in the figure above. Without a VPN connection the two LANs could not communicate. By configuring a Site-to-Site IPSec VPN between the two ASA firewalls we can establish a secure tunnel across the Internet connection and push the LAN traffic into that tunnel. As a result, hosts in 192.168.1.0/24 can reach hosts in 192.168.2.0/24 directly, and vice versa. The IPSec tunnel is established between the public IP addresses of the two ASA firewalls, 100.100.100.1 and 200.200.200.1.

Remote Access VPN

The second type of IPSec VPN we discuss is Remote Access VPN. A remote user who needs access to the LAN must use the Cisco VPN Client. This VPN type lets a remote user establish a secure IPSec VPN connection over the Internet to the company LAN. The remote user must have the Cisco VPN Client software installed on their personal computer; this software establishes the connection to the company LAN. Once the VPN is established between the remote user and the ASA firewall, the user is assigned a private IP address from a predefined pool and is then allowed to access the LAN.
In the topology above, the ASA firewall protects the corporate LAN, and a remote user with the VPN client establishes a secure connection to the ASA. Addresses from the 192.168.20.0/24 range are assigned to VPN clients for communicating with the internal corporate network 192.168.1.0/24. Once the Remote Access VPN is established, by default the remote user cannot reach anything on the Internet other than the corporate LAN. This is handled by configuring split tunneling on the ASA.

Configuration guide

SITE-TO-SITE IPSec VPN

Step 1: Configure the interesting traffic

First we define the traffic we are interested in, which is the traffic that will be encrypted. Using an ACL we identify which traffic the ASA must handle. In the figure above we want all traffic between 192.168.1.0/24 and 192.168.2.0/24 to be encrypted.

An important issue to consider is the case where NAT is used on the firewall for ordinary Internet access. Because IPSec traffic does not work through NAT, we must exempt the IPSec traffic from NAT. NAT 0 is used to solve this.

Step 2: Configure Phase 1 (ISAKMP)

Phase 1 establishes the secure communication channel used for data transfer. In Phase 1 the VPN peers exchange secret keys, authenticate each other and negotiate the IKE security policies. In this phase we configure the ISAKMP policy, which must match the policy configured on the other peer. The ISAKMP policy tells the peers which security parameters must be used in the VPN (encryption algorithm, hash algorithm, authentication method, DH group, lifetime), as follows.

Several ISAKMP policies can be configured to meet different requirements from different peers. The priority number uniquely identifies each policy.
The following parameters can be used to create a strong ISAKMP policy:
o Encryption: AES
o Hash: SHA
o Authentication: pre-share
o Group: 2 or 5
o Lifetime: 3600 (the SA expires and is renegotiated after one hour)
Next we define the pre-shared key and the VPN type (Site-to-Site, Remote Access or WebVPN). This is configured with the tunnel-group command.

Configuration:

Step 3: Configure Phase 2 (IPSec)

After the secure tunnel is established in Phase 1, the next step is to set up the VPN by negotiating the IPSec security parameters that will protect the data in the tunnel. This happens in IPSec Phase 2. The following functions are performed in this phase:
o Negotiate the IPSec security parameters and the IPSec transform sets
o Establish the IPSec SAs
o Periodically renegotiate the IPSec SAs to maintain security
The goal of IKE Phase 2 is to establish a secure IPSec session between the peers. Before that can happen, each side negotiates the security level (the encryption and authentication algorithms for the session). The protocols are grouped into sets called transform sets. The IPSec transform set is exchanged between the peers and must be the same on both peers for the session to be established.
Command format for configuring a transform set:

The following transforms (protocol/algorithm) can be used as transform1 and transform2:

Transform       Description
esp-des         ESP transform using 56-bit DES
esp-3des        ESP transform using 168-bit 3DES
esp-aes         ESP transform using AES-128
esp-aes-192     ESP transform using AES-192
esp-aes-256     ESP transform using AES-256
esp-md5-hmac    ESP transform using HMAC-MD5 for authentication
esp-sha-hmac    ESP transform using HMAC-SHA for authentication
esp-none        ESP with no authentication
esp-null        ESP with no encryption

Some useful notes when choosing transform protocols:
o For confidentiality (encryption), use an ESP encryption transform such as the first five ESP entries in the table.
o For authentication, use MD5-HMAC or SHA-HMAC.
o SHA is stronger than MD5 but slower.
After configuring the transform set on both IPSec peers, we must configure the crypto map, which holds all the Phase 2 IPSec parameters. The crypto map is then applied to the firewall interface (usually Outside) on which IPSec will be established.

The seq-num parameter of the crypto map is used to create several map entries with the same name, for the case where we have more than one IPSec peer on the firewall (for example an ASA in a hub-and-spoke design).
Complete configuration for both firewalls for Phase 2:

Step 4: Check that data is encrypted

Check whether the tunnel is established

The command show crypto isakmp sa checks whether the SA has been established and whether the tunnel state is up, down or active.

Check whether data is being encrypted

The command show crypto ipsec sa confirms whether data is being encrypted and decrypted successfully.

Configuring Remote Access VPN

Many of the configuration commands are the same as for the Site-to-Site VPN, especially IKE Phase 1 and Phase 2. In addition, an IP pool must be configured on the firewall for dynamically assigning addresses to remote users.
Step 1: Configure the IP pool
The command format is as follows:

In this example we want to assign addresses to remote users from the 192.168.20.0/24 range.

Step 2: Encrypt the traffic and exempt it from NAT

As with the Site-to-Site VPN, we must define an ACL for traffic from the internal network to the remote users (192.168.20.0/24) in order to exempt it from NAT.

Step 3: Configure the Group Policy

A group policy lets you separate remote users into groups with different attributes. For example, system administrators can be assigned to a group with 24-hour access, while ordinary remote users are assigned to another group that may connect only from 9 AM to 5 PM. A group policy also supplies DNS or WINS server addresses, connection filters and timeouts.
Syntax:

Example configuration:

Assume that all remote users share a single group policy named company-cpnpolicy, configured as above. This policy assigns the DNS and WINS server addresses used to resolve names in the internal domain and hostnames. It sets the idle timeout to 30 minutes.

Step 4: Configure usernames for Remote Access authentication

When a remote user connects with the VPN Client, they are asked for a username and password on the login screen in order to authenticate to the firewall. We therefore need to create usernames and passwords for this authentication.
Syntax:

Example configuration:

Step 5: Configure Phase 1 (ISAKMP policy)

Same as for the Site-to-Site VPN.

Step 6: Configure Phase 2 (IPSec parameters)

This step is also the same as for the Site-to-Site VPN.

Step 7: Configure the Tunnel Group for Remote Access

The tunnel group configuration is the heart of the Remote Access VPN. It ties together the group policy configured earlier, the IP pool and the pre-shared key.
Syntax:

The group name is very important, because we must specify exactly the same name when configuring the VPN client software.
Example configuration:

Step 8: Configure the VPN Client software

After installing the VPN Client, start the application and choose New to create a new connection entry.

The connection name is vpn, with a description. In the Host textbox enter the public IP address of the ASA's outside interface.

Enter the group username/password; these must match the tunnel-group name and pre-shared key from Step 7. In this example configuration the Group Authentication Name is vpnclient and the password (pre-shared key) is groupkey123. Then save the configuration.

After saving the settings, return to the Connection Entries tab and choose Connect to initiate the Remote Access VPN connection.

After the VPN connection is initiated, the remote user is prompted for a username/password on the login screen to authenticate to the firewall.

After successful authentication with the firewall, a secure Remote Access tunnel is established. If you open CMD and run ipconfig /all on the remote user's computer, you will see an IP address from the 192.168.20.0/25 range assigned to the virtual VPN interface. This gives the remote user full access to the corporate LAN.

Configuring firewall failover

The Cisco ASA firewall is a critical component of any network, and often many important business services depend on the firewall's availability. For that reason firewall redundancy must be built in.
In this chapter we describe firewall fault tolerance in Active/Standby mode. This is the most common configuration in most networks. The ASA also offers Active/Active failover.
Active/Standby model
In the Active/Standby model, one of the two firewalls is designated Active and handles all traffic and security functions. The other firewall stays in standby and automatically takes over all traffic if the Active firewall fails.
Stateful failover pushes connection-state information from the Active firewall to the Standby firewall. When failover occurs, the same connection information is already available on the Standby firewall, which automatically becomes Active without dropping any user's connections. The state synchronized between Active and Standby includes the global address pool, the NAT table, the state of TCP/UDP connections and many other details.

The network diagram above shows a pair of firewalls running failover in Active/Standby mode. The inside interfaces connect to the same internal switch and the outside interfaces to the same external switch. A cable between the two firewalls serves as the LAN Failover Link. During normal operation all traffic passes through the Active firewall, which handles all inbound and outbound communication. If the Active firewall fails (for example an interface goes down or the firewall itself fails), the Standby firewall takes over by assuming the Active firewall's IP addresses, so all traffic keeps flowing without interruption. All connection-state information is synchronized over a LAN connection called the LAN Failover Link, which also lets the Standby firewall know the state of the Active firewall.
Requirements
Some hardware and software requirements for both firewalls to run failover:
o Same operating system platform
o Same hardware configuration
o Same operating mode (routed or transparent, single or multiple context)
o Same amount of Flash and RAM
o Same licensed features (encryption type, number of contexts, number of VPN peers)
o A software license that allows failover
LAN Failover Link
As shown in the example network above, there is a physical LAN connection between the two firewalls. This is mandatory for failover. One Ethernet interface must be reserved for the LAN Failover Link. The link can be an Ethernet cable connected directly between the two firewalls.
Configuring Active/Standby Stateful Failover

Step 1: Prepare the Active firewall

Choose one of the firewalls to be Active. Connect a network cable to every interface you will use on the Active firewall and connect them to a switch. The Standby firewall must stay disconnected for now. Set the Active firewall's interfaces to a fixed speed, for example with speed 100 and duplex full in interface configuration mode. Likewise enable PortFast on the switch ports connected to the firewall's interfaces.

Reserve two IP addresses for each firewall interface and decide which one is assigned to Active and which to Standby. The two IP addresses for an interface must be in the same subnet. For example, in the network above, assume the inside interface uses 192.168.1.1/24 on the Active firewall and 192.168.1.2 on the Standby firewall. Similarly the outside interface uses 100.100.100.1 for Active and 100.100.100.2 for Standby. Also choose a subnet for the LAN Failover Link (interface G0/2 in the example above); assume 192.169.99.0/24.
Step 2: Configure the LAN Failover Link on the Active firewall
In the topology above we use Gigabit Ethernet G0/2 as the LAN Failover Link.
Syntax:

Example configuration:

Step 3: Configure the IP addresses on the Active firewall's interfaces

Step 4: Configure interface monitoring on the Active firewall

One of the events that triggers failover is a failure on a firewall interface. We need to specify which interfaces to monitor so that the unit fails over to Standby when an interface fails. In this example we monitor both inside and outside.

Step 5: Configure the LAN Failover Link on the Standby firewall

After the Active firewall is configured, we configure the Standby firewall. The only configuration required on the Standby firewall is the LAN Failover Link. Power on the Standby firewall and connect its interfaces to the corresponding switches, but do not yet connect the LAN Failover Link between the two firewalls. Connect only with a console cable and configure as follows:

Note that the only difference between the two firewalls is the keyword Secondary. Although we are configuring the Standby firewall, the IP address configuration must be identical to that on the Active firewall.

Step 6: Reboot the Standby firewall

Use write memory to save the Standby firewall's configuration. Connect the LAN Failover Link between the two firewalls and reboot the Standby firewall.
After the Standby firewall boots, the Active firewall's configuration is replicated to the Standby firewall. The following messages appear on the Active firewall:

We then use write memory on the Active firewall to save the configuration on both the Active and Standby firewalls.
From now on, any further configuration made on the Active firewall is replicated automatically to the Standby firewall. write memory on the Active firewall saves the configuration on both firewalls.
Finally, use show failover to check that failover really works as expected.
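The following listing is an added example, not the page's own configuration, carrying Steps 1 to 6 through for both units. Interface roles (G0/0 outside, G0/1 inside, G0/2 failover link), the standby addresses and the 192.169.99.0/24 link subnet are the values the text gives; the failover interface name LANFAIL and the choice to carry the stateful link over the same G0/2 cable are assumptions.

```cisco
! Active (primary) unit, added example; LANFAIL is a constructed interface name
! Step 2: LAN failover link on G0/2, also used as the stateful link
interface GigabitEthernet0/2
 no shutdown
failover lan unit primary
failover lan interface LANFAIL GigabitEthernet0/2
failover interface ip LANFAIL 192.169.99.1 255.255.255.0 standby 192.169.99.2
failover link LANFAIL GigabitEthernet0/2
! Steps 1 and 3: fixed speed/duplex and the active/standby pair on each data interface
interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 100.100.100.1 255.255.255.0 standby 100.100.100.2
 no shutdown
interface GigabitEthernet0/1
 speed 100
 duplex full
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
! Step 4: a failure of either data interface triggers failover
monitor-interface inside
monitor-interface outside
failover
!
! Standby (secondary) unit, Step 5: entered over the console before the link is cabled.
! The only difference from the primary is the unit role; the link addresses are identical
interface GigabitEthernet0/2
 no shutdown
failover lan unit secondary
failover lan interface LANFAIL GigabitEthernet0/2
failover interface ip LANFAIL 192.169.99.1 255.255.255.0 standby 192.169.99.2
failover link LANFAIL GigabitEthernet0/2
failover
! Step 6: write memory on the standby, cable G0/2, reload the standby, then write memory on
! the active unit so both hold the replicated configuration; check with: show failover
```

Interface addresses, nameif and security-level come from the active unit during replication, which is why the standby unit needs nothing beyond the failover link configuration.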

Authentication, Authorization and Accounting (AAA)

AAA is the access-control mechanism network devices use to control access to the network. Authentication is the most common mechanism and is used to identify who the user is. Authorization grants the user permission to do particular things on the network. Accounting records what the user does on the system and tracks what the user is doing. In this section we focus mostly on authentication using an AAA server such as the Cisco Access Control Server.

The Cisco ASA has three kinds of authentication:

o Authenticating users who access the ASA firewall itself
o Authenticating users who access HTTP, HTTPS, Telnet and FTP through the ASA. This method is called cut-through proxy.
o Authenticating remote users who connect through an IPSec or SSL VPN tunnel (tunnel access authentication)

The ASA firewall uses an external AAA server. As noted above, the AAA server is the Cisco Secure ACS (Access Control Server). This server offers two authentication protocols, RADIUS and TACACS+. An AAA server provides a centralized solution by offering authentication to every device in the network (firewalls, routers, switches and so on). The biggest benefit of an AAA server is that you can keep a central username/password database, so you do not have to configure local usernames/passwords on each network device, which minimizes administrative cost and strengthens the security and authentication policy across the whole system.

In the diagram above, the administrator's workstation can access the firewall over the console cable or via SSH, Telnet or HTTP. Before allowing access, the ASA requires the admin user to authenticate. The admin supplies a username/password and the ASA sends this information to the AAA server for authentication. If the authentication is valid, the AAA server replies with Access-Accept and the ASA lets the admin user in.
Note: before the ASA firewall can authenticate Telnet, SSH or HTTP, you must first configure the ASA to allow those management protocols (telnet, ssh, http).
Example configuration:

SSH access can be used on all interfaces of the ASA firewall (inside, outside, dmz). Telnet access is allowed only on the inside interface.
Configuring authentication with an external AAA server
First define the AAA server group:

Then specify the authentication server. You must define the AAA server's IP address and the pre-shared key; the same key must also be configured on the AAA server.

Configure the ASA firewall to require authentication from the AAA server:

Example:

Note: Cisco recommends also enabling local authentication on the ASA. This means that if the AAA server fails for any reason, the ASA firewall falls back to the local username/password as a secondary authentication method.
Cut-through proxy authentication for Telnet, FTP and HTTP(S) connections
The ASA's cut-through proxy feature lets the ASA identify users who access Telnet, FTP and HTTP services. The ASA first intercepts the Telnet/FTP/HTTP session and authenticates the user against the AAA server. If authentication succeeds, the user's session is forwarded to the destination server.

In the diagram above, the web server (10.0.0.1) in the DMZ is statically NATed to 50.1.1.1 on the outside. Similarly the FTP server (10.0.0.2) is NATed to 50.1.1.2 on the outside. When a user on the Internet tries to access the web server or the FTP server, the ASA presents an authentication prompt to the user. After the user enters their credentials, the ASA queries the AAA server for authentication. If authentication succeeds, the ASA forwards the user's session to the destination server.

When using cut-through proxy, make sure the inbound ACL permits the connection in the first place. If the inbound ACL denies the connections from outside, cut-through proxy never takes place.
Configuring cut-through proxy authentication with an external AAA server
First specify the AAA server group:

Then specify the authentication server. You must define the AAA server's IP address and the pre-shared key; the same key must also be configured on the AAA server.

Enable cut-through proxy authentication by specifying which traffic is authenticated:

Example:
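The following listing is an added example, not the page's own configuration, covering both procedures above on one ASA (pre-8.3 software): management-access authentication against ACS with local fallback, and cut-through proxy for the DMZ web and FTP servers described in the diagram. The server-group name ACS, the ACS address 192.168.1.100, the shared key, the admin account and the ACL names are assumptions; the DMZ and mapped addresses are the ones in the text. Inbound rules reference the mapped (outside) addresses, as pre-8.3 software requires.

```cisco
! Added example; server group, key, admin account and ACL names are constructed
! Management protocols must be allowed before they can be authenticated
ssh 192.168.1.0 255.255.255.0 inside
ssh 0.0.0.0 0.0.0.0 outside
telnet 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside
! AAA server group (Cisco Secure ACS over TACACS+) and the server itself
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.168.1.100
 key AcsSharedSecret123
! Administrative access: ask ACS first, fall back to the local database if ACS is down
aaa authentication ssh console ACS LOCAL
aaa authentication telnet console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication enable console ACS LOCAL
username admin password LocalFallback123 privilege 15
!
! Cut-through proxy: static NAT for the DMZ servers and an inbound ACL that permits them
static (dmz,outside) 50.1.1.1 10.0.0.1 netmask 255.255.255.255
static (dmz,outside) 50.1.1.2 10.0.0.2 netmask 255.255.255.255
access-list OUTSIDE-IN extended permit tcp any host 50.1.1.1 eq www
access-list OUTSIDE-IN extended permit tcp any host 50.1.1.2 eq ftp
access-group OUTSIDE-IN in interface outside
! Only the traffic matched here is prompted for credentials and checked against ACS
access-list AUTH-TRAFFIC extended permit tcp any host 50.1.1.1 eq www
access-list AUTH-TRAFFIC extended permit tcp any host 50.1.1.2 eq ftp
aaa authentication match AUTH-TRAFFIC outside ACS
```

Keeping AUTH-TRAFFIC narrower than OUTSIDE-IN is deliberate: the inbound ACL decides what may pass at all, while the match ACL decides which of those flows must also be authenticated.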

Routing protocols on the ASA

First you should know that the ASA firewall does not have the full functionality of a router. It does, however, have a routing table, which it uses to decide the best path to the destination network. If the packet then satisfies the firewall rules, the firewall routes it to its destination.
The Cisco ASA firewall provides both static and dynamic routing. The three dynamic routing protocols are RIP, EIGRP and OSPF. Cisco recommends using static routing on the ASA firewall rather than dynamic routing, because dynamic routing gives an attacker an opportunity to discover the layout of our internal network. If dynamic routing is not configured carefully, internal subnets may be advertised out to the untrusted network.
There are, however, some cases where dynamic routing is needed, such as a large network in which the ASA firewall sits between the campus network and the data center. In such a case we benefit from dynamic routing because we do not have to configure dozens of static routes, and we need not worry about exposing subnets to the untrusted network (since the ASA sits deep inside the campus network).
Note:
o For a small network, use only static routing. Use a default static route to push all traffic out to the Internet, and use static routes when there is more than one network that is not directly connected.
o Any network directly connected to the ASA needs no static route, because the ASA firewall already knows it.
o If the ASA is connected to an edge router (between the trusted and untrusted networks), configure a default route that pushes all traffic out of the outside interface (untrusted network), then configure static routes toward the internal networks.
o If the ASA sits deep inside a campus network with many internal networks, dynamic routing should be configured.
Static routing
There are three kinds of static routes:
o Directly connected
o Ordinary static routes
o Default route
Directly connected routes
Directly connected routes are created automatically in the ASA's routing table when you configure an IP address on an ASA interface. For example, if you configure 192.168.1.10/24 on the ASA's inside interface, the route 192.168.1.0 255.255.255.0 is created automatically in the routing table.
Ordinary and default static routes

Configuring a static route on the ASA amounts to telling the firewall how to send packets to a destination along a given path.
Use the route command to create a static route or a default route. The command format is as follows:

[interface-name]: the interface through which the packet leaves
[destination-network] [netmask]: the destination network and subnet mask we want the packet to reach
[gateway]: the next-hop device to which the ASA forwards the packet
Example:

For the default route, normally used to push traffic out to the Internet, set network/netmask to 0.0.0.0 0.0.0.0. All traffic for which the ASA has no other route is pushed to 100.1.1.1.
show route checks the routing table.

Static Route Tracking

When you configure a static route on the ASA, the route stays in the routing table permanently. The only way a static route is removed from the routing table is when a physical interface fails. In every other case, such as the remote default gateway going down, the ASA keeps forwarding packets to the gateway without knowing that it is down.
Starting with ASA version 7.2, the Static Route Tracking feature was introduced. The ASA monitors the availability of a static route by sending ICMP Echo packets along the static route and waiting for the reply. If the primary route fails, the secondary route is used. This feature is useful when you want to set up ISP link redundancy.

In the network above, Eth0/0 (outside) connects to the primary ISP and Eth0/1 (backup) connects to the secondary ISP. Two default routes are configured (one per ISP) together with the tracking feature. The route to the primary ISP is checked with ICMP Echo Requests. If no echo reply is received within a predefined time, the second static route, toward the secondary ISP, is used. Note, however, that this design is suitable only for outbound communication (from the local LAN to the Internet).
Configuring Static Route Tracking
o Use the sla monitor command to specify the monitoring protocol (e.g. ICMP), the address to monitor (e.g. the ISP's gateway router) and the timeout for the tracking probe.
o Use the sla monitor schedule command to schedule the monitoring process (usually the monitoring runs forever, but the duration and the start time can be customized).
o Define the primary static route to be tracked using the route command followed by the track option.
o Define the backup static route with a higher metric than the primary static route.
Example configuration:
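The following listing is an added example, not the page's own configuration, showing an ordinary static route, a default route and the four tracking steps above. The primary gateway 100.1.1.1 on outside (Eth0/0) and the backup interface name follow the text; the internal subnet and its next hop, the secondary ISP gateway 200.1.1.1, the SLA and track numbers, the probe timing and the metric 254 are assumptions.

```cisco
! Added example; subnets, gateways, SLA/track numbers and timers are constructed
! Ordinary static route: an internal network reachable through a router on the inside
route inside 10.10.0.0 255.255.0.0 192.168.1.254
! SLA monitor 10: ICMP echo to the primary ISP gateway every 10 s, 3 probes, 1000 ms timeout
sla monitor 10
 type echo protocol ipIcmpEcho 100.1.1.1 interface outside
 num-packets 3
 frequency 10
 timeout 1000
sla monitor schedule 10 life forever start-time now
! Track object 1 follows the reachability result of SLA 10
track 1 rtr 10 reachability
! Primary default route (metric 1) stays installed only while track 1 is up
route outside 0.0.0.0 0.0.0.0 100.1.1.1 1 track 1
! Backup default route via the secondary ISP; the higher metric keeps it out of the table
! until the tracked primary is withdrawn
route backup 0.0.0.0 0.0.0.0 200.1.1.1 254
! Verify: show route, show sla monitor operational-state, show track 1
```

The timeout must be no longer than the probe frequency (here 1000 ms against 10 s), otherwise the ASA rejects the SLA configuration.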

Dynamic routing with RIP

RIP is one of the oldest dynamic routing protocols. Although it is not used in many modern networks, it is still found in some cases. ASA version 7.x can only run RIP to advertise a default route; it cannot receive RIP advertisements from neighboring routers and re-advertise those routes to other routers. From ASA version 8.x, however, the ASA fully supports RIP, both v1 and v2. Using RIPv1 is not recommended because it does not support authentication of routing updates.
Configuring RIP
Configuring RIP on the ASA is similar to configuring it on a Cisco router. RIP is configured with the router rip command.

The no auto-summary command works only with RIPv2. It disables automatic route summarization. For example, if you have a route 10.1.3.0/24 that you want to advertise via RIP, by default the ASA summarizes it to 10.0.0.0/8. Use no auto-summary to advertise the route as 10.1.3.0/24.
Configure RIP authentication on an interface as follows:

The diagram below is an example of using RIP in a network with several routers.

Assume the ASA sits between the campus network and the data center network. All neighboring routers on the inside run RIP.
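The following listing is an added example, not the page's own configuration, for RIPv2 on an ASA 8.x sitting as described above (inside GigabitEthernet0/1 facing the RIP neighbors). The network statements, the interface name, the key and the key id are assumptions; the 10.1.3.0/24 route is the one used in the summarization explanation.

```cisco
! Added example (ASA 8.x RIP); networks, interface, key and key id are constructed
router rip
 version 2
 no auto-summary
 network 192.168.1.0
 network 10.0.0.0
 passive-interface outside
 default-information originate
! MD5 authentication of updates on the interface facing the inside RIP neighbours;
! the key and key id must match on every neighbour
interface GigabitEthernet0/1
 rip authentication mode md5
 rip authentication key RipKey123 key_id 1
```

Marking outside as passive stops RIP updates, and therefore the internal prefixes, from being sent toward the untrusted side, which is the exposure the routing introduction warns about. Verify with show route and show rip database.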

OSPF routing

OSPF is a dynamic routing protocol based on link state rather than distance vector for choosing the optimal path. It is better and more scalable than RIP, which is why OSPF is widely used in enterprise networks. OSPF can be very complex. In this section we cover only the components that are mainly applied in practice and discuss the features and use cases most commonly found in real networks (note that IPv6 is currently not supported by the ASA when running OSPF).
Configuring OSPF

OSPF is configured in terms of areas. To configure OSPF we create a process that runs OSPF routing (the ASA can run two processes), specify the IP networks that participate in the routing process and then assign an area ID to each network. As with RIPv2, we should configure MD5 authentication for the OSPF routing updates.

To configure OSPF MD5 authentication you must enable authentication on each area (in the routing process) and also configure MD5 authentication under the interface configuration.

We will look at examples of OSPF as commonly used in practice. The first example describes a Cisco ASA in an enterprise network working as an ABR (area border router), and the second shows the ASA firewall advertising a default route into the internal network via OSPF.
Example 1: ASA acting as an OSPF ABR

In the example above, the ASA firewall sits between the data center and the campus. All routers in the data center run OSPF area 0, while all routers in the campus run OSPF area 1. The ASA works as the area border router. We assume there is no NAT on the ASA (no nat-control). Firewall policy can be strengthened with ACLs on both the inside and outside interfaces.

Example 2: Advertising a default route into the network

In the example above, the ASA has a default route out toward the campus network and advertises this default route into the internal network (data center). This means all routers in the internal network (running OSPF area 0) learn the default route and use it to push Internet-bound traffic through the nearest router toward the ASA.
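The following listing is an added example, not the page's own configuration, combining both examples above: the ASA is an ABR with the data center (inside, area 0) and the campus (outside, area 1), authenticates updates with MD5, and originates its default route into OSPF. The process number, router-id, subnets, interface names, key and next hop are assumptions; the area numbering is the text's.

```cisco
! Added example (ASA as OSPF ABR); process id, subnets, interfaces and key are constructed
router ospf 1
 router-id 192.168.1.1
 network 10.0.0.0 255.255.255.0 area 0
 network 192.168.1.0 255.255.255.0 area 1
 area 0 authentication message-digest
 area 1 authentication message-digest
 default-information originate
! MD5 authentication on each OSPF interface; key id and key must match the neighbours
interface GigabitEthernet0/0
 ospf message-digest-key 1 md5 OspfKey123
 ospf authentication message-digest
interface GigabitEthernet0/1
 ospf message-digest-key 1 md5 OspfKey123
 ospf authentication message-digest
! The static default route that default-information originate advertises into OSPF
route outside 0.0.0.0 0.0.0.0 100.1.1.1
```

Without the static default route the ASA has nothing to originate; default-information originate only advertises a default that already exists in its own table. Verify with show ospf neighbor and show route on a data-center router, which should list 0.0.0.0/0 as an external route learned from the ASA.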

Dynamic routing with EIGRP
EIGRP is the enhanced version of IGRP. It is a Cisco proprietary protocol and runs only on Cisco devices. The ASA supports EIGRP from version 8.0 onward. Although EIGRP is easy to use and flexible, network administrators and designers are often hesitant to use it because of the dependence on a single vendor.
Configuring EIGRP
Configuring EIGRP on the ASA is very similar to configuring it on a Cisco router. You simply enable the EIGRP process by specifying the autonomous system (AS) number and then configure the network ranges that the ASA will advertise via the routing protocol to its neighboring EIGRP routers.

MD5 authentication of route updates is also supported under the interface configuration.

Note: all routers must belong to the same autonomous system and share the same MD5 key. [key ID] ranges from 0 to 255.
Example configuration:
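The following listing is an added example, not the page's own configuration, for EIGRP on an ASA 8.0 or later with MD5 authentication toward the inside neighbors. The AS number 100, the subnets, the interface name, the key and key id 1 are assumptions.

```cisco
! Added example (ASA 8.0+ EIGRP); AS number, subnets, interface and key are constructed
router eigrp 100
 network 192.168.1.0 255.255.255.0
 network 10.0.0.0 255.255.255.0
 passive-interface outside
! MD5 authentication on the interface facing the EIGRP neighbours; same AS, key and key id
interface GigabitEthernet0/1
 authentication mode eigrp 100 md5
 authentication key eigrp 100 EigrpKey123 key-id 1
```

Verify with show eigrp neighbors; a neighbor that never appears while the interface is up usually indicates an AS number or key mismatch.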

CONFIGURING ANYCONNECT WEBVPN

In this section we describe a newer VPN feature supported by the ASA, AnyConnect WebVPN, which uses SSL and a Java client program to create a tunnel for remote user access. Before going into the details of AnyConnect WebVPN, let us review the VPN technologies supported by the ASA firewall.

Overview of ASA VPN technologies

Cisco provides several ways to set up a VPN on the ASA, but they are generally classified as IPSec-based VPN or SSL-based VPN. The first category uses the IPSec protocol for secure communication, while the second uses SSL. SSL-based VPN is also called WebVPN. The two general VPN types supported by the ASA break down into the following VPN technologies:
IPSec-based VPNs:

o LAN-to-LAN IPSec VPN: used to connect remote LANs over an insecure transport (such as the Internet). This technology runs ASA-to-ASA or ASA-to-Cisco router.
o Remote Access with IPSec VPN Client: VPN client software installed on the user's computer provides access to the central network. It uses the IPSec protocol and gives the user full network connectivity.
SSL-based VPNs (WebVPN):
o Clientless Mode WebVPN: the first SSL WebVPN mode, supported by the ASA from version 7.0 onward. It lets the user establish a secure VPN connection through the web browser. The benefit is that no extra software or hardware is needed; however, only a limited set of applications can be accessed.
o AnyConnect WebVPN: a Java-based client installed on the user's computer provides a secure SSL tunnel to the central network. It gives full connectivity (similar to IPSec Remote Access); all applications on the central network are accessible remotely.
Comparison of the WebVPN technologies
In this section we focus only on AnyConnect WebVPN. We do not spend time on Clientless WebVPN because we believe the benefits of using AnyConnect rather than Clientless are greater. To show this, let us look at the differences between the two WebVPN modes, and you will see why we concentrate on AnyConnect.
Clientless WebVPN requires no VPN client installed on the user's computer. It uses only an ordinary web browser. By browsing to http://[ASA outside address] and authenticating with the firewall, the user gets access to the web portal. Through this web portal the user can access a limited set of internal applications. Specifically, only internal web applications (HTTP, HTTPS), email servers (POP3, SMTP, IMAP), Windows file shares and a small number of TCP-based services such as Telnet can be reached. So there is no full access to the internal network with Clientless VPN.
AnyConnect WebVPN, on the other hand, provides full network connectivity to the remote user. The ASA firewall works as the AnyConnect VPN server, assigns an IP address to the remote user and lets the user access the network. So all IP protocols and application functions work through the VPN tunnel without problems. For example, a remote user who has authenticated with AnyConnect VPN can use Remote Desktop to reach a Windows Terminal Server inside the internal network. Although the Java-based client must be installed on the user's computer, it can be delivered dynamically to the user from the ASA: the user connects to the ASA firewall with a web browser and downloads the Java client. The program is small, about 3 MB, and is stored in the ASA's flash memory.
AnyConnect WebVPN overview
AnyConnect WebVPN protects data at the network layer and above (tunnel mode). It provides the same remote-access functionality as Cisco IPSec VPN. The two versions of the tunnel-mode WebVPN client are as follows:

In ASA versions 7.0 to 7.2 the WebVPN client is called SVC (SSL VPN Client). From version 8.0 onward the client is called the AnyConnect WebVPN client. Although we focus only on the AnyConnect client, the configuration for both client versions (SVC and AnyConnect) is the same on the ASA.

Overview of AnyConnect VPN operation

The diagram below shows the network topology with the ASA and a remote user connecting with AnyConnect VPN.

In the diagram above, the ASA firewall is configured as the AnyConnect WebVPN server. The user connects remotely over the Internet, and the user's computer has IP address 10.1.1.1. The user is behind a router running NAT/PAT, so the private IP address is translated to a public IP by the NAT router. When the remote user connects and authenticates successfully to the ASA with the AnyConnect client, the ASA assigns an IP address from the predefined range (in the example above, 192.168.5.1-192.168.5.20). In the diagram above, the ASA assigns 192.168.5.1 to the remote user. This means the user is virtually connected to the internal LAN behind the ASA firewall.
The operation described above assumes that AnyConnect is installed on the user's computer. Let us look at the options below for installing the AnyConnect client.
There are two ways to install AnyConnect on the client:
o Using the Clientless WebVPN portal
o Manual installation by the user
With the Clientless web portal, the user first connects and authenticates to the ASA with a secure web browser, and the AnyConnect Java client is automatically downloaded and installed on the computer (the user can click the AnyConnect tab on the WebVPN portal to download the client software). For this to work, the Java program (.pkg extension) must be stored in flash memory by the administrator.
With manual installation, the network administrator must download the appropriate Java client (the Microsoft MSI package installer or one of the other OS versions) from Cisco's website and provide the file to the user for manual installation. With this method the user does not need to log in to Clientless mode to initiate the SSL VPN tunnel.

Step-by-step AnyConnect configuration

We focus on the automatic AnyConnect installation option, where the AnyConnect client program is stored in the ASA's flash memory and downloaded by the user. The diagram below is used to describe the configuration steps.

Step 1:
Store the PKG file in the ASA's flash memory. First you need to download one of the .pkg files from Cisco's website. For example, the Windows client file is named anyconnect-win-x.x.xxxxk9.pkg. Copy the PKG file into flash:

Assume we downloaded the AnyConnect client to the computer with IP address 192.168.1.1. We use a TFTP server on that computer to copy the file to the ASA.

Step 2:
Identify the PKG file in flash by telling the ASA where the file is stored, and enable the AnyConnect WebVPN service on the ASA's outside interface.

Note: the number 1 at the end of the file is the order of the file in flash memory. It is used when you have more than one file stored in flash (for example AnyConnect clients for Windows and Mac).
Step 3:
Exempt SSL WebVPN traffic from the ACL on the outside interface. By default WebVPN traffic is not exempted from ACL checking: once the traffic is decapsulated it is checked by the inbound ACL applied on the outside interface. You must either permit the decapsulated traffic in the ACL or use sysopt connection permit-vpn.

Step 4:
This step is optional but very useful. All SSL VPN connections between the remote user and the ASA run over HTTPS (port 443). This means the user must type https://[public IP of the ASA] in the browser. Because most users forget the https, you can configure port redirection, so that if the user connects to port 80 the ASA automatically redirects to port 443.

Step 5:
Create the address range from which the ASA assigns addresses to remote users. In the diagram above we see that after the remote user is authenticated, the ASA assigns the user an IP address from the predefined range 192.168.5.1-192.168.5.20.

Step 6:
Create a NAT exemption so that VPN traffic is not translated. We do this because the decapsulated traffic must not pass through NAT.

Step 7:
Create a group policy for AnyConnect WebVPN users. The group policy lets you separate users into different groups with different attributes, such as the DNS server, split tunneling, and how the AnyConnect WebVPN client is downloaded (automatically or after authentication).

Clarifying some parameters
svc keep-installer {installed | none}: installed means the client stays permanently installed on the user's computer even after disconnecting. By default the client is removed after the user disconnects from AnyConnect.

svc ask {none | enable [default {webvpn | svc} timeout value]}: this command tells the ASA how the AnyConnect client is to be downloaded to the user's computer.

o svc ask none default webvpn: the ASA immediately displays the web portal. This is the default.
o svc ask none default svc: downloads the AnyConnect client automatically.
o svc ask enable default svc timeout 20: the user is prompted to install the AnyConnect client. If they do nothing within 20 seconds, the AnyConnect client is downloaded and installed automatically.

Step 8: Create the tunnel group. The tunnel group must reference the group policy configured above; it ties the group policy to the IP range we configured for remote users.
The format is as follows:

Example:

Step 9: Create the local accounts on the ASA that will be used for AnyConnect authentication.

Complete configuration:
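The following listing is an added example, not the page's own complete configuration, carrying Steps 1 to 9 through in ASA 8.0-8.2 syntax. The TFTP host 192.168.1.1, the 192.168.5.1-192.168.5.20 pool, the svc keep-installer and svc ask settings and the user ssluser1 are the values the text uses; the package filename keeps the text's x placeholders, and the pool, policy, tunnel-group and alias names, the DNS address, the split-tunnel ACL and the password are assumptions.

```cisco
! Added example (ASA 8.0-8.2 syntax); names, DNS address and password are constructed
! Step 1: copy the client package from the TFTP server to flash (x's are placeholders)
copy tftp://192.168.1.1/anyconnect-win-x.x.xxxxk9.pkg disk0:/anyconnect-win-x.x.xxxxk9.pkg
! Step 2: register the image (order 1 in flash) and enable AnyConnect on the outside interface
webvpn
 enable outside
 svc image disk0:/anyconnect-win-x.x.xxxxk9.pkg 1
 svc enable
 tunnel-group-list enable
! Step 3: let decapsulated VPN traffic bypass the outside inbound ACL
sysopt connection permit-vpn
! Step 4: optional redirect of plain HTTP on port 80 to HTTPS
http redirect outside 80
! Step 5: address pool for remote users
ip local pool SSLPOOL 192.168.5.1-192.168.5.20 mask 255.255.255.0
! Step 6: NAT exemption for LAN-to-VPN-user traffic (pre-8.3 syntax)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NONAT
! Step 7: group policy for AnyConnect users: SSL client only, DNS, split tunnel,
! keep the client installed and push it automatically after login
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy SSL-GROUP-POLICY internal
group-policy SSL-GROUP-POLICY attributes
 vpn-tunnel-protocol svc
 dns-server value 192.168.1.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 webvpn
  svc keep-installer installed
  svc ask none default svc
! Step 8: tunnel group tying the policy to the pool; the alias is the group the user
! selects on the login page (hence tunnel-group-list enable above)
tunnel-group SSL-TUNNEL type remote-access
tunnel-group SSL-TUNNEL general-attributes
 address-pool SSLPOOL
 default-group-policy SSL-GROUP-POLICY
tunnel-group SSL-TUNNEL webvpn-attributes
 group-alias SSL-USERS enable
! Step 9: local account used for AnyConnect authentication
username ssluser1 password ChangeMe123
```

After a user connects, show vpn-sessiondb svc lists the session with its assigned pool address, and show webvpn svc confirms which client image the ASA is serving.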

Establishing the AnyConnect WebVPN connection

1. Browse to the ASA's public address https://[outside interface]

2. Enter the username/password (ssluser1) and choose the user group.

3. The SSL VPN connection is established.

4. ActiveX must be installed on your computer before the AnyConnect client can be downloaded. You will see the window below once the connection is established.
