92184513 Tai Liệu cấu hinh CISCO ASA PDF
IPSec VPNs
This chapter covers virtual private networks (VPNs) built on the IPsec protocol. IPsec is built into the ASA and is used to connect geographically separate LANs securely over an Internet connection (Site-to-Site VPN) or to let remote users connect to the central network (Remote Access VPN). This chapter concentrates on these two types of VPN.
Before going into the details of IPSec VPN configuration, we briefly describe how the IPSec protocol works, so that VPNs are properly understood.
What is IPSec?
IP Security (IPSec) is an open IETF standard that allows data to be encrypted in transit. It is a protocol well suited to providing confidentiality, integrity and authentication of data. A VPN is a secure connection, like a private tunnel, across an untrusted transport such as the Internet. For that reason IPSec is an ideal protocol for building virtual private networks over the Internet.
IPSec works at the network layer, encapsulating and authenticating packets between the ASA and the other devices taking part in the VPN, such as Cisco routers, Cisco firewalls or VPN clients.
The following IPSec standards and protocols are used:
o ESP (Encapsulating Security Payload): the first of the two main protocols that make up the IPSec standard. It provides integrity, authentication and confidentiality of data. ESP is used to encrypt the payload of the IP packet.
o AH (Authentication Header): the second of the two main IPSec protocols. It provides integrity, authentication and replay protection. It does not provide encryption, but it acts as a digital signature that guarantees the packet has not been tampered with.
o Internet Key Exchange (IKE): the mechanism the ASA uses to exchange encryption keys securely, authenticate the IPSec peers and negotiate the IPSec parameters.
o DES, 3DES, AES: the encryption algorithms offered by the ASA firewall. DES is the weakest (56-bit key) and AES the strongest (128-, 192- or 256-bit keys). 3DES is the middle option, using 168-bit keys.
o DH (Diffie-Hellman group): the public-key protocol used by IKE to establish the session keys.
o MD5, SHA-1: the two hash algorithms used to authenticate packets. SHA is stronger than MD5.
o SA (Security Association): an SA is a connection between two IPSec peers. Each IPSec peer keeps an SA database in memory holding the SA parameters. An SA is uniquely identified by the peer's IP address, the security protocol and the Security Parameter Index (SPI).
IPSec operation has five main steps:
o Interesting Traffic: the IPSec device recognises the traffic that must be protected.
o Phase 1 (ISAKMP): the IPSec devices negotiate the IKE security policies and set up a secure channel for communication between the IPSec peers.
o Phase 2 (IPSec): the IPSec devices negotiate the IPSec security policy that protects the data.
o Data Transfer: data is transmitted securely between the IPSec peers using the IPSec parameters and keys negotiated in the previous phases.
o IPSec Tunnel Terminated: the IPSec SAs are torn down when they time out.
Connection types:
The second type of IPSec VPN we discuss is the Remote Access VPN. A remote user accessing the LAN must use the Cisco VPN Client. This type of VPN lets the remote user set up a secure IPSec VPN connection over the Internet to the company LAN. The remote user must have the Cisco VPN Client software installed on their personal computer; this software establishes the connection to the company LAN. Once the VPN is established between the remote user and the ASA firewall, the user is assigned a private IP address from a predefined pool and is then allowed to access the LAN.
In the topology above the ASA firewall protects the Corporate LAN, and the remote user with the VPN client sets up a secure connection to the ASA. Addresses from the 192.168.20.0/24 range are assigned to VPN clients so that they can communicate with the internal corporate network 192.168.1.0/24. Once the Remote Access VPN is established, by default the remote user cannot reach anything on the Internet other than the Corporate LAN. This is handled by configuring split tunneling on the ASA.
Configuration guide
Configuration:
Transform        Description
esp-des          ESP transform using 56-bit DES
esp-3des         ESP transform using 168-bit 3DES
esp-aes          ESP transform using AES-128
esp-aes-192      ESP transform using AES-192
esp-aes-256      ESP transform using AES-256
esp-md5-hmac     ESP transform using HMAC-MD5 for authentication
esp-sha-hmac     ESP transform using HMAC-SHA for authentication
esp-none         ESP without authentication
esp-null         ESP without encryption
Many of the configuration commands are the same as for a Site-to-Site VPN, in particular IKE Phase 1 and Phase 2. In addition, an IP address pool must be configured on the firewall for dynamic assignment of addresses to remote users.
Step 1: Configure the IP pool
The command format is as follows:
Configuration example:
Assume that all remote users share one group policy, named company-cpnpolicy, configured as shown above. This policy specifies the DNS and WINS server addresses used to resolve names in the internal domain and hostnames. Its idle timeout is set to 30 minutes.
Configuration example:
The group name is very important because exactly the same name must be entered when configuring the VPN client software.
Configuration example:
After starting the VPN connection, the remote user is prompted for a username and password on the login screen to authenticate to the firewall.
Configuration example:
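The following is an added example, not configuration from this document, that ties the steps above together as an IKEv1 remote-access IPsec VPN in ASA 8.0 to 8.2 syntax. The client pool 192.168.20.0/24, the internal network 192.168.1.0/24, the 30-minute idle timeout and the group policy name company-cpnpolicy come from the text; the DNS/WINS addresses, the tunnel-group name company-vpn, the user name, the interface names and the ACL names are assumptions, and the keys are placeholders to be replaced.

```cisco
! Step 1: address pool handed out to remote users (range taken from the text)
ip local pool VPN-POOL 192.168.20.1-192.168.20.254 mask 255.255.255.0

! Only the corporate LAN goes through the tunnel; all other traffic uses the
! user's own Internet connection (split tunneling)
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

! Step 2: group policy with DNS/WINS servers (assumed addresses) and 30-minute idle timeout
group-policy company-cpnpolicy internal
group-policy company-cpnpolicy attributes
 vpn-tunnel-protocol IPSec
 dns-server value 192.168.1.10
 wins-server value 192.168.1.11
 default-domain value corp.example
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Step 3: tunnel group; its name must be typed exactly as the Group Name in the
! Cisco VPN Client, and the pre-shared key is the group password (placeholder)
tunnel-group company-vpn type remote-access
tunnel-group company-vpn general-attributes
 address-pool VPN-POOL
 default-group-policy company-cpnpolicy
tunnel-group company-vpn ipsec-attributes
 pre-shared-key REPLACE-WITH-STRONG-GROUP-KEY

! Local account answering the XAUTH username/password prompt (assumed user)
username vpnuser password REPLACE-WITH-PASSWORD

! IKE Phase 1: policies are tried in priority order, so list the strongest first
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto isakmp enable outside
crypto isakmp nat-traversal 20

! IKE Phase 2: ESP with AES-256 and HMAC-SHA, bound through a dynamic map
! because the remote users' public addresses are not known in advance
crypto ipsec transform-set RA-SET esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set RA-SET
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! Exempt LAN-to-VPN traffic from NAT (pre-8.3 NAT syntax)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
nat (inside) 0 access-list NONAT
```

After a client connects, show crypto isakmp sa confirms Phase 1, show crypto ipsec sa confirms Phase 2, and show vpn-sessiondb remote lists the assigned pool address for each user. The transform set pairs an encryption transform with an authentication transform from the table above; esp-des or esp-none should not be chosen for new deployments.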
Note that the only difference between the two firewalls is the keyword Secondary. Although we are configuring the standby firewall, the IP address configuration must be identical to that on the active firewall.
The ASA firewall uses an external AAA server. As mentioned above, the AAA server is the Cisco Secure ACS (Access Control Server). This server offers two authentication protocols, RADIUS and TACACS. An AAA server provides a centralised solution by offering authentication services to every device on the network (firewalls, routers, switches and so on). Its biggest benefit is that the username/password database is kept in one central place, so you no longer need to configure local usernames and passwords on each network device; this keeps administrative overhead to a minimum and strengthens the security and authentication policy across the whole network.
In the diagram above, the administrator's workstation can reach the firewall over the console cable or by using SSH, TELNET or HTTP. Before granting access, the ASA asks the admin user to prove their authorisation. The administrator supplies a username/password and the ASA forwards these credentials to the AAA server for authentication. If the credentials are valid, the AAA server replies with Access-Accept and the ASA lets the admin user in.
Note: before the ASA firewall can authenticate TELNET, SSH or HTTP sessions, you must first configure the ASA to allow management access over telnet, ssh and http.
Configuration example:
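As an added example (not the document's own configuration), the following ASA 8.x commands authenticate management logins against the ACS server over RADIUS, with the management protocols permitted first as the note requires. The ACS address 192.168.1.5, the administrators' subnet 192.168.1.0/24, the server-group name and the fallback account name are assumptions; the secret and password are placeholders.

```cisco
! AAA server group speaking RADIUS to the ACS server (assumed address 192.168.1.5)
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.168.1.5
 key REPLACE-WITH-RADIUS-SHARED-SECRET
 timeout 5

! Management protocols must be permitted before AAA authentication can apply;
! limit them to the administrators' subnet (assumed) and prefer SSH v2 over Telnet
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
telnet 192.168.1.0 255.255.255.0 inside
http server enable
http 192.168.1.0 255.255.255.0 inside

! Send management logins to ACS; LOCAL is consulted only when every server in the
! group is unreachable, so a server outage does not lock administrators out
aaa authentication ssh console ACS-RADIUS LOCAL
aaa authentication telnet console ACS-RADIUS LOCAL
aaa authentication http console ACS-RADIUS LOCAL
aaa authentication enable console ACS-RADIUS LOCAL

! Local fallback administrator used only during an ACS outage
username admin password REPLACE-WITH-PASSWORD privilege 15
```

Before closing the session you are configuring from, verify reachability with test aaa-server authentication ACS-RADIUS host 192.168.1.5 username <user> password <pass> and open a second SSH session to confirm that ACS accepts the login; show aaa-server ACS-RADIUS reports the server state.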
Example:
In the diagram above, the web server (10.0.0.1) in the DMZ is statically translated to 50.1.1.1 on the outside. Likewise the FTP server (10.0.0.2) is translated to 50.1.1.2 on the outside. When a user on the Internet tries to reach the web server or FTP server, the ASA presents the user with an authentication prompt. Once the user has entered their credentials, the ASA queries the AAA server to authenticate them. If authentication succeeds, the ASA forwards the user's session to the destination server.
When using the cut-through proxy, make sure that the inbound ACL permits the connection first. If the inbound ACL denies the connection from outside, the cut-through proxy never runs.
Configuring cut-through proxy authentication with an external AAA server
First define the AAA server group.
Example:
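The following added example (not taken from this document) implements the cut-through proxy scenario just described in pre-8.3 ASA syntax. The server addresses 10.0.0.1/50.1.1.1 and 10.0.0.2/50.1.1.2 are from the text; the interface name dmz, the ACS address 192.168.1.5, the ACL and server-group names and the uauth timers are assumptions.

```cisco
! Static NAT for the DMZ servers (addresses from the text; interface names assumed)
static (dmz,outside) 50.1.1.1 10.0.0.1 netmask 255.255.255.255
static (dmz,outside) 50.1.1.2 10.0.0.2 netmask 255.255.255.255

! The inbound ACL must permit the connection first; a deny here means the user
! never sees the authentication prompt (pre-8.3 ACLs use the translated address)
access-list OUTSIDE-IN extended permit tcp any host 50.1.1.1 eq www
access-list OUTSIDE-IN extended permit tcp any host 50.1.1.2 eq ftp
access-group OUTSIDE-IN in interface outside

! AAA server group consulted by the cut-through proxy (assumed ACS address)
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.168.1.5
 key REPLACE-WITH-RADIUS-SHARED-SECRET

! Traffic that must be authenticated before the ASA forwards the session;
! HTTP and FTP are protocols on which the ASA can present a login prompt
access-list AUTH-TRAFFIC extended permit tcp any host 50.1.1.1 eq www
access-list AUTH-TRAFFIC extended permit tcp any host 50.1.1.2 eq ftp
aaa authentication match AUTH-TRAFFIC outside ACS-RADIUS

! Cache a successful login for 10 idle minutes, but never longer than one hour
timeout uauth 0:10:00 inactivity
timeout uauth 1:00:00 absolute
```

show uauth lists the users currently authenticated through the proxy, and clear uauth <user> ends a cached authorisation early if an account is disabled on the ACS.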
Configuring static routing on the ASA amounts to telling the firewall how to send packets to a destination along a specified path.
Use the route command to create a static route or a default route. The command format is as follows:
When you configure a static route on the ASA, the route stays in the routing table permanently. The only way a static route is removed from the routing table is when the physical interface fails. In every other case, such as the remote default gateway going down, the ASA keeps sending packets to the gateway without knowing that it is down.
Starting with ASA version 7.2, the Static Route Tracking feature was introduced. The ASA checks the availability of a static route by sending ICMP echo packets along the route and waiting for the reply. If the primary route fails, the second route is used. This feature is useful when you want to set up ISP link redundancy.
In the network above, Eth0/0 (outside) is connected to the primary ISP and Eth0/1 (backup) to the secondary ISP. Two default routes are configured (one per ISP) together with the tracking feature. The route to the primary ISP is checked with ICMP echo requests. If no echo reply is received within the configured time, the second static route, via the secondary ISP, is used. Note, however, that this design only suits outbound traffic (from the local LAN to the Internet).
Configuring Static Route Tracking
Use the sla monitor command to specify the monitoring protocol (for example ICMP), the address to monitor (for example the service provider's gateway router) and the maximum time allowed for the tracking probe.
Use the sla monitor schedule command to schedule the monitoring process (normally it is set to run forever, but the interval and the start time can be adjusted).
Define the primary static route to be monitored with the route command followed by the track option.
Define the backup static route and give it a higher metric than the primary static route.
Configuration example:
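The following added example (not from this document) shows the route command format and then carries the four tracking steps above through for the dual-ISP design, using the interface names Eth0/0 (outside) and Eth0/1 (backup) from the text. The provider addresses 203.0.113.x and 198.51.100.x, the inside subnet 192.168.10.0/24 and its next hop, the SLA and track numbers and the probe timers are assumed values.

```cisco
! Primary ISP on Ethernet0/0 (outside) and backup ISP on Ethernet0/1 (backup);
! all provider addresses below are assumed documentation values
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif backup
 security-level 0
 ip address 198.51.100.2 255.255.255.0

! An ordinary static route: route <interface> <network> <mask> <next hop> [metric]
route inside 192.168.10.0 255.255.255.0 192.168.1.254 1

! Step 1: probe the primary ISP gateway with ICMP echo through outside every 10 s,
! three packets per run, each waiting up to 3000 ms for a reply
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
 timeout 3000
! Step 2: run the probe indefinitely, starting now
sla monitor schedule 10 life forever start-time now

! Track object that goes down when the probe stops receiving replies
track 1 rtr 10 reachability

! Step 3: primary default route, withdrawn from the routing table while track 1 is down
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Step 4: backup default route with a worse metric, installed only while the primary is gone
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254

! Outbound PAT on both provider interfaces so LAN hosts reach the Internet
! through whichever ISP is currently active (pre-8.3 NAT syntax)
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
```

show sla monitor operational-state and show track 1 show the probe result, and show route shows which default route is installed. Probing the ISP's own gateway only detects a failure of that first hop; tracking an address further into the provider network catches upstream outages as well, at the cost of depending on that host answering ICMP.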
Assume the ASA sits between the Campus network and the Data Center network. All neighbouring routers on the inside run RIP.
OSPF routing
OSPF is a dynamic routing protocol that uses link state rather than distance vector for optimal path selection. This makes it better and more scalable than RIP routing, which is why OSPF is so widely used in enterprise networks. OSPF can be very complex. In this section we discuss only the components that are applied most in practice and the features and use cases most common in real networks (note that IPv6 is currently not supported by the ASA when running OSPF).
Configuring OSPF
OSPF is configured around areas. To configure OSPF we need to create the OSPF routing process (two processes can be configured on the ASA), specify the IP addresses that belong to the routing process and then assign an area ID to each network address. As with RIPv2, we also need to configure MD5 authentication for the OSPF routing updates.
To configure OSPF MD5 authentication, you must enable authentication for each area (in the routing process) and also configure MD5 authentication under the interface configuration.
In the example above, the ASA firewall sits between the Data Center and the Campus. All routers in the Data Center run OSPF area 0, while all routers in the Campus network run OSPF area 1. The ASA acts as the border router. We assume there is no NAT on the ASA (no nat-control). The firewall policy can be tightened with ACLs on both the inside and the outside interface.
In the example above, the ASA has a default route pointing out to the Campus network and advertises this default route into the internal network (Data Center). This means that all routers in the internal network (running OSPF area 0) receive a default route and push Internet-bound traffic through their nearest router to the ASA.
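As an added example (not the document's own configuration), the following ASA 8.x commands implement the Data Center/Campus design: one OSPF process, area 0 on inside, area 1 on outside, MD5 authentication enabled both per area and per interface, and the default route toward the Campus advertised into area 0. The interface names, the subnets 10.10.0.0/24 and 172.16.0.0/24, the Campus gateway 172.16.0.254 and the key ID are assumptions; the key is a placeholder.

```cisco
! NAT is not in use on this ASA, as the text assumes (pre-8.3 syntax)
no nat-control

! Inside faces the Data Center (area 0); outside faces the Campus (area 1)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.0
 ospf authentication message-digest
 ospf message-digest-key 1 md5 REPLACE-WITH-OSPF-KEY

! Static default route toward the Campus gateway (assumed address); it must be in
! the routing table for default-information originate to advertise it
route outside 0.0.0.0 0.0.0.0 172.16.0.254 1

! One OSPF process; the ASA is the border router between area 0 and area 1
router ospf 1
 network 10.10.0.0 255.255.255.0 area 0
 network 172.16.0.0 255.255.255.0 area 1
 area 0 authentication message-digest
 area 1 authentication message-digest
 log-adj-changes
 default-information originate
```

Every neighbour on a link must carry the same key ID and key, otherwise the adjacency never forms; show ospf neighbor confirms the adjacencies and show route ospf shows what was learned. Because the ASA only passes OSPF updates it can authenticate, MD5 also stops an unauthorised device on either segment from injecting routes into the firewall.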
EIGRP dynamic routing
EIGRP is an enhanced version of IGRP. It is a Cisco proprietary protocol and only runs on Cisco devices. The ASA supports EIGRP from version 8.0 onwards. Although EIGRP is easy to use and flexible, network administrators and designers are often reluctant to use it because of the vendor dependence.
Configuring EIGRP
Configuring EIGRP on the ASA is very similar to configuring it on a Cisco router. You simply enable the EIGRP process by specifying the autonomous system (AS) number and then configure the network ranges that the ASA advertises via the routing protocol to the neighbouring EIGRP routers.
MD5 authentication of routing updates is also supported under the interface configuration.
Note: all routers must belong to the same autonomous system and share the same MD5 key. [key ID] ranges from 0 to 255.
Configuration example:
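The following added example (not from this document) enables EIGRP on an ASA 8.x and authenticates updates on the inside interface with MD5, as the note describes. The AS number 100, the interface names, the networks 192.168.1.0/24 and 10.10.0.0/24 and key ID 1 are assumptions; the key is a placeholder and must match the neighbouring routers.

```cisco
! EIGRP process in autonomous system 100 (assumed); every neighbour must use the same AS
router eigrp 100
 network 192.168.1.0 255.255.255.0
 network 10.10.0.0 255.255.255.0
 no auto-summary
 ! do not form adjacencies or send updates toward the Internet-facing interface
 passive-interface outside

! MD5 authentication of EIGRP updates on the inside interface; key ID is 0-255
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 authentication mode eigrp 100 md5
 authentication key eigrp 100 REPLACE-WITH-EIGRP-KEY key-id 1
```

show eigrp neighbors lists the adjacencies that formed; a neighbour with a mismatched AS number or key simply never appears there, which is the intended effect of the authentication.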
In ASA versions 7.0 to 7.2 the WebVPN client was called SVC (SSL VPN Client). From version 8.0 onwards the client is called the AnyConnect WebVPN client. Although we concentrate on the AnyConnect client, the ASA configuration for both client versions (SVC and AnyConnect) is the same.
In the diagram above, the ASA firewall is configured as an AnyConnect WebVPN server. The user connects remotely over the Internet and the user's machine has the IP address 10.1.1.1. The user sits behind a router running NAT/PAT, and the private IP address is translated to a public IP by the NAT router. When the remote user connects and authenticates successfully to the ASA with the AnyConnect client, the ASA assigns an IP address from a predefined range (in the example above, 192.168.5.1-192.168.5.20). In the diagram the ASA assigns 192.168.5.1 to the remote user. This means the user has a virtual connection into the internal LAN behind the ASA firewall.
The operation described above assumes that AnyConnect is installed on the user's personal computer. Let us look at the options below for installing the AnyConnect client.
There are two ways to install AnyConnect on the client:
Using the Clientless WebVPN portal
Manual installation by the user
With the Clientless Web Portal, the user first connects and authenticates to the ASA with a secure web browser, and the Java AnyConnect client is downloaded and installed on the computer automatically (the user can also click the AnyConnect tab on the WebVPN portal to download the client software). For this to work, the Java program (.pkg extension) must have been stored in flash memory by the administrator.
With manual installation, the network administrator downloads the appropriate client program (the Microsoft MSI package installer or one of the versions for other operating systems) from the Cisco website and hands the file to the user to install manually. With this method the user does not need to log in to clientless mode to start the SSL VPN tunnel.
Step 1:
Store the PKG file in the ASA flash memory. First download one of the .pkg files from the Cisco website. For example, the Windows client file is named like anyconnect-win-x.x.xxxx-k9.pkg. To copy the PKG file to flash:
Step 2:
Identify the PKG file on flash by telling the ASA where the file is stored, and enable the WebVPN AnyConnect service on the outside ASA interface.
Step 4:
This step is optional but very useful. All SSL VPN connections between the remote user and the ASA use HTTPS (port 443). This means the user must type https://[ASA public IP address] into the browser. Because most users forget the https, you can configure a port redirect: if the user connects to port 80, the ASA automatically redirects to port 443.
Step 5:
Create an address range from which the ASA assigns addresses to external users. From the diagram above we see that after the external user is authenticated, the ASA assigns an IP address from the predefined range 192.168.5.1-192.168.5.20.
Step 6:
Create a NAT exemption so that VPN traffic is not translated. We do this because the encapsulated traffic must not pass through NAT.
Step 7:
Create a Group Policy for AnyConnect WebVPN users. The Group Policy lets you separate users into different groups with different attributes, such as DNS server, split tunnel and how the AnyConnect WebVPN client is downloaded (automatically or after authentication).
Clarifying a few parameters
svc keep-installer {installed | none}: installed means the client stays permanently installed on the user's computer even after disconnecting. By default the client is removed after the user disconnects from AnyConnect.
svc ask {none | enable [default {webvpn | svc} timeout value]}: this command tells the ASA how the AnyConnect client is to be downloaded to the user's machine.
svc ask none default webvpn: the ASA shows the web portal immediately. This is the default.
svc ask none default svc: download the AnyConnect client automatically.
svc ask enable default svc timeout 20: the user is prompted to install the AnyConnect client. If they do nothing for 20 seconds, the AnyConnect client is downloaded and installed automatically.
Step 8: Create the Tunnel Group. The Tunnel Group must be tied to the Group Policy configured above. It links the Group Policy with the IP address range we configured for the remote users.
The format is as follows:
Example:
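The following added example (not the document's own configuration) carries Steps 1 to 8 above through as one AnyConnect WebVPN configuration in ASA 8.0 to 8.2 syntax, including the svc keep-installer and svc ask options just explained. The pool 192.168.5.1-192.168.5.20 and the package name pattern are from the text; the TFTP server address, the internal network 192.168.1.0/24, the DNS address, the policy, tunnel-group, alias and ACL names and the user name are assumptions, and the password is a placeholder.

```cisco
! Step 1: copy the package from an assumed TFTP server into flash
copy tftp://192.168.1.50/anyconnect-win-x.x.xxxx-k9.pkg disk0:/anyconnect-win-x.x.xxxx-k9.pkg

! Step 2: point the ASA at the image and enable WebVPN/AnyConnect on outside
webvpn
 enable outside
 svc image disk0:/anyconnect-win-x.x.xxxx-k9.pkg 1
 svc enable
 tunnel-group-list enable

! Step 4 (optional): send users who type http:// straight to port 443
http redirect outside 80

! Step 5: addresses handed to remote users (range from the text)
ip local pool ANYCONNECT-POOL 192.168.5.1-192.168.5.20 mask 255.255.255.0

! Step 6: NAT exemption for LAN-to-VPN traffic (pre-8.3 NAT syntax)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.5.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Only the corporate LAN is sent through the tunnel
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

! Step 7: group policy; the client stays installed, and the user is prompted for
! 20 seconds before the AnyConnect client is pushed automatically
group-policy ANYCONNECT-POLICY internal
group-policy ANYCONNECT-POLICY attributes
 vpn-tunnel-protocol svc
 dns-server value 192.168.1.10
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 webvpn
  svc keep-installer installed
  svc ask enable default svc timeout 20

! Step 8: tunnel group tying the pool to the policy; the alias is what the user
! picks from the group drop-down on the portal
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy ANYCONNECT-POLICY
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias AnyConnect enable

! Local test user (assumed); production deployments point the tunnel group at AAA instead
username remoteuser password REPLACE-WITH-PASSWORD
username remoteuser attributes
 service-type remote-access
```

show webvpn svc confirms that the image was loaded, and show vpn-sessiondb svc lists connected AnyConnect users with their pool addresses. The NAT exemption in Step 6 is what lets the 192.168.5.x client reach 192.168.1.x hosts; if it is missing, return traffic is translated and the tunnel appears to connect but carries no LAN traffic.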