ASA VPN with Dual Router & Dual ISP Load balancing: ASA VPN с резервированием маршрутизаторов и провайдеров

Rendering Error in layout Widget/Social: Call to a member function exists() on null. Please enable debug mode for more information.

В начало
Назад
1
Вперёд
В конец

TOLLIFi
Автор темы
Не в сети
Moderator
TOLLIFi Inc.

Больше

4 года 3 мес. назад - 4 года 2 мес. назад #213 от TOLLIFi

COM_KUNENA_MESSAGE_CREATED_NEW

В этой теме на примере ASA AnyConnect VPN рассмотрим схему полного резервирования и балансировки нагрузки в сети для ASA VPN: два провайдера, два маршрутизатора с NAT (PAT) и ASA Failover с AnyConnect VPN. В предыдущей статье ASA AnyConnect VPN & ISP load balance: Настройка подключения с резервирование провайдеров приведена упрощенная схема резервирования и балансировки только с одним маршрутизатором и двумя провайдерами.

Перед тем как продолжить, предлагаю вспомнить порядок обработки трафика, проходящего через NAT (в частности, Inside-to-Outside): NAT Order of Operation , либо см.пояснения в предыдущей теме .

Схема сети:

--- МАРШРУТЫ ДВИЖЕНИЯ VPN-ТРАФИКА В РАЗЛИЧНЫХ СЦЕНАРИЯХ ПОДКЛЮЧЕНИЯ >>>

ВНИМАНИЕ: Спойлер! [ Нажмите, чтобы развернуть ]

--- ПРИМЕР КОНФИГУРАЦИИ CISCO 2851 >>>

ВНИМАНИЕ: Спойлер! [ Нажмите, чтобы развернуть ]

Конфигурация CE1:

!
hostname CE1
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M10.bin
boot-end-marker
!
object-group service OBJSRV-ICMP
 icmp echo-reply
 icmp time-exceeded
 icmp traceroute
 icmp unreachable
!
interface Loopback1000
 description *** Static NAT Services ***
 ip address 192.168.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map RMAP-LOOP0
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description *** ASA ***
 encapsulation dot1Q 10
 ip address 172.18.253.210 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 standby 1 ip 172.18.253.209
 standby 1 priority 105
 standby 1 preempt
 standby 1 name ASA
 ip policy route-map RMAP-LAN
!
interface GigabitEthernet0/1.11
 description *** CE2 ***
 encapsulation dot1Q 11
 ip address 172.18.253.17 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map RMAP-LAN
!
interface FastEthernet0/2/0.101
 description *** ISP1 ***
 encapsulation dot1Q 101
 ip address 1.1.1.2 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
!
interface FastEthernet0/2/0.102
 description *** ISP2 ***
 encapsulation dot1Q 102
 ip address 2.2.2.2 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
!
ip local policy route-map RMAP-SELF
!
ip nat inside source static tcp 172.18.253.214 443 1.1.1.2 443 route-map RMAP-ISP1 extendable
ip nat inside source static tcp 172.18.253.214 443 2.2.2.2 443 route-map RMAP-ISP2 extendable
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
ip access-list extended ACL-SELF-ISP1
 permit object-group OBJSRV-ICMP host 1.1.1.2 any
ip access-list extended ACL-SELF-ISP2
 permit object-group OBJSRV-ICMP host 2.2.2.2 any
ip access-list extended STATIC-NAT-ISP1
 permit ip host 1.1.1.2 any
ip access-list extended STATIC-NAT-ISP2
 permit ip host 2.2.2.2 any
ip access-list extended STATIC-NAT-SERVICES
 permit ip host 172.18.253.214 any
!
route-map RMAP-LOOP0 permit 10
 match ip address STATIC-NAT-ISP1
 set ip next-hop 1.1.1.1
!
route-map RMAP-LOOP0 permit 20
 match ip address STATIC-NAT-ISP2
 set ip next-hop 2.2.2.1
!
route-map RMAP-LOOP0 permit 30
 set ip next-hop 172.18.253.18
!
route-map RMAP-SELF permit 10
 match ip address ACL-SELF-ISP1
 set ip next-hop 1.1.1.1
!
route-map RMAP-SELF permit 20
 match ip address ACL-SELF-ISP2
 set ip next-hop 2.2.2.1
!
route-map RMAP-ISP1 permit 10
 match interface FastEthernet0/2/0.101
!
route-map RMAP-ISP2 permit 10
 match interface FastEthernet0/2/0.102
!
route-map RMAP-LAN permit 10
 match ip address STATIC-NAT-SERVICES
 set interface Loopback1000
!

Конфигурация CE2:

!
hostname CE2
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M10.bin
boot-end-marker
!
object-group service OBJSRV-ICMP
 icmp echo-reply
 icmp time-exceeded
 icmp traceroute
 icmp unreachable
!
interface Loopback1000
 description *** Static NAT Services ***
 ip address 192.168.0.1 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map RMAP-LOOP0
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 description *** ASA ***
 encapsulation dot1Q 10
 ip address 172.18.253.211 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 standby 1 ip 172.18.253.209
 standby 1 preempt
 standby 1 name ASA
 ip policy route-map RMAP-LAN
!
interface GigabitEthernet0/1.11
 description *** CE1 ***
 encapsulation dot1Q 11
 ip address 172.18.253.18 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 ip policy route-map RMAP-LAN
!
interface FastEthernet0/2/0.101
 description *** ISP1 ***
 encapsulation dot1Q 101
 ip address 1.1.1.3 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
!
interface FastEthernet0/2/0.102
 description *** ISP2 ***
 encapsulation dot1Q 102
 ip address 2.2.2.3 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
!
ip local policy route-map RMAP-SELF
!
ip nat inside source static tcp 172.18.253.214 443 1.1.1.3 443 route-map RMAP-ISP1 extendable
ip nat inside source static tcp 172.18.253.214 443 2.2.2.3 443 route-map RMAP-ISP2 extendable
!
ip route 0.0.0.0 0.0.0.0 1.1.1.1
ip route 0.0.0.0 0.0.0.0 2.2.2.1
!
ip access-list extended ACL-SELF-ISP1
 permit object-group OBJSRV-ICMP host 1.1.1.3 any
ip access-list extended ACL-SELF-ISP2
 permit object-group OBJSRV-ICMP host 2.2.2.3 any
ip access-list extended STATIC-NAT-ISP1
 permit ip host 1.1.1.3 any
ip access-list extended STATIC-NAT-ISP2
 permit ip host 2.2.2.3 any
ip access-list extended STATIC-NAT-SERVICES
 permit ip host 172.18.253.214 any
!
route-map RMAP-LOOP0 permit 10
 match ip address STATIC-NAT-ISP1
 set ip next-hop 1.1.1.1
!
route-map RMAP-LOOP0 permit 20
 match ip address STATIC-NAT-ISP2
 set ip next-hop 2.2.2.1
!
route-map RMAP-LOOP0 permit 30
 set ip next-hop 172.18.253.17
!
route-map RMAP-SELF permit 10
 match ip address ACL-SELF-ISP1
 set ip next-hop 1.1.1.1
!
route-map RMAP-SELF permit 20
 match ip address ACL-SELF-ISP2
 set ip next-hop 2.2.2.1
!
route-map RMAP-ISP1 permit 10
 match interface FastEthernet0/2/0.101
!
route-map RMAP-ISP2 permit 10
 match interface FastEthernet0/2/0.102
!
route-map RMAP-LAN permit 10
 match ip address STATIC-NAT-SERVICES
 set interface Loopback1000
!

Примечания:

--- ПРИМЕР КОНФИГУРАЦИИ ASA >>>

ВНИМАНИЕ: Спойлер! [ Нажмите, чтобы развернуть ]

Конфигурация ASA:

!
hostname ASA
!
names
name 10.0.10.32 RADIUS.GL.RUS
name 10.0.20.32 RADIUS.GC.RUS
name 10.0.30.32 RADIUS.CL.RUS
!
interface Ethernet0/0
 no nameif
 security-level 0
 no ip address
!
interface Ethernet0/0.23
 description *** LAN ***
 vlan 23
 nameif INSIDE
 security-level 100
 ip address 172.18.253.217 255.255.255.248
!
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3.10
 description *** CE's ***
 vlan 10
 nameif OUTSIDE
 security-level 0
 ip address 172.18.253.214 255.255.255.248
!
boot system disk0:/ios/asa915-k8.bin
!
access-list ACL-GL standard permit 10.0.10.0 255.255.254.0
access-list ACL-GC standard permit 10.0.20.0 255.255.254.0
access-list ACL-CL standard permit 10.0.30.0 255.255.254.0
!
logging enable
logging timestamp
logging buffer-size 65536
logging buffered notifications
logging asdm informational
logging class auth buffered debugging history debugging trap debugging
logging class webvpn buffered debugging history debugging trap debugging
logging class svc buffered debugging history debugging trap debugging
logging class ssl buffered debugging
!
mtu INSIDE 1500
mtu OUTSIDE 1500
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.18.253.209 1
route INSIDE 10.0.0.0 255.0.0.0 172.18.253.222 1
!
aaa-server RADIUS-GL protocol radius
aaa-server RADIUS-GL (INSIDE) host RADIUS.GL.RUS
 key *****
aaa-server RADIUS-GC protocol radius
aaa-server RADIUS-GC (INSIDE) host RADIUS.GC.RUS
 key *****
aaa-server RADIUS-CL protocol radius
aaa-server RADIUS-CL (INSIDE) host RADIUS.CL.RUS
 key *****
!
crypto ca trustpoint TRUSTPOINT-GL
 enrollment terminal
 crl configure
crypto ca trustpoint TRUSTPOINT-GC
 enrollment terminal
 crl configure
crypto ca trustpoint TRUSTPOINT-CL
 enrollment terminal
 crl configure
crypto ca trustpoint TRUSTPOINT-SSL
 enrollment terminal
 keypair TRUSTPOINT-SSL
 crl configure
crypto ca trustpool policy
crypto ca certificate map CMAP-DC 1
 subject-name co cn = ivan ivanov
crypto ca certificate map CMAP-DC 100
 subject-name co dc = gl, dc = rus
crypto ca certificate map CMAP-DC 110
 alt-subject-name co gl.rus
crypto ca certificate map CMAP-DC 200
 subject-name co dc = gc, dc = rus
crypto ca certificate map CMAP-DC 210
 alt-subject-name co gc.rus
crypto ca certificate map CMAP-DC 300
 subject-name co dc = cl, dc = rus
crypto ca certificate map CMAP-DC 310
 alt-subject-name co cl.rus
!
no vpn-addr-assign aaa
!
ssl encryption rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl trust-point TRUSTPOINT-SSL OUTSIDE
!
webvpn
 enable OUTSIDE
 anyconnect image disk0:/anyconnect/anyconnect-win-3.1.07021-k9.pkg 1
 anyconnect image disk0:/anyconnect/anyconnect-macosx-i386-3.1.07021-k9.pkg 2
 anyconnect profiles AC-PROFILE-DEFAULT disk0:/profiles/ac-profile-default.xml
 anyconnect profiles AC-PROFILE-GP-AAA disk0:/profiles/ac-profile-gp-aaa.xml
 anyconnect profiles AC-PROFILE-GP-GL disk0:/profiles/ac-profile-gp-gl.xml
 anyconnect profiles AC-PROFILE-GP-GC disk0:/profiles/ac-profile-gp-gc.xml
 anyconnect profiles AC-PROFILE-GP-CL disk0:/profiles/ac-profile-gp-cl.xml
 anyconnect enable
 tunnel-group-list enable
 default-language ru
 certificate-group-map CMAP-DC 1 TG-CERT-BANNED
 certificate-group-map CMAP-DC 100 TG-CERT-GL
 certificate-group-map CMAP-DC 110 TG-CERT-GL
 certificate-group-map CMAP-DC 200 TG-CERT-GC
 certificate-group-map CMAP-DC 210 TG-CERT-GC
 certificate-group-map CMAP-DC 300 TG-CERT-CL
 certificate-group-map CMAP-DC 310 TG-CERT-CL
!
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 2
group-policy GP-AAA internal
group-policy GP-AAA attributes
 dns-server value 10.0.10.50 10.0.10.51
 dhcp-network-scope 10.0.11.0
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-GL
 default-domain value GL.RUS
 webvpn
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect modules value vpngina
  anyconnect profiles value AC-PROFILE-GP-AAA type user
  anyconnect ask enable default anyconnect timeout 10
group-policy GP-CERT-GL internal
group-policy GP-CERT-GL attributes
 dns-server value 10.0.10.50 10.0.10.51
 dhcp-network-scope 10.0.11.0
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-GL
 default-domain value GL.RUS
 webvpn
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect modules value vpngina
  anyconnect profiles value AC-PROFILE-GP-GL type user
  anyconnect ask enable default anyconnect timeout 10
group-policy GP-CERT-GC internal
group-policy GP-CERT-GC attributes
 dns-server value 10.0.20.50 10.0.20.51
 dhcp-network-scope 10.0.21.0
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-GC
 default-domain value GC.RUS
 webvpn
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect modules value vpngina
  anyconnect profiles value AC-PROFILE-GP-GC type user
  anyconnect ask enable default anyconnect timeout 10
group-policy GP-CERT-CL internal
group-policy GP-CERT-CL attributes
 dns-server value 10.0.30.50 10.0.30.51
 dhcp-network-scope 10.0.31.0
 vpn-idle-timeout 60
 vpn-idle-timeout alert-interval 5
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-CL
 default-domain value CL.RUS
 webvpn
  anyconnect keep-installer installed
  anyconnect ssl rekey time 30
  anyconnect ssl rekey method ssl
  anyconnect modules value vpngina
  anyconnect profiles value AC-PROFILE-GP-CL type user
  anyconnect ask enable default anyconnect timeout 10
!
tunnel-group TG-AAA type remote-access
tunnel-group TG-AAA general-attributes
 authentication-server-group RADIUS-GL LOCAL
 default-group-policy GP-AAA
 dhcp-server 10.0.10.50
tunnel-group TG-AAA webvpn-attributes
 group-alias login enable
 group-url https://vpn1.mydomain.com/login enable
 group-url https://vpn2.mydomain.com/login enable
 group-url https://vpn3.mydomain.com/login enable
 group-url https://vpn4.mydomain.com/login enable
tunnel-group TG-CERT-GL type remote-access
tunnel-group TG-CERT-GL general-attributes
 default-group-policy GP-CERT-GL
 dhcp-server 10.0.10.50
tunnel-group TG-CERT-GL webvpn-attributes
 authentication certificate
tunnel-group TG-CERT-GC type remote-access
tunnel-group TG-CERT-GC general-attributes
 default-group-policy GP-CERT-GC
 dhcp-server 10.0.20.50
tunnel-group TG-CERT-GC webvpn-attributes
 authentication certificate
tunnel-group TG-CERT-CL type remote-access
tunnel-group TG-CERT-CL general-attributes
 default-group-policy GP-CERT-CL
 dhcp-server 10.0.30.50
tunnel-group TG-CERT-CL webvpn-attributes
 authentication certificate
tunnel-group TG-CERT-BANNED type remote-access
!

Примечания:

IT и Телеком: IP-телефония, интернет-технологии, программирование, web-сервисы.

Last edit: 4 года 2 мес. назад by TOLLIFi.

Пожалуйста Войти или Регистрация, чтобы присоединиться к беседе.

В начало
Назад
1
Вперёд
В конец

Joomla Templates Best Joomla Templates Premium Joomla Templates Free Joomla Templates

Forum Login

Работает на Kunena форум

ASA VPN with Dual Router & Dual ISP Load balancing: ASA VPN с резервированием маршрутизаторов и провайдеров

Вложения: