|
Amaliy matematika fakulteti
|
bet | 2/2 | Sana | 01.12.2023 | Hajmi | 481,23 Kb. | | #109301 |
Bog'liq Tarmoq 2-amaliyVPN xavfsizlik shlyuzi. (Security gateway) ikkita tarmoqqa ulanuvchi tarmoq qurilmasi bo’lib, o’zidan keyin joylashgan ko’p sonli xostlar uchun shifrlash va autentifikatsiyalash vazifalarini bajaradi. VPN xavfsizligi shlyuzi shunday joylashtiriladiki, ichki korporativ tarmoqqa atalgan barcha trafik u orqali o’tadi.
1-rasm. Virtual himoyalangan tarmoq strukturasi
3. Vazifa
3.1 Tarmoqni qurib olamiz:
2-rasm.Biz foydalanadigan tarmoqning umumiy ko’rinishi
Ushbu tarmoqda biz kompyuter, swtch, router qurilmalaridan foydalandik.
ROUTER_1 ga kiritiladigan buyruqlar ketma-ketligi.
Router>enable
Router#conf t
Router(config)#int fa 0/0
Router(config-if)#no shut
Router(config-if)#ip nat inside
Router(config-if)#ip address 192.168.1.1 255.255.255.0
Router(config)#int fa 0/1
Router(config-if)#no shut
Router(config-if)#ip address 1.1.1.1 255.255.255.252
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip access-list extended for-nat
Router(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any
Router(config-ext-nacl)#exit
Router(config)#ip nat inside source list for-nat int fa 0/1 overload
Router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2
Router(config)#ip dhcp pool vl2
Router(dhcp-config)#network 192.168.2.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.2.1
Router(dhcp-config)#dns-server 8.8.8.8
Router(dhcp-config)#exit
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#encryption aes
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
Router(config)#crypto isakmp key 123 address 2.2.2.1
Router(config)#crypto ipsec transform-set ts esp-aes esp-md5-hmac
Router(config)#ip access-list extended for-vpn
Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
Router(config-ext-nacl)#exit
Router(config)#crypto map kriptokarta 10 ipsec-isakmp
Router(config-crypto-map)#match address for-vpn
Router(config-crypto-map)#set peer 2.2.2.1
Router(config-crypto-map)#set transform-set ts
Router(config-crypto-map)#exit
Router(config)#int fa 0/1
Router(config-if)#crypto map kriptokarta
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#exit (VPN qurish jarayoni)
ROUTER_2 kiritiladigan buyruqlar ketma-ketligi.
Router>enable
Router#conf t
Router(config)#int fa 0/0
Router(config-if)#no shut
Router(config-if)#ip nat inside
Router(config-if)#ip address 192.168.3.1 255.255.255.0
Router(config-if)#exit
Router(config)#int fa 0/1
Router(config-if)#no shut
Router(config-if)#ip address 2.2.2.1 255.255.255.0
Router(config-if)#ip nat outside
Router(config-if)#exit
Router(config)#ip access-list extended for-nat
Router(config-ext-nacl)#deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any
Router(config-ext-nacl)#exit
Router(config)#ip nat inside source list for-nat int fa 0/1 overload
Router(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.2
Router(config)#ip dhcp pool vl3
Router(dhcp-config)#network 192.168.3.0 255.255.255.0
Router(dhcp-config)#default-router 192.168.3.1
Router(dhcp-config)#dns-server 8.8.8.8
Router(dhcp-config)#exit
Router(config)#crypto isakmp policy 1
Router(config-isakmp)#encryption aes
Router(config-isakmp)#hash md5
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#group 2
Router(config-isakmp)#exit
Router(config)#crypto isakmp key 123 address 1.1.1.1
Router(config)#crypto ipsec transform-set ts esp-aes esp-md5-hmac
Router(config)#ip access-list extended for-vpn
Router(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
Router(config-ext-nacl)#exit
Router(config)#crypto map kriptokarta 10 ipsec-isakmp
Router(config-crypto-map)#match address for-vpn
Router(config-crypto-map)#set peer 1.1.1.1
Router(config-crypto-map)#set transform-set ts
Router(config-crypto-map)#exit
Router(config)#int fa 0/1
Router(config-if)#crypto map kriptokarta
*Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
Router(config-if)#exit
ROUTER_3 ga kiritiladigan buyruqlar ketma-ketligi:
Router>enable
Router#conf t
Router(config)#int fa 0/0
Router(config-if)#no shut
Router(config-if)#ip address 1.1.1.2 255.255.255.252
Router(config)#int fa 0/1
Router(config-if)#no shut
Router(config-if)#ip address 2.2.2.2 255.255.255.0
Router(config-if)#exit
3-rasm. Routrlarni sozlanmasi.
Bajarilgan laboratoriya ishi testlab ko`rildi, ya`ni PC0 dan PC2 icmp protokoli orqali aloqa tekshirib ko`riladi.
4-rasm. PC0 va PC2 kompyuterlarning manzillari
5-rasm. Topologiyani testlash natijalari
VPN kanal orqali yuborilgan ma`lumotlar statistikasini ko`rish uchun quyidagi buyruq kiritiladi:
Show crypto ipsec sa
15.5-rasm VPN kanal orqali yuborilgan ma`lumotlar statistikasi
15.6-rasm. Topologiyani orqali yuborilgan xabarning harakati
|
| |