



    Date: 01.12.2023

    VPN security gateway. A security gateway is a network device connected to two networks that performs encryption and authentication on behalf of the many hosts located behind it. The VPN security gateway is placed so that all traffic destined for the internal corporate network passes through it.

    Figure 1. Structure of a virtual protected network
    3. Task
    3.1 Build the network:

    Figure 2. General view of the network we use

    In this network we used computers, switches, and routers.


    Sequence of commands entered on ROUTER_1:
    Router>enable
    Router#conf t
    ! LAN interface: gateway for 192.168.2.0/24 (matches the DHCP pool and ACLs below)
    Router(config)#int fa 0/0
    Router(config-if)#no shut
    Router(config-if)#ip nat inside
    Router(config-if)#ip address 192.168.2.1 255.255.255.0
    Router(config-if)#exit
    ! WAN interface towards ROUTER_3
    Router(config)#int fa 0/1
    Router(config-if)#no shut
    Router(config-if)#ip address 1.1.1.1 255.255.255.252
    Router(config-if)#ip nat outside
    Router(config-if)#exit
    ! NAT: exempt LAN-to-LAN (VPN) traffic, translate everything else
    Router(config)#ip access-list extended for-nat
    Router(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
    Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any
    Router(config-ext-nacl)#exit
    Router(config)#ip nat inside source list for-nat int fa 0/1 overload
    Router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2
    ! DHCP pool for the LAN
    Router(config)#ip dhcp pool vl2
    Router(dhcp-config)#network 192.168.2.0 255.255.255.0
    Router(dhcp-config)#default-router 192.168.2.1
    Router(dhcp-config)#dns-server 8.8.8.8
    Router(dhcp-config)#exit
    ! IKE phase 1 policy and the pre-shared key for the peer
    Router(config)#crypto isakmp policy 1
    Router(config-isakmp)#encryption aes
    Router(config-isakmp)#hash md5
    Router(config-isakmp)#authentication pre-share
    Router(config-isakmp)#group 2
    Router(config-isakmp)#exit
    Router(config)#crypto isakmp key 123 address 2.2.2.1
    ! IPsec transform set and the traffic to protect
    Router(config)#crypto ipsec transform-set ts esp-aes esp-md5-hmac
    Router(config)#ip access-list extended for-vpn
    Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
    Router(config-ext-nacl)#exit
    ! Crypto map, applied to the WAN interface
    Router(config)#crypto map kriptokarta 10 ipsec-isakmp
    Router(config-crypto-map)#match address for-vpn
    Router(config-crypto-map)#set peer 2.2.2.1
    Router(config-crypto-map)#set transform-set ts
    Router(config-crypto-map)#exit
    Router(config)#int fa 0/1
    Router(config-if)#crypto map kriptokarta
    *Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
    Router(config-if)#exit
    (VPN setup process)

    Sequence of commands entered on ROUTER_2:

    Router>enable
    Router#conf t
    ! LAN interface: gateway for 192.168.3.0/24
    Router(config)#int fa 0/0
    Router(config-if)#no shut
    Router(config-if)#ip nat inside
    Router(config-if)#ip address 192.168.3.1 255.255.255.0
    Router(config-if)#exit
    ! WAN interface towards ROUTER_3
    Router(config)#int fa 0/1
    Router(config-if)#no shut
    Router(config-if)#ip address 2.2.2.1 255.255.255.0
    Router(config-if)#ip nat outside
    Router(config-if)#exit
    ! NAT: exempt LAN-to-LAN (VPN) traffic, translate everything else
    Router(config)#ip access-list extended for-nat
    Router(config-ext-nacl)#deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    Router(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any
    Router(config-ext-nacl)#exit
    Router(config)#ip nat inside source list for-nat int fa 0/1 overload
    Router(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.2
    ! DHCP pool for the LAN
    Router(config)#ip dhcp pool vl3
    Router(dhcp-config)#network 192.168.3.0 255.255.255.0
    Router(dhcp-config)#default-router 192.168.3.1
    Router(dhcp-config)#dns-server 8.8.8.8
    Router(dhcp-config)#exit
    ! IKE phase 1 policy and the pre-shared key for the peer
    Router(config)#crypto isakmp policy 1
    Router(config-isakmp)#encryption aes
    Router(config-isakmp)#hash md5
    Router(config-isakmp)#authentication pre-share
    Router(config-isakmp)#group 2
    Router(config-isakmp)#exit
    Router(config)#crypto isakmp key 123 address 1.1.1.1
    ! IPsec transform set and the traffic to protect (mirror of ROUTER_1)
    Router(config)#crypto ipsec transform-set ts esp-aes esp-md5-hmac
    Router(config)#ip access-list extended for-vpn
    Router(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    Router(config-ext-nacl)#exit
    ! Crypto map, applied to the WAN interface
    Router(config)#crypto map kriptokarta 10 ipsec-isakmp
    Router(config-crypto-map)#match address for-vpn
    Router(config-crypto-map)#set peer 1.1.1.1
    Router(config-crypto-map)#set transform-set ts
    Router(config-crypto-map)#exit
    Router(config)#int fa 0/1
    Router(config-if)#crypto map kriptokarta
    *Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
    Router(config-if)#exit
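
The ROUTER_1 and ROUTER_2 configurations form a tunnel only if their for-vpn ACLs mirror each other and each for-nat ACL denies the LAN-to-LAN flow before its permit, because NAT is applied before the crypto map on the outside interface. The Python check below is an added example, not part of the original lab: it audits those two conditions and flags the lab-grade parameters used here (MD5, DH group 2, the pre-shared key 123). The function names and the 16-character key threshold are assumptions of this example.

```python
import re

# Constructed input: the ACL and crypto lines of ROUTER_1 that the checks read.
R1 = """\
ip access-list extended for-nat
 deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
crypto isakmp policy 1
 encryption aes
 hash md5
 group 2
crypto isakmp key 123 address 2.2.2.1
crypto ipsec transform-set ts esp-aes esp-md5-hmac
ip access-list extended for-vpn
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
"""
# ROUTER_2 is the same text with the LAN prefixes and the peer address swapped.
R2 = (R1.replace("192.168.2.0", "@").replace("192.168.3.0", "192.168.2.0")
        .replace("@", "192.168.3.0").replace("2.2.2.1", "1.1.1.1"))

def acl(cfg, name):
    """Return [(action, (src, wildcard), dst_fields)] for a named ACL, in order."""
    body = re.search(rf"ip access-list extended {name}\n((?: .*\n)+)", cfg).group(1)
    return [(f[0], tuple(f[2:4]), tuple(f[4:])) for f in map(str.split, body.splitlines())]

def audit(local, remote):
    findings = []
    vpn, nat = acl(local, "for-vpn"), acl(local, "for-nat")
    # 1. Crypto ACLs must mirror each other or the peers disagree on what to protect.
    if vpn != [(a, d, s) for a, s, d in acl(remote, "for-vpn")]:
        findings.append("for-vpn is not the mirror of the peer's for-vpn")
    # 2. The first for-nat rule matching a VPN flow must be a deny (NAT exemption).
    for _, src, dst in vpn:
        first = next((a for a, s, d in nat if s == src and d in (dst, ("any",))), None)
        if first != "deny":
            findings.append(f"{src[0]} -> {dst[0]} is NATed before encryption")
    # 3. Weak parameters that are acceptable only in a lab.
    if re.search(r"^ hash md5|esp-md5-hmac", local, re.M):
        findings.append("MD5 used for IKE/ESP integrity")
    if re.search(r"^ group [125]$", local, re.M):
        findings.append("DH group of 1536 bits or less")
    key = re.search(r"crypto isakmp key (\S+) address", local)
    if key and len(key.group(1)) < 16:  # threshold is an assumption of this example
        findings.append("pre-shared key shorter than 16 characters")
    return findings
```

Run against the lab as written, `audit(R1, R2)` reports only the three weak-parameter findings; removing the deny line from for-nat or breaking the ACL symmetry adds the corresponding tunnel finding.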

    Sequence of commands entered on ROUTER_3:

    Router>enable
    Router#conf t
    ! Link to ROUTER_1
    Router(config)#int fa 0/0
    Router(config-if)#no shut
    Router(config-if)#ip address 1.1.1.2 255.255.255.252
    Router(config-if)#exit
    ! Link to ROUTER_2
    Router(config)#int fa 0/1
    Router(config-if)#no shut
    Router(config-if)#ip address 2.2.2.2 255.255.255.0
    Router(config-if)#exit

    Figure 3. Router configuration.
    The completed lab was then tested: connectivity from PC0 to PC2 was checked over ICMP.


    Figure 4. Addresses of the PC0 and PC2 computers


    Figure 5. Topology test results
    To view statistics for the data sent over the VPN tunnel, enter the following command:
    show crypto ipsec sa


    Figure 15.5. Statistics for the data sent over the VPN tunnel
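
The counters in `show crypto ipsec sa` show whether the ping actually crossed the tunnel: encaps counts packets encrypted outbound, decaps counts packets decrypted inbound. The Python parser below is an added example, not part of the original lab; the sample output is constructed in the layout IOS prints, using this lab's addresses with made-up counters, and the function names are assumptions.

```python
import re

# Constructed sample in the layout of `show crypto ipsec sa`
# (addresses and map name from this lab; counter values are made up).
SAMPLE = """\
interface: FastEthernet0/1
    Crypto map tag: kriptokarta, local addr 1.1.1.1
   local  ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 2.2.2.1 port 500
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 0
    #pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 0
    #send errors 1, #recv errors 0
"""

def parse_sa(text):
    """Return one dict per protected flow (local ident / remote ident pair)."""
    flows = []
    for block in re.split(r"(?m)^(?=[ \t]*local\s+ident)", text)[1:]:
        ident = re.findall(r"(local|remote)\s+ident .*?: \(([\d.]+)/([\d.]+)/", block)
        flow = {side: f"{addr}/{mask}" for side, addr, mask in ident}
        flow["peer"] = re.search(r"current_peer (\S+)", block).group(1)
        for name, value in re.findall(r"#pkts (encaps|decaps): (\d+)", block):
            flow[name] = int(value)
        flows.append(flow)
    return flows

def diagnose(flow):
    """Turn the encaps/decaps counters of one flow into a tunnel status."""
    if flow["encaps"] == 0 and flow["decaps"] == 0:
        return "idle: no traffic matched the crypto ACL (check for-vpn and the for-nat deny)"
    if flow["decaps"] == 0:
        return "one-way: packets are encrypted out but none return from the peer"
    if flow["encaps"] == 0:
        return "one-way: peer traffic is decrypted but nothing is encrypted back"
    return "up: traffic is encrypted in both directions"

if __name__ == "__main__":
    for f in parse_sa(SAMPLE):
        print(f["local"], "->", f["remote"], "via", f["peer"], "|", diagnose(f))
```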




    Figure 15.6. Movement of a message sent through the topology
