2. For the laboratory work, a Cisco 2960 switch, a 2911 router, an ASA 5505 firewall, a server and computers are selected.
3. The network topology shown in Figure 15.2 is built.
Figure 15.2. Network topology built to study the operating principle of the ASA 5505
4. Configure the router's initial settings.
continue with configuration dialog? [yes/no]: no
Router>enable
Router#conf t
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#no shutdown
Router(config-if)#exit
Router(config)#hostname IP
IP(config)#interface gigabitEthernet 0/0 (link to the ASA outside interface)
IP(config-if)#ip address 195.158.0.1 255.255.255.252
IP(config-if)#ex
IP(config)#interface gigabitEthernet 0/1 (external network segment)
IP(config-if)#no shutdown
IP(config-if)#ip address 8.8.8.1 255.255.255.0
IP(config-if)#do wr (save the configuration)
IP(config-if)#exit
5. Because the Cisco ASA firewall is used for security purposes, all of its ports are normally closed by default. While configuring it, only the ports that are actually needed should be opened, one step at a time. The following commands are used to configure the ASA 5505:
ciscoasa>en
ciscoasa#conf t
ciscoasa(config)#interface vlan 1 (configure VLAN 1, the inside interface)
ciscoasa(config-if)#no ip address
ciscoasa(config-if)#ip address 192.168.100.1 255.255.255.0 (assign the IP address)
ciscoasa(config-if)#exit
ciscoasa(config)#dhcpd address 192.168.100.22-192.168.100.50 inside (configure DHCP)
ciscoasa(config)#dhcpd dns 8.8.8.8
ciscoasa(config)#enable password salom
ciscoasa(config)#username admin password admin (create a user)
ciscoasa(config)#ssh 192.168.100.22 255.255.255.255 inside
ciscoasa(config)#ssh timeout 1
ciscoasa(config)#aaa authentication ssh console LOCAL (enable the SSH protocol)
ciscoasa(config)#interface vlan 2 (configure VLAN 2, the outside interface)
ciscoasa(config-if)#no ip address
ciscoasa(config-if)#ip address 195.158.0.2 255.255.255.252 (assign the IP address)
ciscoasa(config-if)#exit
ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 195.158.0.1 (configure routing)
ciscoasa(config)#object network NET
ciscoasa(config-network-object)#subnet 192.168.100.0 255.255.255.0
ciscoasa(config-network-object)#nat (inside,outside) dynamic interface
ciscoasa(config-network-object)#end
ciscoasa#conf t
ciscoasa(config)#access-list NAT extended permit icmp any any (configure the access list)
ciscoasa(config)#access-group NAT in interface outside
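The firewall commands above can be checked mechanically before moving on to the tests. The following Python script is an added example and is not part of the lab manual: it parses a constructed copy of the exercise's ASA commands and reports whether SSH management is limited to a single inside host with LOCAL authentication, whether the DHCP pool fits the inside subnet without handing out the gateway address, whether the default route's next hop is on the outside link, and what the outside access list permits.

```python
import ipaddress

# Constructed copy of the config-mode commands entered on the ASA in this
# exercise (prompts removed); only the lines the checks need are kept.
ASA_CONFIG = """\
interface vlan 1
 ip address 192.168.100.1 255.255.255.0
dhcpd address 192.168.100.22-192.168.100.50 inside
ssh 192.168.100.22 255.255.255.255 inside
aaa authentication ssh console LOCAL
interface vlan 2
 ip address 195.158.0.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 195.158.0.1
access-list NAT extended permit icmp any any
access-group NAT in interface outside
"""

def audit_asa(config: str) -> dict:
    """Parse the commands and return the checks a reviewer applies to them."""
    ifaces, cur = {}, None            # interface name -> IPv4Interface
    ssh_nets, acls, bound = [], {}, {}
    aaa_local, lo, hi, next_hop = False, None, None, None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface":
            cur = " ".join(tok[1:])
        elif tok[:2] == ["ip", "address"] and cur:
            ifaces[cur] = ipaddress.IPv4Interface(f"{tok[2]}/{tok[3]}")
        elif tok[:2] == ["dhcpd", "address"]:
            lo, hi = (ipaddress.IPv4Address(a) for a in tok[2].split("-"))
        elif tok[0] == "ssh" and len(tok) == 4:   # ssh <addr> <mask> <iface>
            ssh_nets.append(ipaddress.IPv4Network(f"{tok[1]}/{tok[2]}"))
        elif tok[0] == "aaa" and "ssh" in tok:
            aaa_local = tok[-1] == "LOCAL"
        elif tok[0] == "route":
            next_hop = ipaddress.IPv4Address(tok[4])
        elif tok[0] == "access-list":             # (action, protocol)
            acls.setdefault(tok[1], []).append((tok[3], tok[4]))
        elif tok[0] == "access-group":            # interface -> ACL name
            bound[tok[-1]] = tok[1]
    inside, outside = ifaces["vlan 1"], ifaces["vlan 2"]
    outside_rules = acls.get(bound.get("outside"), [])
    return {
        # management plane: SSH only from single hosts on the inside, LOCAL users
        "ssh_single_hosts_only": all(n.prefixlen == 32 for n in ssh_nets),
        "ssh_sources_inside": all(n.network_address in inside.network for n in ssh_nets),
        "ssh_uses_local_aaa": aaa_local,
        # DHCP pool must lie in the inside subnet and must not hand out the gateway
        "dhcp_pool_valid": lo is not None and lo in inside.network
        and hi in inside.network and not (lo <= inside.ip <= hi),
        "default_route_on_link": next_hop in outside.network,
        # what the outside ACL lets in; anything beyond icmp needs a reason
        "outside_permits": sorted(p for a, p in outside_rules if a == "permit"),
    }
```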
After the relevant commands have been entered, the computers connected to the network receive their addresses (Figure 15.3).
Figure 15.3. A host obtaining an IP address through the ASA firewall
Keep in mind that the server must receive its address statically (Figure 15.4), because its address must not change.
Figure 17.4. Assigning an IP address to the server
Once all settings have been made, before forwarding a port to the external network it is necessary to check whether that port is open (Figure 17.5).
Figure 17.5. Testing the built topology
After the test, it can be verified that the SSH protocol works correctly at the specified address (Figure 17.6).
Figure 17.6. Connecting to the firewall via the SSH protocol