Oʻzbеkiston rеspublikasi axborot tеxnologiyalari va kommunikatsiyalarini rivojlantirish vazirligi

Download 7,38 Mb. Pdf ko'rish
bet	68/90
Sana	15.12.2023
Hajmi	7,38 Mb.
	#119638

1 ... 64 65 66 67 68 69 70 71 ... 90

Bog'liq
Тармоқ хавфсизлиги 16 шрифт

Amaliy qism
Amaliy
qismda
Cisco
packet
tracer
simulyatorida
demilitarizatsiya qilingan zonani qanday tashkil etish va uning
imkoniyatlarini keltirilgan.
DMZ yaratish uchun ASA 5505 tarmoqlararo ekrani, cisco
2960 kommutatorlari va cisco 2911 marshruzatori, kompyuterlar va
server ishlatiladi.
DMZ qanday ishlashini bilish uchun quyidagi koʻrsatmalarni
bajarish lozim:
1. 16.3-rasmda koʻrsatilgan tarmoq topologiyasini yarating.

187
16.3-rasm. Tadqiq qilinayotgan tarmoq topologiyasi
2. Marshruzator va tarmoqlararo ekrandagi asosiy sozlamalarni
sozlang. Asosiy sozlamalar uchun quyidagi buyruqlardan foydalaning.
Marshruzatorga quyida buyruqlar ketma ketligi kiritiladi.
continue with configuration dialog? [yes/no]: no
Router>enable
Router#conf t
Router(config)#interface gigabitEthernet 0/1
Router(config-if)#no shutdown
Router(config-if)#ip address 195.158.18.1 255.255.255.0
Router(config-if)#exit
Router(config)#interface gigabitEthernet 0/0
Router(config-if)#no shutdown
Router(config-if)#ip address 8.8.8.1 255.255.255.0
Router(config-if)#do wr
Tarmoqlararo ekrandagi asosiy sozlamalarni sozlash uchun
quyidagi buyruqlar kiritiladi:
ciscoasa>en
ciscoasa#conf t

188
ciscoasa#no dhcpd enable inside
ciscoasa#no dhcpd address 192.168.1.5-192.168.1.36 inside
ciscoasa(config)#interface vlan 1
ciscoasa(config-if)#ip address 192.168.100.1 255.255.255.0
ciscoasa(config-if)#exit
ciscoasa(config)#dhcpd enable inside
ciscoasa(config)#dhcpd address 192.168.100.22-192.168.100.50 inside
ciscoasa(config)#dhcpd dns 8.8.8.8
ciscoasa(config)#interface vlan 2
ciscoasa(config-if)#ip address 195.158.18.18 255.255.255.0
ciscoasa(config-if)#exit
ciscoasa(config)#route outside 0.0.0.0 0.0.0.0 195.158.18.1
ciscoasa(config)#object network NAT
ciscoasa(config-network-object)#subnet 192.168.100.0 255.255.255.0
ciscoasa(config-network-object)#nat (inside,outside) dynamic outside
ciscoasa(config-network-object)#exit
ciscoasa(config)#class-map qoida
ciscoasa(config-if)#match default-inspection-traffic
ciscoasa(config-if)#exit
ciscoasa(config)#policy-map toplam
ciscoasa(config)#class qoida
ciscoasa(config)#inspect http
ciscoasa(config)#inspect icmp
ciscoasa(config)#exit
ciscoasa(config)#service-policy toplam global
ciscoasa(config)#exit
ciscoasa(config)#enable salom
ciscoasa(config)#username admin password tatu123
3. Asosiy sozlamalarni kiritgandan soʻng, DMZni tarmoqlararo
ekran
yordamida sozlanadi. Buyruqning satriga quyidagi buyruqlar
kiritiladi:
ciscoasa(config)#hostname ASA
ASA(config)#domain-name tatu.uz
ASA(config)#ssh 192.168.100.0 255.255.255.0 inside
ASA(config)#aaa authentication ssh console LOCAL
ASA(config)#aaa authentication telnet console LOCAL
ASA(config)#ssh 8.8.8.8 255.255.255.255 outside
ASA(config)#interface vlan 3
ASA(config-if)#no forward interface vlan 1
ASA(config-if)#nameif DMZ

189
ASA(config-if)#ip address 192.168.70.1 255.255.255.0
ASA(config-if)#exit
ASA(config)#interface vlan 3
ASA(config-if)#security-level 70
ASA(config-if)#exit
ASA(config)#object network DMZ
ASA(config-network-object)#nat (DMZ,outside) static 195.158.18.88
ASA(config-network-object)#exit
ASA#
ASA#conf t
ASA(config)#access-list DMZ permit icmp any host 195.158.18.88
ASA(config)#access-group DMZ in interface outside
ASA(config)#access-list DMZ permit tcp any host 195.158.10.88 eq www
ASA(config)#end
Tegishli buyruqlarni kiritgandan soʻng, tarmoqning ishlashini
tekshirishingiz kerak.

Download 7,38 Mb.

1 ... 64 65 66 67 68 69 70 71 ... 90

Download 7,38 Mb.

Pdf ko'rish