17-Laboratoriya ishi Mavzu: Korxona va tashkilot axborot komunikatsiya tizimlarida vpn tarmoq qurish. Ishdan maqsad. Routerlarda site-to-site texnologiyasi asosida virtual himoyalangan tarmoq qurish ko`nikmalarini hosil qilish.
Nazariy ma’lumot VPN (Virtual Private Network - virtual xususiy tarmoq) -mantiqiy tarmoq bo‘lib, o‘zidan yuqoridagi boshqa tarmoq, masalan, Internet asosida quriladi. Bu tarmoqda kommunikatsiyalarda umumiy xavfsiz bo‘lmagan tarmoq protokollaridan foydalanilishiga qaramay, shifrlashdan foydalangan holda, axborot almashinishda bеgonalarga bеrk bo‘lgan kanallar tashkil qilinadi. VPN tashkilotning bir nеcha ofislarini ular o‘rtasida nazorat qilinmaydigan kanallardan foydalangan holda yagona tarmoqqa birlashtirish imkonini bеradi.
O‘z navbatida, VPN alohida tarmoq xususiyatlarini qamrab olgan, lеkin bu tarmoq umumiy foydalanish tarmog‘i, masalan, Intеrnеt orqali amalga oshiriladi. Tunnеllashtirish mеtodi yordamida ma’lumotlar pakеti umumiy foydalanish tarmog‘i orqali xuddi oddiy ikki nuqtali bog‘lanishdagi kabi translyatsiya qilinadi. Har qaysi «ma’lumot jo‘natuvchi-qabul qiluvchi» juftligi o‘rtasida ma’lumotlarni bir protokoldan ikkinchi protokolga inkapsulyatsiya qilish imkonini bеruvchi o‘ziga xos tunnеl — xavfsiz mantiqiy bog‘lanish o‘rnatiladi.
17.1-rasm. Virtual himoyalangan tarmoq strukturasi
Ishni bajarish tartibi Cisco packet tracer dasturi ishga tushiriladi.
Quyida keltirilgan topologiya quriladi.
Qurilgan topologiya testlab ko`riladi.
17.2-rasm. Tadqiq qilinayotgan tarmoq topologiyasi
ROUTER_1 ga kiritiladigan buyruqlar ketma-ketligi.
Router>enable Router#conf t Router(config)#int fa 0/0 Router(config-if)#no shut Router(config-if)#ip nat inside Router(config-if)#ip address 192.168.1.1 255.255.255.0 Router(config)#int fa 0/1 Router(config-if)#no shut Router(config-if)#ip address 1.1.1.1 255.255.255.252 Router(config-if)#ip nat outside Router(config-if)#exit Router(config)#ip access-list extended for-nat Router(config-ext-nacl)#deny ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 any Router(config-ext-nacl)#exit Router(config)#ip nat inside source list for-nat int fa 0/1 overload Router(config)#ip route 0.0.0.0 0.0.0.0 1.1.1.2 Router(config)#ip dhcp pool vl2 Router(dhcp-config)#network 192.168.2.0 255.255.255.0 Router(dhcp-config)#default-router 192.168.2.1 Router(dhcp-config)#dns-server 8.8.8.8 Router(dhcp-config)#exit Router(config)#crypto isakmp policy 1 Router(config-isakmp)#encryption aes Router(config-isakmp)#hash md5 Router(config-isakmp)#authentication pre-share Router(config-isakmp)#group 2 Router(config)#crypto isakmp key 123 address 2.2.2.1 Router(config)#crypto ipsec transform-set ts esp-aes esp-md5-hmac Router(config)#ip access-list extended for-vpn Router(config-ext-nacl)#permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255 Router(config-ext-nacl)#exit Router(config)#crypto map kriptokarta 10 ipsec-isakmp Router(config-crypto-map)#match address for-vpn Router(config-crypto-map)#set peer 2.2.2.1 Router(config-crypto-map)#set transform-set ts Router(config-crypto-map)#exit Router(config)#int fa 0/1 Router(config-if)#crypto map kriptokarta *Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON Router(config-if)#exit (VPN qurish jarayoni)
ROUTER_2 kiritiladigan buyruqlar ketma-ketligi.
Router>enable Router#conf t Router(config)#int fa 0/0 Router(config-if)#no shut Router(config-if)#ip nat inside Router(config-if)#ip address 192.168.3.1 255.255.255.0 Router(config-if)#exit Router(config)#int fa 0/1 Router(config-if)#no shut Router(config-if)#ip address 2.2.2.1 255.255.255.0 Router(config-if)#ip nat outside Router(config-if)#exit Router(config)#ip access-list extended for-nat Router(config-ext-nacl)#deny ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 Router(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 any Router(config-ext-nacl)#exit Router(config)#ip nat inside source list for-nat int fa 0/1 overload Router(config)#ip route 0.0.0.0 0.0.0.0 2.2.2.2 Router(config)#ip dhcp pool vl3 Router(dhcp-config)#network 192.168.3.0 255.255.255.0 Router(dhcp-config)#default-router 192.168.3.1 Router(dhcp-config)#dns-server 8.8.8.8 Router(dhcp-config)#exit Router(config)#crypto isakmp policy 1 Router(config-isakmp)#encryption aes Router(config-isakmp)#hash md5 Router(config-isakmp)#authentication pre-share Router(config-isakmp)#group 2 Router(config-isakmp)#exit Router(config)#crypto isakmp key 123 address 1.1.1.1 Router(config)#crypto ipsec transform-set ts esp-aes esp-md5-hmac Router(config)#ip access-list extended for-vpn Router(config-ext-nacl)#permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 Router(config-ext-nacl)#exit Router(config)#crypto map kriptokarta 10 ipsec-isakmp Router(config-crypto-map)#match address for-vpn Router(config-crypto-map)#set peer 1.1.1.1 Router(config-crypto-map)#set transform-set ts Router(config-crypto-map)#exit Router(config)#int fa 0/1 Router(config-if)#crypto map kriptokarta *Jan 3 07:16:26.785: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON Router(config-if)#exit
ROUTER_3 ga kiritiladigan buyruqlar ketma-ketligi:
Router>enable Router#conf t Router(config)#int fa 0/0 Router(config-if)#no shut Router(config-if)#ip address 1.1.1.2 255.255.255.252 Router(config)#int fa 0/1 Router(config-if)#no shut Router(config-if)#ip address 2.2.2.2 255.255.255.0 Router(config-if)#exit
17.2-rasm. ROUTER_1 ni sozlanmasi.
Bajarilgan laboratoriya ishi testlab ko`riladi, ya`ni PC0 dan PC2 icmp protokoli orqali aloqa tekshirib ko`riladi.
17.3-rasm. PC0 va PC2 kompyuterlarning manzillari
17.4-rasm. Topologiyani testlash natijalari
VPN kanal orqali yuborilgan ma`lumotlar statistikasini ko`rish uchun quyidagi buyruq kiritiladi: