FTP test across two PIX 8.0 firewalls with two static NATs
I. Test topology
II. Test approach
The client and the server cannot communicate directly; each sits behind a one-to-one static NAT.
When the client connects to the FTP server in passive mode, both the FTP control connection and the FTP data connection are initiated by the client:
---- For the client-side firewall, both connections go from the high-security zone to the low-security zone, so no policy needs to be opened;
---- For the server-side firewall, the control connection goes from the low-security zone to the high-security zone, so a policy permitting TCP 21 is needed; the data connection also goes from low to high, on a random port, so FTP inspection must be configured (the PASV reply carries the server's real, pre-NAT address and the chosen port; inspection rewrites that address to the static-NAT mapped address and opens a pinhole for the inbound data connection).
When the client connects to the FTP server in active mode, the control connection is initiated by the client and the data connection is initiated by the server; the client-side firewall must then be configured with FTP inspection, because the PORT command carries the client's real address and port. It was verified that the server-side firewall can do without FTP inspection in this case.
What are FTP active and passive modes? If the FTP data connection is initiated by the server, it is active mode; if the FTP data connection is initiated by the client, it is passive mode.
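To make the reasoning above concrete, the following is an added Python model (not part of the original post, and not Cisco code) of what "inspect ftp" must do on each firewall: parse the PORT command or the 227 PASV reply, replace the embedded real address with the static-NAT mapped address, and open a pinhole for the data connection. The firewall names and addresses are the lab values from this post; the data ports 10001 and 3000 are constructed. The function data_connection_possible replays the four experiments in section IV and also covers combinations the post did not run.

```python
import re

# Constructed lab values matching this post: real (inside) address -> static NAT mapped address.
# Each firewall only knows its own static translation; the names FW1/FW2 follow the post.
FIREWALLS = {
    "FW1": {"10.113.9.12": "10.20.0.12"},  # FW1 protects the FTP server
    "FW2": {"10.10.1.5": "10.20.0.5"},     # FW2 protects the FTP client R1
}
SERVER_REAL = "10.113.9.12"
CLIENT_REAL = "10.10.1.5"

# FTP carries the data-channel endpoint inside the control channel as h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """Turn the six comma-separated numbers into (ip, port); reject out-of-range values."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("malformed host-port in FTP command: %r" % (groups,))
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip, port):
    """Inverse of decode_hostport: '10.20.0.5', 10001 -> '10,20,0,5,39,17'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_ftp_line(line):
    """Return ('PORT'|'PASV', ip, port) for a line announcing a data endpoint, else None."""
    m = PORT_RE.match(line)
    if m:
        return ("PORT",) + decode_hostport(m.groups())
    m = PASV_RE.match(line)
    if m:
        return ("PASV",) + decode_hostport(m.groups())
    return None


def rewrite_for_nat(line, nat):
    """Model of what 'inspect ftp' does on one firewall.

    Returns the (possibly rewritten) control line and, when the embedded address is one
    of this firewall's translated hosts, the pinhole it must open for the data
    connection: (mapped_ip, port). Lines carrying no endpoint pass through untouched.
    """
    parsed = parse_ftp_line(line)
    if parsed is None:
        return line, None
    _kind, real_ip, port = parsed
    mapped_ip = nat.get(real_ip)
    if mapped_ip is None:          # not our host: nothing to translate, no pinhole
        return line, None
    new_line = line.replace(encode_hostport(real_ip, port), encode_hostport(mapped_ip, port), 1)
    return new_line, (mapped_ip, port)


def data_connection_possible(mode, inspecting):
    """Replay the post's experiments: does the FTP data channel come up?

    mode:       'passive' (client dials the server) or 'active' (server dials the client)
    inspecting: set of firewall names on which 'inspect ftp' is applied
    """
    if mode == "active":
        # Client announces its own real address; the message travels client -> FW2 -> FW1.
        line = "PORT " + encode_hostport(CLIENT_REAL, 10001)
        path, inbound_fw = ["FW2", "FW1"], "FW2"   # data connection arrives at FW2's Outside
    elif mode == "passive":
        # Server announces its own real address; the message travels server -> FW1 -> FW2.
        line = "227 Entering Passive Mode (%s)." % encode_hostport(SERVER_REAL, 3000)
        path, inbound_fw = ["FW1", "FW2"], "FW1"   # data connection arrives at FW1's Outside
    else:
        raise ValueError("mode must be 'active' or 'passive'")

    pinholes = {}
    for fw in path:
        if fw in inspecting:
            line, hole = rewrite_for_nat(line, FIREWALLS[fw])
            if hole is not None:
                pinholes[fw] = hole

    # The initiator dials whatever address the control channel now carries. That works only
    # if the address is the mapped (routable) one AND the firewall in front of the receiver
    # has opened a matching pinhole, i.e. only if that firewall inspected the control channel.
    _kind, dst_ip, dst_port = parse_ftp_line(line)
    return pinholes.get(inbound_fw) == (dst_ip, dst_port)


if __name__ == "__main__":
    for mode, fws in [("passive", {"FW1"}), ("active", {"FW1"}),
                      ("active", {"FW1", "FW2"}), ("active", {"FW2"})]:
        print(mode, sorted(fws), "->", data_connection_possible(mode, fws))
```

The four cases printed by the block correspond to tests IV.1, IV.2.A, IV.2.B and IV.2.C: passive mode works with inspection on FW1 alone, active mode fails until FW2 inspects, and FW1's inspection is irrelevant in active mode because the server's data connection leaves FW1 from the high-security side.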
III. Basic configuration
FTP server:
IP:10.113.9.12/24
GW:10.113.9.1
FW1 firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 10.113.9.1 255.255.255.0
!
interface Ethernet1
nameif Outside
security-level 0
ip address 10.20.0.1 255.255.255.0
access-list Outside extended permit icmp any any
access-group Outside in interface Outside ----- all ICMP is opened here for test convenience; not recommended in practice
static (Inside,Outside) 10.20.0.12 10.113.9.12 netmask 255.255.255.255
FW2 firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface Ethernet1
nameif Outside
security-level 0
ip address 10.20.0.2 255.255.255.0
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
static (Inside,Outside) 10.20.0.5 10.10.1.5 netmask 255.255.255.255
FTP client R1:
interface Ethernet0/0
ip address 10.10.1.5 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip ftp username xll
ip ftp password 1234qwer
IV. FTP access configuration
1. Client uses passive-mode FTP
A. FW2 needs no configuration
B. FW1 configuration
---- Open the policy
access-list Outside extended permit tcp host 10.20.0.5 host 10.20.0.12 eq ftp
---- Configure FTP inspection
access-list ftp extended permit tcp host 10.20.0.5 host 10.113.9.12 eq ftp
class-map myftp
match access-list ftp
policy-map myftppolicy
class myftp
inspect ftp
service-policy myftppolicy interface Inside
C. Test:
R1#copy ftp: flash:
Address or name of remote host []? 10.20.0.12
Source filename []? test
Destination filename [test]?
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum... OK (0x8248)
4 bytes copied in 7.368 secs (1 bytes/sec)
R1#dir flash:
Directory of flash:/
1 -rw- 4 <no date> test
7864316 bytes total (7864248 bytes free)
----- The router's FTP client uses passive mode by default
2. Client uses active-mode FTP
A. Test without FTP inspection on FW2
R1(config)#no ip ftp passive
R1(config)#exit
R1#
*Mar 1 00:35:29.871: %SYS-5-CONFIG_I: Configured from console by console
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
---- As can be seen, the file cannot be copied in this case
B. Configure FTP inspection on FW2 and test
---- Configure FTP inspection
access-list ftp extended permit tcp 10.10.1.0 255.255.255.0 host 10.20.0.12 eq ftp
class-map myftp
match access-list ftp
policy-map myftppolicy
class myftp
inspect ftp
service-policy myftppolicy interface Inside
---- Test: as can be seen, the file can now be copied normally
R1(config)#no ip ftp passive
R1(config)#exit
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum... OK (0x8248)
4 bytes copied in 7.856 secs (1 bytes/sec)
R1#
C. Remove FTP inspection from FW1 and test
----- Remove FTP inspection on FW1
FW1(config)# no service-policy myftppolicy interface Inside
----- Test: as can be seen, when the client uses active-mode FTP, FW1 does not need FTP inspection
R1(config)#no ip ftp passive
R1(config)#exit
R1#
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum... OK (0x8248)
4 bytes copied in 7.892 secs (1 bytes/sec)
R1#