穿越两次PIX8.0防火墙并两次静态NAT的FTP测试

一.测试拓扑

二.测试思路

1. 客户端和Server端不能直接通讯，都作了一对一的静态NAT

2. 当客户端采用被动模式的FTP连接FTP服务器端时，FTP的控制通讯和数据通讯，发起端都在客户端：

   ----对于客户端侧防火墙来说，都是从高安全区到低安全区的访问，无需放通策略;

   ----对于服务端防火墙来说，控制通讯是从低安全区到高安全区的访问，因此，需要开放针对TCP21的策略;数据通讯也是从低安全区到高安全区的访问，端口随机，因此需要配置ftp审查。

3. 当客户端采用主动模式的FTP连接FTP服务器端时，FTP的控制通讯发起端在客户端，FTP的数据通讯发起端在服务器端，此时的客户端防火墙必须配置FTP审查;经过验证，此时服务器端防火墙可以不用配置FTP审查

4. 何为FTP主动模式和被动模式，FTP数据通讯如果主动发起端在Server，就是主动模式;FTP数据通讯如果主动发起端在Client，就是被动模式;
   

   
   

三.基本配置

1. ftp服务器：

   IP：10.113.9.12/24

   GW：10.113.9.1
   

2. FW1防火墙：

   interface Ethernet0
    nameif Inside
    security-level 100
    ip address 10.113.9.1 255.255.255.0
   !
   interface Ethernet1
    nameif Outside
    security-level 0
    ip address 10.20.0.1 255.255.255.0

   
   access-list Outside extended permit icmp any any
   access-group Outside in interface Outside

   -----为了测试方便，直接把所有的ICMP都开开，实际不建议

   
   

   static (Inside,Outside) 10.20.0.12 10.113.9.12 netmask 255.255.255.255
   

3. FW2防火墙：

   interface Ethernet0
    nameif Inside
    security-level 100
    ip address 10.10.1.1 255.255.255.0
   !
   interface Ethernet1
    nameif Outside
    security-level 0
    ip address 10.20.0.2 255.255.255.0
   

   
   

   access-list Outside extended permit icmp any any
   access-group Outside in interface Outside

   
   

   
   

   static (Inside,Outside) 10.20.0.5 10.10.1.5 netmask 255.255.255.255

   
   

4. FTP客户端R1：

   interface Ethernet0/0
    ip address 10.10.1.5 255.255.255.0
    no shut
   
   ip route 0.0.0.0 0.0.0.0 10.10.1.1

   
   

   ip ftp username xll
   ip ftp password 1234qwer

四.FTP访问配置

1.客户端采用被动模式的FTP

A.FW2无需配置

B.FW1配置

   ----放策略

     access-list Outside extended permit tcp host 10.20.0.5 host 10.20.0.12 eq ftp

   ----配置FTP审查

     access-list ftp extended permit tcp host 10.20.0.5 host 10.113.9.12 eq ftp

     class-map myftp
         match access-list ftp
     policy-map myftppolicy
         class myftp
          inspect ftp
     service-policy myftppolicy interface Inside

C.测试：

R1#copy ftp: flash:
Address or name of remote host []? 10.20.0.12
Source filename []? test
Destination filename [test]?
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]

Verifying checksum...  OK (0x8248)
4 bytes copied in 7.368 secs (1 bytes/sec)
R1#dir flash:
Directory of flash:/

    1  -rw-           4                    <no date>  test

7864316 bytes total (7864248 bytes free)

-----路由器默认FTP客户端采用的是FTP被动模式

2.客户端采用主动模式的FTP

A.FW2不配置FTP审查测试

R1(config)#no ip ftp passive
R1(config)#exit
R1#
*Mar  1 00:35:29.871: %SYS-5-CONFIG_I: Configured from console by console
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...

----可以看到这时无法拷贝文件

B.FW2配置FTP审查并测试

----配置FTP审查

access-list ftp extended permit tcp 10.10.1.0 255.255.255.0 host 10.20.0.12 eq ftp
class-map myftp
 match access-list ftp
policy-map myftppolicy
 class myftp
  inspect ftp          
service-policy myftppolicy interface Inside

----测试，可以看到现在能正常拷贝文件

R1(config)#no ip ftp passive
R1(config)#exit
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]

Verifying checksum...  OK (0x8248)
4 bytes copied in 7.856 secs (1 bytes/sec)
R1#

C.FW1取消FTP审查并测试

-----FW1取消FTP审查

FW1(config)#  no service-policy myftppolicy interface Inside

-----测试，可以看到如果客户端采用主动模式的FTP模式，FW1可以不配置FTP审查

R1(config)#no ip ftp passive
R1(config)#exit
R1#

R1#copy ftp: flash:    
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]

Verifying checksum...  OK (0x8248)
4 bytes copied in 7.892 secs (1 bytes/sec)
R1#