码迷,mamicode.com
首页 > 其他好文 > 详细

穿越两次PIX8.0防火墙并两次静态NAT的FTP测试

时间:2015-09-13 20:12:42      阅读:203      评论:0      收藏:0      [点我收藏+]

标签:asa   ftp审查   

一.测试拓扑

技术分享

二.测试思路

  1. 客户端和Server端不能直接通讯,都作了一对一的静态NAT

  2. 当客户端采用被动模式的FTP连接FTP服务器端时,FTP的控制通讯和数据通讯,发起端都在客户端:

    ----对于客户端侧防火墙来说,都是从高安全区到低安全区的访问,无需放通策略;

    ----对于服务端防火墙来说,控制通讯是从低安全区到高安全区的访问,因此,需要开放针对TCP21的策略;数据通讯也是从低安全区到高安全区的访问,端口随机,因此需要配置ftp审查。

  3. 当客户端采用主动模式的FTP连接FTP服务器端时,FTP的控制通讯发起端在客户端,FTP的数据通讯发起端在服务器端,此时的客户端防火墙必须配置FTP审查;经过验证,此时服务器端防火墙可以不用配置FTP审查

  4. 何为FTP主动模式和被动模式,FTP数据通讯如果主动发起端在Server,就是主动模式;FTP数据通讯如果主动发起端在Client,就是被动模式;


三.基本配置

  1. ftp服务器:

    IP:10.113.9.12/24

    GW:10.113.9.1

  2. FW1防火墙:

    interface Ethernet0
     nameif Inside
     security-level 100
     ip address 10.113.9.1 255.255.255.0
    !
    interface Ethernet1
     nameif Outside
     security-level 0
     ip address 10.20.0.1 255.255.255.0


    access-list Outside extended permit icmp any any
    access-group Outside in interface Outside

    -----为了测试方便,直接把所有的ICMP都开开,实际不建议


    static (Inside,Outside) 10.20.0.12 10.113.9.12 netmask 255.255.255.255

  3. FW2防火墙:

    interface Ethernet0
     nameif Inside
     security-level 100
     ip address 10.10.1.1 255.255.255.0
    !
    interface Ethernet1
     nameif Outside
     security-level 0
     ip address 10.20.0.2 255.255.255.0


    access-list Outside extended permit icmp any any
    access-group Outside in interface Outside



    static (Inside,Outside) 10.20.0.5 10.10.1.5 netmask 255.255.255.255


  4. FTP客户端R1:

    interface Ethernet0/0
     ip address 10.10.1.5 255.255.255.0
     no shut

    ip route 0.0.0.0 0.0.0.0 10.10.1.1


    ip ftp username xll
    ip ftp password 1234qwer

四.FTP访问配置

1.客户端采用被动模式的FTP

A.FW2无需配置

B.FW1配置

   ----放策略

     access-list Outside extended permit tcp host 10.20.0.5 host 10.20.0.12 eq ftp

   ----配置FTP审查

     access-list ftp extended permit tcp host 10.20.0.5 host 10.113.9.12 eq ftp

     class-map myftp
         match access-list ftp
     policy-map myftppolicy
         class myftp
          inspect ftp
     service-policy myftppolicy interface Inside

C.测试:

R1#copy ftp: flash:
Address or name of remote host []? 10.20.0.12
Source filename []? test
Destination filename [test]?
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]

Verifying checksum...  OK (0x8248)
4 bytes copied in 7.368 secs (1 bytes/sec)
R1#dir flash:
Directory of flash:/

    1  -rw-           4                    <no date>  test

7864316 bytes total (7864248 bytes free)

-----路由器默认FTP客户端采用的是FTP被动模式

2.客户端采用主动模式的FTP

A.FW2不配置FTP审查测试

R1(config)#no ip ftp passive
R1(config)#exit
R1#
*Mar  1 00:35:29.871: %SYS-5-CONFIG_I: Configured from console by console
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing
ftp://10.20.0.12/test...

----可以看到这时无法拷贝文件

B.FW2配置FTP审查并测试

----配置FTP审查

access-list ftp extended permit tcp 10.10.1.0 255.255.255.0 host 10.20.0.12 eq ftp
class-map myftp
 match access-list ftp
policy-map myftppolicy
 class myftp
  inspect ftp          
service-policy myftppolicy interface Inside

----测试,可以看到现在能正常拷贝文件

R1(config)#no ip ftp passive
R1(config)#exit
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]

Verifying checksum...  OK (0x8248)
4 bytes copied in 7.856 secs (1 bytes/sec)
R1#

C.FW1取消FTP审查并测试

-----FW1取消FTP审查

FW1(config)#  no service-policy myftppolicy interface Inside

-----测试,可以看到如果客户端采用主动模式的FTP模式,FW1可以不配置FTP审查

R1(config)#no ip ftp passive
R1(config)#exit
R1#

R1#copy ftp: flash:    
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]

Verifying checksum...  OK (0x8248)
4 bytes copied in 7.892 secs (1 bytes/sec)
R1#


本文出自 “httpyuntianjxxll.spac..” 博客,请务必保留此出处http://333234.blog.51cto.com/323234/1694238

穿越两次PIX8.0防火墙并两次静态NAT的FTP测试

标签:asa   ftp审查   

原文地址:http://333234.blog.51cto.com/323234/1694238

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!