I. Test topology
[Topology diagram: http://s3.51cto.com/wyfs02/M02/73/17/wKioL1X0-syze3ntAADfSrYJAKc050.jpg]
II. Test approach
The client and the server cannot communicate directly; each side has a one-to-one static NAT.
When the client connects to the FTP server in passive mode, both the FTP control connection and the FTP data connection are initiated by the client:
----For the client-side firewall, both are connections from the high-security zone to the low-security zone, so no policy needs to be opened;
----For the server-side firewall, the control connection is from the low-security zone to the high-security zone, so a policy permitting TCP/21 must be opened; the data connection is also from the low-security zone to the high-security zone, on a random port, so FTP inspection must be configured.
When the client connects to the FTP server in active mode, the control connection is initiated by the client but the data connection is initiated by the server, so the client-side firewall must have FTP inspection configured; testing confirmed that in this case the server-side firewall can do without FTP inspection.
What active and passive FTP mean: if the FTP data connection is initiated by the server, that is active mode; if the FTP data connection is initiated by the client, that is passive mode.
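The reasoning above (which firewall must inspect depends only on which side listens for the data connection) can be made concrete with a small model of what `inspect ftp` does. This is an added example, not code from the original post or from Cisco: it parses the control-channel message that announces the data endpoint (the client's PORT command in active mode, the server's 227 reply in passive mode), rewrites the embedded real address to the static-NAT mapped address when the endpoint is behind that firewall, and records the pinhole the firewall has to open. The addresses and NAT mappings are the post's; the data port and message text are constructed.

```python
"""
Added example, not from the original post: a minimal model of what ASA
`inspect ftp` has to do in the topology above.  Addresses are the post's;
the data port and message text are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# "static (Inside,Outside) mapped real" from the post, as {real: mapped}
FW1_STATIC = {"10.113.9.12": "10.20.0.12"}   # server-side firewall
FW2_STATIC = {"10.10.1.5": "10.20.0.5"}      # client-side firewall

# Client -> server:  PORT h1,h2,h3,h4,p1,p2
# Server -> client:  227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """Temporary permit for one inbound TCP data connection to an inside host."""
    dst_real: str
    dst_mapped: str
    dport: int


def decode_hostport(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """h1,h2,h3,h4,p1,p2 -> (dotted IP, port)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])


def encode_hostport(ip: str, port: int) -> str:
    """(dotted IP, port) -> h1,h2,h3,h4,p1,p2."""
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def inspect_ftp(line: str, static_nat: dict) -> Tuple[str, Optional[Pinhole]]:
    """Inspect one control-channel line as it crosses a firewall.

    Returns (line as forwarded, pinhole or None).  A pinhole is needed only
    when the announced endpoint is an inside host of this firewall: the peer
    will then connect from the low-security to the high-security side, which
    the ASA drops unless inspection opens it.  If the endpoint is outside,
    the inside host initiates (high -> low) and nothing extra is needed,
    which is why the firewall on the initiating side can do without
    `inspect ftp`.
    """
    for regex in (PORT_RE, PASV_RE):
        m = regex.match(line)
        if not m:
            continue
        real_ip, port = decode_hostport(m.groups())
        if real_ip not in static_nat:
            return line, None
        mapped_ip = static_nat[real_ip]
        rewritten = line.replace(",".join(m.groups()), encode_hostport(mapped_ip, port))
        return rewritten, Pinhole(real_ip, mapped_ip, port)
    return line, None


def run_transfer(mode: str, data_port: int = 50000) -> dict:
    """Walk one data-channel negotiation through both firewalls.

    data_port is a constructed ephemeral port.  The result records the
    message as the far end finally receives it and the pinhole each
    firewall had to open (None when inspection had nothing to do).
    """
    client_real, server_real = "10.10.1.5", "10.113.9.12"
    if mode == "active":
        # Client announces its own listening socket: client -> FW2 -> FW1 -> server
        msg = f"PORT {encode_hostport(client_real, data_port)}\r\n"
        path = [("FW2", FW2_STATIC), ("FW1", FW1_STATIC)]
    elif mode == "passive":
        # Server announces its listening socket: server -> FW1 -> FW2 -> client
        msg = f"227 Entering Passive Mode ({encode_hostport(server_real, data_port)})\r\n"
        path = [("FW1", FW1_STATIC), ("FW2", FW2_STATIC)]
    else:
        raise ValueError(f"unknown mode {mode!r}")
    pinholes = {}
    for name, nat in path:
        msg, pinholes[name] = inspect_ftp(msg, nat)
    return {"message_received": msg, "pinholes": pinholes}


def firewalls_needing_inspection(mode: str) -> list:
    """Names of the firewalls that had to rewrite and open a pinhole."""
    return [name for name, hole in run_transfer(mode)["pinholes"].items() if hole]


if __name__ == "__main__":
    for mode in ("active", "passive"):
        print(mode, run_transfer(mode), firewalls_needing_inspection(mode))
```

Running it gives FW2 for active mode and FW1 for passive mode, matching the tests later in the post. Only the classic PORT/227 exchange is modelled; a real ALG also handles EPRT/EPSV and, because the rewritten address changes the message length, has to adjust TCP sequence numbers on the control connection.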
III. Basic configuration
FTP server:
IP:10.113.9.12/24
GW:10.113.9.1
FW1 firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 10.113.9.1 255.255.255.0
!
interface Ethernet1
nameif Outside
security-level 0
ip address 10.20.0.1 255.255.255.0
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
-----For ease of testing, all ICMP is simply permitted; not recommended in practice
static (Inside,Outside) 10.20.0.12 10.113.9.12 netmask 255.255.255.255
FW2 firewall:
ip address 10.10.1.1 255.255.255.0
ip address 10.20.0.2 255.255.255.0
static (Inside,Outside) 10.20.0.5 10.10.1.5 netmask 255.255.255.255
FTP client R1:
interface Ethernet0/0
ip address 10.10.1.5 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip ftp username xll
ip ftp password 1234qwer
IV. FTP access configuration
1. Client using passive-mode FTP
A. FW2 needs no configuration
B. FW1 configuration
----Permit policy
access-list Outside extended permit tcp host 10.20.0.5 host 10.20.0.12 eq ftp
----Configure FTP inspection
access-list ftp extended permit tcp host 10.20.0.5 host 10.113.9.12 eq ftp
class-map myftp
match access-list ftp
policy-map myftppolicy
class myftp
inspect ftp
service-policy myftppolicy interface Inside
C. Test:
R1#copy ftp: flash:
Address or name of remote host []? 10.20.0.12
Source filename []? test
Destination filename [test]?
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum... OK (0x8248)
4 bytes copied in 7.368 secs (1 bytes/sec)
R1#dir flash:
Directory of flash:/
1 -rw- 4 <no date> test
7864316 bytes total (7864248 bytes free)
-----The router's FTP client uses passive mode by default
2. Client using active-mode FTP
A. Test with FW2 not configured for FTP inspection
R1(config)#no ip ftp passive
R1(config)#exit
R1#
*Mar 1 00:35:29.871: %SYS-5-CONFIG_I: Configured from console by console
Address or name of remote host [10.20.0.12]?
Source filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
----As can be seen, the file cannot be copied at this point
B. Configure FTP inspection on FW2 and test
----Configure FTP inspection
access-list ftp extended permit tcp 10.10.1.0 255.255.255.0 host 10.20.0.12 eq ftp
class-map myftp
match access-list ftp
policy-map myftppolicy
class myftp
inspect ftp
service-policy myftppolicy interface Inside
----Test: as can be seen, the file can now be copied normally
4 bytes copied in 7.856 secs (1 bytes/sec)
C. Remove FTP inspection from FW1 and test
-----Remove FTP inspection on FW1
FW1(config)# no service-policy myftppolicy interface Inside
-----Test: as can be seen, when the client uses active-mode FTP, FW1 does not need FTP inspection
R1#copy ftp: flash:
4 bytes copied in 7.892 secs (1 bytes/sec)
This article was reposted from 碧雲天's 51CTO blog; original link: http://blog.51cto.com/333234/1694238. To reproduce it, please contact the original author yourself.