I. Test topology
II. Test approach
The client and the server cannot communicate directly; each side is behind a one-to-one static NAT.
When the client connects to the FTP server in passive mode, both the FTP control connection and the FTP data connection are initiated by the client:
----For the client-side firewall, both are accesses from the high-security zone to the low-security zone, so no permit policy is needed;
----For the server-side firewall, the control connection is an access from the low-security zone to the high-security zone, so a policy opening TCP 21 is needed; the data connection is also an access from the low-security zone to the high-security zone, on a random port, so FTP inspection must be configured.
When the client connects to the FTP server in active mode, the FTP control connection is initiated by the client while the FTP data connection is initiated by the server, so in this case the client-side firewall must be configured with FTP inspection; as verified below, the server-side firewall can do without FTP inspection in this case.
What are FTP active and passive modes? If the FTP data connection is initiated by the server, it is active mode; if the FTP data connection is initiated by the client, it is passive mode.
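As an added illustration (not part of the original note, and not Cisco's inspection code), the following Python model shows what an FTP inspection engine on a static-NAT firewall has to do with the control channel, and why the plain TCP/21 permit policy in the note is not enough on its own: it parses the PORT command and the 227 reply, rewrites the embedded real address to the mapped address, derives the data-channel pinhole (who initiates it and toward which address/port), and refuses a PORT address that differs from the control-channel peer. Addresses follow the lab (client 10.10.1.5 mapped to 10.20.0.5 on FW2, server 10.113.9.12 mapped to 10.20.0.12 on FW1); the control-channel lines and port numbers are constructed sample data, and all function names are my own.

```python
import re

# Lab addressing from the note; the NAT maps are per firewall (real IP -> mapped IP).
CLIENT_IP = "10.10.1.5"
SERVER_IP = "10.113.9.12"
FW2_NAT = {"10.10.1.5": "10.20.0.5"}       # client-side firewall
FW1_NAT = {"10.113.9.12": "10.20.0.12"}    # server-side firewall

# Constructed control-channel exchanges (sample data, not captures from the lab).
ACTIVE_SESSION = [
    ("client", "USER xll"),
    ("server", "331 Password required for xll."),
    ("client", "PORT 10,10,1,5,195,80"),   # client listens on 10.10.1.5:50000
    ("server", "200 PORT command successful."),
    ("client", "RETR test"),
]
PASSIVE_SESSION = [
    ("client", "PASV"),
    ("server", "227 Entering Passive Mode (10,113,9,12,39,23)"),  # server listens on :10007
    ("client", "RETR test"),
]
BOUNCE_SESSION = [
    ("client", "PORT 10,10,1,99,0,25"),    # names a third host, not the control-channel peer
]

HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and by the 227 reply (RFC 959)."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    vals = [int(x) for x in m.groups()]
    if any(v > 255 for v in vals):
        return None
    return ".".join(map(str, vals[:4])), vals[4] * 256 + vals[5]


def format_hostport(ip, port):
    """Inverse of parse_hostport: build the h1,h2,h3,h4,p1,p2 string."""
    return ",".join(ip.split(".")) + f",{port // 256},{port % 256}"


def inspect_ftp(session, client_ip, server_ip, nat):
    """Model of one FTP inspection engine sitting on a NAT firewall.

    For each control-channel line it: finds the data-channel address/port inside
    PORT or 227; drops the line if the address is not the control-channel peer
    (bounce guard); rewrites the embedded real address to its mapped address; and
    records the pinhole (mode, initiator, dst_ip, dst_port) that the data
    connection will need. Returns (forwarded_lines, pinholes, blocked_lines).
    """
    forwarded, pinholes, blocked = [], [], []
    pending = None
    for side, line in session:
        verb = line.split(" ", 1)[0].upper()
        if side == "client" and verb == "PORT":
            parsed = parse_hostport(line)
            if parsed is None or parsed[0] != client_ip:
                blocked.append(line)
                continue
            ip, port = parsed
            mapped = nat.get(ip, ip)
            line = "PORT " + format_hostport(mapped, port)
            pending = ("server", mapped, port)        # the server will connect in
        elif side == "server" and line.startswith("200") and pending:
            pinholes.append(("active",) + pending)    # open only once the server accepted PORT
            pending = None
        elif side == "server" and line.startswith("227"):
            parsed = parse_hostport(line)
            if parsed is None or parsed[0] != server_ip:
                blocked.append(line)
                continue
            ip, port = parsed
            mapped = nat.get(ip, ip)
            line = f"227 Entering Passive Mode ({format_hostport(mapped, port)})"
            pinholes.append(("passive", "client", mapped, port))
        forwarded.append((side, line))
    return forwarded, pinholes, blocked


def lab_results():
    """Run each case through the firewall that actually sees the data-channel setup."""
    return {
        "active_on_fw2": inspect_ftp(ACTIVE_SESSION, CLIENT_IP, SERVER_IP, FW2_NAT),
        "passive_on_fw1": inspect_ftp(PASSIVE_SESSION, CLIENT_IP, SERVER_IP, FW1_NAT),
        "bounce_on_fw2": inspect_ftp(BOUNCE_SESSION, CLIENT_IP, SERVER_IP, FW2_NAT),
    }


if __name__ == "__main__":
    for name, (fwd, pin, blk) in lab_results().items():
        print(name, "pinholes:", pin, "blocked:", blk)
        for side, line in fwd:
            print("   ", side, ">", line)
```

The two pinholes line up with what the note observes: in active mode the data connection arrives at FW2 from the outside toward the mapped client address, which is exactly the low-to-high flow that only FTP inspection can open, while FW1 merely sees the server connect outbound (high to low) and needs nothing extra; in passive mode the roles swap and the pinhole, plus the address rewrite inside the 227 reply, is needed on FW1. Without the rewrite the client would try to reach the server's real address 10.113.9.12, which is not routable from its side.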
III. Basic configuration
FTP server:
IP:10.113.9.12/24
GW:10.113.9.1
FW1 firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 10.113.9.1 255.255.255.0
!
interface Ethernet1
nameif Outside
security-level 0
ip address 10.20.0.1 255.255.255.0
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
-----To keep the test simple, all ICMP is opened; not recommended in practice
static (Inside,Outside) 10.20.0.12 10.113.9.12 netmask 255.255.255.255
FW2 firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface Ethernet1
nameif Outside
security-level 0
ip address 10.20.0.2 255.255.255.0
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
static (Inside,Outside) 10.20.0.5 10.10.1.5 netmask 255.255.255.255
FTP client R1:
interface Ethernet0/0
ip address 10.10.1.5 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip ftp username xll
ip ftp password 1234qwer
IV. FTP access configuration
1. Client uses passive-mode FTP
A. FW2 needs no configuration
B. FW1 configuration
----Permit policy
access-list Outside extended permit tcp host 10.20.0.5 host 10.20.0.12 eq ftp
----Configure FTP inspection
access-list ftp extended permit tcp host 10.20.0.5 host 10.113.9.12 eq ftp
class-map myftp
match access-list ftp
policy-map myftppolicy
class myftp
inspect ftp
service-policy myftppolicy interface Inside
C. Test:
R1#copy ftp: flash:
Address or name of remote host []? 10.20.0.12
Source filename []? test
Destination filename [test]?
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum... OK (0x8248)
4 bytes copied in 7.368 secs (1 bytes/sec)
R1#dir flash:
Directory of flash:/
1 -rw- 4 <no date> test
7864316 bytes total (7864248 bytes free)
-----The router's FTP client uses passive mode by default
2. Client uses active-mode FTP
A. Test with FW2 not configured for FTP inspection
R1(config)#no ip ftp passive
R1(config)#exit
R1#
*Mar 1 00:35:29.871: %SYS-5-CONFIG_I: Configured from console by console
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
----As seen here, the file cannot be copied in this case
B. Configure FTP inspection on FW2 and test
----Configure FTP inspection
access-list ftp extended permit tcp 10.10.1.0 255.255.255.0 host 10.20.0.12 eq ftp
class-map myftp
match access-list ftp
policy-map myftppolicy
class myftp
inspect ftp
service-policy myftppolicy interface Inside
----Test: the file can now be copied normally
R1(config)#no ip ftp passive
R1(config)#exit
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum... OK (0x8248)
4 bytes copied in 7.856 secs (1 bytes/sec)
R1#
C. Remove FTP inspection from FW1 and test
-----Remove FTP inspection on FW1
FW1(config)# no service-policy myftppolicy interface Inside
-----Test: as seen here, when the client uses active-mode FTP, FW1 can do without FTP inspection
R1(config)#no ip ftp passive
R1(config)#exit
R1#
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum... OK (0x8248)
4 bytes copied in 7.892 secs (1 bytes/sec)
R1#