1. Test topology
2. Test approach
The client and the server cannot communicate directly; each sits behind a one-to-one static NAT.
When the client connects to the FTP server in passive mode, both the FTP control connection and the FTP data connection are initiated by the client:
----For the client-side firewall, both are accesses from the high-security zone to the low-security zone, so no permit policy is needed;
----For the server-side firewall, the control connection is an access from the low-security zone to the high-security zone, so a policy permitting TCP 21 must be opened; the data connection is also from the low-security zone to the high-security zone, on a random port, so FTP inspection must be configured.
When the client connects to the FTP server in active mode, the control connection is initiated by the client and the data connection is initiated by the server; in this case the client-side firewall must have FTP inspection configured. Testing confirmed that the server-side firewall can do without FTP inspection in this case.
What are FTP active and passive modes? If the FTP data connection is initiated by the server, it is active mode; if the FTP data connection is initiated by the client, it is passive mode.
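As an added example (not from the original post), the Python script below emulates what FTP inspection has to do with one control-channel line leaving the Inside interface: decode the address embedded in a PORT command or a 227 passive-mode reply, rewrite it with this firewall's static NAT entry, and decide whether this firewall must open an Outside-to-Inside pinhole for the data connection that follows. The NAT tables are taken from the static lines in the configuration below; the sample control-channel lines are constructed.

```python
import re

# One-to-one static NAT from the lab (real -> mapped), constructed from
# the "static (Inside,Outside)" lines of FW1 and FW2.
FW1_STATIC = {"10.113.9.12": "10.20.0.12"}   # server-side firewall
FW2_STATIC = {"10.10.1.5": "10.20.0.5"}      # client-side firewall

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(ip, port):
    """Inverse of _decode: build the comma-separated FTP address form."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_ftp_line(line, static_nat):
    """Emulate FTP inspection for one Inside->Outside control-channel line.

    Returns (rewritten_line, verdict). verdict["pinhole"] is True only when
    the embedded address belongs to a host behind THIS firewall, i.e. the
    data connection will arrive Outside->Inside and must be opened; if the
    host is elsewhere, the data connection leaves high->low and needs nothing.
    """
    m = PORT_RE.match(line)
    if m:
        mode, initiator = "active", "server"      # server connects to client
        prefix, suffix = "PORT ", ""
    else:
        m = PASV_RE.match(line)
        if not m:
            return line, None                     # no embedded address
        mode, initiator = "passive", "client"     # client connects to server
        prefix, suffix = "227 Entering Passive Mode (", ")"
    real_ip, port = _decode(m.groups())
    mapped_ip = static_nat.get(real_ip)           # None if not our host
    new_line = prefix + _encode(mapped_ip or real_ip, port) + suffix
    return new_line, {"mode": mode, "initiator": initiator,
                      "data_dst": (mapped_ip or real_ip, port),
                      "pinhole": mapped_ip is not None}
```

Running the client's PORT command through FW2 and then FW1, and the server's 227 reply through FW1 and then FW2, reproduces the conclusions above: only the firewall in front of the host whose address is carried in the control channel needs inspection.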
3. Basic configuration
FTP server:
IP:10.113.9.12/24
GW:10.113.9.1
FW1 firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 10.113.9.1 255.255.255.0
!
interface Ethernet1
nameif Outside
security-level 0
ip address 10.20.0.1 255.255.255.0
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
-----For convenience during testing all ICMP is permitted; not recommended in practice
static (Inside,Outside) 10.20.0.12 10.113.9.12 netmask 255.255.255.255
FW2 firewall:
interface Ethernet0
nameif Inside
security-level 100
ip address 10.10.1.1 255.255.255.0
!
interface Ethernet1
nameif Outside
security-level 0
ip address 10.20.0.2 255.255.255.0
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
static (Inside,Outside) 10.20.0.5 10.10.1.5 netmask 255.255.255.255
FTP client R1:
interface Ethernet0/0
ip address 10.10.1.5 255.255.255.0
no shut
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip ftp username xll
ip ftp password 1234qwer
4. FTP access configuration
1. Client uses passive-mode FTP
A. FW2 needs no configuration
B. FW1 configuration
----Permit policy
access-list Outside extended permit tcp host 10.20.0.5 host 10.20.0.12 eq ftp
----Configure FTP inspection
access-list ftp extended permit tcp host 10.20.0.5 host 10.113.9.12 eq ftp
class-map myftp
match access-list ftp
policy-map myftppolicy
class myftp
inspect ftp
service-policy myftppolicy interface Inside
C. Test:
R1#copy ftp: flash:
Address or name of remote host []? 10.20.0.12
Source filename []? test
Destination filename [test]?
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum... OK (0x8248)
4 bytes copied in 7.368 secs (1 bytes/sec)
R1#dir flash:
Directory of flash:/
1 -rw- 4 <no date> test
7864316 bytes total (7864248 bytes free)
-----The router's FTP client uses passive mode by default
2. Client uses active-mode FTP
A. Test with no FTP inspection configured on FW2
R1(config)#no ip ftp passive
R1(config)#exit
R1#
*Mar 1 00:35:29.871: %SYS-5-CONFIG_I: Configured from console by console
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
----As shown, the file cannot be copied at this point
B. Configure FTP inspection on FW2 and test
----Configure FTP inspection
access-list ftp extended permit tcp 10.10.1.0 255.255.255.0 host 10.20.0.12 eq ftp
class-map myftp
match access-list ftp
policy-map myftppolicy
class myftp
inspect ftp
service-policy myftppolicy interface Inside
----Test: as shown, the file can now be copied normally
R1(config)#no ip ftp passive
R1(config)#exit
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum... OK (0x8248)
4 bytes copied in 7.856 secs (1 bytes/sec)
R1#
C. Remove FTP inspection from FW1 and test
-----Remove FTP inspection from FW1
FW1(config)# no service-policy myftppolicy interface Inside
-----Test: as shown, when the client uses active-mode FTP, FW1 can do without FTP inspection
R1(config)#no ip ftp passive
R1(config)#exit
R1#
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum... OK (0x8248)
4 bytes copied in 7.892 secs (1 bytes/sec)
R1#
This article is reproduced from the 51CTO blog of 碧云天; original link: http://blog.51cto.com/333234/1694238. To republish, please contact the original author.