1.测试拓扑:
R2 (FTP Client 202.100.1.2/24)-------------------(202.100.1.2/24) R1 (10.1.1.1/24)---------------------(10.1.1.18/24)FTP Server
参考链接: http://www.zhangdaqian.net/blog/atpat中对于ftp的处理,以及pat后的非标准21-ftp端口设置.htm
2.测试目标:
通过测试,理解FTP的两种模式:被动模式,主动模式
A.被动模式:
command :Client (源端口>tcp 1024) ------>FTP Server (目标端口tcp 21)
data:Client (目标端口>tcp 1024) ------ > FTP Server (源端口>tcp 1024)
B.主动模式:
command :Client (源端口>tcp 1024) ------>FTP Server (目标端口tcp 21)
data:Client (目标端口>tcp 1024) <------ FTP Server (源端口tcp 20)
3.基本配置:
A.R1:
config t
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 10.1.1.1 255.255.255.0
no shutdown
B.R2:
config t
interface Ethernet0/0
ip address 202.100.1.2 255.255.255.0
no shutdown
C.FTP服务器:
IP:10.1.1.18/25
GW:10.1.1.1
4.R1路由器PAT配置:
A.先只配置静态PAT
config t
interface Ethernet0/0
ip nat outside
interface Ethernet0/1
ip nat inside
ip nat inside source static tcp 10.1.1.18 21 interface e0/0 21
B.查看静态PAT设置
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 202.100.1.1:21 10.1.1.18:21 --- ---
5.FTP访问测试:
①FTP被动模式测试
A.R2作为FTP客户端配置FTP客户端为被动模式:
config t
ip ftp passive
----备注:思科路由器默认采用的是被动模式,可以不用敲
B.R2作为FTP客户端配置FTP用户名密码:
config t
ip ftp username xll
ip ftp password 1234qwer
B.R2作为客户端可以成功拷贝文件:
R2#copy ftp://202.100.1.1 flash:
Address or name of remote host [202.100.1.1]?
Source filename [watch.sh]?
Destination filename [watch.sh]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://202.100.1.1/watch.sh...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading watch.sh !
[OK - 986/4096 bytes]
Verifying checksum... OK (0xE972)
986 bytes copied in 7.492 secs (132 bytes/sec)
C.在文件拷贝过程中,在R1查看NAT转换:
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 202.100.1.1:21 10.1.1.18:21 202.100.1.2:30662 202.100.1.2:30662
tcp 202.100.1.1:21 10.1.1.18:21 202.100.1.2:35984 202.100.1.2:35984
tcp 202.100.1.1:21 10.1.1.18:21 202.100.1.2:46087 202.100.1.2:46087
tcp 202.100.1.1:21 10.1.1.18:21 202.100.1.2:48529 202.100.1.2:48529
tcp 202.100.1.1:21 10.1.1.18:21 --- ---
tcp 202.100.1.1:1576 10.1.1.18:1576 202.100.1.2:28656 202.100.1.2:28656
tcp 202.100.1.1:1577 10.1.1.18:1577 202.100.1.2:30584 202.100.1.2:30584
tcp 202.100.1.1:1578 10.1.1.18:1578 202.100.1.2:48461 202.100.1.2:48461
-----可出看出:在对外映射的时侯采用了21端口,IOS会自动识别这个端口是FTP控制口,
从而去检查里面FTP数据控制数据发现服务器告诉客户端的这个用于传送数据的端口,然后自动的添加映射。
②FTP主动模式测试
A.R2作为FTP客户端配置FTP客户端为主动模式:
config t
no ip ftp passive
B.R2作为FTP客户端配置FTP用户名密码:
--同上步
C.R2作为客户端可以成功拷贝文件,
R2#debug ip ftp
*Mar 1 01:00:05.831: %SYS-5-CONFIG_I: Configured from console by console
R2#copy ftp://202.100.1.1 flash:
Address or name of remote host [202.100.1.1]?
Source filename [watch.sh]?
Destination filename [watch.sh]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://202.100.1.1/watch.sh...
*Mar 1 01:00:14.627: FTP: 220 3Com 3CDaemon FTP Server Version 2.0
*Mar 1 01:00:14.627: FTP: ---> USER xll
*Mar 1 01:00:15.211: FTP: 331 User name ok, need password
*Mar 1 01:00:15.215: FTP: ---> PASS 1234qwer
*Mar 1 01:00:15.759: FTP: 230 User logged in
*Mar 1 01:00:15.759: FTP: ---> TYPE I
*Mar 1 01:00:16.211: FTP: 200 Type set to I.
*Mar 1 01:00:16.211: FTP: ---> PORT 202,100,1,2,68,45
*Mar 1 01:00:16.759: FTP: 200 PORT command successful.
*Mar 1 01:00:16.763: FTP: ---> RETR watch.sh
*Mar 1 01:00:17.183: FTP: 150 File status OK ; about to open data connection
----可以看出停在了数据连接状态,如果这时配合用wireshark抓包的话,可以看到源地址为10.1.1.18,源端口为tcp 20的包到达了R2,
因为R2无法连接10.1.1.18(没有路由),所有数据通讯端口无法建立
---下面是在R2上提前开启debug的抓包情况
R2#debug ip tcp packet port 20
R2#
*Mar 1 00:25:18.959: %SYS-5-CONFIG_I: Configured from console by vty1 (202.100.1.1)
R2#
*Mar 1 00:25:39.103: tcp0: I LISTEN 10.1.1.18:20 202.100.1.2:25901 seq 1802999574
OPTS 24 SYN WIN 65535
R2#
*Mar 1 00:25:42.131: tcp0: I LISTEN 10.1.1.18:20 202.100.1.2:25901 seq 1802999574
OPTS 24 SYN WIN 65535
R2#
*Mar 1 00:25:48.151: tcp0: I LISTEN 10.1.1.18:20 202.100.1.2:25901 seq 1802999574
OPTS 24 SYN WIN 65535
---这时console口已经死掉,只能重启路由器
C.R1配置动态PAT
configure t
access-list 10 permit 10.1.1.0 0.0.0.255
ip nat inside source list 10 interface ethernet 0/0 overload
D.再次拷贝文件,可以成功
R2#copy ftp://202.100.1.1 flash:
Source filename []? watch.sh
Destination filename [watch.sh]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://202.100.1.1/watch.sh...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading watch.sh !
[OK - 986/4096 bytes]
Verifying checksum... OK (0xE972)
986 bytes copied in 7.704 secs (128 bytes/sec)
R2#
----从R2上tcp 20的抓包来看,tcp三次握手是由FTP服务器发起的:
R2#debug ip tcp packet port 20
TCP Packet debugging is on for port number 20
*Mar 1 00:57:00.967: tcp0: I LISTEN 202.100.1.1:20 202.100.1.2:21993 seq 84304373
OPTS 24 SYN WIN 65535
*Mar 1 00:57:00.971: tcp0: O SYNRCVD 202.100.1.1:20 202.100.1.2:21993 seq 2180803741
OPTS 4 ACK 84304374 SYN WIN 8192
*Mar 1 00:57:01.035: tcp0: I SYNRCVD 202.100.1.1:20 202.100.1.2:21993 seq 84304374
ACK 2180803742 WIN 65535
*Mar 1 00:57:01.039: tcp0: I ESTAB 202.100.1.1:20 202.100.1.2:21993 seq 84304374
DATA 986 ACK 2180803742 PSH WIN 65535
*Mar 1 00:57:01.043: tcp0: I ESTAB 202.100.1.1:20 202.100.1.2:21993 seq 84305360
ACK 2180803742 FIN WIN 65535
---在路由器上通debug ip ftp查看完整的FTP过程,可以看到客户端是否采用主动模式取决于客户端是否会发出PASV命令
6.修改FTP端口:
如果修改FTP服务器的端口为2121,在路由器配置静态NAT如下:
ip nat inside source static tcp 10.1.1.18 2121 interface Ethernet0/0 21
此时如果FTP客户端采用FTP主动模式与FTP服务器连接是没有问题的,
但是如果采用FTP被动模式,因为R1作为NAT设备没有临时设置静态PAT,导致客户端连接服务器的数据端口失败,因此需要在R1上配置告诉R1路由器FTP服务器的端口。
access-list 20 permit 10.1.1.18
R2 (FTP Client 202.100.1.2/24)-------------------(202.100.1.2/24) R1 (10.1.1.1/24)---------------------(10.1.1.18/24)FTP Server
参考链接: http://www.zhangdaqian.net/blog/atpat中对于ftp的处理,以及pat后的非标准21-ftp端口设置.htm
2.测试目标:
通过测试,理解FTP的两种模式:被动模式,主动模式
A.被动模式:
command :Client (源端口>tcp 1024) ------>FTP Server (目标端口tcp 21)
data:Client (目标端口>tcp 1024) ------ > FTP Server (源端口>tcp 1024)
B.主动模式:
command :Client (源端口>tcp 1024) ------>FTP Server (目标端口tcp 21)
data:Client (目标端口>tcp 1024) <------ FTP Server (源端口tcp 20)
3.基本配置:
A.R1:
config t
interface Ethernet0/0
ip address 202.100.1.1 255.255.255.0
no shutdown
interface Ethernet0/1
ip address 10.1.1.1 255.255.255.0
no shutdown
B.R2:
config t
interface Ethernet0/0
ip address 202.100.1.2 255.255.255.0
no shutdown
C.FTP服务器:
IP:10.1.1.18/25
GW:10.1.1.1
4.R1路由器PAT配置:
A.先只配置静态PAT
config t
interface Ethernet0/0
ip nat outside
interface Ethernet0/1
ip nat inside
ip nat inside source static tcp 10.1.1.18 21 interface e0/0 21
B.查看静态PAT设置
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 202.100.1.1:21 10.1.1.18:21 --- ---
5.FTP访问测试:
①FTP被动模式测试
A.R2作为FTP客户端配置FTP客户端为被动模式:
config t
ip ftp passive
----备注:思科路由器默认采用的是被动模式,可以不用敲
B.R2作为FTP客户端配置FTP用户名密码:
config t
ip ftp username xll
ip ftp password 1234qwer
B.R2作为客户端可以成功拷贝文件:
R2#copy ftp://202.100.1.1 flash:
Address or name of remote host [202.100.1.1]?
Source filename [watch.sh]?
Destination filename [watch.sh]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://202.100.1.1/watch.sh...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading watch.sh !
[OK - 986/4096 bytes]
Verifying checksum... OK (0xE972)
986 bytes copied in 7.492 secs (132 bytes/sec)
C.在文件拷贝过程中,在R1查看NAT转换:
R1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 202.100.1.1:21 10.1.1.18:21 202.100.1.2:30662 202.100.1.2:30662
tcp 202.100.1.1:21 10.1.1.18:21 202.100.1.2:35984 202.100.1.2:35984
tcp 202.100.1.1:21 10.1.1.18:21 202.100.1.2:46087 202.100.1.2:46087
tcp 202.100.1.1:21 10.1.1.18:21 202.100.1.2:48529 202.100.1.2:48529
tcp 202.100.1.1:21 10.1.1.18:21 --- ---
tcp 202.100.1.1:1576 10.1.1.18:1576 202.100.1.2:28656 202.100.1.2:28656
tcp 202.100.1.1:1577 10.1.1.18:1577 202.100.1.2:30584 202.100.1.2:30584
tcp 202.100.1.1:1578 10.1.1.18:1578 202.100.1.2:48461 202.100.1.2:48461
-----可出看出:在对外映射的时侯采用了21端口,IOS会自动识别这个端口是FTP控制口,
从而去检查里面FTP数据控制数据发现服务器告诉客户端的这个用于传送数据的端口,然后自动的添加映射。
②FTP主动模式测试
A.R2作为FTP客户端配置FTP客户端为主动模式:
config t
no ip ftp passive
B.R2作为FTP客户端配置FTP用户名密码:
--同上步
C.R2作为客户端可以成功拷贝文件,
R2#debug ip ftp
*Mar 1 01:00:05.831: %SYS-5-CONFIG_I: Configured from console by console
R2#copy ftp://202.100.1.1 flash:
Address or name of remote host [202.100.1.1]?
Source filename [watch.sh]?
Destination filename [watch.sh]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://202.100.1.1/watch.sh...
*Mar 1 01:00:14.627: FTP: 220 3Com 3CDaemon FTP Server Version 2.0
*Mar 1 01:00:14.627: FTP: ---> USER xll
*Mar 1 01:00:15.211: FTP: 331 User name ok, need password
*Mar 1 01:00:15.215: FTP: ---> PASS 1234qwer
*Mar 1 01:00:15.759: FTP: 230 User logged in
*Mar 1 01:00:15.759: FTP: ---> TYPE I
*Mar 1 01:00:16.211: FTP: 200 Type set to I.
*Mar 1 01:00:16.211: FTP: ---> PORT 202,100,1,2,68,45
*Mar 1 01:00:16.759: FTP: 200 PORT command successful.
*Mar 1 01:00:16.763: FTP: ---> RETR watch.sh
*Mar 1 01:00:17.183: FTP: 150 File status OK ; about to open data connection
----可以看出停在了数据连接状态,如果这时配合用wireshark抓包的话,可以看到源地址为10.1.1.18,源端口为tcp 20的包到达了R2,
因为R2无法连接10.1.1.18(没有路由),所有数据通讯端口无法建立
---下面是在R2上提前开启debug的抓包情况
R2#debug ip tcp packet port 20
R2#
*Mar 1 00:25:18.959: %SYS-5-CONFIG_I: Configured from console by vty1 (202.100.1.1)
R2#
*Mar 1 00:25:39.103: tcp0: I LISTEN 10.1.1.18:20 202.100.1.2:25901 seq 1802999574
OPTS 24 SYN WIN 65535
R2#
*Mar 1 00:25:42.131: tcp0: I LISTEN 10.1.1.18:20 202.100.1.2:25901 seq 1802999574
OPTS 24 SYN WIN 65535
R2#
*Mar 1 00:25:48.151: tcp0: I LISTEN 10.1.1.18:20 202.100.1.2:25901 seq 1802999574
OPTS 24 SYN WIN 65535
---这时console口已经死掉,只能重启路由器
C.R1配置动态PAT
configure t
access-list 10 permit 10.1.1.0 0.0.0.255
ip nat inside source list 10 interface ethernet 0/0 overload
D.再次拷贝文件,可以成功
R2#copy ftp://202.100.1.1 flash:
Source filename []? watch.sh
Destination filename [watch.sh]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://202.100.1.1/watch.sh...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading watch.sh !
[OK - 986/4096 bytes]
Verifying checksum... OK (0xE972)
986 bytes copied in 7.704 secs (128 bytes/sec)
R2#
----从R2上tcp 20的抓包来看,tcp三次握手是由FTP服务器发起的:
R2#debug ip tcp packet port 20
TCP Packet debugging is on for port number 20
*Mar 1 00:57:00.967: tcp0: I LISTEN 202.100.1.1:20 202.100.1.2:21993 seq 84304373
OPTS 24 SYN WIN 65535
*Mar 1 00:57:00.971: tcp0: O SYNRCVD 202.100.1.1:20 202.100.1.2:21993 seq 2180803741
OPTS 4 ACK 84304374 SYN WIN 8192
*Mar 1 00:57:01.035: tcp0: I SYNRCVD 202.100.1.1:20 202.100.1.2:21993 seq 84304374
ACK 2180803742 WIN 65535
*Mar 1 00:57:01.039: tcp0: I ESTAB 202.100.1.1:20 202.100.1.2:21993 seq 84304374
DATA 986 ACK 2180803742 PSH WIN 65535
*Mar 1 00:57:01.043: tcp0: I ESTAB 202.100.1.1:20 202.100.1.2:21993 seq 84305360
ACK 2180803742 FIN WIN 65535
---在路由器上通debug ip ftp查看完整的FTP过程,可以看到客户端是否采用主动模式取决于客户端是否会发出PASV命令
6.修改FTP端口:
如果修改FTP服务器的端口为2121,在路由器配置静态NAT如下:
ip nat inside source static tcp 10.1.1.18 2121 interface Ethernet0/0 21
此时如果FTP客户端采用FTP主动模式与FTP服务器连接是没有问题的,
但是如果采用FTP被动模式,因为R1作为NAT设备没有临时设置静态PAT,导致客户端连接服务器的数据端口失败,因此需要在R1上配置告诉R1路由器FTP服务器的端口。
access-list 20 permit 10.1.1.18
ip nat service list 20 ftp tcp port 2121
本文转自 碧云天 51CTO博客,原文链接:http://blog.51cto.com/333234/1059340,如需转载请自行联系原作者
