ASA's FTP review packet capture Test

Source: Internet
Author: User
Tags ftp client

I. Overview: After watching the ASA video by yeslab instructor QIN Ke, in which the FTP server sits on the Outside and the FTP client on the Inside, active-mode FTP works because FTP inspection (inspect ftp) does two things: it rewrites the FTP application-layer data when the control connection traverses PAT, and it lets the data connection that the server initiates from Outside to Inside in active mode pass the firewall. Since PAT configured on a router also lets FTP work, we wanted to test whether it is the FTP inspection that makes PAT work for FTP, or whether the ASA's PAT can handle it on its own.
II. Test ideas and conclusions:
A. Disable FTP inspection on the ASA and check whether passive FTP works. It does: in passive mode both connections are initiated by the Inside FTP client, so the firewall passes them without FTP inspection or any permit policy.
B. Disable FTP inspection on the ASA, set the Inside router (the FTP client) to active mode, and check whether active FTP works. It does not: the packet capture shows that the IP address carried in the FTP application-layer data (the PORT command) sent by the FTP client arrives at the FTP server on the Outside unchanged. The FTP server tries to connect back to the pre-PAT address, so the data connection fails. This confirms what the instructor said.

III. Test topology:
[figure: topu.JPG]

IV. Basic configuration:
A. FTP server
IP: 202.100.1.1/24, running 3CDaemon configured as an FTP server.
B. ASA842 firewall:
① Interface configuration
interface GigabitEthernet0
 nameif Outside
 security-level 0
 ip address 202.100.1.10 255.255.255.0
 no shut
interface GigabitEthernet1
 nameif Inside
 security-level 100
 ip address 10.1.1.10 255.255.255.0
 no shut
② Modify the global policy map: disable FTP inspection and enable ICMP inspection
policy-map global_policy
 class inspection_default
  no inspect ftp
  inspect icmp
③ PAT configuration:
object network Inside_net
 subnet 10.1.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
C. Inside router:
① Interface configuration:
interface Ethernet0/0
 ip address 10.1.1.1 255.255.255.0
 no shut
② Default route configuration:
ip route 0.0.0.0 0.0.0.0 10.1.1.10
③ FTP username and password configuration:
ip ftp username xll
ip ftp password 1234qwer

V. Test procedure:
A. Passive FTP works properly with FTP inspection disabled
① Passive FTP transfers the file normally:
Inside# copy ftp: flash:
Address or name of remote host [202.100.1.1]?
Source filename [202.100.1.1]? xx.txt
Destination filename [xx.txt]?
% Warning: There is a file already existing with this name
Do you want to over write? [Confirm]
Accessing ftp://202.100.1.1/xx.txt...
Erase flash: before copying? [Confirm]
Erasing the flash filesystem will remove all files! Continue? [Confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee... erased
Erase of flash: complete
Loading xx.txt
[OK - 24/4096 bytes]

Verifying checksum... OK (0x8A8A)
24 bytes copied in 6.820 secs (4 bytes/sec)
Inside#
② Inside router interface packet capture:
[figure: passive-inside.JPG]
③ Outside interface packet capture:
[figure: passive-outside.JPG]
B. With FTP inspection disabled, active FTP does not work:
① Set the FTP client on the Inside router to active mode:
Inside(config)# no ip ftp passive
② Active FTP fails:
Inside# copy ftp: flash:
Address or name of remote host [202.100.1.1]?
Source filename [202.100.1.1]? xx.txt
Destination filename [xx.txt]?
% Warning: There is a file already existing with this name
Do you want to over write? [Confirm]
Accessing ftp://202.100.1.1/xx.txt...
③ Inside router interface packet capture:
[figure: active-inside.JPG]
④ Outside FTP server packet capture:
[figure: active-outside.JPG]
---- The captures show that with FTP inspection disabled, the ASA does not rewrite the IP address carried in the FTP application-layer data. The FTP server receives the client's pre-PAT Intranet address in the PORT command and tries to connect back to it, so the data connection cannot be established.
C. With FTP inspection enabled, FTP works normally again (the router is still in active mode from step B, as the capture names active-inside-ftpinspect and active-outside-ftpinspect show):
① Enable FTP inspection on the ASA:
policy-map global_policy
 class inspection_default
  inspect ftp
② The transfer succeeds:
Inside# copy ftp: flash:
Address or name of remote host []? 202.100.1.1
Source filename []? xx.txt
Destination filename [xx.txt]?
% Warning: There is a file already existing with this name
Do you want to over write? [Confirm]
Accessing ftp://202.100.1.1/xx.txt...
Erase flash: before copying? [Confirm]
Erasing the flash filesystem will remove all files! Continue? [Confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee... erased
Erase of flash: complete
Loading xx.txt
[OK - 24/4096 bytes]

Verifying checksum... OK (0x8A8A)
24 bytes copied in 1.788 secs (13 bytes/sec)
③ Inside router interface packet capture:
[figure: active-inside-ftpinspect.JPG]
④ Outside FTP server packet capture:
[figure: active-outside-ftpinspect.JPG]
---- The captures show that with FTP inspection enabled, the ASA rewrites the IP address and port carried in the FTP application-layer data to the translated values, so the server connects back to the PAT address and the ASA lets the data connection through.
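The mechanism behind results A, B and C above, modelled in Python as an added example (this is not code from the original post or from Cisco): the client's PORT command carries its own address in the payload, the ASA's PAT rewrites only the IP header unless inspect ftp is enabled, and in active mode the server can only call back to an address the ASA has a mapping for. The IP addresses come from the lab topology on this page; the PatBox class, the port numbers (10001, 50000, the PAT range starting at 1024) and the OUTSIDE_CAPTURE lines are constructed for the example. The last function is the check a defender would run over a capture taken on the Outside side: a PORT command that still carries an RFC 1918 address is exactly what the page's outside capture shows when inspection is off.

```python
import ipaddress
import re

# Addresses from the lab topology on this page; everything else is constructed.
INSIDE_CLIENT = "10.1.1.1"    # Inside router acting as FTP client
OUTSIDE_IF = "202.100.1.10"   # ASA Outside interface = PAT address
FTP_SERVER = "202.100.1.1"    # FTP server on the Outside

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """h1,h2,h3,h4,p1,p2 (RFC 959) -> (ip, port)."""
    h = [int(g) for g in groups]
    return ".".join(str(x) for x in h[:4]), h[4] * 256 + h[5]


def encode_hostport(ip, port):
    """(ip, port) -> h1,h2,h3,h4,p1,p2."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def parse_port_command(line):
    """(ip, port) the client announced in a PORT command, else None."""
    m = PORT_RE.match(line)
    return decode_hostport(m.groups()) if m else None


def parse_pasv_reply(line):
    """(ip, port) the server announced in a 227 reply, else None."""
    m = PASV_RE.match(line)
    return decode_hostport(m.groups()) if m else None


class PatBox:
    """Toy model of 'nat (inside,outside) dynamic interface': each inside
    (ip, port) gets a fresh port on the Outside address. Constructed, not ASA."""

    def __init__(self, outside_ip, first_port=1024):
        self.outside_ip = outside_ip
        self.next_port = first_port
        self.table = {}  # (inside_ip, inside_port) -> (outside_ip, outside_port)

    def allocate(self, inside_ip, inside_port):
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = (self.outside_ip, self.next_port)
            self.next_port += 1
        return self.table[key]


def forward_control_line(line, pat, inspect_ftp):
    """Control-channel line as the server sees it after the ASA.
    Without inspect ftp only the IP header is translated, so the PORT payload
    still carries the pre-PAT inside address; with it the ASA rewrites the
    payload to the PAT address/port and records the mapping (the pinhole)."""
    ep = parse_port_command(line)
    if ep is None or not inspect_ftp:
        return line
    out_ip, out_port = pat.allocate(*ep)
    return f"PORT {encode_hostport(out_ip, out_port)}"


def server_can_connect_back(line_seen_by_server, pat):
    """Active mode: the server connects to whatever PORT told it, which only
    reaches the Inside client if it is a mapping the ASA knows about."""
    ep = parse_port_command(line_seen_by_server)
    return ep is not None and ep in pat.table.values()


def run_transfer(mode, inspect_ftp):
    """One data-connection setup through the ASA; True if it can be built."""
    pat = PatBox(OUTSIDE_IF)
    if mode == "passive":
        # Server announces its own Outside address; the Inside client then
        # opens the data connection outbound, which PAT handles like any flow.
        reply = f"227 Entering Passive Mode ({encode_hostport(FTP_SERVER, 50000)})"
        ip, _port = parse_pasv_reply(reply)
        return ip == FTP_SERVER
    # Active: the client announces its private address; the server must call back.
    client_line = f"PORT {encode_hostport(INSIDE_CLIENT, 10001)}"
    return server_can_connect_back(forward_control_line(client_line, pat, inspect_ftp), pat)


def find_leaked_private_ports(capture_lines):
    """Detection over an Outside-side capture: a PORT command still carrying an
    RFC 1918 address means FTP inspection/ALG is not rewriting the payload."""
    leaks = []
    for line in capture_lines:
        ep = parse_port_command(line)
        if ep and ipaddress.ip_address(ep[0]).is_private:
            leaks.append(ep)
    return leaks


# Constructed control-channel lines standing in for the Outside capture of test B.
OUTSIDE_CAPTURE = ["USER xll", "PORT 10,1,1,1,39,17", "RETR xx.txt"]

if __name__ == "__main__":
    for mode, insp in [("passive", False), ("active", False), ("active", True)]:
        print(f"{mode:7} inspect ftp={insp!s:5} -> {'OK' if run_transfer(mode, insp) else 'FAIL'}")
    print("leaked private endpoints:", find_leaked_private_ports(OUTSIDE_CAPTURE))
```

Running the block reproduces the three outcomes of the test: passive works without inspection, active fails without it and works with it. The model deliberately ignores the separate data-channel ACL question and only tracks whether the PORT payload and the PAT table agree, because that is the single point the captures on this page turn on.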

This article is from the "httpyuntianjxxll. spac..." blog, please be sure to keep this source http://333234.blog.51cto.com/323234/1304633
