I. Test topology
[Topology diagram: image not reproduced]
II. Test ideas
The client and the server cannot reach each other directly; each sits behind a firewall that performs a one-to-one static NAT for it.
When the client connects to the FTP server in passive mode, both the FTP control connection and the FTP data connection are initiated by the client:
---- on the client-side firewall this is access from the high-security zone to the low-security zone, so no policy needs to be opened;
---- on the server-side firewall the control connection is access from the low-security zone to the high-security zone, so a policy permitting TCP 21 is required; the data connection is also low-to-high, but its port is chosen at random, so FTP inspection must be configured.
When the client connects to the FTP server in active mode, the control connection is initiated by the client but the data connection is initiated by the server. In this case the client-side firewall must have FTP inspection configured, while the server-side firewall does not need it.
Which mode is which: if the data connection is initiated by the server, it is active mode; if the data connection is initiated by the client, it is passive mode.
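To make the reasoning above concrete, here is an added Python model of the problem; it is not part of the original post and not Cisco code. It assumes the lab's static NAT mappings (FW1: 10.113.9.12 to 10.20.0.12; for FW2 the client mapping 10.10.1.5 to 10.20.0.5 is an assumption implied by the addresses used later in the post) and uses constructed PORT and 227 control-channel lines. It shows why static NAT alone is not enough: the data-connection address is carried inside the FTP payload, so the firewall in front of the host that will receive the data connection must rewrite that address and open the matching pinhole, which is exactly what "inspect ftp" does.

```python
import re

# Constructed static NAT table modelled on the lab.  Assumption: FW2's mapping
# for the client (10.10.1.5 -> 10.20.0.5) is implied by the post's addresses.
# firewall -> {inside address: outside (mapped) address}
STATIC_NAT = {
    "FW1": {"10.113.9.12": "10.20.0.12"},  # server-side firewall
    "FW2": {"10.10.1.5": "10.20.0.5"},     # client-side firewall
}

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_port_or_pasv(line):
    """Parse the address the FTP control channel carries for the data connection:
    a client 'PORT h1,h2,h3,h4,p1,p2' command (active mode: the server will
    connect to the client) or a server '227 Entering Passive Mode (h1,...,p2)'
    reply (passive mode: the client will connect to the server).
    Returns (mode, ip, port)."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        mode = "active"
    elif text.startswith("227"):
        mode = "passive"
    else:
        raise ValueError("not a PORT command or a 227 reply: %r" % line)
    m = _HOSTPORT.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    fields = [int(f) for f in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in %r" % line)
    ip = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]  # p1,p2 are the high and low port bytes
    return mode, ip, port


def format_hostport(ip, port):
    """Inverse of the parser: ('10.20.0.12', 50000) -> '10,20,0,12,195,80'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_ftp(firewall, line):
    """What 'inspect ftp' must do that header-only static NAT cannot: if the
    embedded data-connection address is an inside host of this firewall,
    rewrite it to the mapped outside address and record the pinhole
    (outside_ip, port) to open for the incoming data connection.
    Returns (new_line, pinhole); pinhole is None when the line carries no
    address this firewall translates."""
    mode, ip, port = parse_port_or_pasv(line)
    mapping = STATIC_NAT[firewall]
    if ip not in mapping:
        return line, None
    outside_ip = mapping[ip]
    new_line = line.replace(format_hostport(ip, port), format_hostport(outside_ip, port))
    return new_line, (outside_ip, port)


def firewalls_needing_inspection(mode):
    """The firewall that needs 'inspect ftp' is the one in front of the host
    that will *receive* the data connection: that host's private address is the
    one embedded in the control channel, and the connection arrives from the
    low-security side, so a pinhole must be opened for it."""
    return {"active": ["FW2"], "passive": ["FW1"]}[mode]


if __name__ == "__main__":
    # Constructed control-channel lines, one per mode.
    for fw, line in [("FW1", "227 Entering Passive Mode (10,113,9,12,195,80)"),
                     ("FW2", "PORT 10,10,1,5,4,1")]:
        mode = parse_port_or_pasv(line)[0]
        print(mode, "->", firewalls_needing_inspection(mode), inspect_ftp(fw, line))
```

Running it prints, for the passive-mode 227 reply, that FW1 rewrites the server's private address to 10.20.0.12 and must open port 50000, and for the active-mode PORT command, that FW2 rewrites the client's private address to 10.20.0.5 and must open port 1025; the other firewall in each case sees an already-mapped address and has nothing to do, which matches the test results in section IV.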
III. Basic configuration
FTP server:
ip: 10.113.9.12/24
gw: 10.113.9.1
FW1 firewall:
interface Ethernet0
 nameif Inside
 security-level 100
 ip address 10.113.9.1 255.255.255.0
!
interface Ethernet1
 nameif Outside
 security-level 0
 ip address 10.20.0.1 255.255.255.0
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
----- ICMP is opened wholesale for ease of testing; not recommended in practice
static (Inside,Outside) 10.20.0.12 10.113.9.12 netmask 255.255.255.255
FW2 firewall:
access-list Outside extended permit icmp any any
access-group Outside in interface Outside
FTP client R1:
interface Ethernet0/0
 ip address 10.10.1.5 255.255.255.0
 no shutdown
ip route 0.0.0.0 0.0.0.0 10.10.1.1
ip ftp username XLL
ip ftp password 1234qwer
IV. FTP access configuration
1. The client uses passive-mode FTP
A. FW2: no configuration required
B. FW1 configuration
---- permit policy
access-list Outside extended permit tcp host 10.20.0.5 host 10.20.0.12 eq ftp
---- configure FTP inspection
access-list FTP extended permit tcp host 10.20.0.5 host 10.113.9.12 eq ftp
class-map myftp
 match access-list FTP
policy-map myftppolicy
 class myftp
  inspect ftp
service-policy myftppolicy interface Inside
C. Test:
R1#copy ftp: flash:
Address or name of remote host []? 10.20.0.12
Source filename []? test
Destination filename [test]?
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum...  OK (0x8248)
4 bytes copied in 7.368 secs (1 bytes/sec)
R1#dir flash:
Directory of flash:/
    1  -rw-           4                    <no date>  test
7864316 bytes total (7864248 bytes free)
----- the router's built-in FTP client uses passive mode by default
2. The client uses active-mode FTP
A. FW2 without FTP inspection: test
R1(config)#no ip ftp passive
R1(config)#exit
R1#
*Mar  1 00:35:29.871: %SYS-5-CONFIG_I: Configured from console by console
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
---- as can be seen, the file cannot be copied at this point
B. FW2: configure FTP inspection and test
---- configure FTP inspection
access-list FTP extended permit tcp 10.10.1.0 255.255.255.0 host 10.20.0.12 eq ftp
class-map myftp
 match access-list FTP
policy-map myftppolicy
 class myftp
  inspect ftp
service-policy myftppolicy interface Inside
---- test: files can now be copied normally
R1(config)#no ip ftp passive
R1(config)#exit
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum...  OK (0x8248)
4 bytes copied in 7.856 secs (1 bytes/sec)
R1#
C. FW1: remove FTP inspection and test
----- remove FTP inspection on FW1
FW1(config)# no service-policy myftppolicy interface Inside
----- test: when the client uses active-mode FTP, FW1 does not need FTP inspection configured
R1(config)#no ip ftp passive
R1(config)#exit
R1#
R1#copy ftp: flash:
Address or name of remote host [10.20.0.12]?
Source filename [test]?
Destination filename [test]?
%Warning:There is a file already existing with this name
Do you want to over write? [confirm]
Accessing ftp://10.20.0.12/test...
Erase flash: before copying? [confirm]
Erasing the flash filesystem will remove all files! Continue? [confirm]
Erasing device... eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ...erased
Erase of flash: complete
Loading test
[OK - 4/4096 bytes]
Verifying checksum...  OK (0x8248)
4 bytes copied in 7.892 secs (1 bytes/sec)
R1#
This article is from the "Httpyuntianjxxll.spac.." blog; please keep this source: http://333234.blog.51cto.com/323234/1694238
FTP test across two PIX 8.0 firewalls with two static NATs