Cisco Community
ASA 配置FTP

Posted on 2018-11-30 22:32:56
This post was last edited by vsop5207 on 2018-11-30 22:35

The ASA is used more and more, and deploying it as the Internet edge gateway is very common. One of the usual jobs of an edge gateway is NAT mapping of servers (port forwarding), and for protocols such as FTP and TFTP there are a few configuration points to watch out for. The following examples show the configuration for different environments:

1. ASA configuration when the FTP server is on the outside network


Configuration example:
ASA Version 9.1(5)
!
hostname ASA
domain-name corp.com
enable password WwXYvtKrnjXqGbu1 encrypted
names
!
interface GigabitEthernet0/0
  nameif Outside
  security-level 0
  ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
  nameif Inside
  security-level 50
  ip address 172.16.1.12 255.255.255.0
!
interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
!
interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Management0/0
  management-only
  shutdown
  no nameif
  no security-level
  no ip address
!--- Output is suppressed.
!--- A network object is created to define the Inside subnet.
object network obj-172.16.1.5
 subnet 172.16.1.0 255.255.255.0


!--- Object NAT is created to map Inside Client to Outside subnet IP.

object network obj-172.16.1.5
nat (Inside,Outside) dynamic 192.168.1.5
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
!--- This command tells the device to
!--- use the "global_policy" policy-map on all interfaces.
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b2f54134e685d11b274ee159e5ed009
: end
ASA(config)#
Verify
Connections
Client in Inside Network running ACTIVE FTP:   

Ciscoasa(config)# sh conn
3 in use, 3 most used

TCP Outside 192.168.1.15:20 inside 172.16.1.5:61855, idle 0:00:00, bytes 145096704, flags UIB <--- Dynamic Connection Opened

TCP Outside 192.168.1.15:21 inside 172.16.1.5:61854, idle 0:00:00, bytes 434, flags UIO        


2. FTP server in the internal DMZ



Configuration:
ASA(config)#show running-config
ASA Version 9.1(5)
!
hostname ASA
domain-name corp.com
enable password WwXYvtKrnjXqGbu1 encrypted
names
!
interface GigabitEthernet0/0
  nameif Outside
  security-level 0
  ip address 192.168.1.2 255.255.255.0
!
interface GigabitEthernet0/1
  nameif DMZ
  security-level 50
  ip address 172.16.1.12 255.255.255.0
!
interface GigabitEthernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
!
interface GigabitEthernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
!
interface Management0/0
  management-only
  shutdown
  no nameif
  no security-level
  no ip address
  !--- Output is suppressed.   
!--- Permit inbound FTP control traffic.  

access-list 100 extended permit tcp any host 192.168.1.5 eq ftp
!--- Object groups are created to define the hosts.   
object network obj-172.16.1.5
host 172.16.1.5

!--- Object NAT is created to map FTP server with IP of Outside Subnet.

object network obj-172.16.1.5
nat (DMZ,Outside) static 192.168.1.5

access-group 100 in interface outside
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
!--- This command tells the device to
!--- use the "global_policy" policy-map on all interfaces.
service-policy global_policy global
prompt hostname context
Cryptochecksum:4b2f54134e685d11b274ee159e5ed009
: end
ASA(config)#
Verify
Connections:
Client in Outside Network running in Active Mode FTP:

ciscoasa(config)# sh conn
3 in use, 3 most used

TCP outside 192.168.1.15:55836 DMZ 172.16.1.5:21,    idle 0:00:00, bytes 470, flags UIOB

TCP outside 192.168.1.15:55837 DMZ 172.16.1.5:20, idle 0:00:00, bytes 225595694, flags UI <--- Dynamic Port channel

3. Configuring FTP inspection on a non-standard TCP port

The default inspection class only matches FTP control traffic on port 21. For a server that listens on another port (XXXX below is a placeholder for that port number), an access list is used to classify the control connection so that the FTP inspection engine is applied to it:

access-list ftp-list extended permit tcp any any eq XXXX
class-map ftp-class
 match access-list ftp-list
policy-map global_policy
 class ftp-class
  inspect ftp
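The reason `inspect ftp` is needed in all three scenarios above is that FTP carries IP addresses and port numbers inside the protocol itself: the client's PORT command in active mode and the server's 227 reply in passive mode. A NAT device that does not look inside the control channel forwards the private address unchanged and has no way of knowing which data connection to permit. The Python below is an added illustration, not code from the post or from Cisco; it models the two things the inspection engine does on the control channel: rewrite the embedded address according to the object NAT rule, and derive the data-channel pinhole that `show conn` later lists as the dynamic connection (192.168.1.15:20 to 172.16.1.5:61855 in section 1, 172.16.1.5:20 to 192.168.1.15:55837 in section 2). The ASA only runs this logic on control connections the class-map selects, which is why section 3 needs `match access-list` for a non-standard port. The addresses and the NAT mapping are the post's own; the function names, the pinhole representation and the message lines are constructed for this example.

```python
"""Added example (not from the forum post): a model of what the ASA's
`inspect ftp` does to the FTP control channel.  FTP embeds addresses in
PORT commands and 227 (PASV) replies, so a NAT device must (1) rewrite the
embedded address to the mapped one and (2) open a pinhole for the data
connection that follows.  Addresses/NAT mapping are the post's sample
values; the message lines themselves are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Address-carrying messages of IPv4 FTP: "PORT h1,h2,h3,h4,p1,p2" from the
# client, and "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server.
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """Data connection to permit, initiator -> responder, in real (untranslated)
    addresses.  src_port is None when the initiator's port is not known yet."""
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int


def _decode(groups: Tuple[str, ...]) -> Tuple[str, int]:
    """(h1,h2,h3,h4,p1,p2) -> ('h1.h2.h3.h4', p1*256 + p2), range-checked."""
    vals = [int(g) for g in groups]
    if any(v > 255 for v in vals):
        raise ValueError("FTP address field out of range: %r" % (groups,))
    return ".".join(str(v) for v in vals[:4]), vals[4] * 256 + vals[5]


def _encode(ip: str, port: int) -> str:
    """Inverse of _decode: the comma-separated form FTP puts on the wire."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


def inspect_ftp(line: str, nat_map: Dict[str, str], peer_ip: str
                ) -> Tuple[str, Optional[Pinhole]]:
    """Inspect one control-channel line.

    nat_map -- {real_ip: mapped_ip}, i.e. the object NAT rules
    peer_ip -- real address of the other end of the control channel: the
               server for a PORT command, the client for a 227 reply
    Returns the line as it should be forwarded and the pinhole to open
    (None for lines that carry no address).
    """
    m = PORT_RE.match(line)
    if m:
        real_ip, port = _decode(m.groups())
        # Active mode: the server connects from port 20 to the socket the
        # client advertised.  Forward the mapped address, permit to the real one.
        mapped_ip = nat_map.get(real_ip, real_ip)
        return f"PORT {_encode(mapped_ip, port)}", Pinhole(peer_ip, 20, real_ip, port)

    m = PASV_RE.match(line)
    if m:
        real_ip, port = _decode(m.groups())
        # Passive mode: the client will connect from an ephemeral port to the
        # socket the server advertised; only the address part is rewritten.
        mapped_ip = nat_map.get(real_ip, real_ip)
        rewritten = line[: m.start(1)] + _encode(mapped_ip, port) + line[m.end(6):]
        return rewritten, Pinhole(peer_ip, None, real_ip, port)

    return line, None


if __name__ == "__main__":
    nat = {"172.16.1.5": "192.168.1.5"}  # the post's object NAT rule
    scenarios = [
        # Section 1: inside client 172.16.1.5 (dynamic NAT) in active mode,
        # FTP server 192.168.1.15 on the outside.
        ("PORT 172,16,1,5,241,159", "192.168.1.15"),
        # Section 2: outside client 192.168.1.15 in active mode, server in DMZ.
        ("PORT 192,168,1,15,218,29", "172.16.1.5"),
        # Section 2, passive mode: the DMZ server's reply must be rewritten too.
        ("227 Entering Passive Mode (172,16,1,5,195,80)", "192.168.1.15"),
        ("USER anonymous", "172.16.1.5"),
    ]
    for msg, peer in scenarios:
        out, hole = inspect_ftp(msg, nat, peer)
        print(f"{msg!r:50} -> {out!r}")
        print(f"{'':50}    pinhole: {hole}")
```

Running the script prints, for the section 1 PORT command, the rewritten `PORT 192,168,1,5,241,159` and a pinhole from 192.168.1.15:20 to 172.16.1.5:61855, which is exactly the dynamic connection with flags UIB in the first `sh conn` output; without the rewrite the outside server would try to connect to 172.16.1.5 directly and the transfer would hang after the login.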

Posted on 2018-12-3 11:46:02
Thanks to the moderator for sharing.