ASPF (firewall dual-channel inspection)
It is mainly used for FTP active mode. When FTP runs in active mode, the port numbers used in each direction differ and are negotiated by the two ends, so a dual-channel mechanism is needed to tell the firewall the negotiated port numbers.
QQ's text traffic and voice traffic travel over different channels, so dual-channel inspection is needed there as well.
Configuration:
r1: trust
r2: untrust
First enable the FTP service on r2
aaa
local-user 123 password cipher 123
local-user 123 privilege level 15
local-user 123 ftp-directory flash:
local-user 123 service-type ftp
local-user admin password cipher 123
local-user admin service-type http
Set the policy on the firewall:
security-policy
rule name 1
source-zone trust
destination-zone local
destination-zone untrust
service ftp
service icmp
action permit
Assign the interfaces to zones on the firewall:
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/0
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
After the static routes are configured, FTP can begin:
r1:
ftp 100.1.1.2
passive // enable active mode
cd dhcp
get dhcp-duid.txt
[USG6000V1]dis firewall session table
2022-04-01 07:04:01.510
Current Total Sessions : 3
ftp-data VPN: public --> public 10.1.1.2:51159 --> 100.1.1.2:50735
netbios-datagram VPN: public --> public 10.1.1.100:138 --> 10.1.1.255:138
ftp VPN: public --> public 10.1.1.2:49474 +-> 100.1.1.2:21
Success!
Custom ASPF
The ASPF above cannot handle applications that are not predefined, and it is also easy for attackers to take advantage of.
By changing the port, the service's availability and security can be preserved.
Configuration:
[USG6000V1]ip service-set port2121 type object
[USG6000V1-object-service-set-port2121]service protocol tcp source-port 0 to 65535 destination-port 2121 // set source and destination ports
[USG6000V1]security-policy
[USG6000V1-policy-security-rule-1]service port2121 // add the manually configured service to the security policy
r1:
<trust>ftp 100.1.1.2 2121
Trying 100.1.1.2 ...
Press CTRL+K to abort
Connected to 100.1.1.2.
220 FTP service ready.
User(100.1.1.2:(none)):123
331 Password required for 123.
Enter password:
230 User logged in.
[trust-ftp]dir
But it turned out not to work.
Reason: ASPF does not listen on port 2121, so it cannot open a channel for port 2121.
acl number 3000
rule 1 permit tcp destination 100.1.1.2 0 destination-port eq 2121
[USG6000V1]firewall interzone trust untrust
detect ftp
detect user-defined 3000 inbound
detect user-defined 3000 outbound // change the port ASPF listens on
But it still does not work:
[trust-ftp]dir
227 Entering Passive Mode (100,1,1,2,195,91).
Port identification
Port identification maps a non-standard protocol port to a recognizable application-protocol port.
Configuration:
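To make the failure above concrete, here is an added example (not part of this lab note and not Huawei's implementation) that models what ASPF does: it reads the FTP control channel, decodes the h1,h2,h3,h4,p1,p2 address in a PORT command or 227 reply, and opens a pinhole for the data channel. The 227 reply is the one quoted above; the PORT line and the Aspf class are constructed for illustration, and port_mapping() stands in for "port-mapping ftp port 2121 acl 2000".

```python
import re

# Constructed samples: the 227 reply is the one seen in this lab; the PORT command is made up.
PASV_REPLY = "227 Entering Passive Mode (100,1,1,2,195,91)."
PORT_CMD = "PORT 10,1,1,2,197,209"

_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_ftp_hostport(line):
    """Decode h1,h2,h3,h4,p1,p2 from a PORT command or 227 reply into (ip, port)."""
    m = _HOSTPORT.search(line)
    if not m:
        return None
    fields = list(map(int, m.groups()))
    if any(f < 0 or f > 255 for f in fields):
        return None  # malformed; an inspector must never open a pinhole on garbage
    h1, h2, h3, h4, p1, p2 = fields
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class Aspf:
    """Toy ASPF (hypothetical model): only control connections whose server port is
    recognized as FTP are inspected, which is why ftp on 2121 fails without port mapping."""

    def __init__(self, ftp_ports=(21,)):
        self.ftp_ports = set(ftp_ports)
        self.pinholes = []  # (src_ip, dst_ip, dst_port) data-channel entries to permit

    def port_mapping(self, port):
        self.ftp_ports.add(port)  # equivalent of "port-mapping ftp port <port> acl <n>"

    def inspect(self, client, server, server_port, line):
        """Return the pinhole opened for this control-channel line, or None."""
        if server_port not in self.ftp_ports:
            return None  # not identified as FTP: control channel is not inspected
        ep = parse_ftp_hostport(line)
        if ep is None:
            return None
        ip, port = ep
        if line.startswith("227") and ip == server:      # passive: client -> server:port
            hole = (client, server, port)
        elif line.upper().startswith("PORT") and ip == client:  # active: server -> client:port
            hole = (server, client, port)
        else:
            return None  # address does not match the peer: refuse (classic FTP bounce)
        self.pinholes.append(hole)
        return hole
```

Only the data-channel endpoint learned from the inspected control channel is permitted, and only while that control connection is in the session table.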
[USG6000V1]acl 2000
[USG6000V1-acl-basic-2000]rule permit source 100.1.1.2 0
[USG6000V1]port-mapping ftp port 2121 acl 2000
On r1:
<trust>ftp 100.1.1.2 2121
Trying 100.1.1.2 ...
Press CTRL+K to abort
Connected to 100.1.1.2.
220 FTP service ready.
User(100.1.1.2:(none)):123
331 Password required for 123.
Enter password:
230 User logged in.
[trust-ftp]dir
200 Port command okay.
150 Opening ASCII mode data connection for *.
drwxrwxrwx 1 noone nogroup 0 Apr 01 09:59 dhcp
-rwxrwxrwx 1 noone nogroup 121802 May 26 2014 portalpage.zip
-rwxrwxrwx 1 noone nogroup 2263 Apr 01 09:59 statemach.efs
-rwxrwxrwx 1 noone nogroup 828482 May 26 2014 sslvpn.zip
drwxrwxrwx 1 noone nogroup 0 Apr 01 09:59 .
-rwxrwxrwx 1 noone nogroup 691 Apr 01 09:59 vrpcfg.zip
226 Transfer complete.
FTP: 394 byte(s) received in 0.200 second(s) 1.97Kbyte(s)/sec.
Initial success.
Next, try to get a file in active mode:
[trust-ftp]cd dhcp
[trust-ftp]get dhcp-duid.txt
Check on the firewall whether the channel has been established:
[USG6000V1]dis firewall session table
2022-04-01 10:09:05.300
Current Total Sessions : 2
FTP VPN: public --> public 10.1.1.2:50628 +-> 100.1.1.2:2121
ftp-data VPN: public --> public 10.1.1.2:50911 --> 100.1.1.2:50004
Success!