2. Modifying the access rules
To make the demonstration clearer, we need to change the rules. Double-click the Unrestricted Internet access rule and change both its source network and its destination network to All Networks (and Local Host), then delete the second rule, VPN Clients to Internal Network. The modified rules are shown in the figure below:
Click Apply to save the changes and update the firewall policy.
3. Testing connectivity between the networks
Now let's test connectivity between the networks, starting with Client1 on the Internal network:
/* Testing on Client1 */
C:\Documents and Settings\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : mine
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Loopback:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Loopback Adapter
Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
/* Ping our own gateway (the ISA firewall's internal interface) */
C:\Documents and Settings\Administrator>ping 192.168.0.1 -n 2
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=4ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 4ms, Average = 2ms
/* Ping the ISA firewall's external interface */
C:\Documents and Settings\Administrator>ping 61.139.0.12 -n 2
Pinging 61.139.0.12 with 32 bytes of data:
Reply from 61.139.0.12: bytes=32 time<1ms TTL=128
Reply from 61.139.0.12: bytes=32 time=10ms TTL=128
Ping statistics for 61.139.0.12:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 10ms, Average = 5ms
/* Ping the ISA firewall's DMZ interface */
C:\Documents and Settings\Administrator>ping 61.139.0.9 -n 2
Pinging 61.139.0.9 with 32 bytes of data:
Reply from 61.139.0.9: bytes=32 time=2ms TTL=128
Reply from 61.139.0.9: bytes=32 time<1ms TTL=128
Ping statistics for 61.139.0.9:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms
/* Ping the host Ftp1 in the DMZ network */
C:\Documents and Settings\Administrator>ping 61.139.0.10 -n 2
Pinging 61.139.0.10 with 32 bytes of data:
Reply from 61.139.0.10: bytes=32 time=1ms TTL=127
Reply from 61.139.0.10: bytes=32 time=2ms TTL=127
Ping statistics for 61.139.0.10:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms
/* Ping the host External1 in the external network */
C:\Documents and Settings\Administrator>ping 61.139.0.1 -n 2
Pinging 61.139.0.1 with 32 bytes of data:
Reply from 61.139.0.1: bytes=32 time=2ms TTL=127
Reply from 61.139.0.1: bytes=32 time=2ms TTL=127
Ping statistics for 61.139.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
All of these tests pass.
Now let's test on the ISA firewall:
/* Testing on the ISA firewall */
C:\Documents and Settings\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Florence
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter DMZ:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #2
Physical Address. . . . . . . . . : 00-03-FF-7E-BC-3B
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 61.139.0.9
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :
Ethernet adapter Internal:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
Physical Address. . . . . . . . . : 00-03-FF-EE-45-8D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter External:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #3
Physical Address. . . . . . . . . : 00-03-FF-FC-FF-FF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 61.139.0.12
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 61.139.0.1
/* Ping Client1 in the Internal network */
C:\Documents and Settings\Administrator>ping 192.168.0.8
Pinging 192.168.0.8 with 32 bytes of data:
Reply from 192.168.0.8: bytes=32 time<1ms TTL=128
Reply from 192.168.0.8: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.8:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
/* Ping Ftp1 in the DMZ network */
C:\Documents and Settings\Administrator>ping 61.139.0.10
Pinging 61.139.0.10 with 32 bytes of data:
Reply from 61.139.0.10: bytes=32 time=2ms TTL=128
Reply from 61.139.0.10: bytes=32 time=2ms TTL=128
Ping statistics for 61.139.0.10:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
/* Ping External1 in the external network */
C:\Documents and Settings\Administrator>ping 61.139.0.1
Pinging 61.139.0.1 with 32 bytes of data:
Reply from 61.139.0.1: bytes=32 time=20ms TTL=128
Reply from 61.139.0.1: bytes=32 time=1ms TTL=128
Ping statistics for 61.139.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 20ms, Average = 10ms
These tests all pass as well.
Now let's test on Ftp1 in the DMZ network:
/* Testing on Ftp1 */
C:\Documents and Settings\Administrator>ipconfig
Windows IP Configuration
Ethernet adapter DMZ:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 61.139.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 61.139.0.9
/* Ping the ISA firewall's DMZ interface */
C:\Documents and Settings\Administrator>ping 61.139.0.9 -n 2
Pinging 61.139.0.9 with 32 bytes of data:
Reply from 61.139.0.9: bytes=32 time=3ms TTL=128
Ping statistics for 61.139.0.9:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 3ms, Average = 3ms
Control-C
^C
/* Ping the ISA firewall's external interface */
C:\Documents and Settings\Administrator>ping 61.139.0.12 -n 2
Pinging 61.139.0.12 with 32 bytes of data:
Reply from 61.139.0.12: bytes=32 time=2ms TTL=128
Ping statistics for 61.139.0.12:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
Control-C
^C
/* Ping the host External1 on the Internet */
C:\Documents and Settings\Administrator>ping 61.139.0.1 -n 2
Pinging 61.139.0.1 with 32 bytes of data:
Request timed out.
Ping statistics for 61.139.0.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
This test fails. Why?
Finally, let's test on External1, the host on the Internet:
/* Testing on External1 */
C:\Documents and Settings\Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Sydney
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
Physical Address. . . . . . . . . : 00-03-FF-FF-36-DB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 61.139.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 61.139.0.1
/* Ping the ISA firewall's external interface */
C:\Documents and Settings\Administrator>ping 61.139.0.12 -n 2
Pinging 61.139.0.12 with 32 bytes of data:
Reply from 61.139.0.12: bytes=32 time=4ms TTL=128
Ping statistics for 61.139.0.12:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 4ms, Average = 4ms
Control-C
^C
/* Ping the ISA firewall's DMZ interface */
C:\Documents and Settings\Administrator>ping 61.139.0.9 -n 2
Pinging 61.139.0.9 with 32 bytes of data:
Request timed out.
Ping statistics for 61.139.0.9:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
/* Ping the host Ftp1 in the DMZ network */
C:\Documents and Settings\Administrator>ping 61.139.0.10 -n 2
Pinging 61.139.0.10 with 32 bytes of data:
Request timed out.
Ping statistics for 61.139.0.10:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
These fail too. Why?
The answer is that External1 has no route to the DMZ network.
Let's look at the route table on External1:
C:\Documents and Settings\Administrator>route print
IPv4 Route Table
======================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 03 ff ff 36 db ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
========================================================
========================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 61.139.0.1 61.139.0.1 20
61.139.0.0 255.255.255.0 61.139.0.1 61.139.0.1 20
61.139.0.1 255.255.255.255 127.0.0.1 127.0.0.1 20
61.255.255.255 255.255.255.255 61.139.0.1 61.139.0.1 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 61.139.0.1 61.139.0.1 20
255.255.255.255 255.255.255.255 61.139.0.1 61.139.0.1 1
Default Gateway: 61.139.0.1
=====================================================
Persistent Routes:
None
Notice that the 61.139.0.0 network is reached through the 61.139.0.1 interface: External1 treats the whole 61.139.0.0/24 network as directly connected and sends packets for it out of the 61.139.0.1 interface onto its own segment (broadcasting for the destination there) rather than handing them to a router, so the hosts 61.139.0.9 and 61.139.0.10 in the DMZ network naturally never receive the packets External1 sends.
4. Configuring a route to the DMZ network on the external host
Now we add a route to the DMZ network on External1:
C:\Documents and Settings\Administrator>route add 61.139.0.8 mask 255.255.255.252 61.139.0.12
C:\Documents and Settings\Administrator>route print
IPv4 Route Table
======================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 03 ff ff 36 db ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
=====================================================
=====================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 61.139.0.1 61.139.0.1 20
61.139.0.0 255.255.255.0 61.139.0.1 61.139.0.1 20
61.139.0.1 255.255.255.255 127.0.0.1 127.0.0.1 20
61.139.0.8 255.255.255.252 61.139.0.12 61.139.0.1 1
61.255.255.255 255.255.255.255 61.139.0.1 61.139.0.1 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 61.139.0.1 61.139.0.1 20
255.255.255.255 255.255.255.255 61.139.0.1 61.139.0.1 1
Default Gateway: 61.139.0.1
======================================================
Persistent Routes:
None
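The two route tables above make the point of the whole section: before the route add, External1 considers 61.139.0.10 a neighbour on its own /24 and never sends the packet to the firewall; afterwards the more specific /30 entry wins and the packet goes to 61.139.0.12. The following Python script is an added example, not code from the article, that parses the Active Routes section of the first route print output exactly as shown on the page, applies the article's route add command, and performs the route selection itself. It assumes the standard Windows selection rule (longest matching prefix, then lowest metric), treats a route whose gateway equals its interface address as on-link, and derives the Interface column of the added route from the existing route that reaches the gateway, which is how route print showed 61.139.0.1 for the new entry.

```python
"""Added example (not from the original article): model how External1 chooses a
route for a packet, using the "route print" output shown on the page before and
after the "route add" command.

Assumed selection rule: the matching route with the longest prefix wins and,
among equal prefixes, the lowest metric. A route whose Gateway equals its
Interface address is "on-link": the host resolves the destination on its own
segment instead of handing the packet to a router.
"""
import ipaddress

# "Active Routes" section as printed on External1 before the route was added
# (values copied from the article's route print output).
ROUTE_PRINT_BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       61.139.0.1      61.139.0.1      20
       61.139.0.0    255.255.255.0       61.139.0.1      61.139.0.1      20
       61.139.0.1  255.255.255.255        127.0.0.1       127.0.0.1      20
   61.255.255.255  255.255.255.255       61.139.0.1      61.139.0.1      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0       61.139.0.1      61.139.0.1      20
  255.255.255.255  255.255.255.255       61.139.0.1      61.139.0.1       1
Default Gateway:        61.139.0.1
"""

# The command the article runs on External1 to reach the DMZ /30 through the
# ISA firewall's external interface.
ROUTE_ADD = "route add 61.139.0.8 mask 255.255.255.252 61.139.0.12"


def parse_routes(text):
    """Return a list of (network, gateway, interface, metric) from route print text."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:  # header, "Active Routes:" and "Default Gateway:" lines
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gw = ipaddress.ip_address(parts[2])
            iface = ipaddress.ip_address(parts[3])
            metric = int(parts[4])
        except ValueError:
            continue
        routes.append((net, gw, iface, metric))
    return routes


def best_route(routes, destination):
    """Longest-prefix match, ties broken by lowest metric; None if nothing matches."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in routes if dst in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))


def next_hop(routes, destination):
    """Return (matched network, next hop); next hop is 'on-link' or a gateway address."""
    route = best_route(routes, destination)
    if route is None:
        return None
    net, gw, iface, _ = route
    return str(net), ("on-link" if gw == iface else str(gw))


def apply_route_add(routes, command):
    """Add a route the way 'route add <dest> mask <mask> <gateway>' does on Windows.

    The Interface column is taken from the existing route that reaches the
    gateway; for 61.139.0.12 that is the 61.139.0.0/24 on-link route, hence
    61.139.0.1, matching the article's second route print.
    """
    parts = command.split()
    if parts[:2] != ["route", "add"] or len(parts) != 6 or parts[3] != "mask":
        raise ValueError(f"unsupported command: {command}")
    net = ipaddress.ip_network(f"{parts[2]}/{parts[4]}", strict=False)
    gw = ipaddress.ip_address(parts[5])
    via = best_route(routes, gw)
    if via is None:
        raise ValueError(f"gateway {gw} is not reachable from any interface")
    return routes + [(net, gw, via[2], 1)]


if __name__ == "__main__":
    before = parse_routes(ROUTE_PRINT_BEFORE)
    after = apply_route_add(before, ROUTE_ADD)
    for target in ("61.139.0.12", "61.139.0.9", "61.139.0.10"):
        print(target, "before:", next_hop(before, target), "after:", next_hop(after, target))
```

Running it shows 61.139.0.9 and 61.139.0.10 resolving to on-link via 61.139.0.0/24 before the route is added, which is exactly why the pings timed out: External1 looked for those hosts on its own segment and nobody answered. After the route is added they resolve to the gateway 61.139.0.12, and 61.139.0.12 itself stays on-link, so nothing changes for the firewall's external interface. The same lookup is what the ISP's router would have to perform, which is the reason the article's conclusion insists on route configuration at the ISP when public addresses are placed in the DMZ.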
5. Testing connectivity between the networks, part two
Now let's test again on External1:
/* Ping the ISA firewall's DMZ interface */
C:\Documents and Settings\Administrator>ping 61.139.0.9 -n 2
Pinging 61.139.0.9 with 32 bytes of data:
Reply from 61.139.0.9: bytes=32 time=2ms TTL=128
Ping statistics for 61.139.0.9:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
Control-C
^C
/* Ping the host Ftp1 in the DMZ network */
C:\Documents and Settings\Administrator>ping 61.139.0.10 -n 2
Pinging 61.139.0.10 with 32 bytes of data:
Reply from 61.139.0.10: bytes=32 time=3ms TTL=127
Reply from 61.139.0.10: bytes=32 time=1ms TTL=127
Ping statistics for 61.139.0.10:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms
/* Access the FTP service on host Ftp1 */
C:\Documents and Settings\Administrator>ftp 61.139.0.10
Connected to 61.139.0.10.
220 Serv-U FTP Server v6.0 for WinSock ready…
User (61.139.0.10:(none)): anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.
ftp>
At this point, in the management console of the FTP service on Ftp1, you can see:
This completes the experiment.
From this experiment you can see that deploying Internet IP addresses in the DMZ network not only consumes three IP addresses but also requires route configuration on the ISP's router. So in general it is not recommended to deploy Internet IP addresses directly in the DMZ network; instead, bind multiple external IP addresses to the ISA firewall and publish the services in the DMZ network using the different addresses.