Title: Configuring an ISA Firewall as a Router Between Networks (重庆拓磊计算机运营维护中心)    Date: 2020-02-23

Summary: Built on its powerful multi-network core, the ISA firewall can serve not only as an edge firewall between networks but also as a router between them. Its application-layer filtering and stateful inspection give it capabilities that go beyond those of a real router. In this article you will learn how to configure an ISA firewall as a router between networks.

Built on its powerful multi-network core, the ISA firewall can serve not only as an edge firewall between networks but also as a router between them. Its application-layer filtering and stateful inspection give it capabilities that go beyond those of a real router. For example, you can allow a particular Windows user to access a particular protocol on a particular network, whereas a real router can only restrict traffic by the user's IP address and the packet's port; and thanks to ISA's stateful inspection you can block abnormal data carried inside the HTTPS protocol, which a router simply cannot do.

Many people have asked how to configure an ISA firewall as a second-level (downstream) proxy inside the internal network. A downstream proxy is really just one case of an ISA firewall acting as an internal router. In a pure routing environment the internal router is a downstream proxy, much like the back-end firewall in a back-to-back firewall model; and with the ISA firewall's Web proxy service and Web chaining settings you can also easily configure it to act only as an HTTP proxy.

In this article we take an internal network made up of several subnets as an example and show how to configure the ISA firewall as an internal router. This should be treated as advanced ISA material, so I may skip over some of the simpler steps.

The TCP/IP settings of each computer are as follows. Because no DNS resolution is involved, the DNS server on every computer is left empty:

Server1:

  • IP: 192.168.0.1/255.255.255.0
  • DG: 192.168.0.1

ISA 2004 Firewall:

LAN1 interface:

  • IP: 192.168.0.254/255.255.255.0
  • DG: 192.168.0.1

LAN2 interface:

  • IP: 192.168.2.1/255.255.255.0
  • DG: None

Client1:

  • IP: 192.168.2.8/255.255.255.0
  • DG: 192.168.2.1

Configuring the ISA firewall as an internal router actually needs no extra configuration: choose the internal network during installation, then create access rules. Just note that by default the internal network reaches the external network through NAT; in some cases you may need a route relationship instead. When you use a route relationship, first make sure each subnet has a route to the corresponding network.

In this article we proceed in the following steps:

  • Configure the internal network and the internal-to-external network rule (NAT);
  • Create the access rule;
  • Test connectivity from LAN2 to LAN1 (first test);
  • Configure internal-to-external to use the route relationship;
  • Test connectivity from LAN2 to LAN1 (second test);
  • Add a route to LAN2 on Server1 in LAN1;
  • Test connectivity from LAN2 to LAN1 (third test).

1. Configure the internal network and the internal-to-external network rule (NAT)

This is a fresh ISA firewall installation; when choosing the internal network during setup, I selected it by network adapter. If you already have an ISA firewall installed, simply edit the properties of the internal network.

After installation, in the Networks node under Configuration in the ISA firewall management console, you can see the address range of the internal network in the Networks panel on the right.

By default the internal and external networks use NAT, as the network rules make clear.

2. Create the access rule

Now that the basic network elements are defined, we need to create an access rule that allows access from internal (LAN2) to external (LAN1 and the other networks).

Right-click Firewall Policy, point to New, and choose Access Rule. The elements to define in the rule are:

Rule name: Allow Any to Any

Rule action: Allow

Protocols: All outbound traffic

Access rule sources: All Networks (and Local Host)

Access rule destinations: All Networks (and Local Host)

User sets: All Users

Click Apply to save the changes and update the firewall policy.

The finished rule is shown in the figure below:

In this lab, the "3 Any" rule (Allow Any to Any using Any protocol) is defined only to make the experiment easier to explain. In a production network, restrict every element of your access rules as tightly as possible.
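To make the "restrict every element" advice concrete, here is an added example that is not part of the original article or of ISA Server itself: a small Python model of ISA-style first-match access rules. The network objects (LAN1, LAN2, Server1), the rule names other than Allow Any to Any, and the protocol labels are assumptions constructed for the example. It evaluates the article's "3 Any" rule beside a tightened rule set that permits only FTP and ICMP echo from LAN2 towards LAN1, and includes a check that flags any allow rule whose protocols, sources and destinations are all Any.

```python
import ipaddress
from dataclasses import dataclass

# Network objects modelled on the lab in the article (constructed for this example).
ANY = "Any"
NETWORKS = {
    "LAN1": ipaddress.ip_network("192.168.0.0/24"),
    "LAN2": ipaddress.ip_network("192.168.2.0/24"),
    "Server1": ipaddress.ip_network("192.168.0.1/32"),  # single-host object (assumed)
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str               # "allow" or "deny"
    protocols: frozenset      # e.g. {"tcp/21"}, or {ANY} for "All outbound traffic"
    sources: frozenset        # network object names, or {ANY} for "All Networks"
    destinations: frozenset


def _net_matches(names, ip):
    return ANY in names or any(ip in NETWORKS[n] for n in names)


def _proto_matches(protos, proto):
    return ANY in protos or proto in protos


def evaluate(rules, src_ip, dst_ip, proto):
    """First matching rule decides; with no match, ISA's default rule denies."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (_net_matches(r.sources, src) and _net_matches(r.destinations, dst)
                and _proto_matches(r.protocols, proto)):
            return r.action, r.name
    return "deny", "Default rule"


def overly_broad(rules):
    """Names of allow rules whose protocols, sources and destinations are all Any
    (the article's '3 Any' pattern), which a production policy should not contain."""
    return [r.name for r in rules
            if r.action == "allow" and ANY in r.protocols
            and ANY in r.sources and ANY in r.destinations]


# The rule exactly as the article defines it for the lab.
LAB_RULES = [
    Rule("Allow Any to Any", "allow", frozenset({ANY}), frozenset({ANY}), frozenset({ANY})),
]

# A tightened policy for the same lab (assumed names): only what the tests need.
TIGHT_RULES = [
    Rule("Allow LAN2 to Server1 FTP", "allow",
         frozenset({"tcp/21"}), frozenset({"LAN2"}), frozenset({"Server1"})),
    Rule("Allow LAN2 to LAN1 ping", "allow",
         frozenset({"icmp/echo"}), frozenset({"LAN2"}), frozenset({"LAN1"})),
]


def compare_policies(src_ip, dst_ip, proto):
    """Show what each policy does with the same flow."""
    return {
        "lab": evaluate(LAB_RULES, src_ip, dst_ip, proto),
        "tight": evaluate(TIGHT_RULES, src_ip, dst_ip, proto),
    }


if __name__ == "__main__":
    flows = [("192.168.2.8", "192.168.0.1", "tcp/21"),    # Client1 -> Server1 FTP
             ("192.168.2.8", "192.168.0.1", "tcp/445"),   # Client1 -> Server1 file sharing
             ("192.168.0.1", "192.168.2.8", "tcp/21")]    # Server1 -> Client1 FTP
    for flow in flows:
        print(flow, compare_policies(*flow))
    print("overly broad in lab policy:  ", overly_broad(LAB_RULES))
    print("overly broad in tight policy:", overly_broad(TIGHT_RULES))
```

The tightened policy still passes every test the article performs (ping and FTP from Client1 to Server1) while denying everything else, including connections initiated from LAN1 back into LAN2, which the lab's rule would have allowed.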


3. Test connectivity from LAN2 to LAN1 (first test)

We test from Client1 in LAN2: ping Server1 in LAN1 and connect to the FTP service running on it.

/* Test on Client1 */

C:\Documents and Settings\xx>ipconfig

Windows IP Configuration

Ethernet adapter Loopback:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1

/* Ping the default gateway (the ISA firewall's LAN2 interface) */

C:\Documents and Settings\xx>ping 192.168.2.1 -n 2

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time=6ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 3ms

/* Ping the ISA firewall's LAN1 interface */

C:\Documents and Settings\xx>ping 192.168.0.254 -n 2

Pinging 192.168.0.254 with 32 bytes of data:

Reply from 192.168.0.254: bytes=32 time=1ms TTL=128
Reply from 192.168.0.254: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.0.254:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

/* Ping Server1 in LAN1 */

C:\Documents and Settings\xx>ping 192.168.0.1 -n 2

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time=2ms TTL=127
Reply from 192.168.0.1: bytes=32 time<1ms TTL=127

Ping statistics for 192.168.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms

/* Connect to the FTP service on Server1 */

C:\Documents and Settings\xx>ftp 192.168.0.1
Connected to 192.168.0.1.
220 External ftp server ready...
User (192.168.0.1:(none)): anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.
ftp> dir
200 PORT Command successful.
150 Opening ASCII mode data connection for /bin/ls.
drw-rw-rw- 1 user group 0 Jul 29 17:58 .
drw-rw-rw- 1 user group 0 Jul 29 17:58 ..
drw-rw-rw- 1 user group 0 Jul 29 17:58 AdminScripts
drw-rw-rw- 1 user group 0 Jul 29 17:58 ftproot
drw-rw-rw- 1 user group 0 Jul 29 17:58 wwwroot
226 Transfer complete.
ftp: 收到 314 字节,用时 0.00Seconds 314000.00Kbytes/sec.
ftp>

Now let's look at the FTP management console on Server1.

Note the client's IP address: it is the IP of the ISA firewall's LAN1 interface. Why? I don't think I need to answer that.

Okay, that test has completed successfully.

4. Configure internal-to-external to use the route relationship

Now let's change the network rule and configure the internal-to-external relationship as Route.

Expand Networks under Configuration, double-click Internet Access in the Network Rules pane on the right, then in the properties dialog click the Network Relationship tab and change it to Route. After the change it looks like the figure below:

Then click Apply to save the changes and update the firewall policy.

5. Test connectivity from LAN2 to LAN1 (second test)

/* Test on Client1 */

C:\Documents and Settings\xx>ipconfig

Windows IP Configuration

Ethernet adapter Loopback:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1

/* Ping the default gateway (the ISA firewall's LAN2 interface) */

C:\Documents and Settings\xx>ping 192.168.2.1 -n 2

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time=6ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 3ms

/* Ping the ISA firewall's LAN1 interface */

C:\Documents and Settings\xx>ping 192.168.0.254 -n 2

Pinging 192.168.0.254 with 32 bytes of data:

Reply from 192.168.0.254: bytes=32 time=1ms TTL=128
Reply from 192.168.0.254: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.0.254:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

/* Ping Server1 in LAN1 */

C:\Documents and Settings\xx>ping 192.168.0.1 -n 2

Pinging 192.168.0.1 with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 192.168.0.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),

The ping fails now. Why? You should be able to work this out from the TCP/IP configuration given above.

Next we test from Server1 in LAN1:

/* Test on Server1 */

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : Sydney
Primary Dns Suffix  . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
Physical Address. . . . . . . . . : 00-03-FF-FF-36-DB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

/* Ping the ISA firewall's LAN1 interface */

C:\Documents and Settings\Administrator>ping 192.168.0.254

Pinging 192.168.0.254 with 32 bytes of data:

Reply from 192.168.0.254: bytes=32 time<1ms TTL=128
Reply from 192.168.0.254: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.0.254:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C

/* Ping the ISA firewall's LAN2 interface */

C:\Documents and Settings\Administrator>ping 192.168.2.1

Pinging 192.168.2.1 with 32 bytes of data:

Request timed out.
Request timed out.

Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C

/* Ping Client1 in LAN2 */

C:\Documents and Settings\Administrator>ping 192.168.2.8

Pinging 192.168.2.8 with 32 bytes of data:

Request timed out.

Ping statistics for 192.168.2.8:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C

Neither address in LAN2 can be pinged. Why? Simple: Server1 has no route to LAN2. Let's look at Server1's routing table:
C:\Documents and Settings\Administrator>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 03 ff ff 36 db ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.1      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.1     192.168.0.1      20
      192.168.0.1  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255      192.168.0.1     192.168.0.1      20
        224.0.0.0        240.0.0.0      192.168.0.1     192.168.0.1      20
  255.255.255.255  255.255.255.255      192.168.0.1     192.168.0.1       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:

The default route is 192.168.0.1, and there is no route to LAN2. In this situation you need to add a route to LAN2, or change the default gateway to the ISA firewall's LAN1 interface. Which approach to take depends on your network environment. When the default gateway cannot be changed, for example because this host is itself another network exit (say it has a second network card connected to the Internet), you must add the route to LAN2.

6. Add a route to LAN2 on Server1 in LAN1

At a command prompt on Server1, run route add 192.168.2.0 mask 255.255.255.0 192.168.0.254 (the -p switch in the output below makes the route persistent across reboots, which is why it also appears under Persistent Routes), then look at the routing table:

C:\Documents and Settings\Administrator>route add 192.168.2.0 mask 255.255.255.0 192.168.0.254 -p

C:\Documents and Settings\Administrator>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 03 ff ff 36 db ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.1      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0      192.168.0.1     192.168.0.1      20
      192.168.0.1  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255      192.168.0.1     192.168.0.1      20
      192.168.2.0    255.255.255.0    192.168.0.254     192.168.0.1       1
        224.0.0.0        240.0.0.0      192.168.0.1     192.168.0.1      20
  255.255.255.255  255.255.255.255      192.168.0.1     192.168.0.1       1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
      192.168.2.0    255.255.255.0    192.168.0.254       1
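The routing-table behaviour behind steps 5 and 6 can be checked offline. The following is an added example, not the article's own material and not anything shipped with ISA Server: a Python script that parses the Active Routes lines copied from Server1's route print output above, performs the longest-prefix lookup a host's IP stack performs, and replays the three situations the article tests: NAT relationship (Server1 sees ISA's LAN1 address 192.168.0.254 as the client), Route relationship before the route is added (Server1 sees 192.168.2.8 but has only its default route, which points at its own address), and Route relationship after route add. Two assumptions underlie the model and are marked in the code: a Windows route whose gateway equals the interface address is on-link (the host ARPs for the destination itself), and Server1's only attached subnet is 192.168.0.0/24, taken from its ipconfig output.

```python
import ipaddress

# Active Routes from Server1's `route print` in the article, before the LAN2 route
# was added (columns: destination, netmask, gateway, interface, metric).
SERVER1_ROUTES_BEFORE = """
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.1 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.1 20
192.168.0.1 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.1 192.168.0.1 20
224.0.0.0 240.0.0.0 192.168.0.1 192.168.0.1 20
255.255.255.255 255.255.255.255 192.168.0.1 192.168.0.1 1
"""
# The line that `route add 192.168.2.0 mask 255.255.255.0 192.168.0.254` adds.
LAN2_ROUTE = "192.168.2.0 255.255.255.0 192.168.0.254 192.168.0.1 1\n"

SERVER1_IP = ipaddress.ip_address("192.168.0.1")
ISA_LAN1 = ipaddress.ip_address("192.168.0.254")
CLIENT1 = ipaddress.ip_address("192.168.2.8")
# Assumption: Server1's only attached subnet, from its ipconfig output (mask 255.255.255.0).
LAN1 = ipaddress.ip_network("192.168.0.0/24")


def parse_routes(text):
    """Turn 'route print' Active Routes lines into (network, gateway, interface, metric)."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gw, iface, metric = line.split()
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False),
                       ipaddress.ip_address(gw), ipaddress.ip_address(iface), int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; a lower metric breaks ties. Returns the route tuple or None."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3])) if matches else None


def next_hop(routes, dst):
    """Where Server1 would send a packet for dst, and whether that hop is actually
    on its LAN1 segment. Assumption: a Windows route whose gateway equals the
    interface address is on-link, so the host tries to reach dst directly."""
    dst = ipaddress.ip_address(dst)
    net, gw, iface, _ = lookup(routes, dst)
    hop = dst if gw == iface else gw
    return str(hop), hop in LAN1


def scenario(relationship, routes):
    """Client1 opens a connection to Server1 through ISA and Server1 replies.
    Under NAT, ISA rewrites the source to its LAN1 address; under Route it does not."""
    seen_src = ISA_LAN1 if relationship == "NAT" else CLIENT1
    hop, delivered = next_hop(routes, seen_src)
    return {"server_sees": str(seen_src), "reply_next_hop": hop, "reply_delivered": delivered}


if __name__ == "__main__":
    before = parse_routes(SERVER1_ROUTES_BEFORE)
    after = parse_routes(SERVER1_ROUTES_BEFORE + LAN2_ROUTE)
    print("NAT, no LAN2 route:     ", scenario("NAT", before))
    print("Route, no LAN2 route:   ", scenario("Route", before))
    print("Route, LAN2 route added:", scenario("Route", after))
```

The second scenario reproduces the "Request timed out" seen in step 5: with the default gateway set to Server1's own address, the reply to 192.168.2.8 is treated as on-link and never reaches the LAN2 segment. The first and third scenarios match what the FTP console showed the author, ISA's LAN1 address under NAT and Client1's real address under Route once the return route exists.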


7. Test connectivity from LAN2 to LAN1 (third test)

Now let's test connectivity between LAN1 and LAN2 again:

/* Test on Server1 */

/* Ping the ISA firewall's LAN2 interface */

C:\Documents and Settings\Administrator>ping 192.168.2.1 -n 8

Pinging 192.168.2.1 with 32 bytes of data:

Reply from 192.168.2.1: bytes=32 time=1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Control-C
^C

/* Ping Client1 in LAN2 */

C:\Documents and Settings\Administrator>ping 192.168.2.8 -n 2

Pinging 192.168.2.8 with 32 bytes of data:

Reply from 192.168.2.8: bytes=32 time=1ms TTL=127
Reply from 192.168.2.8: bytes=32 time=1ms TTL=127

Ping statistics for 192.168.2.8:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

Then we run a test on Client1:

/* Test on Client1 */

C:\Documents and Settings\xx>ipconfig

Windows IP Configuration

Ethernet adapter Loopback:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1

/* Ping Server1 in LAN1 */

C:\Documents and Settings\xx>ping 192.168.0.1

Pinging 192.168.0.1 with 32 bytes of data:

Reply from 192.168.0.1: bytes=32 time=3ms TTL=127

Ping statistics for 192.168.0.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 3ms, Average = 3ms
Control-C
^C

/* Connect to the FTP service on Server1 */

C:\Documents and Settings\xx>ftp 192.168.0.1
Connected to 192.168.0.1.
220 External ftp server ready...
User (192.168.0.1:(none)): anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.

Now look again at the FTP management console on Server1 and note the client's IP address: this time it is Client1's own IP address.

At this point our experiment has completed successfully.

If Server1 in LAN1 were also connected to the Internet, the ISA firewall would already effectively be a second-level (downstream) proxy. And if Server1 were replaced by an edge ISA firewall, how should that edge ISA firewall be configured? I have already covered that configuration in the article "How to: Configure ISA Server 2004 in an internal network with multiple routes", so I won't repeat it here.

