內容概要:基于強大的多網絡核心,ISA防火墻除了可以作為網絡間的邊緣防火墻外,還可以作為網絡間的路由器使用。ISA防火墻強大的應用層過濾和狀態識別功能,使得ISA防火墻的功能比真實的路由器有過之而無不及。在這篇文章中,你可以學習到如何配置ISA防火墻作為網絡間的路由器。
基于強大的多網絡核心,ISA防火墻除了可以作為網絡間的邊緣防火墻外,還可以作為網絡間的路由器使用。ISA防火墻強大的應用層過濾和狀態識別功能,使得ISA防火墻的功能比真實的路由器有過之而無不及。例如,你可以答應某個Windows下的用戶訪問某個網絡的某種協議,而真實的路由器則只能根據用戶的ip地址和數據包的端口來限制;同時,基于ISA防火墻強大的狀態識別,你可以阻止包含在HTTPS協議中的非正常數據,而路由器是根本沒有辦法做到這一點的。
有不少朋友在問如何將ISA防火墻配置為內部網絡中的二級代理,其實二級代理只是ISA防火墻作為內部路由器的一種情況而已。在純路由環境下,內部路由器就是一個二級代理,類似于背靠背防火墻模型中的背端防火墻;同時,利用ISA防火墻的Web代理服務和Web鏈設置,你也可以很方便的設置ISA防火墻只是作為HTTP代理。
在這篇文章中,我們以一個包含多個子網的內部網絡環境為例,給大家介紹如何將ISA防火墻配置為內部路由器。這些內容都應該是作為ISA學習的進階內容,在一些簡單的環節,或許我會略過。
各計算機的TCP/IP設置如下,因為不涉及DNS解析,所有計算機的DNS服務器均設置為空:
Server1:
ISA 2004 Firewall:
LAN1接口:
LAN2接口:
Client1:
其實配置ISA防火墻作為內部路由器不需要什么額外的配置。在安裝過程中選擇好內部網絡,然后建立訪問規則就是了。只是在默認情況下,內部網絡訪問外部網絡是通過NAT來的,在有些時候,可能你需要使用路由關系。在使用路由關系時,記得先確定在不同的子網間是否有到對應網絡的路由。
在這篇文章中,我們將按照步驟來進行:
1、配置內部網絡和內部到外部的網絡規則(NAT)
我是新安裝的ISA防火墻,在安裝過程中選擇內部網絡時,我通過選擇網卡來進行選擇。假如你已經安裝好了ISA防火墻,那么你直接在內部網絡屬性中進行修改即可。
安裝好后,在ISA防火墻治理控制臺的配置的網絡節點,你可以在右邊網絡面板中看到內部網絡的地址范圍。
默認情況下,內部到外部網絡使用NAT方式,在網絡規則中很清楚的說明了這一點。
2、建立訪問規則
現在網絡基礎元素已經定義好了,我們需要建立訪問規則,答應內部(LAN2)到外部(LAN1和其他網絡)的訪問。
右擊防火墻策略,指向新建,選擇訪問規則,規則中需要定義的元素如下:
規則名稱:Allow Any to Any;
規則操作:答應;
協議:所有出站通信;
訪問規則源:所有網絡(和本地主機);
訪問規則目的:所有網絡(和本地主機);
用戶集:所有用戶;
點擊應用保存修改和更新防火墻策略;
建立好后的規則如下圖:
在這個試驗中,我們只是為了更好的說明試驗,所以才定義此Allow Any to Any use Any PRotocols的“3 Any”規則。在你的商用網絡中,請嚴格限定訪問規則中使用的每一元素。
3、測試LAN2到LAN1的連通性
我們在位于LAN2的Client1上進行測試,Ping位于LAN1的Server1,并訪問運行在其之上的FTP服務。
/* 在Client1上進行測試*/
C:/Documents and Settings/xx>ipconfig
Windows IP Configuration
Ethernet adapter Loopback:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
/* Ping自己的網關(ISA防火墻的LAN2接口)*/
C:/Documents and Settings/xx>ping 192.168.2.1 -n 2
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=6ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 3ms
/* Ping ISA防火墻的LAN1接口*/
C:/Documents and Settings/xx>ping 192.168.0.254 -n 2
Pinging 192.168.0.254 with 32 bytes of data:
Reply from 192.168.0.254: bytes=32 time=1ms TTL=128
Reply from 192.168.0.254: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.254:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
/* Ping LAN1中的Server1*/
C:/Documents and Settings/xx>ping 192.168.0.1 -n 2
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=2ms TTL=127
Reply from 192.168.0.1: bytes=32 time<1ms TTL=127
Ping statistics for 192.168.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms
/*訪問Server1上的ftp服務*/
C:/Documents and Settings/xx>ftp 192.168.0.1
Connected to 192.168.0.1.
220 External ftp server ready...
User (192.168.0.1:(none)): anonymous
331 User name okay, please send complete E-mail address as passWord.
Password:
230 User logged in, proceed.
ftp> dir
200 PORT Command sUCcessful.
150 Opening ASCII mode data connection for /bin/ls.
drw-rw-rw- 1 user group 0 Jul 29 17:58 .
drw-rw-rw- 1 user group 0 Jul 29 17:58 ..
drw-rw-rw- 1 user group 0 Jul 29 17:58 AdminScripts
drw-rw-rw- 1 user group 0 Jul 29 17:58 ftproot
drw-rw-rw- 1 user group 0 Jul 29 17:58 wwwroot
226 Transfer complete.
ftp: 收到 314 字節,用時 0.00Seconds 314000.00Kbytes/sec.
ftp>
此時,我們在Server1上的ftp治理控制臺中看看,
注重看客戶的IP地址,這是ISA防火墻的LAN1接口的IP。Why?不需要我回答吧。
Okay,這個測試就成功結束了。
4、配置內部到外部使用路由方式
現在我們來修改網絡規則,配置內部到外部使用路由方式試試。
點開配置下的網絡,在右邊的網絡規則中雙擊Internet訪問,然后在彈出的屬性對話框中,點擊網絡關系標簽,修改為路由。修改后如下圖所示:
然后點擊應用保存修改和更新防火墻策略。
5、測試LAN2到LAN1的連通性二
/* 在Client1上進行測試*/
C:/Documents and Settings/xx>ipconfig
Windows IP Configuration
Ethernet adapter Loopback:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
/* Ping自己的網關(ISA防火墻的LAN2接口)*/
C:/Documents and Settings/xx>ping 192.168.2.1 -n 2
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=6ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 6ms, Average = 3ms
/* Ping ISA防火墻的LAN1接口*/
C:/Documents and Settings/xx>ping 192.168.0.254 -n 2
Pinging 192.168.0.254 with 32 bytes of data:
Reply from 192.168.0.254: bytes=32 time=1ms TTL=128
Reply from 192.168.0.254: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.254:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
/* Ping LAN1中的Server1*/
C:/Documents and Settings/xx>ping 192.168.0.1 -n 2
Pinging 192.168.0.1 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 192.168.0.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Ping不通了?Why?相信你應該可以從上面的TCP/IP配置說明中分析出這一點。
我們再在LAN1中的Server1上進行測試:
/* 在Server1上進行測試*/
C:/Documents and Settings/Administrator>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Sydney
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
Physical Address. . . . . . . . . : 00-03-FF-FF-36-DB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
/* Ping ISA防火墻的LAN1接口*/
C:/Documents and Settings/Administrator>ping 192.168.0.254
Pinging 192.168.0.254 with 32 bytes of data:
Reply from 192.168.0.254: bytes=32 time<1ms TTL=128
Reply from 192.168.0.254: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.254:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Control-C
^C
/* Ping ISA防火墻的LAN2接口*/
C:/Documents and Settings/Administrator>ping 192.168.2.1
Pinging 192.168.2.1 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
Control-C
^C
/* Ping 位于LAN2的Client1*/
C:/Documents and Settings/Administrator>ping 192.168.2.8
Pinging 192.168.2.8 with 32 bytes of data:
Request timed out.
Ping statistics for 192.168.2.8:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C
位于LAN2的接口都Ping不通,Why?很簡單,在Server1上沒有到LAN2的路由。我們看看Server1的路由表:
C:/Documents and Settings/Administrator>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 03 ff ff 36 db ...... Intel 21140-Based PCI Fast Ethernet Adapter
(Generic)
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.1 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.1 20
192.168.0.1 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.1 192.168.0.1 20
224.0.0.0 240.0.0.0 192.168.0.1 192.168.0.1 20
255.255.255.255 255.255.255.255 192.168.0.1 192.168.0.1 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
默認路由是192.168.0.1,沒有到LAN2的路由。對于此情況,你需要添加到LAN2的路由,或者重新設置默認網關為ISA防火墻的LAN1接口。在具體采用哪種方式時,你需要根據網絡的環境來決定。對于不能修改默認網關的情況,例如此主機是另外的網絡出口的情況(如此計算機上還接有另外一個網卡,連接到Internet),你需要添加到LAN2的路由。
6、在LAN1的Server1上添加LAN2的路由
在Server1的cmd下運行route add 192.168.2.0 mask 255.255.255.0 192.168.0.254,然后看看路由表:
C:/Documents and Settings/Administrator>route add 192.168.2.0 mask 255.255.255.0 192.168.0.254 -p
C:/Documents and Settings/Administrator>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 03 ff ff 36 db ...... Intel 21140-Based PCI Fast Ethernet Adapter
(Generic)
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.1 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.1 192.168.0.1 20
192.168.0.1 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.1 192.168.0.1 20
192.168.2.0 255.255.255.0 192.168.0.254 192.168.0.1 1
224.0.0.0 240.0.0.0 192.168.0.1 192.168.0.1 20
255.255.255.255 255.255.255.255 192.168.0.1 192.168.0.1 1
Default Gateway: 192.168.0.1
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
192.168.2.0 255.255.255.0 192.168.0.254 1
7、測試LAN2到LAN1的連通性三
現在我們再來測試一下LAN1和LAN2間的連通性:
/* 在Server1上進行測試*/
/* Ping ISA防火墻的LAN2接口*/
C:/Documents and Settings/Administrator>ping 192.168.2.1 -n 8
Pinging 192.168.2.1 with 32 bytes of data:
Reply from 192.168.2.1: bytes=32 time=1ms TTL=128
Reply from 192.168.2.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.2.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms
Control-C
^C
/* Ping 位于LAN2的Client1*/
C:/Documents and Settings/Administrator>ping 192.168.2.8 -n 2
Pinging 192.168.2.8 with 32 bytes of data:
Reply from 192.168.2.8: bytes=32 time=1ms TTL=127
Reply from 192.168.2.8: bytes=32 time=1ms TTL=127
Ping statistics for 192.168.2.8:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
然后,我們在Client1上進行一下測試:
/* 在Client1上進行測試*/
C:/Documents and Settings/xx>ipconfig
Windows IP Configuration
Ethernet adapter Loopback:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.2.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
/* Ping 位于LAN1的Server1*/
C:/Documents and Settings/xx>ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=3ms TTL=127
Ping statistics for 192.168.0.1:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 3ms, Average = 3ms
Control-C
^C
/*訪問Server1上的ftp服務*/
C:/Documents and Settings/xx>ftp 192.168.0.1
Connected to 192.168.0.1.
220 External ftp server ready...
User (192.168.0.1:(none)): anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.
現在我們再在Server1上的ftp治理控制臺中看看,注重看客戶的IP地址,這是Client1的IP地址。
此時,我們的試驗就成功完成了。
假如此時LAN1中的Server1也同時連接到Internet,那么此時ISA防火墻就已經相當于是個二級代理了。假如Server1換成一個邊緣ISA防火墻,那么該如何配置此邊緣ISA防火墻呢?關于這個的配置,我已經在How to:在存在多條路由的內部網絡中配置ISA Server 2004一文中進行了介紹,在此就不重復了。
新聞熱點
疑難解答
