EvilOctal Security Team Technical Discussion Group's Archiver

金州 2006-2-4 09:40

[Repost] Using multiple routes simultaneously in ISA Server 2004

Source: windows 中文站 (Windows Chinese site)
Summary: On an ISA firewall that has several external routes, can only one external exit be used at a time? The answer is no. This article shows how to use multiple routes at the same time.

Many people have asked me how to use several external routes at once on the ISA firewall. The ISA firewall relies on Windows routing, and it is well known that Windows machines do not support using multiple default gateways simultaneously. Note carefully, though: what is unsupported is using several default gateways at the same time, not configuring several default gateways, and not using several routes at the same time. You can configure multiple default gateways (when you do, every configured default gateway must lie on a directly connected network, otherwise routing problems occur), but Windows will only use one of them at a time; if the current default gateway fails, the next one is used (note: Windows detects this automatically with a "dead gateway" detection algorithm, but I have not found more detailed information about it). Windows can, according to the entries in its routing table, use different routes for different destinations.

For a network with several external exits, the first recommendation is to install ISA Server 2004 Enterprise Edition on several servers and use Network Load Balancing. If you can only deploy the external exits on a single server, then in addition to configuring multiple default gateways you can create specific matching routes so that several external exits are used at the same time.

The network environment used in this article is shown below:

[image: http://www.isacn.org/pic/routeusage/routeusage.jpg]

The ISA firewall is an edge firewall connecting the internal network to the Internet, and an access rule already allows the Local Host (the firewall itself) all protocols to the External network. Its TCP/IP settings are:

ISA firewall:
  Internal interface:  IP 10.2.1.1/24,   DG: none
  External1 interface: IP 61.139.0.1/24, DG: 61.139.0.8
  External2 interface: IP 218.8.0.1/24,  DG: 218.8.0.8

The IP addresses 61.139.0.8, 218.8.0.8 and 61.153.0.8 belong to the three network interfaces of a single server (Istanbul); 61.139.0.8 and 218.8.0.8 are connected to the corresponding interfaces of the ISA firewall. Istanbul runs an FTP server bound to all three IP addresses. Its TCP/IP settings are:

Istanbul:
  External interface:  IP 61.153.0.8/24, DG: none
  External1 interface: IP 61.139.0.8/24, DG: none
  External2 interface: IP 218.8.0.8/24,  DG: none

In this article the experiment proceeds in the following steps:

1. Analyse route selection under the default configuration;
2. Configure multiple routes to be used simultaneously.

Analysing route selection under the default configuration

First let us look at the current routing table of the ISA firewall:

C:\Documents and Settings\Administrator>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 03 ff f3 ff ff ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #2 - Packet Scheduler Miniport
0x3 ...02 bf 0a 02 01 fe ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic) - Packet Scheduler Miniport
0x10005 ...00 03 ff f2 ff ff ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #3 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       61.139.0.8       61.139.0.1     20
          0.0.0.0          0.0.0.0        218.8.0.8        218.8.0.1     20
         10.2.1.0    255.255.255.0         10.2.1.1         10.2.1.1     20
         10.2.1.1  255.255.255.255        127.0.0.1        127.0.0.1     20
   10.255.255.255  255.255.255.255         10.2.1.1         10.2.1.1     20
       61.139.0.0    255.255.255.0       61.139.0.1       61.139.0.1     20
       61.139.0.1  255.255.255.255        127.0.0.1        127.0.0.1     20
   61.255.255.255  255.255.255.255       61.139.0.1       61.139.0.1     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        218.8.0.0    255.255.255.0        218.8.0.1        218.8.0.1     20
        218.8.0.1  255.255.255.255        127.0.0.1        127.0.0.1     20
      218.8.0.255  255.255.255.255        218.8.0.1        218.8.0.1     20
        224.0.0.0        240.0.0.0         10.2.1.1         10.2.1.1     20
        224.0.0.0        240.0.0.0       61.139.0.1       61.139.0.1     20
        224.0.0.0        240.0.0.0        218.8.0.1        218.8.0.1     20
  255.255.255.255  255.255.255.255         10.2.1.1         10.2.1.1      1
  255.255.255.255  255.255.255.255       61.139.0.1       61.139.0.1      1
Default Gateway:        61.139.0.8
===========================================================================
Persistent Routes:
  None

As the listing shows, the default route goes through the gateway 61.139.0.8. Why not 218.8.0.8? This is decided by the system's network adapter priority, which you can adjust under Advanced Settings in the Advanced menu of Network Connections, as shown below:

[image: http://www.isacn.org/pic/routeusage/routeusage00.jpg]

That, however, is not what concerns us now. We will use each of Istanbul's three IP addresses in turn to access the FTP service running on Istanbul.

First, on the ISA firewall, run ftp 61.139.0.8 and log in as the anonymous user:

[image: http://www.isacn.org/pic/routeusage/routeusage01.jpg]

In the FTP management console on Istanbul we can clearly see that the client IP address is 61.139.0.1. The ISA firewall's routing table contains a route to the 61.139.0.0/24 subnet, so the firewall followed that entry and used its 61.139.0.1 interface for the connection.

[image: http://www.isacn.org/pic/routeusage/routeusage02.jpg]
Next run ftp 218.8.0.8; the result is shown below:

[image: http://www.isacn.org/pic/routeusage/routeusage03.jpg]

The FTP management console shows the client IP address as 218.8.0.1, for the same reason: the ISA firewall used the interface on the same subnet as the destination IP, namely its own 218.8.0.1 interface.

[image: http://www.isacn.org/pic/routeusage/routeusage04.jpg]

Finally, run ftp 61.153.0.8:

[image: http://www.isacn.org/pic/routeusage/routeusage05.jpg]

Note that this time the client IP address is 61.139.0.1. Why? Because the ISA firewall's routing table has no entry matching 61.153.0.8, the connection goes out through the default route via 61.139.0.8, and the local interface used is the one on that gateway's subnet, 61.139.0.1; so the FTP server records the address 61.139.0.1.

[image: http://www.isacn.org/pic/routeusage/routeusage06.jpg]

Configuring multiple routes to be used simultaneously

So what do you do if you want all traffic to the 61.153.0.0/24 subnet to leave through the 218.8.0.1 interface? Windows anticipated this long ago with the built-in route command, which you can use to add routes.

Note: for more detailed information about the route command, see the Windows help.

Now we run the route command to add a route to the 61.153.0.0/24 network via the gateway 218.8.0.8:

route add 61.153.0.0 mask 255.255.255.0 218.8.0.8 metric 1

Note that a route added this way lives only in the active table and is lost at the next reboot; the listing below still shows "Persistent Routes: None". Add the -p switch (route -p add ...) if the route should survive a restart.

After the command runs, the screen looks like this:

[image: http://www.isacn.org/pic/routeusage/routeusage07.jpg]

Run route print again to look at the ISA firewall's routing table:

C:\Documents and Settings\Administrator>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 03 ff f3 ff ff ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #2 - Packet Scheduler Miniport
0x3 ...02 bf 0a 02 01 fe ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic) - Packet Scheduler Miniport
0x10005 ...00 03 ff f2 ff ff ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #3 - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       61.139.0.8       61.139.0.1     20
          0.0.0.0          0.0.0.0        218.8.0.8        218.8.0.1     20
         10.2.1.0    255.255.255.0         10.2.1.1         10.2.1.1     20
         10.2.1.1  255.255.255.255        127.0.0.1        127.0.0.1     20
   10.255.255.255  255.255.255.255         10.2.1.1         10.2.1.1     20
       61.139.0.0    255.255.255.0       61.139.0.1       61.139.0.1     20
       61.139.0.1  255.255.255.255        127.0.0.1        127.0.0.1     20
       61.153.0.0    255.255.255.0        218.8.0.8        218.8.0.1      1
   61.255.255.255  255.255.255.255       61.139.0.1       61.139.0.1     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        218.8.0.0    255.255.255.0        218.8.0.1        218.8.0.1     20
        218.8.0.1  255.255.255.255        127.0.0.1        127.0.0.1     20
      218.8.0.255  255.255.255.255        218.8.0.1        218.8.0.1     20
        224.0.0.0        240.0.0.0         10.2.1.1         10.2.1.1     20
        224.0.0.0        240.0.0.0       61.139.0.1       61.139.0.1     20
        224.0.0.0        240.0.0.0        218.8.0.1        218.8.0.1     20
  255.255.255.255  255.255.255.255         10.2.1.1         10.2.1.1      1
  255.255.255.255  255.255.255.255       61.139.0.1       61.139.0.1      1
  255.255.255.255  255.255.255.255        218.8.0.1        218.8.0.1      1
Default Gateway:        61.139.0.8
===========================================================================
Persistent Routes:
  None

Compared with the previous routing table, the difference that matters is the new route to the 61.153.0.0/24 subnet (the second listing also shows a limited-broadcast entry for 218.8.0.1 that the first did not). Now try ftp 61.153.0.8 again:

[image: http://www.isacn.org/pic/routeusage/routeusage08.jpg]

Note that the client IP address shown in the FTP management console is now 218.8.0.1.

[image: http://www.isacn.org/pic/routeusage/routeusage09.jpg]

In the same way you can add routes for other subnets, and so use several routes at the same time while leaving the original default gateway unchanged.

This article is from:
http://www.isacn.org/info/info.php?sessid=&infoid=227&page=1
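The three lookups above, before and after the route add command, as an added example that is not code from the original article, from ISA Server or from Windows. The script parses the "Active Routes" block of a route print listing (transcribed from the first listing above, with the host, broadcast and multicast rows left out because they never match the tested destinations), applies the standard selection rule (longest matching netmask wins, then lowest metric), and reports the next hop plus the local interface address that Istanbul's FTP console sees as the client. Two assumptions are this example's own: on an exact tie the row listed first wins, which stands in for Windows' adapter binding order, and a route add command with no metric is given metric 1.

```python
"""Route selection on the article's ISA firewall, simulated.

Added example for this post; not code from the original article, from ISA
Server or from Windows.  Parses the "Active Routes" block of `route print`,
applies longest-prefix match with a metric tiebreak, and reports the next hop
and the source interface the firewall would use for a destination.
"""
import ipaddress
import re
from collections import namedtuple

Route = namedtuple("Route", "network netmask gateway interface metric")

# Transcribed from the article's first `route print` on the ISA firewall;
# host, broadcast and multicast rows are omitted because they never match
# the destinations tested here.
ROUTE_PRINT_BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       61.139.0.8       61.139.0.1     20
          0.0.0.0          0.0.0.0        218.8.0.8        218.8.0.1     20
         10.2.1.0    255.255.255.0         10.2.1.1         10.2.1.1     20
       61.139.0.0    255.255.255.0       61.139.0.1       61.139.0.1     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        218.8.0.0    255.255.255.0        218.8.0.1        218.8.0.1     20
Default Gateway:        61.139.0.8
"""

_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_route_print(text):
    """Return the Route rows of a `route print` listing; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        fields = m.groups()
        try:
            for f in fields[:4]:
                ipaddress.IPv4Address(f)  # validate; keep the dotted string
        except ValueError:
            continue
        routes.append(Route(*fields[:4], int(fields[4])))
    return routes


def lookup(routes, destination):
    """Longest-prefix match with metric tiebreak; returns the winning Route."""
    dst = ipaddress.IPv4Address(destination)
    best, best_key = None, None
    for r in routes:
        net = ipaddress.IPv4Network((r.network, r.netmask), strict=False)
        if dst not in net:
            continue
        key = (net.prefixlen, -r.metric)  # longer prefix first, then lower metric
        # Strict '>' keeps the earlier row on an exact tie: this example's
        # stand-in for Windows' adapter binding order (an assumption).
        if best_key is None or key > best_key:
            best, best_key = r, key
    return best


def egress(routes, destination):
    """(next hop, source interface address) the firewall would use, or None."""
    r = lookup(routes, destination)
    return (r.gateway, r.interface) if r else None


def add_route(routes, command):
    """Apply a `route add DEST mask MASK GATEWAY [metric N]` command line.

    As on Windows, the gateway must lie on a directly connected subnet, and
    the Interface column is taken from that on-link route.  A missing metric
    defaults to 1 here (assumption for this example).
    """
    m = re.match(r"route add (\S+) mask (\S+) (\S+)(?: metric (\d+))?$", command)
    if not m:
        raise ValueError("unrecognised command: %r" % command)
    dest, mask, gw, metric = m.groups()
    ipaddress.IPv4Network((dest, mask), strict=False)  # validate dest/mask
    onlink = lookup(routes, gw)
    if onlink is None or onlink.gateway != onlink.interface:
        raise ValueError("gateway %s is not on a directly connected subnet" % gw)
    return routes + [Route(dest, mask, gw, onlink.interface, int(metric or 1))]


if __name__ == "__main__":
    before = parse_route_print(ROUTE_PRINT_BEFORE)
    after = add_route(before, "route add 61.153.0.0 mask 255.255.255.0 218.8.0.8 metric 1")
    for table, label in ((before, "before"), (after, "after ")):
        for host in ("61.139.0.8", "218.8.0.8", "61.153.0.8"):
            print(label, host, "-> next hop %s, source %s" % egress(table, host))
```

Running the script shows 61.153.0.8 moving from next hop 61.139.0.8 / source 61.139.0.1 to next hop 218.8.0.8 / source 218.8.0.1 once the route is added. It also makes a point the article's command does not: the added route wins because its /24 mask is longer than the default route's /0, not because of metric 1; adding it with metric 20 gives the same result. A route add whose gateway is reachable only through the default route is rejected, which is the same constraint the article notes for default gateways. Real route print output can be pasted into ROUTE_PRINT_BEFORE unchanged, since the parser ignores every line that is not a five-column route row.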

© 1999-2008 EvilOctal Security Team