
[Repost] Deploying Internet IP Addresses in a DMZ Network


Source: http://www.isacn.org/info/info.php?sessid=&infoid=193&page=1

Summary: How can Internet IP addresses be used to reach servers located in a DMZ network? In the article How to: Using Public IP Addresses to Access Servers in the DMZ, I mentioned that besides binding multiple IP addresses to the ISA firewall's external interface and forwarding from them, you can also deploy Internet IP addresses directly in the DMZ and have the ISP's upstream router route to them. In this article we look at how to implement that approach.


Strictly speaking, this goes beyond the ISA firewall itself; it is mostly a matter of routing and subnetting. As long as the network layout is planned well, deploying the ISA firewall is very easy.

Abroad, IP addresses are easy to obtain, and you can request a full Class C network for your site in one go. In China, however, a typical customer getting a whole Class C network from the ISP is wishful thinking; usually you get a handful of addresses. In this experiment we obtained five Internet IP addresses from the ISP, ranging from 61.139.0.8 to 61.139.0.12, with subnet mask 255.255.255.0. I want to deploy Internet IP addresses in the DMZ network, so I first have to subnet the addresses I obtained, assign one subnet to the DMZ network, and finally have the ISP's router route to my DMZ subnet.

Subnetting is the key step here. When assigning addresses, the ISA firewall's Internet-facing and DMZ-facing network adapters each need an IP address, and the subnet's broadcast address and network address consume one each. So the number of Internet IP addresses you can configure in the DMZ network is the number you obtained minus four.

Now, we first need to subnet the Internet IP addresses we obtained.

Convert the IP addresses to binary:

61.139.0.8   00111101 10001011 00000000 00001000
61.139.0.9   00111101 10001011 00000000 00001001
61.139.0.10  00111101 10001011 00000000 00001010
61.139.0.11  00111101 10001011 00000000 00001011
61.139.0.12  00111101 10001011 00000000 00001100

Notice that the first four addresses (61.139.0.8~61.139.0.11) all fall within the 61.139.0.8/30 subnet. So we can deploy that subnet in the DMZ network and configure 61.139.0.12/24 on the ISA adapter connected to the external network (Internet).

Within the 61.139.0.8/30 subnet, however, 61.139.0.8 is the subnet's network address and 61.139.0.11 is its broadcast address; neither can be assigned to a host. After we configure 61.139.0.9/30 (mask 255.255.255.252) on the ISA firewall's DMZ-facing interface, only 61.139.0.10/30 is left to assign to the server in the DMZ network.
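The subnetting above done in code, as an added example that is not part of the original article: given the five addresses the ISP assigned, it finds the largest aligned block that fits (the DMZ subnet), accounts for the network address, the broadcast address and the ISA DMZ interface, and keeps one spare address for the ISA external interface. It also handles the general case of any small handful of addresses, including unaligned ones; the function names are my own.

```python
import ipaddress

# Constructed input matching the article: five public addresses from the ISP,
# 61.139.0.8 .. 61.139.0.12, handed out from a 255.255.255.0 network.
ISP_ADDRESSES = [ipaddress.ip_address(f"61.139.0.{i}") for i in range(8, 13)]


def largest_aligned_subnet(addresses):
    """The binary-inspection step from the article done in code: return the
    largest CIDR block whose network address is aligned and whose addresses
    are all in the assigned set, plus the assigned addresses left over."""
    addrs = sorted(addresses)
    # A block of 2^k addresses needs at least 2^k assigned ones, so start at
    # the smallest prefix length that could possibly fit and shrink from there.
    first_prefix = 32 - (len(addrs).bit_length() - 1)
    for prefix in range(first_prefix, 31):  # /31 and /32 leave no room for a server
        for a in addrs:
            net = ipaddress.ip_network(f"{a}/{prefix}", strict=False)
            if net.network_address != a:
                continue  # a block of this size cannot start on this address
            if all(h in addrs for h in net):
                return net, [x for x in addrs if x not in net]
    return None, addrs


def plan_dmz(addresses):
    """Allocate addresses the way the article does: first usable host of the
    DMZ block to the ISA DMZ interface, the rest to DMZ servers, and one spare
    address on the ISP network to the ISA external interface."""
    dmz, leftover = largest_aligned_subnet(addresses)
    if dmz is None or not leftover:
        raise ValueError("need an aligned block plus one spare address "
                         "for the ISA external interface")
    hosts = list(dmz.hosts())  # excludes network and broadcast addresses
    return {
        "dmz_subnet": str(dmz),
        "network_address": str(dmz.network_address),      # unusable
        "broadcast_address": str(dmz.broadcast_address),  # unusable
        "isa_dmz_interface": str(hosts[0]),
        "dmz_server_addresses": [str(h) for h in hosts[1:]],
        "isa_external_interface": str(leftover[0]),
    }


if __name__ == "__main__":
    for key, value in plan_dmz(ISP_ADDRESSES).items():
        print(f"{key:24} {value}")
```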

The network topology used for the experiment is shown in the figure below:

The TCP/IP configuration of each computer is as follows. DNS resolution is not involved in this experiment, so the DNS server is left empty on every computer:

External1:

  • IP: 61.139.0.1/24
  • DG: 61.139.0.1

ISA 2004 Firewall:

External interface:

  • IP: 61.139.0.12/24
  • DG: 61.139.0.1

DMZ interface:

  • IP: 61.139.0.9/30
  • DG: None

Internal interface:

  • IP: 192.168.0.1/24
  • DG: None

Ftp1:

  • IP: 61.139.0.10/30
  • DG: 61.139.0.9

Client1:

  • IP: 192.168.0.8/24
  • DG: 192.168.0.1

In this experiment we proceed in the following steps:

  • Configure the ISA firewall with the 3-Leg Perimeter template;
  • Modify the access rules;
  • Test connectivity between the networks, part one;
  • Configure a route to the DMZ network on the external host;
  • Test connectivity between the networks, part two.

1. Configure the ISA firewall with the 3-Leg Perimeter template

Open the ISA firewall management console, click Networks under Configuration, then on the Templates tab of the task pane on the right, click 3-Leg Perimeter.

In the Welcome to the Network Template Wizard dialog, click Next.

On the Export the ISA Server Configuration page, click Next.

On the Internal Network IP Addresses page, since we already configured this during installation, just click Next; if it is not configured yet, add the addresses yourself.

On the Perimeter Network IP Addresses page, click Add Adapter.

In the Select Network Adapters dialog, tick DMZ and click OK.

Back on the Perimeter Network IP Addresses page, click Next.

On the Select a Firewall Policy page, choose Allow unrestricted access and click Next.

Finally, on the Completing the Network Template Wizard page, click Finish.

You can now see in the network rules that Internal to Perimeter (DMZ) and Internal to External both use NAT, while Perimeter to External uses Route. For more information on configuring a DMZ network, see the article How to: Configuring a DMZ Network in ISA Server 2004.

2. Modify the access rules

At this point the firewall policy looks like the figure below.

To make the demonstration clearer, we need to change it. Double-click Unrestricted Internet Access and change both its source networks and its destination networks to All Networks (and Local Host), then delete the second rule, VPN clients to Internal network access. The modified rules are shown in the figure below:

Click Apply to save the changes and update the firewall policy.

3. Test connectivity between the networks, part one

Now let's test connectivity between the networks, starting from Client1 on the internal network:

/* Testing on Client1 */
C:\Documents and Settings\Administrator>ipconfig/all

Windows IP Configuration
Host Name . . . . . . . . . . . . : mine
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Loopback:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Loopback Adapter
Physical Address. . . . . . . . . : 02-00-4C-4F-4F-50
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

/* Ping its own gateway (the ISA firewall's internal interface) */
C:\Documents and Settings\Administrator>ping 192.168.0.1 -n 2
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 192.168.0.1: bytes=32 time=4ms TTL=128
Reply from 192.168.0.1: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 4ms, Average = 2ms

/* Ping the ISA firewall's external interface */
C:\Documents and Settings\Administrator>ping 61.139.0.12 -n 2
Pinging 61.139.0.12 with 32 bytes of data:
Reply from 61.139.0.12: bytes=32 time<1ms TTL=128
Reply from 61.139.0.12: bytes=32 time=10ms TTL=128
Ping statistics for 61.139.0.12:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 10ms, Average = 5ms

/* Ping the ISA firewall's DMZ interface */
C:\Documents and Settings\Administrator>ping 61.139.0.9 -n 2
Pinging 61.139.0.9 with 32 bytes of data:
Reply from 61.139.0.9: bytes=32 time=2ms TTL=128
Reply from 61.139.0.9: bytes=32 time<1ms TTL=128
Ping statistics for 61.139.0.9:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 2ms, Average = 1ms

/* Ping the host Ftp1 in the DMZ network */
C:\Documents and Settings\Administrator>ping 61.139.0.10 -n 2
Pinging 61.139.0.10 with 32 bytes of data:
Reply from 61.139.0.10: bytes=32 time=1ms TTL=127
Reply from 61.139.0.10: bytes=32 time=2ms TTL=127
Ping statistics for 61.139.0.10:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms

/* Ping the host External1 on the external network */
C:\Documents and Settings\Administrator>ping 61.139.0.1 -n 2
Pinging 61.139.0.1 with 32 bytes of data:
Reply from 61.139.0.1: bytes=32 time=2ms TTL=127
Reply from 61.139.0.1: bytes=32 time=2ms TTL=127
Ping statistics for 61.139.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms

All tests pass.

Now we test on the ISA firewall:

/* Testing on the ISA firewall */
C:\Documents and Settings\Administrator>ipconfig/all

Windows IP Configuration
Host Name . . . . . . . . . . . . : Florence
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter DMZ:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #2
Physical Address. . . . . . . . . : 00-03-FF-7E-BC-3B
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 61.139.0.9
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . :

Ethernet adapter Internal:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
Physical Address. . . . . . . . . : 00-03-FF-EE-45-8D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :

Ethernet adapter External:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic) #3
Physical Address. . . . . . . . . : 00-03-FF-FC-FF-FF
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 61.139.0.12
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 61.139.0.1

/* Ping Client1 on the internal network */
C:\Documents and Settings\Administrator>ping 192.168.0.8
Pinging 192.168.0.8 with 32 bytes of data:
Reply from 192.168.0.8: bytes=32 time<1ms TTL=128
Reply from 192.168.0.8: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.8:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

/* Ping Ftp1 in the DMZ network */
C:\Documents and Settings\Administrator>ping 61.139.0.10
Pinging 61.139.0.10 with 32 bytes of data:
Reply from 61.139.0.10: bytes=32 time=2ms TTL=128
Reply from 61.139.0.10: bytes=32 time=2ms TTL=128
Ping statistics for 61.139.0.10:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms

/* Ping External1 on the external network */
C:\Documents and Settings\Administrator>ping 61.139.0.1
Pinging 61.139.0.1 with 32 bytes of data:
Reply from 61.139.0.1: bytes=32 time=20ms TTL=128
Reply from 61.139.0.1: bytes=32 time=1ms TTL=128
Ping statistics for 61.139.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 20ms, Average = 10ms

These tests also all pass.

Now we test on Ftp1 in the DMZ network:

/* Testing on Ftp1 */
C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter DMZ:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 61.139.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.252
Default Gateway . . . . . . . . . : 61.139.0.9

/* Ping the ISA firewall's DMZ interface */
C:\Documents and Settings\Administrator>ping 61.139.0.9 -n 2
Pinging 61.139.0.9 with 32 bytes of data:
Reply from 61.139.0.9: bytes=32 time=3ms TTL=128
Ping statistics for 61.139.0.9:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 3ms, Maximum = 3ms, Average = 3ms
Control-C
^C

/* Ping the ISA firewall's external interface */
C:\Documents and Settings\Administrator>ping 61.139.0.12 -n 2
Pinging 61.139.0.12 with 32 bytes of data:
Reply from 61.139.0.12: bytes=32 time=2ms TTL=128
Ping statistics for 61.139.0.12:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
Control-C
^C

/* Ping the host External1 on the Internet */
C:\Documents and Settings\Administrator>ping 61.139.0.1 -n 2
Pinging 61.139.0.1 with 32 bytes of data:
Request timed out.
Ping statistics for 61.139.0.1:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C

The test fails. Why?

Finally, we test on External1, the host on the Internet:

/* Testing on External1 */
C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration
Host Name . . . . . . . . . . . . : Sydney
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
Physical Address. . . . . . . . . : 00-03-FF-FF-36-DB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 61.139.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 61.139.0.1

/* Ping the ISA firewall's external interface */
C:\Documents and Settings\Administrator>ping 61.139.0.12 -n 2
Pinging 61.139.0.12 with 32 bytes of data:
Reply from 61.139.0.12: bytes=32 time=4ms TTL=128
Ping statistics for 61.139.0.12:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 4ms, Average = 4ms
Control-C
^C

/* Ping the ISA firewall's DMZ interface */
C:\Documents and Settings\Administrator>ping 61.139.0.9 -n 2
Pinging 61.139.0.9 with 32 bytes of data:
Request timed out.
Ping statistics for 61.139.0.9:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C

/* Ping the host Ftp1 in the DMZ network */
C:\Documents and Settings\Administrator>ping 61.139.0.10 -n 2
Pinging 61.139.0.10 with 32 bytes of data:
Request timed out.
Ping statistics for 61.139.0.10:
Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
Control-C
^C

This fails too. Why?

The answer is that External1 has no route to the DMZ network.

Look at the routing table on External1:

C:\Documents and Settings\Administrator>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 03 ff ff 36 db ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       61.139.0.1      61.139.0.1      20
       61.139.0.0    255.255.255.0       61.139.0.1      61.139.0.1      20
       61.139.0.1  255.255.255.255        127.0.0.1       127.0.0.1      20
   61.255.255.255  255.255.255.255       61.139.0.1      61.139.0.1      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0       61.139.0.1      61.139.0.1      20
  255.255.255.255  255.255.255.255       61.139.0.1      61.139.0.1       1
Default Gateway:        61.139.0.1
===========================================================================
Persistent Routes:
None

Notice that the 61.139.0.0 network is reached through the 61.139.0.1 interface: External1 treats the whole 61.139.0.0/24 network as directly connected, so for any destination in 61.139.0.0/24 it broadcasts (an ARP request) on its own segment via 61.139.0.1 instead of handing the packet to a router. The hosts 61.139.0.9 and 61.139.0.10 in the DMZ network, which sit behind the ISA firewall, therefore never receive the packets External1 sends.

4. Configure a route to the DMZ network on the external host

Now we configure a route to the DMZ network on External1 (in a real deployment this is the route the ISP configures on its upstream router):

C:\Documents and Settings\Administrator>route add 61.139.0.8 mask 255.255.255.252 61.139.0.12

C:\Documents and Settings\Administrator>route print
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 03 ff ff 36 db ...... Intel 21140-Based PCI Fast Ethernet Adapter (Generic)
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       61.139.0.1      61.139.0.1      20
       61.139.0.0    255.255.255.0       61.139.0.1      61.139.0.1      20
       61.139.0.1  255.255.255.255        127.0.0.1       127.0.0.1      20
       61.139.0.8  255.255.255.252      61.139.0.12      61.139.0.1       1
   61.255.255.255  255.255.255.255       61.139.0.1      61.139.0.1      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
        224.0.0.0        240.0.0.0       61.139.0.1      61.139.0.1      20
  255.255.255.255  255.255.255.255       61.139.0.1      61.139.0.1       1
Default Gateway:        61.139.0.1
===========================================================================
Persistent Routes:
None
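A longest-prefix-match lookup over External1's routing table, as an added example that is not from the article, showing why the ping to the DMZ failed before this step and works after it: with only the on-link 61.139.0.0/24 route, External1 ARPs for 61.139.0.10 on its own segment; once the /30 is added, it forwards the packet to 61.139.0.12. The route entries are constructed from the `route print` output above; the function and constant names are my own.

```python
import ipaddress

# External1's routing table before step 4, constructed from the article's
# `route print` output: (destination, netmask, gateway, interface, metric).
EXTERNAL1_ROUTES = [
    ("0.0.0.0",         "0.0.0.0",         "61.139.0.1", "61.139.0.1", 20),
    ("61.139.0.0",      "255.255.255.0",   "61.139.0.1", "61.139.0.1", 20),
    ("61.139.0.1",      "255.255.255.255", "127.0.0.1",  "127.0.0.1",  20),
    ("61.255.255.255",  "255.255.255.255", "61.139.0.1", "61.139.0.1", 20),
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",  "127.0.0.1",  1),
    ("224.0.0.0",       "240.0.0.0",       "61.139.0.1", "61.139.0.1", 20),
    ("255.255.255.255", "255.255.255.255", "61.139.0.1", "61.139.0.1", 1),
]

# The route added in step 4: route add 61.139.0.8 mask 255.255.255.252 61.139.0.12
DMZ_ROUTE = ("61.139.0.8", "255.255.255.252", "61.139.0.12", "61.139.0.1", 1)


def lookup(routes, destination):
    """Pick the most specific matching route (longest prefix, then lowest
    metric) and report how the host will deliver the packet."""
    dst = ipaddress.ip_address(destination)
    best = None
    for dest, mask, gateway, iface, metric in routes:
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst not in network:
            continue
        rank = (network.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, str(network), gateway, iface)
    if best is None:
        return None
    _, network, gateway, iface = best
    if gateway == iface:
        # Windows lists the interface's own address as the gateway of an
        # on-link network: the host ARPs for the destination on that segment
        # instead of sending the packet to a router, so a host that is
        # actually behind the ISA firewall never sees the packet.
        return {"route": network, "delivery": "on-link",
                "arp_for": str(dst), "interface": iface}
    return {"route": network, "delivery": "gateway",
            "next_hop": gateway, "interface": iface}


if __name__ == "__main__":
    print("before step 4:", lookup(EXTERNAL1_ROUTES, "61.139.0.10"))
    print("after step 4: ", lookup(EXTERNAL1_ROUTES + [DMZ_ROUTE], "61.139.0.10"))
```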

5. Test connectivity between the networks, part two

Now we test again on External1:

/* Ping the ISA firewall's DMZ interface */
C:\Documents and Settings\Administrator>ping 61.139.0.9 -n 2
Pinging 61.139.0.9 with 32 bytes of data:
Reply from 61.139.0.9: bytes=32 time=2ms TTL=128
Ping statistics for 61.139.0.9:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 2ms, Average = 2ms
Control-C
^C

/* Ping the host Ftp1 in the DMZ network */
C:\Documents and Settings\Administrator>ping 61.139.0.10 -n 2
Pinging 61.139.0.10 with 32 bytes of data:
Reply from 61.139.0.10: bytes=32 time=3ms TTL=127
Reply from 61.139.0.10: bytes=32 time=1ms TTL=127
Ping statistics for 61.139.0.10:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 3ms, Average = 2ms

/* Access the FTP service on host Ftp1 */
C:\Documents and Settings\Administrator>ftp 61.139.0.10
Connected to 61.139.0.10.
220 Serv-U FTP Server v6.0 for WinSock ready...
User (61.139.0.10:(none)): anonymous
331 User name okay, please send complete E-mail address as password.
Password:
230 User logged in, proceed.
ftp>

At this point, in the management console of the FTP service on Ftp1, you can see:

The experiment has completed successfully.

As the experiment shows, deploying Internet IP addresses in the DMZ network costs three IP addresses and additionally requires route configuration on the ISP's router. So, in general, it is not recommended to deploy Internet IP addresses directly in the DMZ network; instead, bind multiple external IP addresses to the ISA firewall and publish the services in the DMZ network on different addresses. For the specific configuration, see the article How to: Using Public IP Addresses to Access Servers in the DMZ.
