H3C Technologies H3C WX3000E Series Wireless Switches User Manual
Figure 260 ALG-enabled FTP application in passive mode
The communication process includes the following steps:
1. Establishing a control connection.
The host sends a TCP connection request to the server. Once the TCP connection is established, the server and the host enter the user authentication stage.
2. Authenticating the user.
The host sends an authentication request to the server; the request carries the FTP commands (user and password) together with their contents.
When the request passes through the ALG-enabled device, the device parses the commands in the packet payload and checks whether the protocol state transition is proceeding correctly. If it is not, the request is dropped. In this way, ALG protects the server against clients that send packets with state errors or that log in to the server with unauthorized user accounts.
An authentication request with the correct state is forwarded by the ALG-enabled device to the server, which authenticates the host according to the information in the packet.
3. Establishing a data connection.
If the host passes authentication, a data connection is established between the host and the server. If the host is accessing the server in passive mode, the server sends the host a PASV response containing its private network address and port number (IP1, Port1). When the response arrives at the ALG-enabled device, the device parses the packet and translates the server's private network address and port number into the server's public network address and port number (IP2, Port2). The host then establishes the data connection to the public network address and port number, and the device maps that connection back to the server's private address and port number (IP1, Port1).
4. Exchanging data.
The host and the FTP server exchange data through the established data connection.
[Figure 260: the host on the outside network and the FTP server on the inside network, connected through a NAT device with FTP-ALG enabled. Message sequence: FTP_CMD("PASV") from host to server; FTP_EnterPassive("IP1, Port1") from the server, rewritten by the ALG to FTP_EnterPassive("IP2, Port2") toward the host; FTP_Connect(IP2, Port2) from the host, translated by the device to FTP_Connect(IP1, Port1) toward the server.]
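As an added illustration that is not part of the manual, the following Python model shows the two FTP-ALG behaviours described in steps 2 and 3: dropping control-channel commands that arrive out of protocol state, and rewriting a PASV reply's private (IP1, Port1) into the public (IP2, Port2) while remembering the mapping for the data connection. The public address 203.0.113.5, the public port range and the state table are constructed assumptions, and the model watches only client commands, not server replies.

```python
import re
from dataclasses import dataclass, field

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" as sent by the FTP server
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

# Constructed state table: which client commands are acceptable in each state.
ALLOWED = {
    "CONNECTED": {"USER", "QUIT"},
    "USER_SENT": {"PASS", "QUIT"},
    "AUTHENTICATED": {"PASV", "PORT", "LIST", "RETR", "STOR", "QUIT"},
}


def parse_pasv(line):
    """Return (ip, port) from a 227 reply, or None if the line is not one."""
    m = PASV_RE.search(line)
    if not m:
        return None
    h = m.groups()
    return ".".join(h[:4]), int(h[4]) * 256 + int(h[5])


def format_pasv(ip, port):
    """Build a 227 reply carrying the given address and port."""
    return "227 Entering Passive Mode (%s,%d,%d)\r\n" % (
        ",".join(ip.split(".")), port // 256, port % 256)


@dataclass
class FtpAlg:
    public_ip: str                      # IP2: the server's public address
    state: str = "CONNECTED"
    next_port: int = 40000              # constructed public port pool
    # (public ip, public port) -> (private ip, private port)
    data_map: dict = field(default_factory=dict)

    def inspect_command(self, line):
        """Step 2: forward (True) or drop (False) a client command."""
        cmd = line.split(" ", 1)[0].strip().upper()
        if cmd not in ALLOWED[self.state]:
            return False                # wrong state transition: drop it
        if cmd == "USER":
            self.state = "USER_SENT"
        elif cmd == "PASS":
            self.state = "AUTHENTICATED"
        return True

    def rewrite_pasv_response(self, line):
        """Step 3: replace (IP1, Port1) with (IP2, Port2) and record the map."""
        parsed = parse_pasv(line)
        if parsed is None:
            return line                 # not a PASV reply, pass through
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.data_map[(self.public_ip, pub_port)] = parsed
        return format_pasv(self.public_ip, pub_port)

    def translate_data_connection(self, dst_ip, dst_port):
        """Map the host's data connection target back to (IP1, Port1)."""
        return self.data_map.get((dst_ip, dst_port))
```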