
H3C Technologies H3C SecPath F1000-E User Manual


GPRS Tunneling Protocol (GTP)

The following describes FTP operation on an ALG-enabled device. As shown in Figure 33, a host in the outside network accesses an FTP server in the inside network in passive (PASV) mode through the ALG-enabled device.

Figure 33 Network diagram for ALG-enabled FTP application in PASV mode

The communication process includes the following stages:

1. Establishing a control connection
The host sends a TCP connection request to the server's control port (TCP 21 by default). If the TCP connection is established, the server and the host enter the user authentication stage.

2. Authenticating the user
The host sends the server an authentication request, which carries the FTP USER and PASS commands and their arguments.
When the request passes through the ALG-enabled device, the device parses the commands in the packet payload and checks that they follow the expected FTP command state machine (for example, PASS is only valid after USER). A request that violates the state machine is dropped. In this way, ALG protects the server against clients that send out-of-sequence commands or log into the server with illegal user accounts.
A request with a correct state is forwarded by the ALG-enabled device to the server, which authenticates the host according to the information in the packet.

3. Establishing a data connection
If the host passes authentication, a data connection is established between it and the server. In active mode the server opens the data connection to an address the host advertises; in passive mode the roles are reversed, so the process is different. The host sends PASV, and the server answers with a 227 (Entering Passive Mode) response that carries the server's private network address and port number (IP1, Port1). When the response arrives at the ALG-enabled device, the device parses the payload and translates the server's private address and port into the server's public address and port (IP2, Port2) before forwarding the response, so the host receives an endpoint it can reach. When the host then opens the data connection to (IP2, Port2), the device translates the destination back to (IP1, Port1) and forwards the connection to the server.

4. Exchanging data

Figure 33 (labels recovered from the diagram): the FTP server is in the inside network, the host is in the outside network, and the device between them runs NAT with FTP-ALG enabled. Message sequence:
  Host -> Device -> FTP server:  FTP_CMD("PASV")
  FTP server -> Device:          FTP_EnterPassive("IP1, Port1")
  ALG on the device:             IP1, Port1 -> IP2, Port2
  Device -> Host:                FTP_EnterPassive("IP2, Port2")
  Host -> Device:                FTP_Connect(IP2, Port2)
  Device -> FTP server:          FTP_Connect(IP1, Port1)
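The four stages above, driven end to end in Python as an added example (this is not H3C code and does not describe how the SecPath device implements ALG internally): a control-channel state check that drops out-of-sequence commands, the rewrite of the server's 227 reply from (IP1, Port1) to (IP2, Port2), and the translation of the host's data connection back to (IP1, Port1). The addresses, the NAT port pool, the allowed-command table and the rule that rejects a 227 reply advertising an address other than the server's own are assumptions made for the example. Beyond what the page states, it also records the payload-length change the rewrite causes, which a real in-path device must compensate in the TCP sequence and acknowledgement numbers of later segments.

```python
"""FTP-ALG for PASV mode, modelled in Python: control-channel state check,
227 reply rewrite (IP1, Port1) -> (IP2, Port2), and data-connection mapping.

Added example; not H3C code. The addresses, the NAT port pool and the
allowed-command table are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

SERVER_PRIVATE_IP = "10.1.1.20"    # IP1: the FTP server's inside address (assumed)
DEVICE_PUBLIC_IP = "203.0.113.10"  # IP2: the public address the device presents (assumed)

# RFC 959 passive reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_REPLY = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# Commands the ALG accepts in each control-connection state (assumed table);
# anything else is a state-machine error and is dropped before reaching the server.
ALLOWED = {
    "CONNECTED": {"USER", "QUIT"},
    "NEED_PASS": {"PASS", "QUIT"},
    "LOGGED_IN": {"PASV", "PORT", "TYPE", "CWD", "PWD", "LIST", "RETR", "STOR", "QUIT"},
}
TRANSITIONS = {("CONNECTED", "USER"): "NEED_PASS", ("NEED_PASS", "PASS"): "LOGGED_IN"}


@dataclass
class FtpAlgSession:
    state: str = "CONNECTED"
    next_public_port: int = 40000                 # assumed start of the NAT port pool
    data_map: dict = field(default_factory=dict)  # (IP2, Port2) -> (IP1, Port1)
    seq_delta: int = 0                            # bytes added to the server->host stream

    def inspect_command(self, line: str) -> bool:
        """Host -> server control packet. True = forward, False = drop."""
        verb = line.strip().split(" ", 1)[0].upper()
        if verb not in ALLOWED[self.state]:
            return False
        self.state = TRANSITIONS.get((self.state, verb), self.state)
        return True

    def rewrite_reply(self, line: str) -> Optional[str]:
        """Server -> host control packet. Rewrites 227 replies; other replies pass
        through unchanged. Returns None to drop the packet."""
        m = PASV_REPLY.match(line)
        if not m:
            return line
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
            return None  # malformed reply: drop rather than forward garbage
        private_ip = f"{h1}.{h2}.{h3}.{h4}"
        private_port = p1 * 256 + p2
        # Hardening choice (not stated in the manual): only rewrite an address that is
        # actually the server's, so a reply cannot redirect the host elsewhere.
        if private_ip != SERVER_PRIVATE_IP:
            return None
        public_port = self.next_public_port
        self.next_public_port += 1
        self.data_map[(DEVICE_PUBLIC_IP, public_port)] = (private_ip, private_port)
        h = DEVICE_PUBLIC_IP.replace(".", ",")
        new_line = f"227 Entering Passive Mode ({h},{public_port // 256},{public_port % 256})\r\n"
        # Rewriting changes the TCP payload length; a real device must apply this
        # delta to sequence/acknowledgement numbers on later segments of the flow.
        self.seq_delta += len(new_line) - len(line)
        return new_line

    def translate_data_connect(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Host opens the data connection to (IP2, Port2). Returns (IP1, Port1) to
        forward to, or None if no PASV reply announced this endpoint (unsolicited)."""
        return self.data_map.pop((dst_ip, dst_port), None)  # one connection per PASV


def run_pasv_exchange() -> dict:
    """Drive the exchange of Figure 33 through the ALG and collect its decisions."""
    alg = FtpAlgSession()
    out = {}
    out["pass_before_user"] = alg.inspect_command("PASS s3cret\r\n")   # dropped
    out["user"] = alg.inspect_command("USER alice\r\n")
    out["pasv_before_login"] = alg.inspect_command("PASV\r\n")          # dropped
    out["pass"] = alg.inspect_command("PASS s3cret\r\n")
    out["pasv"] = alg.inspect_command("PASV\r\n")
    # Constructed server reply: IP1, Port1 = 10.1.1.20:50009 (195*256 + 89)
    out["rewritten"] = alg.rewrite_reply("227 Entering Passive Mode (10,1,1,20,195,89)\r\n")
    out["seq_delta"] = alg.seq_delta
    out["data_target"] = alg.translate_data_connect(DEVICE_PUBLIC_IP, 40000)
    out["replay"] = alg.translate_data_connect(DEVICE_PUBLIC_IP, 40000)   # second use: refused
    out["foreign_addr"] = alg.rewrite_reply("227 Entering Passive Mode (192,168,9,9,4,1)\r\n")
    return out


if __name__ == "__main__":
    for k, v in run_pasv_exchange().items():
        print(f"{k}: {v!r}")
```

The mapping is consumed on first use, so the public port announced in one 227 reply admits exactly one data connection; a second connection to the same endpoint, or a connection to a port no reply announced, is treated as unsolicited and gets no translation.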