HCIE Routing & Switching Lab Exam Discussion - FTP

Latest reply: Jan 27, 2022 14:40:14

Hello everyone,

Today I'm going to introduce the FTP discussion topic from the new HCIE lab.


Topic

1. Describe the working principle of FTP.

2. When FTP and NAT are combined on the network, what should you pay attention to when FTP traffic passes through a firewall? (Please refer to the FTP ASPF function description in the firewall product documentation.)


Question 1

Describe the working principle of FTP

FTP has two working modes, passive mode and active mode, and uses two TCP connections: the control channel and the data channel.

Working Principle of Passive Mode

Control channel establishment

The client chooses a random source port N and connects to port 21 of the FTP server. After the three-way TCP handshake is complete, the client requests passive mode and the server replies with (X.X.X.X; P1; P2), where X.X.X.X is the IP address of the server and P1 and P2 are two random positive integers generated by the server.

Data channel establishment

The client then uses N+1 as the source port and connects to port P1*256+P2 of the server; once this three-way TCP handshake completes, the data channel is established.

In this mode, both channels are initiated by the client.

Working Principle of Active Mode

Control channel establishment

The client chooses a random source port N and connects to port 21 of the FTP server. After the three-way TCP handshake is complete, the client sends the server (X.X.X.X; P1; P2) in a PORT command, where X.X.X.X is the IP address of the client and P1 and P2 are two random positive integers generated by the client.

Data channel establishment

The FTP server connects from source port 20 to port N+1 (N+1 = P1*256 + P2) of the client; once this three-way TCP handshake completes, the data channel is established.

In this mode, the control channel is initiated by the client but the data channel is initiated by the server.


Question 2

When FTP and NAT are combined, application-layer packet filtering (ASPF) and the application-layer proxy gateway (ALG) must be enabled on the firewall for FTP services to be reachable.

In both active and passive modes, if the firewall security policy permits only the control-channel traffic, FTP access fails, because the port number of the FTP data channel is negotiated at random and cannot be predicted accurately. To let the firewall dynamically permit the data-channel traffic, enable ASPF: it analyzes the application-layer information on the FTP control channel and predicts the packets of the data channel in advance. A server-map table is created from the IP address and port number carried in that application-layer information. When the data-channel packets reach the firewall, they match the server-map entry and are not subject to the security policy; the firewall dynamically permits them and generates session entries.


In the NAT scenario, once the ALG function is configured, the firewall in active mode analyzes the application-layer information in the PORT command, translates the private IP address and port carried in the PORT command into a public IP address and port, forwards the packet to the server, and creates a server-map entry. The server then initiates the data connection to the translated public address and port. When that packet reaches the firewall, it matches the server-map entry, and the firewall automatically translates the destination address and port back to the real private address and port, so the data-channel traffic is permitted.


In passive mode, the firewall analyzes the application-layer information in the server's reply to the PASV command (the "PASV Command OK" message), translates the private IP address and port carried in that reply into a public IP address and port, forwards the translated IP address and port to the client, and creates a server-map entry.

The client then initiates the data connection to the translated public address and port. When that packet reaches the firewall, it matches the server-map entry, and the firewall automatically translates the destination address and port back to the real private address and port, so the data-channel traffic is permitted.
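As an added example (not part of the original post), the following Python models the application-layer logic described in Questions 1 and 2: reconstructing the data-channel endpoint P1*256+P2 from a PORT command or a 227 PASV reply, rewriting the private endpoint to its public translation as the ALG does, and matching the resulting server-map entry when the data-channel connection reaches the firewall. The control-channel lines, addresses and the port allocator are constructed for illustration, and the ServerMap class is a hypothetical simplification of a firewall's server-map table.

```python
import re
from dataclasses import dataclass

# Constructed control-channel lines (not from the post): the PORT command a client
# sends in active mode, and the 227 reply a server sends in passive mode.
PORT_CMD = "PORT 192,168,1,10,19,137"
PASV_REPLY = "227 Entering Passive Mode (10,0,0,5,195,80)"

_ENDPOINT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_endpoint(line: str) -> tuple[str, int]:
    """(ip, port) from a PORT command or 227 reply; the port arrives as P1,P2 and is P1*256+P2."""
    m = _ENDPOINT.search(line)
    if m is None:
        raise ValueError(f"no h1,h2,h3,h4,p1,p2 endpoint in {line!r}")
    v = [int(x) for x in m.groups()]
    if max(v) > 255:
        raise ValueError(f"octet out of range in {line!r}")
    return ".".join(map(str, v[:4])), v[4] * 256 + v[5]

def format_endpoint(ip: str, port: int) -> str:
    """Inverse of parse_endpoint: render ip/port as h1,h2,h3,h4,p1,p2."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

@dataclass(frozen=True)
class ServerMap:
    """Hypothetical server-map entry: public endpoint the peer connects to, real private endpoint behind it."""
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int

def alloc_port(priv_port: int) -> int:
    """Constructed, deterministic stand-in for the firewall's public NAT port pool."""
    return 30000 + priv_port % 10000

def alg_rewrite(line: str, nat: dict[str, str]) -> tuple[str, ServerMap]:
    """ALG: swap the private endpoint in a PORT/227 line for its public one; create the server-map entry."""
    priv_ip, priv_port = parse_endpoint(line)
    pub_ip, pub_port = nat[priv_ip], alloc_port(priv_port)
    rewritten = _ENDPOINT.sub(format_endpoint(pub_ip, pub_port), line, count=1)
    return rewritten, ServerMap(pub_ip, pub_port, priv_ip, priv_port)

def match_server_map(entries: list[ServerMap], dst_ip: str, dst_port: int):
    """Data-channel SYN at the firewall: a hit returns the real private destination (dest NAT), a miss None."""
    for e in entries:
        if (e.public_ip, e.public_port) == (dst_ip, dst_port):
            return e.private_ip, e.private_port
    return None
```

A data-channel SYN that matches no server-map entry falls back to the ordinary security policy, which is exactly the case the post says fails when only the control channel is permitted.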


That is all I want to share with you!


DDSN
Admin Created Dec 25, 2021 02:48:15

andersoncf1
andersoncf1 Created Jan 27, 2022 11:56:14
IndianKid
Moderator Author Created Dec 25, 2021 04:14:45

A very good explanation of the FTP lab, thanks for sharing.

DDSN
DDSN Created Dec 27, 2021 09:22:31
Thank you!
Thanks for sharing

DDSN
DDSN Created Dec 27, 2021 09:22:38
great

DDSN
DDSN Created Dec 27, 2021 09:22:48
hemin88
Moderator Author Created Dec 28, 2021 18:49:01

Thanks for all that you share with us, really helpful.

DDSN
DDSN Created Jan 4, 2022 00:45:52
Thank you!
Excellent, thank you for sharing!

DDSN
DDSN Created Jan 4, 2022 00:45:58

Awesome post. As always, keep up the good work!

IndianKid
Moderator Author Created Jan 15, 2022 10:53:56

Great share about HCIE Routing & Switching Lab Exam Discussion - FTP, thanks.