Hello everyone,
Today, I'm going to introduce the discussion about FTP in the new HCIE lab.
Topic
1. Describe the working principle of FTP.
2. When FTP and NAT are combined on the network, what should I pay attention to when FTP is deployed on a firewall? (Please refer to the FTP ASPF function description in the firewall product documentation.)
Question 1
Describe the working principle of FTP
The FTP protocol has two working modes, passive mode and active mode, and it uses two separate TCP connections: the control channel and the data channel.
Working Principle of Passive Mode
Control channel establishment
The client randomly generates source port N and connects to port 21 of the FTP server. After the three-way TCP handshake is complete, the server notifies the client of (X.X.X.X; P1; P2), where X.X.X.X is the IP address of the server, and P1 and P2 are two random positive integers generated by the server.
Data channel establishment
The client uses N+1 as the source port and connects to port P1*256+P2 of the server, completing the three-way TCP handshake of the data channel and establishing the data channel.
In this mode, both channels are initiated by the client.
Working Principle of Active Mode
Control channel establishment
The client randomly generates source port N and connects to port 21 of the FTP server. After the three-way TCP handshake is complete, the client notifies the server of (X.X.X.X; P1; P2), where X.X.X.X is the IP address of the client, and P1 and P2 are two random positive integers generated by the client.
Data channel establishment
The FTP server uses source port 20 and connects to port N+1 (N+1 = P1*256 + P2) of the client, completing the three-way TCP handshake of the data channel and establishing the data channel.
Question 2
When FTP and NAT are combined, application-layer packet filtering (ASPF) and the application-layer gateway (ALG) must be enabled on the firewall for FTP services to be accessible through it.
In both active and passive mode, if the firewall security policy permits only the traffic of the control channel, FTP access cannot work normally, because the port number negotiated for the FTP data channel is random and cannot be predicted in advance. To let the firewall permit the data-channel traffic dynamically, you need to enable ASPF, which analyzes the application-layer information of the FTP control channel to predict the behavior of the data channel before it is established. A server-map entry is created from the IP address and port number carried in that application-layer information. When the data-channel packets reach the firewall, they match the server-map entry and are not subject to the security policy: the firewall permits them dynamically and creates session entries for them.
In the NAT scenario with the ALG function configured, in active mode the firewall analyzes the application-layer information in the PORT command, translates the private IP address and port carried in the PORT command into a public IP address and port, forwards the rewritten packet to the server, and creates a server-map entry. The server then initiates a data connection to the translated public address and port. When that packet reaches the firewall, it matches the server-map entry, and the firewall automatically translates the destination address and port back to the real private address and port, thereby permitting the data-channel traffic.
In passive mode, the firewall analyzes the application-layer information in the server's PASV reply (the "PASV Command OK" message), translates the private IP address and port carried in that reply into a public IP address and port, forwards the translated IP address and port to the client, and creates a server-map entry.
The client then initiates a data connection to the translated public address and port. When that packet reaches the firewall, it matches the server-map entry, and the firewall automatically translates the destination address and port back to the real private address and port, thereby permitting the data-channel traffic.
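To make the port arithmetic from Question 1 and the ALG/server-map behavior from Question 2 concrete, here is an added Python example (my own illustration, not code from the Huawei firewall or from this post). It parses the PORT command and the 227 PASV reply using the RFC 959 host-port syntax (port = P1*256 + P2), then models a toy firewall ALG that rewrites the announced private address to a public one, records a server-map entry, and matches the later data-channel SYN against that entry. The public address 203.0.113.5, the private addresses, the port range starting at 10000 and the class name FtpAlg are all constructed for the example.

```python
"""FTP PORT/PASV parsing plus a minimal model of firewall ASPF/ALG server-map handling."""
import re
from typing import Dict, Optional, Sequence, Tuple

# RFC 959 host-port syntax: h1,h2,h3,h4,p1,p2 where the port is p1*256 + p2.
PORT_CMD_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", re.IGNORECASE)
PASV_REPLY_RE = re.compile(r"^227\s.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields: Sequence[str]) -> Tuple[str, int]:
    """Turn the six decimal fields into (ip, port); every field must fit in one byte."""
    values = [int(f) for f in fields]
    if any(not 0 <= v <= 255 for v in values):
        raise ValueError("host-port field out of range: %r" % (list(fields),))
    h1, h2, h3, h4, p1, p2 = values
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport: (ip, port) -> 'h1,h2,h3,h4,p1,p2'."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Active mode: client announces (ip, port) in a PORT command; None if not a PORT line."""
    m = PORT_CMD_RE.match(line.strip())
    return decode_hostport(m.groups()) if m else None


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Passive mode: server announces (ip, port) in its 227 reply; None if not a 227 line."""
    m = PASV_REPLY_RE.match(line.strip())
    return decode_hostport(m.groups()) if m else None


class FtpAlg:
    """Toy model (an assumption for this example, not vendor code) of the firewall's FTP ALG:
    inspect the control channel, translate the announced private address/port to a public
    one, and record a server-map entry so the coming data connection can be matched."""

    def __init__(self, public_ip: str, first_public_port: int = 10000):
        self.public_ip = public_ip
        self._next_port = first_public_port
        # server-map: (public_ip, public_port) -> (private_ip, private_port)
        self.server_map: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate(self, private_ip: str, private_port: int) -> Tuple[str, int]:
        key = (self.public_ip, self._next_port)
        self._next_port += 1
        self.server_map[key] = (private_ip, private_port)
        return key

    def rewrite_port_command(self, line: str) -> str:
        """Active mode, client -> server direction: rewrite the private (ip, port) in PORT."""
        parsed = parse_port_command(line)
        if parsed is None:
            return line  # not a PORT command: forward untouched
        pub_ip, pub_port = self._allocate(*parsed)
        return "PORT %s\r\n" % encode_hostport(pub_ip, pub_port)

    def rewrite_pasv_reply(self, line: str) -> str:
        """Passive mode, server -> client direction: rewrite the private (ip, port) in 227."""
        parsed = parse_pasv_reply(line)
        if parsed is None:
            return line  # not a PASV reply: forward untouched
        pub_ip, pub_port = self._allocate(*parsed)
        return "227 Entering Passive Mode (%s)\r\n" % encode_hostport(pub_ip, pub_port)

    def match_data_syn(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """A data-channel SYN reaches the firewall: return the real private destination if
        it hits a server-map entry, or None (no entry, so ordinary policy applies)."""
        return self.server_map.get((dst_ip, dst_port))


if __name__ == "__main__":
    alg = FtpAlg("203.0.113.5")
    # Constructed control-channel lines: a private client in active mode, a private server in passive mode.
    print(alg.rewrite_port_command("PORT 192,168,1,10,4,1\r\n").strip())
    print(alg.rewrite_pasv_reply("227 Entering Passive Mode (10,0,0,20,195,80)\r\n").strip())
    print(alg.match_data_syn("203.0.113.5", 10000))  # data SYN from the server hits the entry
    print(alg.match_data_syn("203.0.113.5", 10002))  # no entry: left to the normal security policy
```

The model deliberately keeps only the pieces the post talks about. A real ALG also has to adjust TCP sequence and acknowledgement numbers on the control connection when the rewritten PORT or 227 payload differs in length from the original, and it ages out server-map entries that are never used, both of which are omitted here.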
That is all I want to share with you!