ASPF FTP application inspection configuration example
Network requirements
Configure an ASPF policy on Router A to inspect the FTP traffic flows passing through Router A. Only the return packets of FTP connections initiated by users on the internal network are permitted to pass through Router A into the internal network. All other packets from the external network to the internal network are blocked, including the return packets of non-FTP connections initiated from the internal network, because the policy inspects FTP only.
Figure 168: Network diagram
Configuration procedure
# Configure ACL 3111 to deny all IP packets.
<RouterA> system-view
[RouterA] acl advanced 3111
[RouterA-acl-ipv4-adv-3111] rule deny ip
[RouterA-acl-ipv4-adv-3111] quit
# Create ASPF policy 1 for FTP inspection.
[RouterA] aspf-policy 1
[RouterA-aspf-policy-1] detect ftp
[RouterA-aspf-policy-1] quit
# Apply ACL 3111 to deny all incoming IP packets on GigabitEthernet 1/0/1.
[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] packet-filter 3111 inbound
# Apply ASPF policy 1 to the outgoing traffic on GigabitEthernet 1/0/1. ASPF records a session for each FTP connection it sees leaving this interface, and the return packets of those sessions are permitted on the way back in despite ACL 3111.
[RouterA-GigabitEthernet1/0/1] aspf apply policy 1 outbound
[RouterA-GigabitEthernet1/0/1] quit
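The behaviour this configuration produces, as an added illustrative model written for this page (it is not Comware code and does not describe the router's internal implementation): ACL 3111 denies everything entering GigabitEthernet 1/0/1 unless the packet belongs to a session ASPF recorded while inspecting outbound FTP traffic, and, as an assumption about what `detect ftp` covers, the PORT commands and 227 replies on the FTP control channel are parsed so that the data connection of an active-mode or passive-mode transfer is admitted as well. The host and server addresses are those from this example; the other port numbers and the FTP payloads are constructed.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One TCP packet as seen on GE1/0/1 (constructed sample data, not a capture)."""
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""  # FTP control-channel text, if any


# Active mode: client sends "PORT h1,h2,h3,h4,p1,p2"; the server then connects in.
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
# Passive mode: server answers "227 ... (h1,h2,h3,h4,p1,p2)"; the client connects out.
_PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _endpoint(m):
    """Decode the six comma-separated fields of PORT/227 into (ip, port)."""
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def _flow(pkt):
    """Direction-independent session key: the two endpoints of the connection."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


class AspfFtpFilter:
    """Model of ACL 3111 inbound plus ASPF policy 1 ('detect ftp') outbound (assumed semantics)."""

    def __init__(self, ftp_port=21):
        self.ftp_port = ftp_port
        self.sessions = set()    # flows ASPF recorded (what 'display aspf session' would list)
        self.expect_in = set()   # (server, client, port): active-mode data connection to admit
        self.expect_out = set()  # (client, server, port): passive-mode data connection to track

    def outbound(self, pkt):
        """Traffic leaving GE1/0/1 (internal -> external). No packet-filter applies,
        but only FTP flows leave a session that lets their return traffic back in."""
        if pkt.dport == self.ftp_port:
            self.sessions.add(_flow(pkt))
            m = _PORT_RE.match(pkt.payload)
            if m:  # client announced where the server may connect for the data channel
                ip, port = _endpoint(m)
                self.expect_in.add((pkt.dst, ip, port))
        elif (pkt.src, pkt.dst, pkt.dport) in self.expect_out:
            self.expect_out.discard((pkt.src, pkt.dst, pkt.dport))
            self.sessions.add(_flow(pkt))  # passive-mode data connection
        return "forward"

    def inbound(self, pkt):
        """Traffic entering GE1/0/1 (external -> internal). ACL 3111 denies all IP,
        except packets that match a session ASPF established."""
        if _flow(pkt) in self.sessions:
            m = _PASV_RE.match(pkt.payload)
            if m:  # server announced the port the client will connect to
                ip, port = _endpoint(m)
                self.expect_out.add((pkt.dst, ip, port))
            return "permit"
        if (pkt.src, pkt.dst, pkt.dport) in self.expect_in:
            self.expect_in.discard((pkt.src, pkt.dst, pkt.dport))
            self.sessions.add(_flow(pkt))  # active-mode data connection, server-initiated
            return "permit"
        return "deny"


def example_trace():
    """Replay the scenario from the network requirements (addresses from the page,
    ports other than 21 and all payloads are constructed) and return each decision."""
    fw = AspfFtpFilter()
    host, ftp, other = "192.168.1.2", "2.2.2.11", "192.168.1.3"
    t = []
    # FTP control connection from the internal host: its return traffic is let in.
    fw.outbound(Packet(host, 1877, ftp, 21))
    t.append(("ftp banner back to host", fw.inbound(Packet(ftp, 21, host, 1877, "220 ready"))))
    t.append(("unsolicited packet to other host", fw.inbound(Packet(ftp, 21, other, 1877))))
    # Non-FTP connection: forwarded out, but nothing is tracked, so its reply is dropped.
    fw.outbound(Packet(host, 40000, ftp, 80))
    t.append(("http reply to host", fw.inbound(Packet(ftp, 80, host, 40000))))
    # Active mode: PORT announces 192.168.1.2:1025 (4*256+1); server connects in from 20.
    fw.outbound(Packet(host, 1877, ftp, 21, "PORT 192,168,1,2,4,1"))
    t.append(("active data conn to announced port", fw.inbound(Packet(ftp, 20, host, 1025))))
    t.append(("active data conn to other port", fw.inbound(Packet(ftp, 20, host, 1026))))
    # Passive mode: 227 announces 2.2.2.11:2048 (8*256+0); client connects out to it.
    fw.inbound(Packet(ftp, 21, host, 1877, "227 Entering Passive Mode (2,2,2,11,8,0)"))
    fw.outbound(Packet(host, 50000, ftp, 2048))
    t.append(("passive data reply to host", fw.inbound(Packet(ftp, 2048, host, 50000))))
    t.append(("sessions recorded", len(fw.sessions)))
    return t


if __name__ == "__main__":
    for label, decision in example_trace():
        print(f"{label}: {decision}")
```

The trace makes the consequence of `detect ftp` alone visible: the reply to the internal host's HTTP request is dropped exactly like an unsolicited packet, because no session was recorded for it. If the internal network also needs other outbound protocols to work, the policy has to inspect those protocols too; a deny-all ACL with FTP-only inspection is the right configuration only when FTP is the sole service the internal users need.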
Verifying the configuration
# Verify that an ASPF session has been established for the FTP connection between the host and the FTP server.
<RouterA> display aspf session ipv4
Initiator:
  Source      IP/port: 192.168.1.2/1877
  Destination IP/port: 2.2.2.11/21
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: GigabitEthernet1/0/1
Total sessions found: 1
# Verify that only the return packets of FTP connections can enter the internal network, for example by initiating a non-FTP connection from the host and confirming that its reply is dropped at GigabitEthernet 1/0/1. (Details not shown.)