ASPF FTP application inspection configuration example

Network requirements

Configure an ASPF policy on Router A to inspect the FTP traffic flows passing through Router A. Only return packets for FTP connections initiated by users on the internal network are permitted to pass through Router A and get into the internal network. All other types of packets from the external network to the internal network are blocked.

Figure 168: Network diagram

Configuration procedure

# Configure ACL 3111 to deny all IP packets.

<RouterA> system-view
[RouterA] acl advanced 3111
[RouterA-acl-ipv4-adv-3111] rule deny ip
[RouterA-acl-ipv4-adv-3111] quit

# Create ASPF policy 1 for FTP inspection.

[RouterA] aspf-policy 1
[RouterA-aspf-policy-1] detect ftp
[RouterA-aspf-policy-1] quit

# Apply ACL 3111 to deny all incoming IP packets on GigabitEthernet 1/0/1.

[RouterA] interface gigabitethernet 1/0/1
[RouterA-GigabitEthernet1/0/1] packet-filter 3111 inbound

# Apply ASPF policy 1 to the outgoing traffic on GigabitEthernet 1/0/1.

[RouterA-GigabitEthernet1/0/1] aspf apply policy 1 outbound

Verifying the configuration

# Verify that an ASPF session has been established for the FTP connection between the host and the FTP server.

<RouterA> display aspf session ipv4
Initiator:
  Source      IP/port: 192.168.1.2/1877
  Destination IP/port: 2.2.2.11/21 
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Total sessions found: 1

# Verify that only the return packets of FTP connections can enter the internal network. (Details not shown.)
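As an added example (not part of the original configuration guide), the following Python script parses the `display aspf session ipv4` output shown above and flags any session that is not a TCP connection to port 21 initiated from the internal network. The field regexes, the internal prefix 192.168.1.0/24 and the second, deliberately non-compliant session are assumptions constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample: the session from the verification step above, plus a
# made-up second session that the policy should never allow to exist.
SAMPLE_OUTPUT = """\
Initiator:
  Source      IP/port: 192.168.1.2/1877
  Destination IP/port: 2.2.2.11/21
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/1
Initiator:
  Source      IP/port: 2.2.2.11/40000
  Destination IP/port: 192.168.1.2/21
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0/2
Total sessions found: 2
"""

def parse_aspf_sessions(text):
    """Split 'display aspf session ipv4' output into one dict per session."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Initiator:":
            sessions.append({})          # a new session record starts here
        elif not sessions or line.startswith("Total sessions"):
            continue
        elif m := re.match(r"(Source|Destination)\s+IP/port:\s*(\S+)/(\d+)", line):
            role, ip, port = m.groups()
            sessions[-1][role.lower()] = (ip, int(port))
        elif m := re.match(r"Protocol:\s*(\w+)", line):
            sessions[-1]["protocol"] = m.group(1)
        elif m := re.match(r"Inbound interface:\s*(\S+)", line):
            sessions[-1]["inbound_interface"] = m.group(1)
    return sessions

def unexpected_sessions(sessions, internal_net, ftp_port=21):
    """Return sessions that are not FTP control connections from inside."""
    net = ipaddress.ip_network(internal_net)
    bad = []
    for s in sessions:
        src_ip, _ = s.get("source", ("0.0.0.0", 0))
        _, dst_port = s.get("destination", ("0.0.0.0", 0))
        if (s.get("protocol") != "TCP"
                or ipaddress.ip_address(src_ip) not in net
                or dst_port != ftp_port):
            bad.append(s)
    return bad
```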