Hardware                       Configuration example compatibility
MSR954(JH296A/JH297A/JH299A)   No
MSR1002-4/1003-8S              Yes
MSR2003                        Yes
MSR2004-24/2004-48             Yes
MSR3012/3024/3044/3064         Yes
MSR4060/4080                   Yes
Network requirements
Configure an ASPF policy on Router A to inspect FTP traffic that passes through Router A to implement the following filtering:
• Permits only return packets for the FTP connections initiated by users on the internal network to pass through Router A.
• Blocks all other types of packets from the external network to the internal network.
Figure 140 Network diagram
Configuration procedure
# Configure ACL 3500 to permit IP packets.
<Router> system-view
[Router] acl advanced 3500
[Router-acl-ipv4-adv-3500] rule permit ip
[Router-acl-ipv4-adv-3500] quit
# Add GigabitEthernet 2/0/2 to security zone Trust.
[Router] security-zone name trust
[Router-security-zone-Trust] import interface gigabitethernet 2/0/2
[Router-security-zone-Trust] quit
# Add GigabitEthernet 2/0/1 to security zone Untrust.
[Router] security-zone name untrust
[Router-security-zone-Untrust] import interface gigabitethernet 2/0/1
[Router-security-zone-Untrust] quit
# Create ASPF policy 1 for FTP inspection.
[Router] aspf policy 1
[Router-aspf-policy-1] detect ftp
[Router-aspf-policy-1] quit
# Create a zone pair and enter its view.
[Router] zone-pair security source trust destination untrust
# Apply ACL 3500 to the zone pair to permit outgoing packets.
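The filtering this example achieves, as a constructed Python model added here (it is not the router's code or any HPE/H3C implementation): it keeps a session table for flows initiated from zone Trust toward Untrust, admits only the return packets of those sessions, and, because the policy uses detect ftp, parses FTP PORT commands on the control channel so that the server's active-mode data connection can be admitted even though it is a new inbound connection from Untrust. The addresses (10.1.1.2, 20.1.1.5, 20.1.1.9), port numbers and the rule that a PORT command must name the control connection's own source address are assumptions of the model.

```python
"""Constructed model of the ASPF filtering in this example (teaching code, not
the router's implementation). TCP only; packets are simple records."""
import re
from dataclasses import dataclass

TRUST, UNTRUST = "trust", "untrust"
FTP_CONTROL_PORT = 21
FTP_DATA_PORT = 20   # source port of an active-mode FTP data connection

PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


@dataclass(frozen=True)
class Packet:
    zone: str            # security zone the packet arrives from
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""    # FTP control-channel text, if any


class AspfModel:
    def __init__(self):
        # (src, sport, dst, dport) of sessions initiated from Trust
        self.sessions = set()
        # expected active-mode data connections: (server_ip, client_ip, client_port)
        self.pinholes = set()

    def handle(self, p: Packet) -> str:
        if p.zone == TRUST:
            # Zone pair Trust->Untrust: ACL 3500 "rule permit ip" lets the packet
            # out, and ASPF records the session so its replies can come back.
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            if p.dport == FTP_CONTROL_PORT:
                self._inspect_port_command(p)
            return "permit"

        # Packet arriving from Untrust: only return traffic is acceptable.
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "permit"
        if p.sport == FTP_DATA_PORT and (p.src, p.dst, p.dport) in self.pinholes:
            # The server opening the data connection the client asked for with
            # PORT; consume the pinhole and track it as a normal session.
            self.pinholes.discard((p.src, p.dst, p.dport))
            self.sessions.add((p.dst, p.dport, p.src, p.sport))
            return "permit"
        return "deny"   # unsolicited traffic from the external network

    def _inspect_port_command(self, p: Packet) -> None:
        m = PORT_CMD.match(p.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        client_ip = f"{h1}.{h2}.{h3}.{h4}"
        client_port = p1 * 256 + p2
        # Assumption of this model: honour only a PORT command naming the
        # control connection's own source address, never a third host.
        if client_ip == p.src:
            self.pinholes.add((p.dst, client_ip, client_port))


def run_demo() -> dict:
    """Constructed traffic sequence; returns the verdict for each packet."""
    aspf = AspfModel()
    client, server, outsider = "10.1.1.2", "20.1.1.5", "20.1.1.9"
    traffic = [
        ("ctl-out", Packet(TRUST, client, 40000, server, 21)),
        ("ctl-back", Packet(UNTRUST, server, 21, client, 40000)),
        ("unsolicited", Packet(UNTRUST, outsider, 1234, client, 22)),
        ("port-cmd", Packet(TRUST, client, 40000, server, 21, "PORT 10,1,1,2,4,1")),
        ("data-in", Packet(UNTRUST, server, 20, client, 1025)),
        ("data-in-2", Packet(UNTRUST, server, 20, client, 1025)),
        ("wrong-port", Packet(UNTRUST, server, 20, client, 1026)),
        ("port-other-host", Packet(TRUST, client, 40000, server, 21, "PORT 10,1,1,3,4,1")),
        ("other-host-data", Packet(UNTRUST, server, 20, "10.1.1.3", 1025)),
    ]
    return {name: aspf.handle(pkt) for name, pkt in traffic}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16s} {verdict}")
```

The data-in packet is the point of detect ftp: a session table alone would drop it, because from the router's view it is a new connection from the external network, and only application inspection of the control channel tells the router that the internal client requested it.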