3Com 3C13636 Configuration Manual (page 1092)

3Com Router 3000 Ethernet Family
Configuration Guide
internal network is an internal interface, while the one connecting with the Internet is an
external interface.
When ASPF is applied to the outbound direction of an external interface on the router, a
temporary channel is opened on the firewall for the returned packets of sessions that
internal network users initiate toward the Internet.
II. Fundamentals of application protocol layer detection
[Figure 6-1 Fundamentals of application protocol layer detection: Client A on the protected network accessing an external host through the router]
As shown in the figure above, a static ACL is normally configured on the router to allow
hosts on the internal network to access the external network and to prohibit hosts on the
external network from accessing the internal network. A static ACL, however, also filters
out the packets returned to an internal user after it initiates a connection, so the
connection cannot be established. When the router is configured with application layer
protocol detection, ASPF inspects every session at the application layer and creates a
status table and a temporary access control list (TACL). A status table entry is created
when the first packet of a session is detected; it records the state of the session at each
point in time and is used to check that the session's state transitions are valid. The TACL
entry is created together with the status entry and is deleted when the session terminates.
It acts like a permit entry in an extended ACL that matches all the returned packets of that
session, so in effect a temporary channel is opened at the external interface of the
firewall for exactly those returned packets.
Take FTP detection as an example to illustrate the detection process for a multi-channel
application layer protocol.
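The status table and TACL mechanism described above, and the FTP multi-channel case, as an added example in Python that is not part of the 3Com manual: it models an ASPF-like filter on the external interface, creates a TACL entry for a session's returned packets when the first outbound packet is seen, parses the PORT command on the FTP control channel so the data connection the server opens from port 20 to the announced client port is pre-permitted, and removes all entries when the session closes. A plain static ACL is modelled beside it for contrast. The addresses (10.0.0.5, 203.0.113.7, 198.51.100.9), payloads and helper names are constructed for the example; the check that a PORT command points back at its own sender is an added hardening step, not something the manual describes.

```python
"""Toy model of ASPF-style stateful inspection on a router's external interface.
Added illustration, not 3Com code; addresses, ports and the FTP exchange are
constructed sample input."""
import re
from dataclasses import dataclass, field

CLIENT = "10.0.0.5"      # Client A on the protected network (constructed)
SERVER = "203.0.113.7"   # FTP server on the Internet side (constructed)

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def static_acl_inbound(pkt: Packet) -> bool:
    """A static ACL that denies everything arriving from the Internet: it also
    drops the returned packets of sessions that an internal host initiated."""
    return False


@dataclass
class ASPF:
    """Status table plus temporary ACL (TACL) keyed by (src, sport, dst, dport)."""
    sessions: dict = field(default_factory=dict)  # session key -> TACL entries it opened
    tacl: set = field(default_factory=set)        # inbound 4-tuples currently permitted

    def outbound(self, pkt: Packet) -> bool:
        """Internal host sends a packet: create/refresh the status entry and a
        TACL entry for the returned packets, then inspect the application layer."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        self.sessions.setdefault(key, [])
        self._open(key, (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if pkt.dport == 21:
            self._inspect_ftp_control(key, pkt)
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Packet from the Internet: pass only if a TACL entry matches it."""
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.tacl

    def close(self, key: tuple) -> None:
        """Session terminated: remove the status entry and every TACL entry
        (control and data channels) that belonged to it."""
        for entry in self.sessions.pop(key, []):
            self.tacl.discard(entry)

    def _open(self, key: tuple, entry: tuple) -> None:
        self.tacl.add(entry)
        if entry not in self.sessions[key]:
            self.sessions[key].append(entry)

    def _inspect_ftp_control(self, key: tuple, pkt: Packet) -> None:
        """Multi-channel handling: a PORT command on the control channel names
        the client's data port, so pre-open the inbound data connection the
        server will initiate from its port 20."""
        m = PORT_RE.match(pkt.payload)
        if not m:
            return
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        data_ip, data_port = f"{h1}.{h2}.{h3}.{h4}", (p1 << 8) | p2
        # Added hardening (not from the manual): only honour a PORT that points
        # back at the host that sent it, so a PORT command cannot punch a hole
        # to an arbitrary internal address.
        if data_ip != pkt.src or not 1024 <= data_port <= 65535:
            return
        self._open(key, (pkt.dst, 20, data_ip, data_port))


def run_ftp_scenario() -> dict:
    """Replays the exchange of Figure 6-2 through both filters."""
    fw = ASPF()
    control = (CLIENT, 1333, SERVER, 21)
    fw.outbound(Packet(*control))                      # client opens control channel
    reply = Packet(SERVER, 21, CLIENT, 1333, b"220 ready\r\n")
    results = {
        "static_acl_drops_reply": static_acl_inbound(reply),
        "aspf_passes_reply": fw.inbound(reply),
    }
    # PORT h1,h2,h3,h4,p1,p2 with 6*256 + 64 = 1600, the client data port of the figure
    fw.outbound(Packet(*control, b"PORT 10,0,0,5,6,64\r\n"))
    results["data_conn_20_to_1600"] = fw.inbound(Packet(SERVER, 20, CLIENT, 1600))
    # A PORT naming another internal host must not open a channel to it
    fw.outbound(Packet(*control, b"PORT 10,0,0,9,6,64\r\n"))
    results["spoofed_port_blocked"] = fw.inbound(Packet(SERVER, 20, "10.0.0.9", 1600))
    # Unrelated inbound packet: no status entry, no TACL entry, blocked
    results["other_session_blocked"] = fw.inbound(Packet("198.51.100.9", 4444, CLIENT, 22))
    fw.close(control)                                  # session ends, channels vanish
    results["closed_session_blocked"] = (
        fw.inbound(reply) or fw.inbound(Packet(SERVER, 20, CLIENT, 1600))
    )
    return results


if __name__ == "__main__":
    for name, passed in run_ftp_scenario().items():
        print(f"{name}: {'pass' if passed else 'drop'}")
```

Running the script prints, for each step of the exchange, whether the packet passes or is dropped. The keys of the returned dictionary are named after the expected outcome of each step, so every "blocked"/"drops" entry should be False and every "passes"/"data_conn" entry True. The point the model makes is that the data channel is only permitted because the control channel was inspected; a filter that tracked only 4-tuples would still drop the server's connection from port 20.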
[Figure 6-2 FTP detection process: Client A (protected network, interface E0) initiates a session to an FTP server across the WAN (interface S0). The control channel connection runs from client port 1333 to server port 21 and carries FTP commands and responses; after the client sends a PORT command, the data connection is opened from server port 20 to client port 1600. Returned packets of Client A's session pass; packets of other sessions are blocked.]
3Com Corporation
Chapter 6 Firewall Configuration
6-4