HP A6600 Configuration Manual page 369


The following describes the operation of an ALG-enabled router, taking FTP as an example. As shown in Figure 124, the host in the outside network accesses the FTP server in the inside network in passive mode through the ALG-enabled router.

Figure 124 Network diagram for ALG-enabled FTP application in passive mode

The communication process includes the following stages:

1. Establishing a control connection

The host sends a TCP connection request to the server. If a TCP connection is established, the server and the host enter the user authentication stage.

2. Authenticating the user

The host sends to the server an authentication request, which contains the FTP commands (user and password) and the contents.

When the request passes through the ALG-enabled router, the commands in the payload of the packet are resolved and used to check whether the state machine transition is taking place correctly. If not, the request is dropped. In this way, ALG protects the server against clients that send packets with state machine errors or log into the server with illegal user accounts.

An authentication request with a correct state is forwarded by the ALG-enabled router to the server, which authenticates the host according to the information in the packet.

3. Establishing a data connection

If the host passes the authentication, a data connection is established between it and the server. If the host is accessing the server in passive mode, the data connection process is different. In passive mode, the server sends the host a PASV response that uses its private network address and port number (IP1, Port1). When the response arrives at the ALG-enabled router, the router resolves the packet and translates the server's private network address and port number into the server's public network address and port number (IP2, Port2), respectively. Then, the router uses the public network address and port number to establish a data connection with the host.
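
The following Python sketch is an added illustration of stages 2 and 3, not code from the manual or from the router: it models the command state check and the rewriting of a PASV (227) response from (IP1, Port1) to (IP2, Port2). The state names, the transition table, the function names and all addresses are assumptions constructed for the example.

```python
import re

# Constructed NAT binding (assumption): (IP1, Port1) -> (IP2, Port2).
NAT_BINDINGS = {("192.168.1.10", 50000): ("203.0.113.5", 61000)}

# Simplified control-channel state machine (assumption): state -> {command: next state}.
TRANSITIONS = {
    "CONNECTED": {"USER": "USER_SENT"},
    "USER_SENT": {"PASS": "LOGGED_IN"},
    "LOGGED_IN": {"PASV": "LOGGED_IN", "LIST": "LOGGED_IN",
                  "RETR": "LOGGED_IN", "QUIT": "CLOSED"},
}

# "227 <text>(h1,h2,h3,h4,p1,p2)<text>": four address octets, then port = p1*256 + p2.
PASV_REPLY = re.compile(r"^227 ([^(]*)\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)(.*)$")


def check_command(state, line):
    """Return the next state, or None when the command is not legal in
    `state`, in which case the request would be dropped."""
    verb = line.strip().split(" ", 1)[0].upper()
    return TRANSITIONS.get(state, {}).get(verb)


def translate_pasv(reply, bindings):
    """Rewrite (IP1, Port1) in a 227 reply to (IP2, Port2).
    Replies that are not 227 pass through unchanged."""
    m = PASV_REPLY.match(reply.rstrip("\r\n"))
    if m is None:
        return reply
    fields = [int(x) for x in m.groups()[1:7]]
    if any(f > 255 for f in fields):
        raise ValueError("malformed PASV reply")
    private = (".".join(map(str, fields[:4])), fields[4] * 256 + fields[5])
    if private not in bindings:
        raise LookupError("no NAT binding for %s:%d" % private)
    pub_ip, pub_port = bindings[private]
    hp = pub_ip.split(".") + [str(pub_port // 256), str(pub_port % 256)]
    return "227 %s(%s)%s\r\n" % (m.group(1), ",".join(hp), m.group(8))
```

The rewritten reply can differ in length from the original, so a device doing this on live traffic also has to adjust the TCP sequence and acknowledgment numbers of the control connection; the sketch leaves that out.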