• PAM

While application layer protocols use the standard port numbers for communication, PAM allows you to define a set of new port numbers for different applications, and provides mechanisms to maintain and use the configuration information of user-defined ports. PAM supports two types of port mapping mechanisms: general port mapping and host port mapping.

○ General port mapping—A mapping of a user-defined port number to an application layer protocol. If port 8080 is mapped to HTTP, for example, all TCP packets to port 8080 are regarded as HTTP packets.

○ Host port mapping—A mapping of a user-defined port number to an application layer protocol for packets to/from specific hosts. For example, you can establish a host port mapping so that all TCP packets using 8080 as the destination port and 10.110.0.0/16 as the destination network segment are regarded as HTTP packets. The hosts can be specified by means of a basic ACL.
• Single-channel protocol and multi-channel protocol

○ Single-channel protocol—A single-channel protocol establishes only one channel to exchange both control messages and data for a user. SMTP and HTTP are examples of single-channel protocols.

○ Multi-channel protocol—A multi-channel protocol establishes more than one channel for a user and transfers control messages and user data through different channels. FTP and RTSP are examples of multi-channel protocols.
• Internal interface and external interface

On an edge device configured with ASPF to protect servers on the internal network, the interfaces connected with the internal network are internal interfaces and the interface connected with the Internet is the external interface.

When an ASPF is applied on the outbound direction of the external interface of a device, a temporary channel can be opened on the firewall for return packets to internal network users accessing the Internet.
Application layer protocol inspection

As shown in Figure 112, ACLs on the edge device deny incoming packets to the internal network. The ASPF application layer protocol inspection allows return packets from the external network to the internal network.

Figure 112 Application layer protocol inspection
After the application layer protocol inspection is enabled on the router, the ASPF inspects each application layer session and creates a status entry and a temporary access control list (TACL) for the session. For a multi-channel protocol, a TACL will also be created for data channels.

• Status entry—Created when ASPF detects the session's first packet sent to the Internet, and is used to maintain the status of the session at different points of time and to determine whether state transitions of the session are correct.
[Figure 112: a router sits between the WAN and the protected network (Client A, Client B, Server). Client A initiates a session; return packets of that session are permitted to pass; packets of other sessions are blocked.]
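The following Python model is an added illustration, not code from the manual or the device: it shows the PAM lookup order described above (host port mapping for matching destination hosts, then general port mapping, then the standard port) and the ASPF behaviour of creating a temporary ACL entry from a session's first outbound packet so that only that session's return packets pass. All addresses, ports and the general mapping on port 8000 are constructed; the host mapping uses the 8080 / 10.110.0.0/16 values from the text.

```python
from ipaddress import ip_address, ip_network

# Constructed tables (not device configuration).
STANDARD_PORTS = {80: "http", 25: "smtp", 21: "ftp"}
GENERAL_MAP = {8000: "http"}                               # general port mapping
HOST_MAP = [(ip_network("10.110.0.0/16"), 8080, "http")]   # host port mapping (basic ACL = one prefix)


def classify(dst_ip, dst_port):
    """Application layer protocol PAM assigns to a TCP packet, or None if unmapped."""
    for net, port, proto in HOST_MAP:                  # host mapping is checked first
        if dst_port == port and ip_address(dst_ip) in net:
            return proto
    return GENERAL_MAP.get(dst_port) or STANDARD_PORTS.get(dst_port)


class Aspf:
    """Toy ASPF for single-channel protocols: one TACL entry per session."""

    def __init__(self):
        self.tacl = set()   # temporary ACL entries, keyed by the return 4-tuple

    def outbound(self, src, sport, dst, dport):
        """First packet to the Internet: create status entry + TACL for the return path."""
        proto = classify(dst, dport)
        if proto is None:                               # not an inspected application
            return None
        self.tacl.add((dst, dport, src, sport))         # return packets are the mirror tuple
        return proto

    def inbound(self, src, sport, dst, dport):
        """Edge ACL denies inbound by default; only packets matching a TACL entry pass."""
        return (src, sport, dst, dport) in self.tacl
```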