There is an additional complication: FTP represents these addresses and port numbers
in ASCII. As a result, rewriting the addresses and ports can change the length of the
control packet payload, which shifts the TCP sequence numbers of everything that follows;
the NAT service must then maintain this delta in SEQ and ACK numbers by performing
sequence NAT on all subsequent packets of the control connection.
Support for stateful firewall and NAT services requires that you configure the FTP ALG
on TCP port 21 to enable the FTP control protocol. The ALG performs the following tasks:
• Automatically allocates data ports and firewall permissions for the dynamic data connection
• Creates flows for the dynamically negotiated data connection
• Monitors the control connection in both active and passive modes
• Rewrites the control packets with the appropriate NAT address and port information
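The ALG tasks listed above and the sequence-NAT delta described earlier, as an added worked example that is not part of the Juniper guide: a small Python model that parses the ASCII address inside a PORT command or a 227 (PASV) reply, rewrites it to a NAT address and port, records the pinhole the firewall must open for the data connection, and carries the resulting payload-length change as a SEQ/ACK delta onto later segments of the control connection. The pool range (30.30.30.0/24, ports 9000 to 9010) is taken from the configuration on this page; the pool address 30.30.30.1, the segments of the exchange, and the simplification that whichever side announces an address is the translated side are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed model (not Juniper code) of what an FTP ALG does on the control
# channel. Simplifications: the side announcing an address is treated as the
# NAT-translated side, and the delta is applied to every later segment without
# tracking the sequence position at which it took effect (a real ALG must do
# that to handle retransmissions of data sent before the rewrite).

# Pool values from this page; the specific pool address is an assumption.
NAT_IP = "30.30.30.1"
PORT_LOW, PORT_HIGH = 9000, 9010

# RFC 959 h1,h2,h3,h4,p1,p2 encoding in an active-mode PORT command and in a
# passive-mode "227 Entering Passive Mode (...)" reply.
PORT_RE = re.compile(rb"^(PORT )(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(\r\n)$")
PASV_RE = re.compile(rb"^(227 [^(]*\()(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)(\)[^\r\n]*\r\n)$")


@dataclass
class Segment:
    from_client: bool
    seq: int
    ack: int
    payload: bytes


@dataclass
class AlgState:
    """Per-connection state the NAT keeps for one FTP control session."""
    client_delta: int = 0      # bytes added so far to the client->server stream
    server_delta: int = 0      # bytes added so far to the server->client stream
    next_port: int = PORT_LOW  # next free port in the NAT pool range
    pinholes: list = field(default_factory=list)  # (inside_ip, inside_port, nat_ip, nat_port)


def encode_hostport(ip: str, port: int) -> bytes:
    """Encode an address and port as h1,h2,h3,h4,p1,p2."""
    return ",".join(ip.split(".") + [str(port >> 8), str(port & 0xFF)]).encode()


def parse_hostport(payload: bytes):
    """Return (prefix, ip, port, suffix) if the payload carries an address, else None."""
    for pat in (PORT_RE, PASV_RE):
        m = pat.match(payload)
        if m:
            ip = ".".join(g.decode() for g in m.group(2, 3, 4, 5))
            port = int(m.group(6)) * 256 + int(m.group(7))
            return m.group(1), ip, port, m.group(8)
    return None


def allocate_port(state: AlgState) -> int:
    """Hand out the next data port from the pool range; fail when exhausted."""
    if state.next_port > PORT_HIGH:
        raise RuntimeError("NAT port range exhausted")
    port, state.next_port = state.next_port, state.next_port + 1
    return port


def translate(seg: Segment, state: AlgState) -> Segment:
    """Apply NAT to one control-channel segment and update the SEQ/ACK deltas."""
    own, other = ((state.client_delta, state.server_delta) if seg.from_client
                  else (state.server_delta, state.client_delta))
    payload = seg.payload
    parsed = parse_hostport(payload)
    if parsed is not None:
        prefix, ip, port, suffix = parsed
        nat_port = allocate_port(state)
        # The flow the firewall must permit for the negotiated data connection.
        state.pinholes.append((ip, port, NAT_IP, nat_port))
        payload = prefix + encode_hostport(NAT_IP, nat_port) + suffix
    # SEQ in this direction shifts by what was added earlier in this direction;
    # ACK is mapped back by what was added in the opposite direction.
    out = Segment(seg.from_client, seg.seq + own, seg.ack - other, payload)
    growth = len(payload) - len(seg.payload)
    if seg.from_client:
        state.client_delta += growth
    else:
        state.server_delta += growth
    return out


def run_demo():
    """Constructed active-mode exchange: PORT from inside client 10.1.1.5:1024."""
    state = AlgState()
    exchange = [
        Segment(True, 1000, 5000, b"PORT 10,1,1,5,4,0\r\n"),            # 19 bytes sent
        Segment(False, 5000, 1023, b"200 PORT command successful\r\n"),  # server saw 23 bytes
        Segment(True, 1019, 5029, b"LIST\r\n"),                          # client still counts 19
    ]
    return [translate(s, state) for s in exchange], state


if __name__ == "__main__":
    out, st = run_demo()
    for s in out:
        print("C>S" if s.from_client else "S>C", s.seq, s.ack, s.payload)
    print("client delta", st.client_delta, "pinholes", st.pinholes)
```

Running the demo shows the rewritten PORT payload growing from 19 to 23 bytes, the server's ACK of 1023 being mapped back to 1019 for the client, and the client's next SEQ of 1019 being presented to the server as 1023; without that delta handling the two TCP endpoints would disagree on the byte stream and the control connection would stall.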
On ACX500, for passive FTP to work properly without the FTP application layer gateway
(ALG) enabled (that is, without specifying the application junos-ftp statement at the
[edit services nat rule rule-name term term-name from] hierarchy level), you must enable
the address pooling paired (APP) functionality by including the address-pooling statement
at the [edit services nat rule rule-name term term-name then translated] hierarchy level.
Such a configuration causes the data and control FTP sessions to receive the same NAT
address.
The following is an example of configuring the FTP ALG:
1. Creating the NAT service set and service interface.
[edit]
services {
    service-set set-ftp {
        nat-rules nat-ftp;
        interface-service {
            service-interface ms-0/2/0;
        }
    }
}
2. Configuring the NAT pool.
[edit]
services {
    nat {
        pool p-napt {
            address 30.30.30.0/24;
            port {
                range low 9000 high 9010;
            }
        }
    }
}
3. Defining the NAT rules for the FTP ALG.
[edit]
services {
Copyright © 2017, Juniper Networks, Inc. 1014
ACX Series Universal Access Router Configuration Guide