Realizing FTP Service in IPv6-only or IPv4/IPv6 Hybrid Networks Using ALG

This example shows how to configure ALG so that the FTP service works in IPv6-only or IPv4/IPv6 hybrid networks. It covers the following three scenarios:

  • Scenario 1: IPv6-only network. In the topology below, an enterprise deploys a Hillstone security device as the egress gateway that connects the internal network to the Internet. Both the internal and the external network use IPv6 addresses. With the ALG function configured, the internal FTP client can access the FTP server in the external network.

  • Scenario 2: IPv4 network to IPv6 network. In the topology below, an enterprise deploys a Hillstone security device as the egress gateway that connects the internal network to the Internet. The internal network uses IPv4 addresses and the external network uses IPv6 addresses. With the ALG function configured, the internal FTP client can access the FTP server in the external network.

  • Scenario 3: IPv6 network to IPv4 network. In the topology below, an enterprise deploys a Hillstone security device as the egress gateway that connects the internal network to the Internet. The internal network uses IPv6 addresses and the external network uses IPv4 addresses. With the ALG function configured, the internal FTP client can access the FTP server in the external network.

Before You Start

Before starting the configuration, make sure that the FTP server and the FTP client are already configured. This example describes only the relevant configuration on the device.

Configuration Steps of Scenario 1

Step 1: Configure the interface and zone.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2002::1/64

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2003::1/64

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from ipv6-any to ipv6-any service ftp permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Enable the ALG function of FTP.

hostname(config)# alg ftp

Note: The ALG function of FTP is enabled by default.

Step 4: Verify the result.

Download session in FTP active mode:

session: id 44, proto 6, flag 0, flag1 20000, flag2 0, flag3 0, created 39340, life 1787, policy 1,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64348->[2001::2]:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2003::2]:64348

session: id 2, proto 6, flag 8000000, flag1 20000, flag2 0, flag3 0, created 39408, life 1800, policy 1,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(31(ethernet0/1)/208810): [2001::2]:20->[2003::2]:64363

flow1(32(ethernet0/2)/40208810): [2003::2]:64363->[2001::2]:20

Download session in FTP passive mode:

session: id 61, proto 6, flag 10000, flag1 20000, flag2 0, flag3 0, created 39683, life 1775, policy 1,app 4(FTP) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64362->[2001::2]:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2003::2]:64362

session: id 22, proto 6, flag 8000000, flag1 20000, flag2 0, flag3 0, created 39684, life 1776, policy 1,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40208810): [2003::2]:64398->[2001::2]:56008

flow1(31(ethernet0/1)/208810): [2001::2]:56008->[2003::2]:64398

Configuration Steps of Scenario 2

Step 1: Configure the interface and zone.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ip address 192.168.2.1/24

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ipv6 enable

hostname(config-if-eth0/2)# ipv6 address 2001::1/64

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from any to any service ftp permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Configure the NAT rule.

hostname(config)# nat

hostname(config-nat)# snatrule id 1 from any to 192.168.2.10 service any trans-to 2001::10 mode dynamicport

rule ID=1

hostname(config-nat)# dnatrule id 1 from any to 192.168.2.10 service any trans-to ip 2001::2

rule ID=1

hostname(config-nat)# exit

Step 4: Enable the ALG function of FTP.

hostname(config)# alg ftp

Note: The ALG function of FTP is enabled by default.

Step 5: Verify the result.

Download session in FTP active mode:

session: id 64, proto 6, flag e, flag1 20007, flag2 0, flag3 0, created 133143, life 1797, policy 2,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40300b10): 192.168.2.2:58259->192.168.2.10:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2001::10]:1025

session: id 14, proto 6, flag 8000016, flag1 2000b, flag2 0, flag3 0, created 133147, life 297, policy 2,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(31(ethernet0/1)/208810): [2001::2]:20->[2001::10]:58261

flow1(32(ethernet0/2)/40200810): 192.168.2.2:58261->192.168.2.10:20

Download session in FTP passive mode:

session: id 20, proto 6, flag e, flag1 20007, flag2 0, flag3 0, created 133393, life 1797, policy 2,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40300b10): 192.168.2.2:58272->192.168.2.10:21

flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2001::10]:1030

session: id 2, proto 6, flag 800000e, flag1 20007, flag2 0, flag3 0, created 133397, life 1797, policy 2,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40200810): 192.168.2.2:58273->192.168.2.10:61665

flow1(31(ethernet0/1)/208810): [2001::2]:61665->[2001::10]:61665

Configuration Steps of Scenario 3

Step 1: Configure the interface and zone.

hostname(config)# interface ethernet0/1

hostname(config-if-eth0/1)# zone trust

hostname(config-if-eth0/1)# ipv6 enable

hostname(config-if-eth0/1)# ipv6 address 2003::1/64

hostname(config-if-eth0/1)# exit

hostname(config)# interface ethernet0/2

hostname(config-if-eth0/2)# zone untrust

hostname(config-if-eth0/2)# ip address 192.168.1.1/24

hostname(config-if-eth0/2)# exit

Step 2: Configure the policy.

hostname(config)# rule id 1 from ipv6-any to ipv6-any service ftp permit

Rule id 1 is created

hostname(config-policy)# rule id 1

hostname(config-policy-rule)# src-zone trust

hostname(config-policy-rule)# dst-zone untrust

hostname(config-policy-rule)# exit

Step 3: Configure the NAT rule.

hostname(config)# nat

hostname(config-nat)# snatrule id 1 from ipv6-any to 2003::10 service any trans-to 192.168.1.10 mode dynamicport

rule ID=1

hostname(config-nat)# dnatrule id 1 from ipv6-any to 2003::10 service any trans-to ip 192.168.1.2

rule ID=1

hostname(config-nat)# exit

Step 4: Enable the ALG function of FTP.

hostname(config)# alg ftp

Note: The ALG function of FTP is enabled by default.

Step 5: Verify the result.

Download session in FTP active mode:

session: id 6, proto 6, flag e, flag1 2000b, flag2 0, flag3 0, created 40792, life 1799, policy 1,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64537->[2003::10]:21

flow1(31(ethernet0/1)/300b10): 192.168.1.2:21->192.168.1.10:1034

session: id 5, proto 6, flag 8000016, flag1 20007, flag2 0, flag3 0, created 40798, life 1799, policy 1,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(31(ethernet0/1)/200810): 192.168.1.2:20->192.168.1.10:64538

flow1(32(ethernet0/2)/40208810): [2003::2]:64538->[2003::10]:20

Download session in FTP passive mode:

session: id 21, proto 6, flag e, flag1 2000b, flag2 0, flag3 0, created 40093, life 1799, policy 1,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40308b10): [2003::2]:64435->[2003::10]:21

flow1(31(ethernet0/1)/300b10): 192.168.1.2:21->192.168.1.10:1026

session: id 14, proto 6, flag 800000e, flag1 2000b, flag2 0, flag3 0, created 40099, life 300, policy 1,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0

flow0(32(ethernet0/2)/40208810): [2003::2]:64436->[2003::10]:56075

flow1(31(ethernet0/1)/200810): 192.168.1.2:56075->192.168.1.10:56075
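
To check the session tables shown in the verification steps of all three scenarios, the following added example (not Hillstone code) parses that output, labels each FTP-DATA session as active or passive, flags IPv4/IPv6 translation, and ties it to the FTP control session between the same hosts, so a data session with no matching control session stands out. The sample input is the Scenario 2 active-mode output from this page plus one constructed session (id 99); the function names and the port-20 test for active mode are assumptions of this example.

```python
import ipaddress
import re

# Scenario 2 active-mode output from this page, plus one constructed FTP-DATA
# session (id 99) that has no control session, to show the failing case.
SAMPLE = """\
session: id 64, proto 6, flag e, flag1 20007, flag2 0, flag3 0, created 133143, life 1797, policy 2,app 4(FTP) flag 0x1, auth_user_id 0, reverse_auth_user_id 0
flow0(32(ethernet0/2)/40300b10): 192.168.2.2:58259->192.168.2.10:21
flow1(31(ethernet0/1)/308b10): [2001::2]:21->[2001::10]:1025
session: id 14, proto 6, flag 8000016, flag1 2000b, flag2 0, flag3 0, created 133147, life 297, policy 2,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0
flow0(31(ethernet0/1)/208810): [2001::2]:20->[2001::10]:58261
flow1(32(ethernet0/2)/40200810): 192.168.2.2:58261->192.168.2.10:20
session: id 99, proto 6, flag 0, flag1 0, flag2 0, flag3 0, created 133150, life 300, policy 2,app 70(FTP-DATA) flag 0x0, auth_user_id 0, reverse_auth_user_id 0
flow0(32(ethernet0/2)/40200810): [2001::99]:40000->[2001::2]:50000
flow1(31(ethernet0/1)/208810): [2001::2]:50000->[2001::99]:40000
"""

SESSION_RE = re.compile(r"session: id (\d+),.*?policy (\d+),\s*app \d+\(([^)]+)\)")
FLOW_RE = re.compile(r"flow[01]\([^:]*\): (\S+)->(\S+)")

def endpoint(text):
    """Split '[2001::2]:21' or '192.168.2.2:21' into (ip_address, port)."""
    host, port = text.rsplit(":", 1)
    return ipaddress.ip_address(host.strip("[]")), int(port)

def parse_sessions(output):
    """Return one dict per 'session:' line with its flow0/flow1 endpoints."""
    sessions = []
    for line in map(str.strip, output.splitlines()):
        if m := SESSION_RE.match(line):
            sessions.append({"id": int(m[1]), "policy": int(m[2]), "app": m[3], "flows": []})
        elif (m := FLOW_RE.match(line)) and sessions:
            sessions[-1]["flows"].append((endpoint(m[1]), endpoint(m[2])))
    return sessions

def host_pairs(session):
    """Direction-independent set of host pairs, one pair per flow."""
    return {frozenset((src[0], dst[0])) for src, dst in session["flows"]}

def audit_data_sessions(sessions):
    controls = [s for s in sessions if s["app"] == "FTP"]
    report = {}
    for s in (x for x in sessions if x["app"] == "FTP-DATA"):
        src_port = s["flows"][0][0][1]  # initiator port; 20 = server opened it (active)
        parent = next((c["id"] for c in controls if host_pairs(c) == host_pairs(s)), None)
        versions = {addr.version for pair in host_pairs(s) for addr in pair}
        report[s["id"]] = {"mode": "active" if src_port == 20 else "passive",
                           "translated": versions == {4, 6}, "control_session": parent}
    return report
```

A data session reported with `control_session` of `None` was not opened between the hosts of any FTP control session in the captured output and deserves a closer look.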