Reflexive access lists do not work with some applications that use port numbers that change during a session. If the port numbers of a return packet differ from those of the originating packet, the return packet is denied even though it is actually part of the same session. FTP is an example of an application with changing port numbers. When you initiate an FTP session, the conversation typically uses TCP port 21 to carry control information, including the three-way handshake and the username/password negotiation.

Once the connection is established, however, data is actually sent on a different port, typically TCP port 20. If an outside FTP server sends its reply to the first packet from port 20, the reflexive access list will not let it through, because it has not seen an inside host use that port. From the reflexive access list's point of view, the stream on port 20 is a new and uninvited conversation. If the FTP client operates in passive mode, on the other hand, the client is the first host to send a packet on the data port. Thus, you must configure your FTP clients for passive FTP so that they originate the data-port transfer, which in turn creates the appropriate reflexive access list entry.
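The behaviour described above, modelled as an added example (not code from the original text): a minimal reflexive access list that records the reverse 4-tuple of every outbound packet and admits inbound packets only if they match a recorded entry. The addresses and port numbers are constructed for illustration; they show active-mode FTP data being dropped and passive-mode data being admitted.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveACL:
    """Toy model of a reflexive access list: an outbound packet creates a
    temporary entry for the mirror-image return flow, and an inbound packet
    is permitted only if it matches such an entry (the 'evaluate' step)."""

    def __init__(self):
        # Entries are stored as (outside_host, outside_port, inside_host, inside_port).
        self.entries = set()

    def outbound(self, pkt):
        # An inside host sends a packet out: remember the reverse 4-tuple.
        self.entries.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def inbound(self, pkt):
        # Return traffic is admitted only when every field matches an entry.
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries


CLIENT, SERVER = "10.0.0.5", "192.0.2.10"  # constructed sample addresses


def active_ftp():
    acl = ReflexiveACL()
    # Control channel: client -> server:21 creates an entry for the replies.
    acl.outbound(Packet(CLIENT, 40000, SERVER, 21))
    ctrl_reply = acl.inbound(Packet(SERVER, 21, CLIENT, 40000))
    # Active mode: the server opens the data channel from port 20 to a client
    # port the ACL has never seen the inside host use, so it is denied.
    data = acl.inbound(Packet(SERVER, 20, CLIENT, 40001))
    return ctrl_reply, data


def passive_ftp():
    acl = ReflexiveACL()
    acl.outbound(Packet(CLIENT, 40000, SERVER, 21))
    ctrl_reply = acl.inbound(Packet(SERVER, 21, CLIENT, 40000))
    # Passive mode: the client originates the data connection to the port the
    # server announced, so the entry exists before the server's data arrives.
    acl.outbound(Packet(CLIENT, 40002, SERVER, 50000))
    data = acl.inbound(Packet(SERVER, 50000, CLIENT, 40002))
    return ctrl_reply, data
```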