D-Link NetDefendOS User Manual page 477

Network security firewall
Note
Clients registering with the proxy on the DMZ will have the IP address of the
DMZ interface as the contact address.

• An Allow rule/policy for outbound traffic from the proxy behind the DMZ interface to the
  remote clients on the Internet.
• An Allow rule/policy for inbound SIP traffic from the SIP proxy behind the DMZ interface
  to the IP address of the NetDefend Firewall. This will have core (in other words,
  NetDefendOS itself) as the destination interface.
  This rule is needed because of the NAT rule/policy above. When an incoming call is
  received, NetDefendOS automatically locates the local receiver, performs address
  translation and forwards SIP messages to the receiver. This is done based on the SIP
  ALG's internal state.
• An Allow rule/policy for inbound traffic from, for example, the Internet to the proxy
  behind the DMZ.
4. If Record-Route is not enabled at the proxy, direct exchange of SIP messages must also be
   allowed between clients, bypassing the proxy. The following additional rules/policies are
   therefore needed when Record-Route is disabled:
   • A NAT rule/policy for outbound traffic from the clients on the internal network to the
     external clients and proxies on, for example, the Internet. The SIP ALG will take care of all
     address translation needed by the NAT rule. The translation will occur both at the IP level
     and the application level.
   • An Allow rule/policy for inbound SIP traffic from, for example, the Internet to the IP
     address of the DMZ interface. This is needed because local clients will be NATed
     using the IP address of the DMZ interface when they register with the proxy located on
     the DMZ.
     This rule/policy has core as the destination interface (in other words, NetDefendOS
     itself). When an incoming call is received, NetDefendOS uses the registration information
     of the local receiver to automatically locate this receiver, perform address translation
     and forward SIP messages to the receiver. This is done based on the internal state
     of the SIP ALG.
The IP rules/policies needed with Record-Route enabled are:

Name               Action  Src Interface  Src Network  Dest Interface  Dest Network
OutboundToProxy    NAT     lan            lannet       dmz             ip_proxy
OutboundFromProxy  Allow   dmz            ip_proxy     wan             all-nets
InboundFromProxy   Allow   dmz            ip_proxy     core            dmz_ip
InboundToProxy     Allow   wan            all-nets     dmz             ip_proxy

With Record-Route disabled, the following IP rules/policies must be added to those above:

Name                 Action  Src Interface  Src Network  Dest Interface  Dest Network
OutboundBypassProxy  NAT     lan            lannet       wan             all-nets
InboundBypassProxy   Allow   wan            all-nets     core            ipdmz

Chapter 6: Security Mechanisms
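The two rule tables above are easiest to reason about by replaying a few SIP flows through them. The following is an added example, not code from the D-Link manual or from NetDefendOS: a small first-match evaluator that loads both rule sets and reports which rule (if any) a given source/destination pair hits. The addresses behind lannet, ip_proxy, dmz_ip/ipdmz and the DMZ subnet are constructed sample values, the routing decision is reduced to a lookup that maps the firewall's own addresses to core, and the Service column is ignored since the page does not show it; it is also an assumption here that dmz_ip and ipdmz name the same DMZ interface address.

```python
"""Added example (not from the manual): first-match evaluation of the SIP ALG
rule sets with Record-Route enabled versus disabled."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed address book mirroring the page's object names; values are samples.
ADDRESS_BOOK = {
    "lannet":   ipaddress.ip_network("192.168.1.0/24"),
    "ip_proxy": ipaddress.ip_network("10.0.0.10/32"),
    "dmz_ip":   ipaddress.ip_network("10.0.0.1/32"),  # firewall's own DMZ interface address
    "ipdmz":    ipaddress.ip_network("10.0.0.1/32"),  # assumed to be the same object as dmz_ip
    "all-nets": ipaddress.ip_network("0.0.0.0/0"),
}
DMZNET = ipaddress.ip_network("10.0.0.0/24")                      # constructed DMZ subnet
FIREWALL_OWN = {ipaddress.ip_address("10.0.0.1"), ipaddress.ip_address("192.168.1.1")}


def route(ip: str) -> str:
    """Simplified routing lookup: the firewall's own addresses are reached via 'core'."""
    addr = ipaddress.ip_address(ip)
    if addr in FIREWALL_OWN:
        return "core"
    if addr in ADDRESS_BOOK["lannet"]:
        return "lan"
    if addr in DMZNET:
        return "dmz"
    return "wan"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "NAT" or "Allow", as in the page's tables
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str

    def matches(self, src_if: str, src_ip: str, dst_if: str, dst_ip: str) -> bool:
        return (self.src_if == src_if and self.dst_if == dst_if
                and ipaddress.ip_address(src_ip) in ADDRESS_BOOK[self.src_net]
                and ipaddress.ip_address(dst_ip) in ADDRESS_BOOK[self.dst_net])


# Rule set with Record-Route enabled at the proxy (first table on the page).
RECORD_ROUTE_RULES: List[Rule] = [
    Rule("OutboundToProxy",   "NAT",   "lan", "lannet",   "dmz",  "ip_proxy"),
    Rule("OutboundFromProxy", "Allow", "dmz", "ip_proxy", "wan",  "all-nets"),
    Rule("InboundFromProxy",  "Allow", "dmz", "ip_proxy", "core", "dmz_ip"),
    Rule("InboundToProxy",    "Allow", "wan", "all-nets", "dmz",  "ip_proxy"),
]

# Extra rules required when Record-Route is disabled (second table on the page).
BYPASS_RULES: List[Rule] = [
    Rule("OutboundBypassProxy", "NAT",   "lan", "lannet",   "wan",  "all-nets"),
    Rule("InboundBypassProxy",  "Allow", "wan", "all-nets", "core", "ipdmz"),
]


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str) -> str:
    """First matching rule wins; no match falls through to the implicit drop."""
    src_if, dst_if = route(src_ip), route(dst_ip)
    for rule in rules:
        if rule.matches(src_if, src_ip, dst_if, dst_ip):
            return f"{rule.name}:{rule.action}"
    return "Drop"


if __name__ == "__main__":
    # Constructed sample flows: local client, proxy, DMZ interface IP, remote SIP peer.
    flows = [("192.168.1.20", "10.0.0.10"), ("10.0.0.10", "203.0.113.5"),
             ("10.0.0.10", "10.0.0.1"), ("203.0.113.5", "10.0.0.10"),
             ("192.168.1.20", "203.0.113.5"), ("203.0.113.5", "10.0.0.1")]
    for src, dst in flows:
        print(f"{src:>14} -> {dst:<14} RR on: {evaluate(RECORD_ROUTE_RULES, src, dst):<26}"
              f"RR off: {evaluate(RECORD_ROUTE_RULES + BYPASS_RULES, src, dst)}")
```

The last two flows are the ones the page's step 4 is about: a local client talking straight to a remote peer, and a remote peer reaching the DMZ interface address that local clients were NATed behind. With only the Record-Route rule set those flows hit no rule and are dropped; appending the bypass rules makes them match OutboundBypassProxy and InboundBypassProxy, which is exactly why the second table is required when the proxy does not keep itself in the signalling path.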