Nortel Secure 4134 Configuration page 34

Security — configuration and management

34 Firewall and NAT Fundamentals
When a phone attempts to make a call to a phone that is not registered on
the same call server, the local call server must relay that request to the
next-hop call server. The forwarded request from the local call server to the
next-hop call server is trunk traffic.
SIP trunking can introduce further complications with firewalling and NAT.
Specifically, the SIP signaling information is exchanged between the SIP
servers, while the media session traffic flows between the two phones.
As a result, the SIP ALG must translate multiple private addresses within
one packet to the same public address. For example, when the SIP ALG
encounters the INVITE message, the SIP header contains the IP address of
the call server and the SDP session description contains the IP address of
the phone. However, NAT rules generally control only one-to-one address
and port translations.
To work around these issues, the SIP ALG can implement a form of Proxy
NAT.
With Proxy NAT, the SIP ALG performs multiple translations within a single
packet. It performs a Static NAT translation for the SIP header, and a NAPT
translation for the SIP message body (SDP). This results in a single firewall
connection between the two call servers on port 5060, for all SIP signaling,
and multiple RTP connections for media traffic between the phones.
In this scenario, there can be only one MCS server behind the Firewall/NAT,
supported by a single proxy NAT command.
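
The two translations described above, modelled on a constructed INVITE (an added illustration, not Nortel's implementation or code from this manual). The addresses, the `ProxyNat` class and the public RTP port pool starting at 20000 are assumptions made for the example.

```python
import re

# Constructed sample values (RFC 1918 / RFC 5737 ranges), not from the manual.
SERVER_PRIV, PHONE_PRIV, PUBLIC_IP = "10.1.1.10", "10.1.1.50", "203.0.113.5"
SDP = "\r\n".join(["v=0", f"o=- 1 1 IN IP4 {PHONE_PRIV}", "s=-",
                   f"c=IN IP4 {PHONE_PRIV}", "t=0 0",
                   "m=audio 49170 RTP/AVP 0", ""])
INVITE = "\r\n".join([
    "INVITE sip:2001@198.51.100.20:5060 SIP/2.0",
    f"Via: SIP/2.0/UDP {SERVER_PRIV}:5060;branch=z9hG4bKconstructed",
    f"Contact: <sip:1001@{SERVER_PRIV}:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SDP)}",
    "", SDP])

class ProxyNat:
    """Toy model: static NAT for the SIP headers, NAPT for the SDP body."""
    def __init__(self, server_priv, public_ip, first_port=20000):
        self.server_priv, self.public_ip = server_priv, public_ip
        self.next_port = first_port          # assumed public RTP port pool
        self.napt = {}  # (private IP, private RTP port) -> public RTP port

    def _media_port(self, ip, port):
        if (ip, port) not in self.napt:
            self.napt[(ip, port)] = self.next_port
            self.next_port += 2  # keep the odd neighbour free for RTCP
        return self.napt[(ip, port)]

    def translate_outbound(self, msg):
        head, _, body = msg.partition("\r\n\r\n")
        # Static NAT: call server address -> public address, port 5060 kept.
        head = re.sub(rf"(?<![\d.]){re.escape(self.server_priv)}(?!\d)",
                      self.public_ip, head)
        # NAPT: phone address and RTP port in the SDP -> public address, new port.
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        if conn:
            phone = conn.group(1)
            body = re.sub(r"^(m=audio )(\d+)", lambda m: m.group(1)
                          + str(self._media_port(phone, int(m.group(2)))),
                          body, flags=re.M)
            body = re.sub(r"^([oc]=.*IN IP4 )\S+", rf"\g<1>{self.public_ip}",
                          body, flags=re.M)
        # The body changed size, so Content-Length must be recomputed.
        head = re.sub(r"(?mi)^Content-Length:[^\r\n]*",
                      f"Content-Length: {len(body.encode())}", head)
        return head + "\r\n\r\n" + body

def demo():
    nat = ProxyNat(SERVER_PRIV, PUBLIC_IP)
    return nat.translate_outbound(INVITE), nat.napt
```

Both private addresses leave as the same public address: the header keeps port 5060 for the single signaling connection, while each phone's RTP port gets its own entry in the NAPT table.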
Figure 5
SIP trunk side configuration
Copyright © 2007, Nortel Networks.
Nortel Secure Router 4134
Security — Configuration and Management
NN47263-600 01.02 Standard
10.0 3 August 2007
