D-Link NetDefend DFL-210 User Manual page 234

Network security firewall ver 2.26.01

Chapter 6. Security Mechanisms

6.2.8. The SIP ALG

| Action         | Src Interface | Src Network        | Dest Interface | Dest Network       |
|----------------|---------------|--------------------|----------------|--------------------|
| Allow (or NAT) | lan           | lannet             | wan            | <All possible IPs> |
| Allow          | wan           | <All possible IPs> | lan (or core)  | lannet (or ipwan)  |

The advantage of using Record-Route is clear, since now the destination network for outgoing traffic and the source network for incoming traffic have to include all possible IP addresses.

Scenario 2

Protecting proxy and local clients - Proxy on the same network as clients

In this scenario the goal is to protect the local clients as well as the SIP proxy. The proxy is located on the same local network as the clients, with SIP signalling and media data flowing across two interfaces. This scenario is illustrated below.

This scenario can be implemented in two ways:

- Using NAT to hide the network topology.
- Without NAT so the network topology is exposed.

Solution A - Using NAT

Here, the proxy and the local clients are hidden behind the IP address of the NetDefend Firewall.

The setup steps are as follows:

1. Define a single SIP ALG object using the options described above.
2. Define a Service object which is associated with the SIP ALG object. The service should have:
   - Destination Port set to 5060 (the default SIP signalling port)
   - Type set to TCP/UDP

The Service object for IP rules

In this section, tables that list IP rules like those above will omit the Service object associated with the rule. The same custom Service object is used for all SIP scenarios.
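
The following Python sketch is an added example, not part of the D-Link manual: it models the two IP rules listed on this page with first-match evaluation and shows what a wan-side network of <All possible IPs> admits. The address ranges, the ip_proxy name, the narrowed rule set and the default Drop when no rule matches are constructed assumptions.

```python
import ipaddress

# Constructed address book: lannet and <All possible IPs> are names from the
# page's rule table; the ranges and the ip_proxy object are sample assumptions.
ADDRESS_BOOK = {
    "lannet": ipaddress.ip_network("192.168.1.0/24"),
    "<All possible IPs>": ipaddress.ip_network("0.0.0.0/0"),
    "ip_proxy": ipaddress.ip_network("203.0.113.10/32"),  # hypothetical proxy
}

# (Action, Src Interface, Src Network, Dest Interface, Dest Network).
# The Service object is omitted, as in the page's own tables.
TABLE_RULES = [
    ("Allow", "lan", "lannet", "wan", "<All possible IPs>"),
    ("Allow", "wan", "<All possible IPs>", "lan", "lannet"),
]

# Assumed narrowed variant: wan-side networks limited to a single proxy.
NARROWED_RULES = [
    ("Allow", "lan", "lannet", "wan", "ip_proxy"),
    ("Allow", "wan", "ip_proxy", "lan", "lannet"),
]

def evaluate(rules, src_if, src_ip, dst_if, dst_ip):
    """Return the action of the first matching rule, or 'Drop' if none match."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, r_src_if, r_src_net, r_dst_if, r_dst_net in rules:
        if (src_if == r_src_if and dst_if == r_dst_if
                and src in ADDRESS_BOOK[r_src_net]
                and dst in ADDRESS_BOOK[r_dst_net]):
            return action
    return "Drop"

def open_fields(rules):
    """List (rule index, column) pairs whose network covers every IPv4 address."""
    found = []
    for i, rule in enumerate(rules):
        for col, name in (("Src Network", rule[2]), ("Dest Network", rule[4])):
            if ADDRESS_BOOK[name].prefixlen == 0:
                found.append((i, col))
    return found

if __name__ == "__main__":
    # Constructed flow: an arbitrary Internet host signalling a LAN client.
    flow = ("wan", "198.51.100.7", "lan", "192.168.1.20")
    print("table rules   :", evaluate(TABLE_RULES, *flow), open_fields(TABLE_RULES))
    print("narrowed rules:", evaluate(NARROWED_RULES, *flow), open_fields(NARROWED_RULES))
```

Running `open_fields` over an exported rule list is a quick review step: any SIP rule it flags accepts signalling from or to every address on that interface.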
