D-Link DFL-260E User Manual page 276

Network Security Firewall, NetDefendOS version 2.27.03
6.2.8. The SIP ALG
This scenario can be implemented in two ways:
• Using NAT to hide the network topology.
• Without NAT so the network topology is exposed.

Solution A - Using NAT
Here, the proxy and the local clients are hidden behind the IP address of the NetDefend Firewall. The setup steps are as follows:
1. Define a single SIP ALG object using the options described above.
2. Define a Service object which is associated with the SIP ALG object. The service should have:
   • Destination Port set to 5060 (the default SIP signalling port)
   • Type set to TCP/UDP
3. Define three rules in the IP rule set:
   • A NAT rule for outbound traffic from the local proxy and the clients on the internal network to the remote clients on, for example, the Internet. The SIP ALG will take care of all address translation needed by the NAT rule. This translation will occur both on the IP level and the application level. Neither the clients nor the proxies need to be aware that the local clients are being NATed.
     If Record-Route is enabled on the SIP proxy, the source network of the NAT rule can include only the SIP proxy, and not the local clients.
   • A SAT rule for redirecting inbound SIP traffic to the private IP address of the NATed local proxy. This rule will have core as the destination interface (in other words NetDefendOS itself) since inbound traffic will be sent to the private IP address of the SIP proxy.
   • An Allow rule which matches the same type of traffic as the SAT rule defined in the previous step.

                            Action                 Src Interface   Src Network         Dest Interface   Dest Network
OutboundFrom ProxyUsers     NAT                    lan             lannet (ip_proxy)   wan              all-nets
InboundTo ProxyAndClients   SAT SETDEST ip_proxy   wan             all-nets            core             wan_ip
InboundTo ProxyAndClients   Allow                  wan             all-nets            core             wan_ip

Chapter 6. Security Mechanisms
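
The following is an added example, not part of the D-Link manual: a small Python check that models the three Solution A rules from the table and flags a rule list that departs from the layout in step 3 (SAT rule without a later Allow rule for the same traffic, SAT rule not targeting core, or a rule not bound to the SIP service). The service name sip_service, the Rule class and the audit function are hypothetical names, and the rule comparison is a strict field-by-field simplification, not NetDefendOS's own rule matching.

```python
from dataclasses import dataclass

SIP_SERVICE = "sip_service"  # hypothetical name for the port-5060 TCP/UDP service of step 2

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "NAT", "SAT" or "Allow"
    src_if: str
    src_net: str
    dst_if: str
    dst_net: str
    service: str = SIP_SERVICE
    setdest: str = ""        # SAT only: the new destination address

# The three rules from the table above (rule names as printed there).
RULES = [
    Rule("OutboundFrom ProxyUsers", "NAT", "lan", "lannet", "wan", "all-nets"),
    Rule("InboundTo ProxyAndClients", "SAT", "wan", "all-nets", "core", "wan_ip",
         setdest="ip_proxy"),
    Rule("InboundTo ProxyAndClients", "Allow", "wan", "all-nets", "core", "wan_ip"),
]

def traffic_key(r):
    """Filter fields that decide which traffic a rule matches."""
    return (r.src_if, r.src_net, r.dst_if, r.dst_net, r.service)

def audit(rules):
    """Return findings where a rule list departs from the Solution A layout."""
    findings = []
    for i, r in enumerate(rules):
        if r.service != SIP_SERVICE:
            findings.append(f"{r.name} ({r.action}): not bound to the SIP ALG service")
        if r.action != "SAT":
            continue
        if r.dst_if != "core":
            findings.append(f"{r.name} (SAT): destination interface is not core")
        if not r.setdest:
            findings.append(f"{r.name} (SAT): no SETDEST address")
        # Strict comparison (a simplification): the Allow must repeat the SAT filter.
        if not any(x.action == "Allow" and traffic_key(x) == traffic_key(r)
                   for x in rules[i + 1:]):
            findings.append(f"{r.name} (SAT): no later Allow rule for the same traffic")
    return findings

if __name__ == "__main__":
    for line in audit(RULES) or ["rule set matches the Solution A layout"]:
        print(line)
```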
