D-Link DFL-1660 User Manual page 307
Network security firewall
Hide thumbs
Also See for DFL-1660:
- User manual (483 pages) ,
- Installation manual (45 pages) ,
- Reference manual (948 pages)
Table of Contents
Advertisement
6.2.8. The SIP ALG
•
An Allow rule for outbound traffic from the proxy behind the DMZ interface to the remote
clients on the Internet.
•
An Allow rule for inbound SIP traffic from the SIP proxy behind the DMZ interface to the
IP address of the NetDefend Firewall. This rule will have core (in other words,
NetDefendOS itself) as the destination interface.
The reason for this is because of the NAT rule above. When an incoming call is received,
NetDefendOS automatically locates the local receiver, performs address translation and
forwards SIP messages to the receiver. This is done based on the SIP ALG's internal state.
•
An Allow rule for inbound traffic from, for example the Internet, to the proxy behind the
DMZ.
4.
If Record-Route is not enabled at the proxy, direct exchange of SIP messages must also be
allowed between clients, bypassing the proxy. The following additional rules are therefore
needed when Record-Route is disabled:
•
A NAT rule for outbound traffic from the clients on the internal network to the external
clients and proxies on, for example, the Internet. The SIP ALG will take care of all address
translation needed by the NAT rule. The translation will occur both at the IP level and the
application level.
•
An Allow rule for inbound SIP traffic from, for example the Internet, to the IP address of
the DMZ interface. The reason for this is because local clients will be NATed using the IP
address of the DMZ interface when they register with the proxy located on the DMZ.
This rule has core as the destination interface (in other words, NetDefendOS itself). When
an incoming call is received, NetDefendOS uses the registration information of the local
receiver to automatically locate this receiver, perform address translation and forward SIP
messages to the receiver. This will be done based on the internal state of the SIP ALG.
The IP rules needed with Record-Route enabled are:
OutboundToProxy
OutboundFromProxy
InboundFromProxy
InboundToProxy
With Record-Route disabled, the following IP rules must be added to those above:
OutboundBypassProxy
InboundBypassProxy
Solution B - Without NAT
The setup steps are as follows:
1.
Define a single SIP ALG object using the options described above.
2.
Define a Service object which is associated with the SIP ALG object. The service should have:
DMZ interface as the contact address.
Action
Src Interface
NAT
lan
Allow
dmz
Allow
dmz
Allow
wan
Action
Src Interface
NAT
lan
Allow
wan
307
Chapter 6. Security Mechanisms
Src Network
Dest Interface
lannet
dmz
ip_proxy
wan
ip_proxy
core
all-nets
dmz
Src Network
Dest Interface
lannet
wan
all-nets
core
Dest Network
ip_proxy
all-nets
dmz_ip
ip_proxy
Dest Network
all-nets
ipdmz
- Quick Links:
- The Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
