D-Link NetDefendOS User Manual page 469

should not be used. The NetDefendOS SIP ALG will take care of all NAT traversal issues in
a SIP scenario.
The setup steps for this scenario are as follows:
1. Define a SIP ALG object using the options described above.
2. Define a Service object and associate it with the SIP ALG object. The service should have:
• Destination Port set to 5060 (the default SIP signaling port).
• Type set to TCP/UDP.
3. Define two rules/policies in the IP rule set:
• A NAT rule for outbound traffic from clients on the internal network to the SIP Proxy
Server located externally. The SIP ALG will take care of all address translation needed by
the NAT rule. This translation will occur both on the IP level and the application level.
Neither the clients or the proxies need to be aware that the local users are being NATed.
• An Allow rule for inbound SIP traffic from the SIP proxy to the IP of the NetDefend
Firewall. This rule will use core (in other words, NetDefendOS itself ) as the destination
interface. The reason for this is due to the NAT rule above. When an incoming call is
received, NetDefendOS will automatically locate the local receiver, perform address
translation and forward SIP messages to the receiver. This will be executed based on the
ALGs internal state.
A SAT rule for translating incoming SIP messages is not needed since the ALG will
automatically redirect incoming SIP requests to the correct internal user. When a SIP client
behind a NATing NetDefend Firewall registers with an external SIP proxy, NetDefendOS
sends its own IP address as contact information to the SIP proxy. NetDefendOS registers the
client's local contact information and uses this to redirect incoming requests to the user. The
ALG takes care of the address translations needed.
4. Ensure the clients are correctly configured. The SIP Proxy Server plays a key role in locating
the current location of the other client for the session. The proxy's IP address is not specified
directly in the ALG. Instead its location is either entered directly into the client software used
by the client or in some cases the client will have a way of retrieving the proxy's IP address
automatically such as through DHCP.
The IP rules/policies with the Record-Route option enabled would be as shown below, the
changes that apply when NAT is used are shown in parentheses "(..)".
Action Src Interface
Allow lan
(or NAT)
Allow wan
Without the Record-Route option enabled the IP rules/policies would be as shown below, the
changes that apply when NAT is used are again shown in parentheses "(..)".
Action Src Interface
Allow lan
(or NAT)
Allow wan
Src Network Dest Interface
lannet wan
ip_proxy lan
(or core)
Src Network Dest Interface
lannet wan
<All possible IPs> lan
(or core)
469
Chapter 6: Security Mechanisms
Dest Network
ip_proxy
lannet
(or wan_ip)
Dest Network
<All possible IPs>
lannet
(or ipwan)