6.2.8. The SIP ALG
Proxy&Clients
InboundTo
Proxy&Clients
If Record-Route is enabled then the networks in the above rules can be further restricted by using
"(ip_proxy)" as indicated.
Scenario 3
Protecting proxy and local clients - Proxy on the DMZ interface
This scenario is similar to the previous but the major difference is the location of the local SIP proxy
server. The server is placed on a separate interface and network to the local clients. This setup adds
an extra layer of security since the initial SIP traffic is never exchanged directly between a remote
endpoint and the local, protected clients.
The complexity is increased in this scenario since SIP messages flow across three interfaces: the
receiving interface from the call initiator, the DMZ interface towards the proxy and the destination
interface towards the call terminator. This the initial messages exchanges that take place when a call
is setup in this scenario are illustrated below:
Action
Src Interface
Allow
wan
305
Chapter 6. Security Mechanisms
Src Network
Dest Interface
(ip_proxy)
all-nets
lan
Dest Network
lannet
(ip_proxy)