•
Without NAT so the network topology is exposed.
Solution A - Using NAT
Here, the proxy and the local clients are hidden behind the IP address of the NetDefend Firewall.
The setup steps are as follows:
1.
Define a single SIP ALG object using the options described above.
2.
Define a
Service
object and associate it with the SIP ALG object. The service should have:
•
Destination Port set to
5060
(the default SIP signaling port)
•
Type set to
TCP/UDP
3.
Define three rules/policies in the IP rule set:
•
A
NAT
rule for outbound traffic from the local proxy and the clients on the internal
network to the remote clients on, for example, the Internet. The SIP ALG will take care of
all address translation needed by the
NAT
rule. This translation will occur both on the IP
level and the application level. Neither the clients or the proxies need to be aware that
the local clients are being NATed.
If
Record-Route
is enabled on the SIP proxy, the
source
network of the
NAT
rule can
include only the SIP proxy, and not the local clients.
•
A
SAT
rule for redirecting inbound SIP traffic to the private IPv4 address of the NATed
local proxy. This rule will have core as the destination interface (in other words,
NetDefendOS itself ) since inbound traffic will be sent to the private IPv4 address of the
SIP proxy.
•
An
Allow
rule which matches the same type of traffic as the
SAT
rule defined in the
previous step.
SIP Traffic Type
Action
Src Interface
Src Network
Dest Interface
Dest Network
OutboundFrom
ProxyUsers
NAT
lan
lannet
(ip_proxy)
wan
all-nets
InboundTo
ProxyAndClients
SAT
SETDEST
ip_proxy
wan
all-nets
core
wan_ip
InboundTo
ProxyAndClients
Allow
wan
all-nets
core
wan_ip
If
Record-Route
is enabled then the
Source Network
for outbound traffic from proxy users can be
further restricted in the above by using "
ip_proxy
" as indicated.
When an incoming call is received, the SIP ALG will follow the
SAT
rule and forward the SIP
request to the proxy server. The proxy will in turn, forward the request to its final destination
which is the client.
If
Record-Route
is disabled at the proxy server, and depending on the state of the SIP session, the
SIP ALG may forward inbound SIP messages directly to the client, bypassing the SIP proxy. This
will happen automatically without further configuration.
Solution B - Without NAT
Without NAT, the outbound
NAT
rule is replaced by an
Allow
rule. The inbound
SAT
and
Allow
rules/policies are replaced by a single
Allow
rule.
Chapter 6: Security Mechanisms
474
Summary of Contents for NetDefendOS
Page 30: ...Figure 1 3 Packet Flow Schematic Part III Chapter 1 NetDefendOS Overview 30 ...
Page 32: ...Chapter 1 NetDefendOS Overview 32 ...
Page 144: ...Chapter 2 Management and Maintenance 144 ...
Page 284: ...Chapter 3 Fundamentals 284 ...
Page 392: ...Chapter 4 Routing 392 ...
Page 419: ... Host 2001 DB8 1 MAC 00 90 12 13 14 15 5 Click OK Chapter 5 DHCP Services 419 ...
Page 420: ...Chapter 5 DHCP Services 420 ...
Page 573: ...Chapter 6 Security Mechanisms 573 ...
Page 607: ...Chapter 7 Address Translation 607 ...
Page 666: ...Chapter 8 User Authentication 666 ...
Page 775: ...Chapter 9 VPN 775 ...
Page 819: ...Chapter 10 Traffic Management 819 ...
Page 842: ...Chapter 11 High Availability 842 ...
Page 866: ...Default Enabled Chapter 13 Advanced Settings 866 ...
Page 879: ...Chapter 13 Advanced Settings 879 ...