Firewall
Cisco ISA500 Series Integrated Security Appliances Administration Guide
Maximum Connections: Limit the number of TCP and UDP connections.
Enter a value in the range 1000 to 60000. The default value is 60000.
TCP Timeout: Enter the timeout value in seconds for TCP sessions. Inactive
TCP sessions are removed from the session table after this duration. The
valid range is 5 to 3600 seconds. The default value is 1200 seconds.
UDP Timeout: Enter the timeout value in seconds for UDP sessions. Inactive
UDP sessions are removed from the session table after this duration. The
valid range is 5 to 3600 seconds. The default value is 180 seconds.
STEP 3 Click Save to apply your settings.
Configuring Application Level Gateway
The security appliance can function as an Application Level Gateway (ALG) to
allow certain NAT-incompatible applications (such as SIP or H.323) to operate
properly through the security appliance.
If Voice-over-IP (VoIP) is used in your organization, you should enable H.323 ALG
or SIP ALG to open the ports necessary to allow VoIP traffic through your voice
device. The ALGs are created to work in a NAT environment to maintain
security for privately addressed conferencing equipment protected by your voice
device.
You can use both H.323 ALG and SIP ALG at the same time, if necessary. To
determine which ALG to use, consult the documentation for your VoIP devices or
applications.
STEP 1 Click Firewall > Application Level Gateway.
The Application Level Gateway window opens.
STEP 2 Enter the following information:
SIP Support: SIP ALG can rewrite the information within the SIP messages
(SIP headers and SDP body) to make signaling and audio traffic between the
client behind NAT and the SIP endpoint possible. Check this box to enable
SIP ALG support, or uncheck this box to disable this feature.
NOTE: Enable SIP ALG when voice devices such as UC500, UC300, or SIP
phones are connected to the network behind the security appliance.
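A simplified model of the rewriting described under SIP Support, added here as an example (not Cisco's implementation and not code from the guide): it replaces the private address and ports with their NAT mappings in the Via and Contact headers and in the SDP body, then recomputes Content-Length. The message, addresses and port mappings are constructed, and `alg_rewrite` and `leaked_private` are hypothetical names.

```python
import ipaddress
import re

# Constructed sample: INVITE from a phone at 192.168.75.10 behind NAT.
# Addresses, ports and names are illustrative, not values from the guide.
SDP = ("v=0\r\no=alice 1 1 IN IP4 192.168.75.10\r\ns=-\r\n"
       "c=IN IP4 192.168.75.10\r\nt=0 0\r\nm=audio 16384 RTP/AVP 0\r\n")
INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.75.10:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.com>;tag=1928301774",
    "To: <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.75.10:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(SDP)}",
]) + "\r\n\r\n" + SDP
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def alg_rewrite(msg, private_ip, public_ip, port_map):
    """Rewrite private_ip (and mapped ports) in SIP headers and SDP body."""
    head, _, body = msg.partition("\r\n\r\n")
    priv = re.escape(private_ip)
    def mapped(port):
        return str(port_map.get(int(port), port))
    # SDP body: o=/c= carry the media address, m= carries the RTP port.
    body = re.sub(rf"(?m)^([oc]=.*IN IP4 ){priv}", rf"\g<1>{public_ip}", body)
    body = re.sub(r"(?m)^(m=\w+ )(\d+)",
                  lambda m: m.group(1) + mapped(m.group(2)), body)
    out = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].lower()
        if name in ("via", "contact"):  # signaling host:port
            line = re.sub(rf"{priv}:(\d+)",
                          lambda m: f"{public_ip}:{mapped(m.group(1))}", line)
        elif name == "content-length":  # body length may have changed
            line = f"Content-Length: {len(body.encode())}"
        out.append(line)
    return "\r\n".join(out) + "\r\n\r\n" + body


def leaked_private(msg):
    """RFC 1918 addresses still present, e.g. in a WAN-side capture."""
    addrs = set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", msg))
    return sorted(a for a in addrs
                  if any(ipaddress.ip_address(a) in n for n in RFC1918))
```

Running `leaked_private` over SIP messages captured on the WAN side is a quick check that the ALG is rewriting as expected: any RFC 1918 address it returns is one the remote endpoint cannot route to.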