25 ALG Screen
This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL.
25.1 ALG Introduction
An Application Layer Gateway (ALG) manages a specific protocol (such as SIP, H.323 or FTP) at the application layer. The ZyWALL can function as an ALG to allow certain NAT-unfriendly applications (such as SIP) to operate properly through the ZyWALL.
Some applications cannot operate through NAT (are NAT
25.1.1 ALG and NAT
The ZyWALL dynamically creates an implicit NAT session for the application’s traffic from the WAN to the LAN.
The ALG on the ZyWALL supports all NAT mapping types, including One to One, Many to One, Many to Many Overload and Many One to One.
25.1.2 ALG and the Firewall
To create an implicit temporary firewall rule for the session’s traffic, the ZyWALL uses the dynamic port that the session uses for data transfer. The firewall rule only allows the session’s traffic to go through in the direction that the ZyWALL determines from its inspection of the data payload of the application’s packets. The firewall rule is automatically deleted after the application’s traffic has gone through.
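How an implicit rule of this kind can be derived from the payload, shown for FTP as an added example that is not taken from this guide or from ZyWALL firmware: the control line announces the dynamic data port, and the rule is scoped to that port, the two session hosts and one direction. Assumptions: all function and class names are hypothetical, the addresses are constructed sample values, NAT rewriting of the announced address is left out, and deleting the rule on its first match is a simplification of "after the traffic has gone through".

```python
import re
from dataclasses import dataclass

# FTP (RFC 959) announces the data endpoint in the control channel as h1,h2,h3,h4,p1,p2.
_ENDPOINT = re.compile(r"(?<![\d,])" + r",".join([r"(\d{1,3})"] * 6) + r"(?![\d,])")

@dataclass(frozen=True)
class Pinhole:
    src_ip: str     # peer allowed to open the data connection
    dst_ip: str     # host listening on the dynamic port
    dst_port: int
    direction: str  # e.g. "WAN->LAN"

def inspect_control_line(line, sender_ip, peer_ip, sender_side):
    """Derive the temporary rule for one FTP control line, or None if none is warranted."""
    if not (line.upper().startswith("PORT ") or line.startswith("227 ")):
        return None
    m = _ENDPOINT.search(line)
    if not m:
        return None
    nums = [int(g) for g in m.groups()]
    if max(nums) > 255:
        return None
    ip, port = ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]
    # Open a pinhole only towards the host that sent the line, and only on an unprivileged port.
    if ip != sender_ip or port < 1024:
        return None
    other_side = "WAN" if sender_side == "LAN" else "LAN"
    return Pinhole(peer_ip, ip, port, f"{other_side}->{sender_side}")

class PinholeTable:
    """Holds implicit rules; each is deleted once its data connection has been matched."""
    def __init__(self):
        self._rules = set()

    def add(self, rule):
        self._rules.add(rule)

    def allow(self, src_ip, dst_ip, dst_port, direction):
        rule = Pinhole(src_ip, dst_ip, dst_port, direction)
        if rule in self._rules:
            self._rules.discard(rule)
            return True
        return False  # anything the inspection did not announce stays blocked
```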
ZyWALL 2WG User’s Guide