18

ALG

This chapter covers how to use the ZyWALL’s ALG feature to allow certain applications to pass through the ZyWALL. See Section 5.4.20 on page 122 for related information on these screens.

18.1 ALG Introduction

The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain NAT unfriendly applications (such as SIP) to operate properly through the ZyWALL’s NAT.

Some applications cannot operate through NAT (are NAT un-friendly) because they embed IP addresses and port numbers in their packets’ data payload. The ZyWALL examines and uses IP address and port number information embedded in the VoIP traffic’s data stream. When a device behind the ZyWALL uses an application for which the ZyWALL has VoIP pass through enabled, the ZyWALL translates the device’s private IP address inside the data stream to a public IP address. It also records session port numbers and allows the related sessions to go through the firewall so the application’s traffic can come in from the WAN to the LAN.

The ZyWALL only needs to use the ALG feature for traffic that goes through the ZyWALL’s NAT. The firewall allows related sessions. The firewall allows or blocks peer to peer traffic based on the firewall rules.

You do not need to use STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators) for VoIP devices behind the ZyWALL when you enable the

SIP ALG.

18.1.1 Application Layer Gateway (ALG) and NAT

The ZyWALL dynamically creates an implicit NAT session for the application’s traffic from the WAN to the LAN. The ALG on the ZyWALL supports all of the ZyWALL’s NAT mapping types.

18.1.2 ALG and Trunks

If you send your ALG-managed traffic through an interface trunk and all of the interfaces are set to active, you can configure routing policies to specify which interface the ALG-managed traffic uses.

 

265

ZyWALL USG 1000 User’s Guide