FTP ALG in a router: what is it?

Application Level Gateway (ALG) is an application-layer gateway, a component of a NAT router.

How an ALG works

An ALG handles the dynamic firewall policies that certain protocols, such as FTP, require. Many such protocols were designed without regard to security or other access-control mechanisms, which can cause problems when firewalls are deployed.

For example, FTP uses several sessions to carry out a file transfer: a primary command channel and secondary data channels for directory listings and file transfers. These data channels often run in the opposite direction to the original command channel.

Because these data channels may connect to any port, it is practically impossible to write a static firewall policy that permits them while still providing adequate protection.

The FTP ALG solves this problem automatically by monitoring the FTP command channel and looking for FTP PORT commands, which state the requested source and destination ports. The ALG dynamically opens that specific combination of source and destination IP addresses and ports in the firewall policy, allowing the session to be established. As soon as the session ends, the opening is closed immediately.

The FTP ALG also handles the special case in which an FTP session passes through a NAT interface. In that case the endpoints do not always realize that their addresses are being translated mid-stream. FTP PORT commands carry the IP addresses configured on the end hosts' own interfaces, which for a host behind a NAT firewall are usually unreachable from the Internet. The ALG solves this at the application layer by replacing the internal IP address with the address of the NAT interface.

The way an ALG works is similar to a proxy server: the gateway makes it possible for clients to use the protocol.

Examples of protocols that require an ALG

  • PASV passes the client's IP address and port number in the PORT command with the help of an ALG.
  • The PPTP protocol has no notion of a "port number", which creates problems when translating addresses to the outside world. An ALG makes it possible to set up more than one PPTP connection.
  • The H.323 protocol. The application-level gateway consists of the H.225.0 and H.245 protocol set, used to provide an audiovisual communication session over any network.
  • ALGs also handle the file-transfer protocols of some instant messengers, take part in setting up game servers, and help organize file-sharing networks.

«ALG» here stands for «Application-layer Gateway». That is, firewall modules which cope with some peculiarities of those protocols.

  • On a stateful firewall, the «state» is usually tied to just addresses and port numbers. That is, you send a packet from port X to server’s port Y, and the firewall automatically allows the reverse back in. However, some protocols use additional connections – for example, FTP in ‘active’ mode makes the server connect back to you on a separate port. So the firewall needs an ALG module that snoops on FTP commands and automatically adds the necessary rules. (This includes automagic port forwarding when NAT is in use.)

  • Firewalls with NAT enabled translate IP addresses and TCP/UDP ports within the corresponding headers. But some protocols also send the client’s or server’s address inside packets themselves – for example, yes, the same FTP does this (in active mode the client sends its own address, in passive mode the server does). An ALG tries to do the appropriate rewriting of those FTP commands.

Usually, what happens if the appropriate ALG is not present is that certain connections simply hang in the middle. For example, you can log in to the FTP server, but it times out while trying to get the file list.

(Yes, most of those stop working when encryption is enabled since the ALG can no longer look inside. You could say ALGs are tools for disguising problems.)

As for which you can disable: that really depends on which protocols you use, and whether your particular router’s ALG is of acceptable quality. (There have been some models which would utterly break connections instead of ‘fixing’ them…) For example, disabling H.323 support (an old VoIP protocol) should be fine.

From Wikipedia, the free encyclopedia

An application-level gateway (ALG, also known as application layer gateway, application gateway, application proxy, or application-level proxy) is a security component that augments a firewall or NAT employed in a computer network.[1][2] It allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer «control/data» protocols such as FTP, BitTorrent, SIP, RTSP, file transfer in IM applications. In order for these protocols to work through NAT or a firewall, either the application has to know about an address/port number combination that allows incoming packets, or the NAT has to monitor the control traffic and open up port mappings (firewall pinholes) dynamically as required. Legitimate application data can thus be passed through the security checks of the firewall or NAT that would have otherwise restricted the traffic for not meeting its limited filter criteria.

Functions

An ALG may offer the following functions:

  • allowing client applications to use dynamic ephemeral TCP/UDP ports to communicate with the known ports used by the server applications, even though a firewall configuration may allow only a limited number of known ports. In the absence of an ALG, either the ports would get blocked or the network administrator would need to explicitly open up a large number of ports in the firewall — rendering the network vulnerable to attacks on those ports.
  • converting the network layer address information found inside an application payload between the addresses acceptable by the hosts on either side of the firewall/NAT. This aspect introduces the term ‘gateway’ for an ALG.
  • recognizing application-specific commands and offering granular security controls over them
  • synchronizing between multiple streams/sessions of data between two hosts exchanging data. For example, an FTP application may use separate connections for passing control commands and for exchanging data between the client and a remote server. During large file transfers, the control connection may remain idle. An ALG can prevent the control connection getting timed out by network devices before the lengthy file transfer completes.[3]

Deep packet inspection of all the packets handled by ALGs over a given network makes this functionality possible. An ALG understands the protocol used by the specific applications that it supports.

For instance, for Session Initiation Protocol (SIP) Back-to-Back User agent (B2BUA), an ALG can allow firewall traversal with SIP. If the firewall has its SIP traffic terminated on an ALG then the responsibility for permitting SIP sessions passes to the ALG instead of the firewall. An ALG can solve another major SIP headache: NAT traversal. Basically a NAT with a built-in ALG can rewrite information within the SIP messages and can hold address bindings until the session terminates. A SIP ALG will also handle SDP in the body of SIP messages (which is used ubiquitously in VoIP to set up media endpoints), since SDP also contains literal IP addresses and ports that must be translated.

It is common for SIP ALG on some equipment to interfere with other technologies that try to solve the same problem, and various providers recommend turning it off.[4][5][6]

An ALG is very similar to a proxy server, as it sits between the client and real server, facilitating the exchange. There seems to be an industry convention that an ALG does its job without the application being configured to use it, by intercepting the messages. A proxy, on the other hand, usually needs to be configured in the client application. The client is then explicitly aware of the proxy and connects to it, rather than the real server.

Microsoft Windows

The Application Layer Gateway service in Microsoft Windows provides support for third-party plugins that allow network protocols to pass through the Windows Firewall and work behind it and Internet Connection Sharing.[citation needed] ALG plugins can open ports and change data that is embedded in packets, such as ports and IP addresses. Windows Server 2003 also includes an ALG FTP plugin. The ALG FTP plugin is designed to support active FTP sessions through the NAT engine in Windows. To do this, the ALG FTP plugin redirects all traffic that passes through the NAT and that is destined for port 21 (FTP control port) to a private listening port in the 3000–5000 range on the Microsoft loopback adapter. The ALG FTP plugin then monitors/updates traffic on the FTP control channel so that the FTP plugin can plumb port mappings through the NAT for the FTP data channels.

Linux

The Linux kernel’s Netfilter framework, which implements NAT in Linux, has features and modules for several NAT ALGs:

  • Amanda protocol
  • FTP
  • IRC
  • SIP
  • TFTP
  • IPsec
  • H.323
  • PPTP
  • L2TP

See also

  • Session border controller

References

  1. RFC 2663, section 2.9: ALG, official definition
  2. "What is Application Gateway?". 26 June 2001.
  3. The File Transfer Protocol (FTP) and Your Firewall / Network Address Translation (NAT) Router / Load-Balancing Router.
  4. "Why is SIP ALG an Issue?".
  5. "What is SIP ALG and should it be on or off?".
  6. "SIP ALG and why it should be disabled on most routers | VoiceHost, UK VoIP Provider".

External links

  • DNS Application Level Gateway (DNS_ALG)

  • #1

Hello, I have set up my router (WR940N) and connected one of the LAN ports to the WAN port of my ISP router because my ISP's router has a phone port and I need it to make the phone functional. Although it does work, receives and sends calls, it randomly hangs up after like 3-5 minutes. I've read somewhere that it could be my firewall and it in fact was my firewall. I have SPI firewall, PPTP PASSTHROUGH, L2TP PASSTHROUGH, IPSEC PASSTHROUGH, TFTP ALG, H323 ALG, RTSP ALG, SIP ALG set to "enabled". It seems that only FTP ALG makes it hang up randomly after a couple of minutes. Why is it? What is FTP ALG and is it bad if I disable it? Also I cannot see my NAT type, whether it's open or strict.

Thank you.

The Paladin


  • #2

The File Transfer Protocol (FTP) is a widely and commonly used method of exchanging files over IP networks. In addition to the main control connection, data connections are also made for any data transfer between the client and the server; and the host, port, and direction are negotiated through the control channel. For active mode FTP, the firewall service scans the client-to-server application data for the PORT command, which provides the IP address and port number to which the server connects. For passive-mode FTP, the firewall service scans the client-to-server application data for the PASV command and then scans the server-to-client responses for the 227 response, which contains the IP address and port number to which the client connects. FTP represents the addresses and port numbers in ASCII. As a result, when addresses and ports are rewritten, the TCP sequence number might be changed, and thereafter the NAT service needs to maintain this delta in SEQ and ACK numbers by performing sequence NAT on all subsequent packets.
The FTP ALG supports the following:
  • Automatically allocates data ports and firewall permissions for dynamic data connections
  • Monitors the control connection in both active and passive modes
  • Rewrites the control packets with the appropriate NAT address and port information
  • Network Address Translation, Protocol Translation (NAT-PT)
  • Transport Layer Security (TLS) as the security mechanism

Do you need it? Probably not, but, more to the point of your question, most routers need to have SIP ALG disabled for your voice over IP to work properly.
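The PORT/227 inspection, address rewriting and sequence-number delta described in the answer above (and in the opening section on how an FTP ALG watches the command channel), as an added runnable illustration. This is example code written for this page, not the router's firmware or any vendor's ALG; the addresses 203.0.113.5 (NAT public side), 192.168.1.10 (inside client) and 198.51.100.7 (FTP server), the public port range starting at 40000, and the rule that an embedded address must match the sender are all assumptions of the example.

```python
"""FTP ALG behaviour for active (PORT) and passive (PASV/227) mode.
Constructed illustration for this page; not any router's or vendor's code.
All addresses are made-up documentation addresses."""
import re
from dataclasses import dataclass, field

# PORT h1,h2,h3,h4,p1,p2 (client -> server, active mode)
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
# 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2). (server -> client, passive mode)
PASV_227_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\.?\r\n$")


def decode_hostport(groups):
    """FTP encodes the port as two decimal bytes: port = p1*256 + p2."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass(frozen=True)
class Pinhole:
    """A dynamically opened firewall rule: initiator -> dst_ip:dst_port."""
    proto: str
    initiator_ip: str
    dst_ip: str
    dst_port: int


@dataclass
class FtpAlg:
    nat_ip: str                     # public address of the NAT interface
    inside_ip: str                  # private address of the FTP client
    next_public_port: int = 40000   # assumed public port pool for active-mode data channels
    seq_delta: int = 0              # bytes added (or removed) on the client->server stream
    pinholes: list = field(default_factory=list)
    port_map: dict = field(default_factory=dict)   # public port -> (inside ip, inside port)

    def client_to_server(self, line: bytes, server_ip: str) -> bytes:
        """Inspect one control-channel line from the client; rewrite PORT for NAT."""
        m = PORT_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != self.inside_ip:
            # Embedded address is not the sender's own: leave it alone rather than
            # open a hole toward some other host (defensive choice of this example).
            return line
        pub_port = self.next_public_port
        self.next_public_port += 1
        self.port_map[pub_port] = (ip, port)
        # Active mode: the server connects back, so the pinhole admits the server
        # to nat_ip:pub_port, which NAT then forwards to the client's data port.
        self.pinholes.append(Pinhole("tcp", server_ip, self.nat_ip, pub_port))
        rewritten = b"PORT " + encode_hostport(self.nat_ip, pub_port).encode() + b"\r\n"
        # The rewrite changes the payload length; later TCP sequence numbers in
        # this direction must be shifted by the accumulated delta (sequence NAT).
        self.seq_delta += len(rewritten) - len(line)
        return rewritten

    def server_to_client(self, line: bytes, server_ip: str) -> bytes:
        """Inspect one control-channel line from the server; track 227 (passive mode)."""
        m = PASV_227_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        if ip != server_ip:
            return line   # same defensive rule: only trust the server's own address
        # Passive mode: the client connects out, so the pinhole is client -> server:port.
        self.pinholes.append(Pinhole("tcp", self.inside_ip, ip, port))
        return line

    def translate_seq(self, seq: int) -> int:
        """Client->server SEQ after the ALG's edits."""
        return (seq + self.seq_delta) & 0xFFFFFFFF

    def translate_ack(self, ack: int) -> int:
        """Server->client ACK mapped back onto the client's original numbering."""
        return (ack - self.seq_delta) & 0xFFFFFFFF


def demo() -> FtpAlg:
    """Constructed control-channel exchange pushed through the ALG."""
    alg = FtpAlg(nat_ip="203.0.113.5", inside_ip="192.168.1.10")
    server = "198.51.100.7"
    alg.client_to_server(b"USER anonymous\r\n", server)                        # untouched
    alg.client_to_server(b"PORT 192,168,1,10,200,10\r\n", server)              # active mode
    alg.server_to_client(b"227 Entering Passive Mode (198,51,100,7,195,80).\r\n", server)
    alg.client_to_server(b"PORT 10,9,8,7,0,80\r\n", server)                    # address mismatch: ignored
    return alg
```

demo() rewrites the client's PORT to the public address and a pool port, records the pinhole the server may use, tracks the one-byte length change so that later SEQ/ACK numbers can be shifted, and leaves alone a PORT whose embedded address is not the client's own; that last check is what keeps an ALG from being used to open holes toward hosts that never asked for them.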

  • #3


Thank you very much. It's been a day now and the phone seems to work fine and does not hang up anymore since I disabled FTP ALG, and I still have SIP ALG enabled. If I ever get into the same problem I will disable it and test.


Using Application-Level Gateways with NAT

Last Updated: November 29, 2012

This module describes the basic tasks to configure an application-level gateway (ALG) with Network Address Translation (NAT). This module also provides information about the protocols that use ALG for IP header translation.

NAT performs translation services on any TCP/UDP traffic that does not carry source and destination IP addresses in the application data stream. The protocols that do not carry the source and destination IP addresses include HTTP, TFTP, telnet, archie, finger, Network Time Protocol (NTP), Network File System (NFS), and remote copy (rcp).

Specific protocols that embed IP address information within the payload require support of an ALG. NAT requires a variety of ALGs to handle application data stream (Layer 7) protocol-specific services such as translating embedded IP addresses and port numbers in the packet payload and extracting new connection/session information from control channels.

NAT supports virtual routing and forwarding (VRF) for protocols that have a supported ALG.

The Support for IPsec ESP Through NAT feature provides the ability to support multiple concurrent IPsec Encapsulating Security Payload (ESP) tunnels or connections through a NAT device configured in Overload or Port Address Translation (PAT) mode.

  • Finding Feature Information
  • Prerequisites for Using Application-Level Gateways with NAT
  • Information About Configuring Application-Level Gateways with NAT
  • How to Configure Application-Level Gateways with NAT
  • Configuration Examples for Using Application-Level Gateways with NAT
  • Additional References for Using Application-Level Gateways with NAT
  • Feature Information for Using Application-Level Gateways with NAT

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Using Application-Level Gateways with NAT

  • Before performing the tasks in this module, you should be familiar with the concepts described in the «Configuring NAT for IP Address Conservation» module.
  • You should have already configured all access lists required for use with the tasks in this module.
  • You should verify that Session Initiation Protocol (SIP) and H.323 are not disabled. SIP and H.323 are enabled by default.

Information About Configuring Application-Level Gateways with NAT

  • Application-Level Gateways
  • IPsec
  • SPI Matching
  • NAT Support for Application-Level Gateways

Application-Level Gateways

An application-level gateway (ALG), also known as an application-layer gateway, is an application that translates the IP address information inside the payload of an application packet. An ALG is used to interpret the application-layer protocol and perform firewall and Network Address Translation (NAT) actions. These actions can be one or more of the following depending on your configuration of the firewall and NAT:

  • Allow client applications to use dynamic TCP or UDP ports to communicate with the server application.
  • Recognize application-specific commands and offer granular security control over them.
  • Synchronize multiple streams or sessions of data between two hosts that are exchanging data.
  • Translate the network-layer address information that is available in the application payload.

The firewall opens a pinhole, and NAT performs translation service on any TCP or UDP traffic that does not carry the source and destination IP addresses in the application-layer data stream. Specific protocols or applications that embed IP address information require the support of an ALG.

IPsec

IPsec is a set of extensions to the IP family in a framework of open standards for ensuring secure private communications over the Internet. Based on standards developed by the IETF, IPsec ensures confidentiality, integrity, and authenticity of data communications across the public network and provides cryptographic security services.

Secure tunnels between two peers, such as two routers, are provided and decisions are made as to which packets are considered sensitive and should be sent through these secure tunnels and which parameters should be used to protect these sensitive packets by specifying the characteristics of these tunnels. When the IPsec peer receives a sensitive packet, the peer sets up the appropriate secure tunnel and sends the packet through the tunnel to the remote peer.

IPsec using Encapsulating Security Payload (ESP) can pass through a router running NAT without any specific support from it as long as Network Address Port Translation (NAPT) or address overloading is not configured.

There are a number of factors to consider when attempting an IPsec VPN connection that traverses a NAPT device that represents multiple private internal IP addresses as a single public external IP address. These factors include capabilities of the VPN server and client, capabilities of the NAPT device, and whether more than one simultaneous connection is attempted across the NAPT device.

There are two possible methods for configuring IPsec on a device with NAPT:

  • Encapsulate IPsec in a Layer 4 protocol such as TCP or UDP. In this case, IPsec is sneaking through NAT. The NAT device is unaware of the encapsulation.
  • Add IPsec-specific support to NAPT. IPsec works with NAT in this case as opposed to sneaking through NAT. The NAT Support for IPsec ESP—Phase II feature provides support for Internet Key Exchange (IKE) and ESP without encapsulation in tunnel mode through a device configured with NAPT.

We recommend that TCP and UDP be used when conducting IPsec sessions that traverse a NAPT device. However, not all VPN servers or clients support TCP or UDP.

  • Benefits of Configuring NAT IPsec

Benefits of Configuring NAT IPsec

  • NAT enables customers to deploy private IP addresses within their network and perform translation to public IP addresses when connecting to the Internet or interconnecting with another corporate network.
  • ESP entries in the translation table are normally delayed from being transmitted until a reply is received from the destination. With predictable security parameter indexes (SPIs) and SPI matching, the delay can be eliminated because the SPI entries are matched. Some third-party concentrators require both the source and incoming ports to use port 500. Use of the preserve-port keyword with the ip nat service command preserves the ports rather than changing them, which is required with regular NAT.

SPI Matching

SPI matching is used to establish VPN connections between multiple pairs of destinations. NAT entries will immediately be placed in the translation table for endpoints matching the configured access list.

NAT Support for Application-Level Gateways

The following section provides information on NAT support for ALGs.

The features described in the following subsections are enabled by default unless otherwise noted; no configuration is necessary:

  • NAT Support of Skinny Client Control Protocol
  • NAT SCCP Video Support
  • NAT vTCP ALG Support
  • NAT NetBIOS ALG Support
  • NAT RCMD ALG Support
  • NAT RTSP ALG Support
  • NAT Support for SIP—Voice and Multimedia over IP Networks
  • NAT ALG—SIP REFER Method
  • NAT ALG—SIP Trunking Support
  • NAT SIP Extended Methods
  • ALG—SCCP Version 17 Support
  • Basic H.323 ALG Support
  • NAT Support of H.323 v2 RAS
  • ALG—H.323 v6 Support
  • NAT NetMeeting Directory (LDAP)
  • NAT DNS ALG Support
  • NAT ICMP ALG Support
  • NAT TFTP ALG Support
  • NAT FTP ALG Support

NAT Support of Skinny Client Control Protocol

Cisco IP phones use the Skinny Client Control Protocol (SCCP) to connect with and register to Cisco Unified CallManager.

To deploy NAT between the IP phone and the Cisco Unified CallManager in a scalable environment, NAT must detect SCCP and understand the information that is passed within these messages. Messages that flow back and forth include the IP address and the port information to identify other IP phone users with whom calls can be placed.

The SCCP client to the Cisco Unified CallManager communication typically flows from inside to outside. The Domain Name System (DNS) is used to resolve the Cisco Unified CallManager IP address connection when the Cisco Unified CallManager is configured on the inside (behind the NAT device), or when static NAT is configured to reach the Cisco Unified CallManager on the inside.

When an IP phone attempts to connect to the Cisco Unified CallManager and matches the configured NAT rules, NAT translates the original source IP address and replaces it with one from the configured pool. This new IP address is reflected in the Cisco Unified CallManager and is visible to other IP phone users.

NAT SCCP Video Support

NAT provides SCCP video message translation support.

NAT vTCP ALG Support

NAT provides virtual TCP (vTCP) support to handle TCP segmentation and reassembling for ALG. When a Layer 7 protocol uses TCP for transportation, the payload can be segmented due to various reasons, such as Maximum Segment Size (MSS), application design, and TCP window size. Proper recognition of these TCP segments is required to perform parsing. Therefore, a generic framework called vTCP is used by various ALGs to perform TCP segmentation.

Some applications such as SIP and NAT require the entire payload to rewrite embedded data. In addition, ALGs are not developed to consider data splitting between the packets, which is required for the firewall. Therefore, vTCP is also required for the firewall without any changes to current ALGs. NAT and the firewall ALG configuration activate the vTCP configuration.

vTCP does not support data channel traffic. To protect system resources, vTCP does not support reassembled messages larger than 8 KB.

  • NAT ALG—vTCP for SIP

NAT ALG—vTCP for SIP

Cisco IOS XE Release 3.2S supports the NAT ALG—vTCP for SIP feature. With the introduction of vTCP support for SIP, individual TCP segments will be chained together to form a complete SIP message and passed to the SIP parser. vTCP also supports acknowledgement (ACK) and reliable transmission of buffered data. ACK is a SIP method that is used to acknowledge that the received message is valid and accepted.

The NAT ALG—vTCP for SIP feature does not support:

  • Data channel traffic.
  • Reassembled Layer 7 messages that are larger than 8 KB.
  • TCP segments that are larger than 8 KB.
  • vTCP SIP trunk calls.
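A reassembler of the kind the vTCP framework provides, written as an added example for this page (it is not Cisco's code): it chains TCP segment payloads until a complete SIP message (headers plus the Content-Length body) is available, hands each complete message on, and refuses anything beyond the 8 KB ceiling described above so the buffer cannot grow without bound. The SIP messages, the 7-byte and 1000-byte segment sizes and the drop-on-oversize policy are constructed for the example.

```python
"""vTCP-style reassembly of SIP-over-TCP into whole messages for an ALG parser.
Constructed example for this page; not Cisco's implementation."""

MAX_MESSAGE = 8 * 1024     # the document's 8 KB limit on reassembled messages


class SipReassembler:
    """Buffers one direction of a SIP-over-TCP stream."""

    def __init__(self, max_bytes: int = MAX_MESSAGE):
        self.max_bytes = max_bytes
        self.buf = b""
        self.dropped = 0       # messages abandoned because they exceeded max_bytes

    def feed(self, segment: bytes) -> list:
        """Add one segment payload; return every SIP message completed by it."""
        if len(segment) > self.max_bytes:
            self.dropped += 1   # a single oversize segment cannot be handled
            return []
        self.buf += segment
        if len(self.buf) > self.max_bytes:
            self.buf = b""      # discard rather than grow unbounded
            self.dropped += 1
            return []
        out = []
        msg = self._extract_one()
        while msg is not None:
            out.append(msg)
            msg = self._extract_one()
        return out

    def _extract_one(self):
        end = self.buf.find(b"\r\n\r\n")
        if end < 0:
            return None          # headers not complete yet
        clen = 0
        for header in self.buf[:end].split(b"\r\n")[1:]:   # skip request/status line
            name, _, value = header.partition(b":")
            if name.strip().lower() in (b"content-length", b"l") and value.strip().isdigit():
                clen = int(value.strip())                  # 'l' is the compact form
        total = end + 4 + clen
        if total > self.max_bytes:
            self.buf = b""       # declared size exceeds the limit: give up on it now
            self.dropped += 1
            return None
        if len(self.buf) < total:
            return None          # body still arriving
        msg, self.buf = self.buf[:total], self.buf[total:]
        return msg


def split(data: bytes, size: int) -> list:
    """Cut a byte string into segment-sized pieces (constructed input)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def reassemble(segments, max_bytes: int = MAX_MESSAGE):
    """Feed all segments through one reassembler; return (messages, dropped)."""
    r = SipReassembler(max_bytes)
    msgs = []
    for s in segments:
        msgs.extend(r.feed(s))
    return msgs, r.dropped


# Constructed SIP traffic: an INVITE carrying SDP, then an ACK with no body,
# then a MESSAGE whose body exceeds the 8 KB limit.
SDP = (b"v=0\r\no=alice 1 1 IN IP4 192.168.1.10\r\ns=-\r\n"
       b"c=IN IP4 192.168.1.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"Via: SIP/2.0/TCP 192.168.1.10:5060\r\n"
          b"Call-ID: a84b4c76e66710@192.168.1.10\r\n"
          b"Content-Type: application/sdp\r\n"
          b"Content-Length: " + str(len(SDP)).encode() + b"\r\n\r\n" + SDP)
ACK = (b"ACK sip:bob@example.com SIP/2.0\r\n"
       b"Call-ID: a84b4c76e66710@192.168.1.10\r\n"
       b"Content-Length: 0\r\n\r\n")
OVERSIZE = b"MESSAGE sip:bob@example.com SIP/2.0\r\nContent-Length: 9000\r\n\r\n" + b"x" * 9000

if __name__ == "__main__":
    print(reassemble(split(INVITE + ACK, 7)))
    print(reassemble(split(OVERSIZE, 1000)))
```

Splitting the INVITE+ACK stream into 7-byte segments yields exactly the two original messages; the oversize MESSAGE is dropped as soon as its Content-Length shows it cannot fit, which is the behaviour a parser needs so that one peer cannot make it buffer unbounded data.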

NAT NetBIOS ALG Support

NAT application awareness includes support for Network Basic Input Output System (NetBIOS) applications. A NetBIOS ALG translates IP addresses and port numbers embedded in NetBIOS packets when a NAT mapping is processed. The NAT NetBIOS ALG Support feature introduced the show platform hardware qfp [active | standby] feature alg statistics netbios command to display NetBIOS-specific information for a device and the match protocol netbios command to configure network-based application recognition (NBAR) to match the NetBIOS traffic.

NAT RCMD ALG Support

NAT application awareness includes support for remote command (RCMD) execution service applications, remote login (rlogin), remote shell (rsh) protocol, and remote execution (rexec). An RCMD ALG translates IP addresses and port numbers embedded in RCMD application packets when a NAT mapping is processed. The NAT RCMD ALG Support feature introduced the show platform software trace message process qfp active command to display RCMD-specific information for a device.

NAT RTSP ALG Support

NAT application awareness includes support for Real-Time Streaming Protocol (RTSP) applications. An RTSP ALG translates IP addresses and port numbers embedded in RTSP packets when a NAT mapping is processed.

NAT Support for SIP—Voice and Multimedia over IP Networks

SIP is a protocol developed by the IETF Multiparty Multimedia Session Control (MMUSIC) Working Group. The Cisco Session Initiation Protocol (SIP) functionality equips Cisco devices to signal the setup of voice and multimedia calls over IP networks. SIP provides an alternative to H.323 within VoIP internetworking software.

Session Description Protocol (SDP) is a protocol that describes multimedia sessions. SDP may be used in SIP message bodies to describe multimedia sessions used for creating and controlling multimedia sessions with two or more participants.

The NAT Support for SIP feature allows SIP embedded messages passing through a device that is configured with NAT to be translated and encoded back to the packet. An ALG is used with NAT to translate SIP messages.


Note: By default, support for SIP is enabled on port 5060. Therefore, NAT-enabled devices interpret all packets on this port as SIP call messages. If other applications in the system use port 5060 to send packets, the NAT service may corrupt the packet as it attempts to interpret the packet as a SIP call message.

  • NAT ALG—SIP Multiple Media Line Support

NAT ALG—SIP Multiple Media Line Support

The NAT ALG—SIP Multiple Media Line Support feature supports a maximum of five media lines in SDP. These media lines can be a combination of audio, video, and data.

SDP describes multimedia sessions. The description includes the media type, the transport port to which the media stream is sent, the transport protocol, and the media format. All media descriptions start with the media line attribute «m=» and terminate at the end of the session description. There can be multiple media lines depending on the services supported by SIP peers.

The NAT ALG—SIP Multiple Media Line Support feature uses the transport port information in the media description to create a door for NAT. Doors are transient structures that allow incoming traffic that matches a specific criterion. A door is created when there is not enough information to create a complete NAT session entry. A door contains information about the source IP address and destination IP address and the destination port. However, it does not have information about the source port. When media data arrives, the source port information is known and the door is promoted to a real NAT session.

When a door receives information about the source IP address, destination IP address, source port, destination port, and protocol from the incoming packet, it will change itself from a door to a full NAT session. A door and a full NAT session are saved in different databases. When a door becomes a full NAT session, the door entry is removed from the door database and a new NAT entry is added to the NAT session database.

NAT ALG—SIP REFER Method

The NAT ALG—SIP REFER Method feature is used for call transfers. A REFER message is used to refer to a peer. The REFER method indicates that the recipient of a call, identified by a request Uniform Resource Identifier (URI), must contact a third party using the contact information provided in the request.

The NAT ALG—SIP REFER Method feature supports two types of call transfers, unattended (blind) transfer and attended (consultative) transfer.

NAT ALG—SIP Trunking Support

A SIP trunk is a direct connection of an IP PBX to a service provider over an IP network using SIP. There can be numerous concurrent calls in a SIP trunk. During the call setup process, all calls use the same control channel for call establishment. More than one call uses the same control channel for call setup. When the same control channel is used by more than one call, the stateful information stored in the control channel sessions becomes unreliable. SIP stateful information consists of media channel information such as the IP address and port number used by client/server endpoints to send media data. The media channel information is used to create a door for the data channel in NAT. Because multiple calls use the same control channel for call setup, there will be multiple sets of media data. The NAT ALG—SIP Trunking Support feature uses a local database to store all media-related information within a SIP trunk. Call IDs of each call are used to index this local database.

TCP segmentation in a SIP trunk can cause unexpected behavior that includes packet drops, TCP reset, and slow response.
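The SDP rewriting described in the Wikipedia text earlier on this page and the door mechanism of the multiple-media-line and SIP-trunking sections above, as one added example written for this page (not Cisco's implementation or any vendor's code): c= and m= lines are rewritten to the NAT address and fresh ports, Content-Length is fixed up, one door per media line (capped at five) is stored under the Call-ID, and the first inbound media packet that matches a door's known fields promotes it to a full session. The addresses, the port pool starting at 30000, the even/odd port pairing and the exact door/session data structures are assumptions of the example.

```python
"""SIP ALG sketch: SDP rewrite for NAT, doors per media line, Call-ID index,
door-to-session promotion. Constructed example for this page; not Cisco's code."""
import re
from dataclasses import dataclass

MAX_MEDIA_LINES = 5          # the document's limit for the multiple-media-line feature


@dataclass(frozen=True)
class Door:
    """Partial translation entry: the remote source port is not known yet."""
    remote_ip: str
    nat_ip: str
    nat_port: int
    inside: tuple            # (private ip, private port) the media is forwarded to


class SipAlg:
    def __init__(self, nat_ip: str, first_port: int = 30000):
        self.nat_ip = nat_ip
        self.next_port = first_port
        self.doors = {}       # Call-ID -> [Door, ...]   (the "door database")
        self.sessions = {}    # (remote_ip, remote_port, nat_ip, nat_port) -> inside tuple

    def rewrite_invite(self, msg: bytes, remote_ip: str):
        """Return (rewritten message, Call-ID). Only SDP c=/m= lines are handled;
        the o= origin line is left as it is."""
        head, sep, body = msg.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete SIP message")
        call_id = self._call_id(head)
        lines = body.split(b"\r\n")
        # Session-level connection address: the private host media must reach.
        private_ip = next((l[len(b"c=IN IP4 "):].decode() for l in lines
                           if l.startswith(b"c=IN IP4 ")), None)
        if private_ip is None:
            raise ValueError("no IPv4 c= line in SDP")
        doors, out = [], []
        for line in lines:
            if line.startswith(b"c=IN IP4 "):
                line = b"c=IN IP4 " + self.nat_ip.encode()
            elif line.startswith(b"m="):
                if len(doors) >= MAX_MEDIA_LINES:
                    raise ValueError("more than %d media lines" % MAX_MEDIA_LINES)
                parts = line.split(b" ")
                private_port = int(parts[1])
                nat_port = self.next_port
                self.next_port += 2           # keep RTP/RTCP on an even/odd pair
                parts[1] = str(nat_port).encode()
                line = b" ".join(parts)
                doors.append(Door(remote_ip, self.nat_ip, nat_port, (private_ip, private_port)))
            out.append(line)
        new_body = b"\r\n".join(out)
        # The body length changed, so Content-Length must be updated to match.
        head = re.sub(rb"(?im)^(Content-Length:\s*)\d+",
                      lambda m: m.group(1) + str(len(new_body)).encode(), head)
        self.doors.setdefault(call_id, []).extend(doors)
        return head + b"\r\n\r\n" + new_body, call_id

    @staticmethod
    def _call_id(head: bytes) -> str:
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            if name.strip().lower() in (b"call-id", b"i"):
                return value.strip().decode()
        raise ValueError("missing Call-ID")

    def media_packet(self, src_ip, src_port, dst_ip, dst_port):
        """Where an inbound media packet is forwarded; None means no door or session (drop)."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.sessions:
            return self.sessions[key]
        for doors in self.doors.values():
            for door in doors:
                if (door.remote_ip, door.nat_ip, door.nat_port) == (src_ip, dst_ip, dst_port):
                    doors.remove(door)                 # leaves the door database ...
                    self.sessions[key] = door.inside   # ... and enters the session database
                    return door.inside
        return None


def declared_content_length(msg: bytes) -> int:
    m = re.search(rb"(?im)^Content-Length:\s*(\d+)", msg.split(b"\r\n\r\n", 1)[0])
    return int(m.group(1)) if m else 0


# Constructed INVITE from a phone at 192.168.1.10 behind the NAT at 203.0.113.5.
SDP = (b"v=0\r\no=alice 1 1 IN IP4 192.168.1.10\r\ns=-\r\n"
       b"c=IN IP4 192.168.1.10\r\nt=0 0\r\n"
       b"m=audio 49170 RTP/AVP 0\r\nm=video 51372 RTP/AVP 31\r\n")
INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 192.168.1.10:5060\r\n"
          b"Call-ID: a84b4c76e66710@192.168.1.10\r\n"
          b"Content-Type: application/sdp\r\n"
          b"Content-Length: " + str(len(SDP)).encode() + b"\r\n\r\n" + SDP)
```

A packet from the signalled peer to the public audio port promotes the audio door into a session keyed by the full 4-tuple; a packet from any other source to the video port matches no door and is dropped, which is the property that stops a door from being used as a general inbound hole.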

NAT SIP Extended Methods

NAT supports extended methods for SIP.

ALG—SCCP Version 17 Support

The ALG—SCCP Version 17 Support feature enables the SCCP ALG to parse SCCP Version 17 packets. Cisco Unified Communications Manager 7.0 and the IP phones that use Cisco Unified Communications Manager 7.0 support only SCCP Version 17 messages. The format of SCCP changed from Version 17 to support IPv6. The SCCP ALG checks for the SCCP version in the prefix of a message before parsing it according to the version. The SCCP message version is extracted from the message header and if it is greater than Version 17, the message is parsed by using the Version 17 format and the IPv4 address and port information is extracted. The SCCP ALG supports the inspection and translation of IPv4 address information in SCCP messages.


Note: IPv6 address inspection and translation are not supported.

The IP address format of the following SCCP ALG-handled messages changed in Version 17:

  • StationOpenMultiMediaReceiveChannelAck
  • StationOpenReceiveChannelAckMessage
  • StationRegisterMessage
  • StationStartMediaTransmissionAckMessage
  • StationStartMultiMediaTransmissionAckMessage
  • StationStartMediaTransmissionMessage
  • StationStartMultiMediaTransmissionMessage

Basic H.323 ALG Support

H.323 is a recommendation published by the ITU-T defining a series of network elements and protocols for multimedia transmission through packet-based networks. Although most H.323 implementations today use TCP as the transport for signaling, H.323 Version 2 also allows basic UDP transport.

H.323 defines the following network elements:

  • H.323 Terminal—An endpoint in the network, providing two-way communication with another H.323 terminal or gateway.
  • H.323 Gateway—Provides protocol conversion between H.323 terminals and other terminals that do not support H.323.
  • H.323 Gatekeeper—Provides services such as address translation, network access control, bandwidth management, and accounting for H.323 terminals and gateways.

The following core protocols are described by the H.323 specification:

  • H.225—This protocol describes call signaling methods used between any two H.323 entities to establish communication.
  • H.225 Registration, Admission, and Status (RAS)—This protocol is used by the H.323 endpoint and gateway for address resolution and admission control services.
  • H.245—This protocol is used for exchanging the capabilities of multimedia communication and for the opening and closing of logical channels for audio, video, and data.

In addition to the protocols listed, the H.323 specification describes the use of IETF protocols such as the Real-time Transport Protocol (RTP), audio codecs (G.711, G.729, and so on), and video codecs (H.261, H.263, and H.264).

NAT requires a variety of ALGs to handle Layer 7 protocol-specific services such as translating embedded IP addresses and port numbers in the packet payload and extracting new connection/session information from control channels. The H.323 ALG performs these specific services for H.323 messages.

NAT Support of H.323 v2 RAS

NAT supports all H.225 and H.245 message types, including those sent in the Registration, Admission, and Status (RAS) protocol. RAS provides a number of messages that are used by software clients and VoIP devices to register their location, request assistance in call setup, and control bandwidth. RAS messages are directed toward an H.323 gatekeeper.

Some RAS messages include IP addressing information in the payload, typically meant to register a user with the gatekeeper or to learn about another user already registered. If these messages are not known to NAT, they cannot be translated to an IP address that is visible to the public.

Embedded IP addresses can be inspected for potential address translation.

ALG—H.323 v6 Support

ALG—H.323 v6 supports the parsing of H.323 v6 packets and the inspection and translation of IPv4 address information in H.323 messages. The basic H.323 ALG supports only the parsing of H.323 v4 messages. H.323 v6 extends the basic H.323 ALG support to recognize the new message format and to handle new fields that contain the IPv4 address information.

H.323 v6 consists of the core protocols H.225.0 v6 and H.245 v13 and uses an assigned gatekeeper for transmission.

ALG—H.323 v6 does not support:

  • Stream Control Transmission Protocol (SCTP)—a transport protocol that provides services similar to TCP and UDP.
  • Configuration of the H.225 port number.

NAT NetMeeting Directory (LDAP)

NAT provides ALG support for NetMeeting directory Lightweight Directory Access Protocol (LDAP) Version 2 and Version 3 messages.

Users can establish calls/connections among each other directly or through a NetMeeting directory. NetMeeting implements a series of LDAP messages for users to register themselves and perform lookups of other NetMeeting users against the directory. These messages include IP address information.

Before a NAT device can use a NetMeeting directory, NAT needs to understand the LDAP messages and perform standard NAT processing against the IP address information within these messages.

NAT DNS ALG Support

NAT application awareness includes support for the Domain Name System (DNS). An application-level gateway (ALG) translates IP addresses and port numbers embedded in the DNS payload when a NAT mapping is processed.

With CSCuc05660, for DNS payloads that are address-translated, the DNS time to live (TTL) value in CNAME entries is passed through. Before CSCuc05660 and before support for the ip nat service dns-reset-ttl command was added, the TTL value in the CNAME entries was reset by default.

NAT ICMP ALG Support

NAT application awareness includes translation support for the Internet Control Message Protocol (ICMP). An ALG translates data embedded in the ICMP payload when a NAT mapping is processed.

NAT TFTP ALG Support

NAT application awareness includes support for TFTP. A TFTP ALG creates a path for the TFTP data to traverse the NAT-enabled device.

NAT FTP ALG Support

NAT application awareness includes support for FTP. An FTP ALG performs translation for the IP addresses and TCP port information embedded in the payload of an FTP control session.

How to Configure Application-Level Gateways with NAT

  • Configuring IPsec ESP Through NAT
  • Enabling the Preserve Port
  • Disabling SPI Matching on the NAT Device or Changing the Default Port
  • Enabling SPI Matching on Endpoints
  • Specifying a Port for NAT Translation

Configuring IPsec ESP Through NAT

The IPsec ESP Through NAT feature provides the ability to support multiple concurrent IPsec Encapsulating Security Payload (ESP) tunnels or connections through a Network Address Translation (NAT) device configured in Overload or Port Address Translation (PAT) mode.


Note: IPsec can be configured for any type of NAT configuration, not just static NAT configurations.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip nat inside source static esp local-ip interface type number

4.    exit

5.    show ip nat translations


DETAILED STEPS

Step 1: enable
Example: Device> enable
Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 3: ip nat inside source static esp local-ip interface type number
Example: Device(config)# ip nat inside source static esp 192.0.2.23 interface gigabitethernet 0/0/0
Establishes IPsec Encapsulating Security Payload (ESP) tunnel-mode support for the inside host local-ip, translated to the address of the named interface.

Step 4: exit
Example: Device(config)# exit
Exits global configuration mode and enters privileged EXEC mode.

Step 5: show ip nat translations
Example: Device# show ip nat translations
(Optional) Displays active NAT translations.

Restrictions

  • Network Address Translation (NAT) will translate only embedded IPv4 addresses.
  • The multicast gatekeeper discovery mechanism is not supported.

Enabling the Preserve Port

This task applies to IKE traffic that uses UDP port 500 as both the source and the destination port. Some third-party concentrators require both ports to remain 500. The preserve-port keyword of the ip nat service command keeps both ports unchanged, whereas regular Network Address Translation (NAT) in overload mode would rewrite the source port.


Note: This task is required by certain VPN concentrators but causes problems with others. Cisco VPN devices generally do not use this feature.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip nat service list access-list-number IKE preserve-port

4.    end


DETAILED STEPS

Step 1: enable
Example: Device> enable
Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 3: ip nat service list access-list-number IKE preserve-port
Example: Device(config)# ip nat service list 10 IKE preserve-port
Preserves the UDP port in IKE packets.

Step 4: end
Example: Device(config)# end
Exits global configuration mode and enters privileged EXEC mode.

Disabling SPI Matching on the NAT Device or Changing the Default Port

SPI matching is used to establish VPN connections between multiple pairs of destinations. NAT entries are immediately placed in the translation table for endpoints that match the configured access list.

The generation of SPIs that are predictable and symmetric is enabled. SPI matching should be used in conjunction with NAT devices when multiple Encapsulating Security Payload (ESP) connections across a NAT device are desired.

SPI matching is enabled by default for listening on port 2000. You can use this task to either change the default port or to disable SPI matching.
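The following Python model, added here as an illustration and not a description of Cisco's implementation, shows the problem SPI matching solves. ESP has no port numbers, so a NAT device in overload mode must demultiplex inbound ESP on the security parameter index. It learns the outbound SPI from the inside host's first packet, but the inbound SPI is chosen by the peer; when two inside hosts are talking to the same peer and neither inbound SPI has been learned yet, the first returning ESP packet cannot be attributed to a host. With predictable, symmetric SPIs (the spi-match behavior) the entry can be completed the moment the outbound packet is seen. Addresses, SPI values and the drop-on-ambiguity rule are assumptions of the model.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EspEntry:
    inside_ip: str
    peer_ip: str
    out_spi: int                    # SPI on packets the inside host sends to the peer
    in_spi: Optional[int] = None    # SPI the peer uses toward us; learned or predicted


class EspPat:
    """Simplified model of ESP translation behind one overload (PAT) address."""

    def __init__(self, outside_ip: str, spi_match: bool = False):
        self.outside_ip = outside_ip
        self.spi_match = spi_match          # endpoints generate symmetric SPIs
        self.entries: List[EspEntry] = []

    def outbound(self, inside_ip: str, peer_ip: str, spi: int) -> str:
        """Inside host -> peer. Returns the translated source address and installs an entry."""
        for e in self.entries:
            if (e.inside_ip, e.peer_ip, e.out_spi) == (inside_ip, peer_ip, spi):
                return self.outside_ip
        # With SPI matching the inbound SPI is predictable, so the entry is complete immediately.
        predicted = spi if self.spi_match else None
        self.entries.append(EspEntry(inside_ip, peer_ip, spi, predicted))
        return self.outside_ip

    def inbound(self, peer_ip: str, spi: int) -> Optional[str]:
        """Peer -> outside address. Returns the inside host to forward to, or None (dropped)."""
        for e in self.entries:
            if e.peer_ip == peer_ip and e.in_spi == spi:
                return e.inside_ip
        # Unknown SPI: attribute it only if exactly one host is waiting on this peer.
        pending = [e for e in self.entries if e.peer_ip == peer_ip and e.in_spi is None]
        if len(pending) == 1:
            pending[0].in_spi = spi         # learn the peer's SPI
            return pending[0].inside_ip
        return None                         # no entry, or ambiguous between several hosts


if __name__ == "__main__":
    nat = EspPat("203.0.113.7")             # constructed scenario, no SPI matching
    nat.outbound("10.0.0.5", "198.51.100.1", 0x1111)
    nat.outbound("10.0.0.6", "198.51.100.1", 0x2222)
    print(nat.inbound("198.51.100.1", 0xAAAA))   # None: two hosts pending on the same peer
    m = EspPat("203.0.113.7", spi_match=True)
    m.outbound("10.0.0.5", "198.51.100.1", 0x1111)
    m.outbound("10.0.0.6", "198.51.100.1", 0x2222)
    print(m.inbound("198.51.100.1", 0x2222))     # 10.0.0.6: resolved from the symmetric SPI
```

This is why the note below requires SPI matching on the NAT device and on both endpoints: the device only benefits from predictable SPIs if the endpoints actually generate them.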

Before You Begin

Cisco software must be running on both the source device and the remote gateway, enabling parallel processing.


Note: Security parameter index (SPI) matching must be configured on the Network Address Translation (NAT) device and on both endpoint devices.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip nat service list access-list-number esp spi-match

4.    no ip nat service list access-list-number esp spi-match

5.    end


DETAILED STEPS

Step 1: enable
Example: Device> enable
Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 3: ip nat service list access-list-number esp spi-match
Example: Device(config)# ip nat service list 10 esp spi-match
Enables SPI matching for ESP traffic that matches the access list. This example enters ESP traffic matching list 10 into the NAT table, on the assumption that both endpoints are Cisco devices configured to provide matchable SPIs.

Step 4: no ip nat service list access-list-number esp spi-match
Example: Device(config)# no ip nat service list 10 esp spi-match
Disables SPI matching.

Step 5: end
Example: Device(config)# end
Exits global configuration mode and enters privileged EXEC mode.

Enabling SPI Matching on Endpoints

Before You Begin

Cisco software must be running on both the source device and the remote gateway, enabling parallel processing.


Note: Security parameter index (SPI) matching must be configured on the Network Address Translation (NAT) device and on both endpoint devices.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    crypto ipsec nat-transparency spi-matching

4.    end


DETAILED STEPS

Step 1: enable
Example: Device> enable
Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 3: crypto ipsec nat-transparency spi-matching
Example: Device(config)# crypto ipsec nat-transparency spi-matching
Enables SPI matching on the endpoint (configure this on both endpoints).

Step 4: end
Example: Device(config)# end
Exits global configuration mode and enters privileged EXEC mode.

Specifying a Port for NAT Translation

The following task describes how to configure Skinny Client Control Protocol (SCCP) for a Cisco IP phone to Cisco Unified CallManager communication.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ip nat service skinny tcp port number

4.    end


DETAILED STEPS

Step 1: enable
Example: Device> enable
Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
Example: Device# configure terminal
Enters global configuration mode.

Step 3: ip nat service skinny tcp port number
Example: Device(config)# ip nat service skinny tcp port 20002
Configures the Skinny protocol on the specified TCP port.

Step 4: end
Example: Device(config)# end
Exits global configuration mode and enters privileged EXEC mode.

Configuration Examples for Using Application-Level Gateways with NAT

  • Example: Configuring IPsec ESP Through NAT
  • Example: Enabling the Preserve Port
  • Example: Disabling SPI Matching on the NAT Device or Changing the Default Port
  • Example: Enabling SPI Matching on Endpoints
  • Example: Specifying a port for NAT Translation

Example: Configuring IPsec ESP Through NAT

The following example shows NAT configured on a device with a static route. NAT is configured as inside source static one-to-one translations.

ip nat pool outside 192.0.2.1 192.0.2.14 netmask 255.255.255.0
ip nat outside source list 1 pool outside
access-list 1 permit 192.0.2.0 0.0.0.255
ip nat inside source static esp 192.0.2.23 interface gigabitethernet 0/0/0
ip nat inside source static esp 192.0.2.21 interface gigabitethernet 0/0/1

Example: Enabling the Preserve Port

The following example shows how to preserve UDP port 500 for IKE traffic to a third-party concentrator:

ip nat service list 10 IKE preserve-port

Example: Disabling SPI Matching on the NAT Device or Changing the Default Port

ip nat service list 10 esp spi-match
no ip nat service list 10 esp spi-match

Example: Enabling SPI Matching on Endpoints

crypto ipsec nat-transparency spi-matching

Example: Specifying a port for NAT Translation

ip nat service skinny tcp port 20002

Additional References for Using Application-Level Gateways with NAT

Related Documents

  • Cisco IOS commands: Cisco IOS Master Commands List, All Releases
  • NAT commands (complete command syntax, command mode, defaults, usage guidelines, and examples): Cisco IOS IP Addressing Services Command Reference
  • Configuring NAT for IP Address Conservation: "Configuring NAT for IP Address Conservation" module
  • IP Addressing Services configuration tasks: Cisco IOS XE IP Addressing Services Configuration Guide
  • NAT and Firewall ALG support: NAT and Firewall ALG Support on Cisco ASR 1000 Series Routers matrix
  • SIP Call Flows: "SIP Call Flows" document

Standards and RFCs

  • RFC 3515: The Session Initiation Protocol (SIP) Refer Method

Technical Assistance

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. Link: http://www.cisco.com/cisco/web/support/index.html

Feature Information for Using Application-Level Gateways with NAT

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for Using Application-Level Gateways with NAT (feature name, release that introduced it, feature information)

  • ALG—H.323 v6 Support (Cisco IOS XE Release 3.6S): The ALG-H.323 v6 supports the parsing of H.323 v6 packets and the inspection and translation of IPv4 address information in H.323 messages.
  • ALG—SCCP Version 17 Support (Cisco IOS XE Release 3.5S): The ALG-SCCP Version 17 Support feature enables the SCCP ALG to parse SCCP Version 17 packets. Cisco Unified Communications Manager 7.0 and IP phones that use Cisco Unified Communications Manager 7.0 support only SCCP Version 17 messages. The SCCP Version 17 packets support IPv6 packets. The SCCP ALG supports the inspection and translation of IPv4 address information in SCCP messages.
  • NAT ALG—SIP REFER Method (Cisco IOS XE Release 3.2S): The NAT ALG—SIP REFER method feature supports two types of call transfers, unattended (blind) transfer and attended (consultative) transfer.
  • NAT ALG—SIP Trunking Support (Cisco IOS XE Release 3.2S): The NAT ALG—SIP Trunking Support feature uses a local database to store all media-related information within a SIP trunk. Call IDs of each call are used to index this local database.
  • NAT Basic H.323 ALG Support (Cisco IOS XE Release 2.1): NAT requires a variety of ALGs to handle Layer 7 protocol-specific services such as translating embedded IP addresses and port numbers in the packet payload and extracting new connection/session information from control channels. The NAT Basic H.323 ALG support feature provides these specific services for H.323 messages.
  • NAT DNS ALG Support (Cisco IOS XE Release 2.1): The NAT DNS ALG Support feature supports translation of DNS packets.
  • NAT FTP ALG Support (Cisco IOS XE Release 2.1): The NAT FTP ALG Support feature supports translation of FTP packets.
  • NAT H.323 RAS (Cisco IOS XE Release 2.4): NAT supports all H.225 and H.245 message types, including those sent in the Registration, Admission, and Status (RAS) protocol. RAS provides a number of messages that are used by software clients and VoIP devices to register their location, request assistance in call setup, and control bandwidth. The RAS messages are directed toward an H.323 gatekeeper.
  • NAT ICMP ALG Support (Cisco IOS XE Release 2.1): The NAT ICMP ALG Support feature supports translation of ICMP packets.
  • NAT NetBIOS ALG Support (Cisco IOS XE Release 3.1S): NAT provides Network Basic Input Output System (NetBIOS) message translation support. This feature introduced the following command to display NetBIOS-specific information for a device: show platform hardware qfp [active | standby] feature alg statistics netbios.
  • NAT NetMeeting Directory (LDAP) (Cisco IOS XE Release 2.4): The NAT NetMeeting Directory (LDAP) feature provides ALG support for NetMeeting directory LDAP messages.
  • NAT RCMD ALG Support (Cisco IOS XE Release 3.1S): NAT provides remote command execution service (RCMD) message translation support. This feature introduced the following command to display RCMD-specific information for a device: show platform software trace message process qfp active.
  • NAT RTSP ALG Support (Cisco IOS XE Release 3.1S): The NAT RTSP ALG Support feature provides RTSP message translation support.
  • NAT—SCCP for Video (Cisco IOS XE Release 2.4): The NAT—SCCP for Video feature provides SCCP video message translation support.
  • NAT—SIP ALG Enhancement for T.38 Fax Relay (Cisco IOS XE Release 2.4.1): The NAT—SIP ALG Enhancement for T.38 Fax Relay feature provides translation support for SIP ALG support of T.38 Fax Relay over IP.
  • NAT—SIP Extended Methods (Cisco IOS XE Release 2.4): The NAT—SIP Extended Methods feature supports extended methods for SIP.
  • NAT Support of IP Phone to Cisco CallManager (Cisco IOS XE Release 2.1): The NAT Support of IP Phone to Cisco CallManager feature adds NAT support for configuring Cisco SCCP for Cisco IP phone-to-Cisco CallManager communication.
  • NAT Support for IPsec ESP—Phase II (Cisco IOS XE Release 2.1): The NAT Support for IPsec ESP—Phase II feature provides support for Internet Key Exchange (IKE) and ESP without encapsulation in tunnel mode through a device configured with NAPT.
  • NAT Support for SIP (Cisco IOS XE Release 2.1, Cisco IOS XE Release 3.2S): The NAT Support for SIP feature adds the ability to deploy NAT between VoIP solutions based on SIP.
  • NAT TFTP ALG Support (Cisco IOS XE Release 2.1): The NAT TFTP ALG Support feature supports translation of TFTP packets.
  • NAT VRF-Aware ALG Support (Cisco IOS XE Release 2.5): The NAT VRF-Aware ALG Support feature supports VPN routing and forwarding (VRF) for protocols that have a supported ALG.
  • NAT vTCP ALG Support (Cisco IOS XE Release 3.1S, Cisco IOS XE Release 3.2S): The NAT vTCP ALG Support feature provides vTCP support to handle TCP segmentation and reassembly for ALGs.
  • Support for IPsec ESP Through NAT (Cisco IOS XE Release 2.1): The Support for IPsec ESP Through NAT feature provides the ability to support multiple, concurrent IPsec ESP tunnels or connections through a NAT device configured in Overload or PAT mode.

© 2012 Cisco Systems, Inc. All rights reserved.
