PPTP ALG: what it is in a router


ALG is a feature that allows several applications to work correctly when they pass through the NAT. When an application client sends a private IP address and port in its message, ALG allocates a public IP address and port and translates them in the message. Simply put, ALG does the same thing with application messages as NAT does with the regular IP header. This translation is necessary so that the application server can send a response to a correct public IP address and port.

NAT supports ALG for FTP, TFTP, PPTP, SIP, RTSP, and DNS.

9.13.1. FTP ALG

When using NAT44, the subscriber can use the passive FTP mode to work through the NAT with ALG disabled. Otherwise, if the subscriber uses the active FTP mode, ALG needs to be enabled. In this case, ALG translates the IP address and port in the PORT message.

When using NAT64, ALG must be enabled to allow subscribers to use FTP. In this case, ALG translates the IP address and port in the following messages:

  • EPRT. In addition to address and port translation, the command itself is changed to PORT.

  • EPSV. The command is changed to PASV.

  • 227 (response to PASV). The command is changed to 229 (response to EPSV).

Commands

<nat|nat64> inspection ftp enable [{control-port (1-65535)|vrf NAME}]

FTP ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg ftp

Display FTP ALG counters information.

| Counter | Description |
| --- | --- |
| FTP translations | The number of translations of an internal ip:port to an external ip:port and vice versa |
| FTP packets dropped | The number of FTP packets that were dropped |
| FTP session entries | The number of sessions established at the moment |
| FTP session creations | The total number of sessions established over the whole period of operation |

clear <nat|nat64> counters [vrf NAME] alg ftp

Clear FTP ALG counters.

9.13.2. TFTP ALG

TFTP does not carry IP addresses in its messages, but it is incompatible with Address-and-Port-Dependent Filtering behavior, because the server answers from a freshly chosen source port rather than the port the request was sent to. If this filtering mode is used, TFTP ALG must be enabled to allow users to use TFTP.

Commands

<nat|nat64> inspection tftp enable [{control-port (1-65535)|vrf NAME}]

TFTP ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg tftp

Display TFTP ALG counters information.

| Counter | Description |
| --- | --- |
| TFTP translations | The number of translations of an internal ip:port to an external ip:port and vice versa |
| TFTP session entries | The number of sessions established at the moment |
| TFTP session creations | The total number of sessions established over the whole period of operation |

clear <nat|nat64> counters [vrf NAME] alg tftp

Clear TFTP ALG counters.

9.13.3. PPTP ALG

For both NAT44 and NAT64, PPTP ALG must be enabled to allow subscribers to use PPTP. PPTP ALG translates the IP address and port in the following messages:

  • Outgoing-Call-Request

  • Outgoing-Call-Reply

  • Call-Clear-Request

  • Call-Disconnect-Notify

  • WAN-Error-Notify

  • Set-Link-Info

Commands

<nat|nat64> inspection pptp enable [{control-port (1-65535)|vrf NAME}]

PPTP ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg pptp

Display counters for PPTP ALG.

| Counter | Description |
| --- | --- |
| PPTP translations | The number of translations of an internal ip:port to an external ip:port and vice versa |
| PPTP packets dropped | The number of PPTP packets that were dropped |
| PPTP outgoing call requests | PPTP control messages sent by the PNS (the remote client) to the PAC (the server) to indicate that an outbound call from the PAC is to be established. See RFC 2637, section 2.7 |
| PPTP call clear requests | Control messages indicating that a particular call is to be disconnected. See RFC 2637, section 2.12 |
| PPTP outgoing call replies | Control messages from the PAC to the PNS in response to a received Outgoing-Call-Request message. See RFC 2637, section 2.8 |
| PPTP call disconnect notifies | Control messages from the PAC to the PNS issued whenever a call is disconnected. See RFC 2637, section 2.13 |
| PPTP session entries | The number of sessions established at the moment |
| PPTP session creations | The total number of sessions established over the whole period of operation |

clear <nat|nat64> counters [vrf NAME] alg pptp

Clear PPTP ALG counters.

9.13.4. SIP ALG

Warning

The vast majority of SIP clients support NAT-traversal techniques described in RFC 6314, so SIP ALG is not necessary for them. Furthermore, you SHOULD NOT enable SIP ALG unless you have a specific reason to do that because SIP ALG may interfere with NAT traversal techniques.

For both NAT44 and NAT64, SIP ALG translates the IP address and port in the following messages:

  • REGISTER

  • INVITE

  • UPDATE

  • ACK

  • PRACK

  • BYE

Commands

<nat|nat64> inspection sip enable [{control-port (1-65535)|vrf NAME}]

SIP ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg sip

Display SIP ALG counters information.

| Counter | Description |
| --- | --- |
| SIP translations | The number of translations of an internal ip:port to an external ip:port and vice versa |
| SIP packets dropped | The number of SIP packets that were dropped |
| SIP session entries | The number of sessions established at the moment |
| SIP session creations | The total number of sessions established over the whole period of operation |

clear <nat|nat64> counters [vrf NAME] alg sip

Clear SIP ALG counters.

9.13.5. RTSP ALG

Warning

The vast majority of RTSP clients support NAT-traversal techniques described in RFC 7604 and RFC 7825, so RTSP ALG is not necessary for them. Furthermore, you SHOULD NOT enable RTSP ALG unless you have a specific reason to do that because RTSP ALG may interfere with NAT traversal techniques.

For both NAT44 and NAT64, RTSP ALG translates the IP address and port in SETUP messages.

Commands

<nat|nat64> inspection rtsp enable [{control-port (1-65535)|vrf NAME}]

RTSP ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg rtsp

Display RTSP ALG counters information.

| Counter | Description |
| --- | --- |
| RTSP translations | The number of translations of an internal ip:port to an external ip:port and vice versa |
| RTSP packets dropped | The number of RTSP packets that were dropped |
| RTSP setup messages | SETUP messages specify the transport mechanism for the streamed media. See RFC 2326, section 10.4 |
| RTSP session entries | The number of sessions established at the moment |
| RTSP session creations | The total number of sessions established over the whole period of operation |

clear <nat|nat64> counters [vrf NAME] alg rtsp

Clear RTSP ALG counters.

9.13.6. DNS ALG

When using NAT44, DNS ALG is not necessary for the correct operation of the DNS protocol, because DNS does not carry private IP addresses in its messages. However, when DNS ALG is enabled, it tracks the DNS requests sent by subscribers and deletes the corresponding session as soon as the DNS response is received. This significantly reduces the number of concurrent entries in the NAT session table.

When using NAT64, DNS ALG is necessary to process DNS requests sent by subscribers through the NAT. It translates AAAA requests into A requests and A responses into AAAA responses.

Warning

The correct network architecture for NAT64 involves using a separate DNS64 network element that processes all DNS requests from subscribers. In this case, no DNS requests pass through the NAT, and DNS ALG is not necessary.

Commands

<nat|nat64> inspection dns enable [{control-port (1-65535)|vrf NAME}]

DNS ALG is disabled by default. This command enables it.

show <nat|nat64> counters [vrf NAME] alg dns

Display DNS ALG counters information.

| Counter | Description |
| --- | --- |
| DNS translations | The number of translations of an internal ip:port to an external ip:port and vice versa |
| DNS reply packets | The number of reply packets |
| DNS oversized packets | A DNS packet is considered oversized when the TC (truncation) flag is set in the DNS header. The server sets this flag in a reply when it could not fit all the necessary information into the packet because of size restrictions |
| DNS amplification packets | The number of requests related to DNS amplification that were dropped |
| DNS invalid packets | Incremented when the appliance detects an invalid DNS packet, for example a packet with no DNS header, or one whose number of resource records does not match the counts in the header |
| DNS session entries | The number of sessions established at the moment |
| DNS session creations | The total number of sessions established over the whole period of operation |

clear <nat|nat64> counters [vrf NAME] alg dns

Clear DNS ALG counters.
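The bookkeeping behind the DNS ALG counters above, as an added Python example (not the vendor's code): a small parser classifies each packet as query, reply, oversized (TC flag set) or invalid (no header, or record counts that do not match the payload), and the session entry for a tracked query is dropped as soon as its reply arrives, as described for NAT44. The packet builders, the sample addresses and the (client, transaction ID) session key are assumptions made for the demonstration.

```python
import struct

DNS_HDR = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past the end of the packet")
        label_len = msg[off]
        if label_len == 0:
            return off + 1
        if label_len & 0xC0 == 0xC0:         # compression pointer, always 2 bytes
            return off + 2
        off += 1 + label_len


def validate(msg):
    """Classify one DNS message as 'query', 'reply', 'oversized' or 'invalid'."""
    if len(msg) < DNS_HDR.size:
        return "invalid"                      # no DNS header at all
    _, flags, qd, an, ns, ar = DNS_HDR.unpack_from(msg)
    try:
        off = DNS_HDR.size
        for _ in range(qd):                   # question: name, type, class
            off = _skip_name(msg, off) + 4
        for _ in range(an + ns + ar):         # RR: name, type, class, ttl, rdlength, rdata
            off = _skip_name(msg, off)
            rdlength = struct.unpack_from("!H", msg, off + 8)[0]
            off += 10 + rdlength
        if off > len(msg):
            raise ValueError("record data runs past the end of the packet")
    except (ValueError, struct.error):
        return "invalid"                      # header counts do not match the payload
    if flags & 0x0200:
        return "oversized"                    # TC bit: server could not fit the whole answer
    return "reply" if flags & 0x8000 else "query"


class DnsAlg:
    def __init__(self):
        self.sessions = {}                    # (client, txid) -> True while a reply is outstanding
        self.counters = {"reply": 0, "oversized": 0, "invalid": 0}

    def process(self, client, msg):
        """Classify one packet seen for `client` and update sessions and counters."""
        kind = validate(msg)
        if kind == "invalid":
            self.counters["invalid"] += 1
            return kind
        txid = DNS_HDR.unpack_from(msg)[0]
        if kind == "query":
            self.sessions[(client, txid)] = True
            return kind
        self.counters["reply"] += 1
        if kind == "oversized":
            self.counters["oversized"] += 1
        self.sessions.pop((client, txid), None)   # the reply closes the session immediately
        return kind


# Constructed sample messages for the demonstration (not captured traffic).
QNAME = b"\x07example\x03com\x00"


def build_query(txid):
    return DNS_HDR.pack(txid, 0x0100, 1, 0, 0, 0) + QNAME + b"\x00\x01\x00\x01"


def build_reply(txid, ancount_claimed=1, truncated=False):
    flags = 0x8180 | (0x0200 if truncated else 0)
    question = QNAME + b"\x00\x01\x00\x01"
    # One A record: pointer to the question name, type A, class IN, TTL 3600, 4-byte address
    rr = b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04" + bytes([203, 0, 113, 5])
    return DNS_HDR.pack(txid, flags, 1, ancount_claimed, 0, 0) + question + rr
```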

9.13.7. Additional Considerations

Subscribers behind the NAT may experience issues with their IPsec VPN connections. This happens because IPsec uses ESP as the underlying protocol and the ESP payload is encrypted, so it is not possible to implement an ALG that would translate the IP/TCP headers carried inside the ESP packet.

To solve this problem, subscribers should enable NAT-traversal in their IPsec VPN clients. The vast majority of them support this functionality as described in RFC 3715 and RFC 3947.

PPTP uses not (only) TCP/UDP but also the GRE protocol. NAT, in the general simple case, works only for TCP/UDP, analysing the IP address and port number and establishing a mapping between them, which is not enough for PPTP. The ALG for PPTP is additional code that watches data sent to the PPTP port, understands that the client has started establishing a connection, and creates a NAT entry for the GRE protocol for that client.


PPTP Port Address Translation

The PPTP Port Address Translation feature supports the Point-to-Point Tunneling Protocol (PPTP) application layer gateway
(ALG) for Port Address Translation (PAT) configuration. PAT configuration requires the PPTP ALG to parse PPTP packets.
The PPTP ALG is enabled by default when Network Address Translation (NAT) is configured.

This module provides information about how to configure the PPTP ALG for PAT.

Restrictions for PPTP Port Address Translation

  • The Point-to-Point Tunneling Protocol (PPTP) application layer gateway (ALG) does not support virtual TCP (vTCP) and TCP segments.

  • The PPTP ALG will not work in Carrier Grade Network Address Translation (NAT) mode, when the NAT client and server use
    the same call ID.

Information About PPTP Port Address Translation

PPTP ALG Support Overview

The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that enables the secure transfer of data from a remote client to an enterprise server by creating a VPN across TCP/IP-based data networks. PPTP encapsulates PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks.

PPTP establishes a tunnel for each communicating PPTP network server (PNS)-PPTP Access Concentrator (PAC) pair. After the tunnel is set up, PPP packets are exchanged using enhanced generic routing encapsulation (GRE). A call ID present in the GRE header indicates the session to which a particular PPP packet belongs.

Network Address Translation (NAT) translates only the IP address and the port number of a PPTP message. Static and dynamic NAT configurations work with PPTP without the requirement of the PPTP application layer gateway (ALG). However, Port Address Translation (PAT) configuration requires the PPTP ALG to parse the PPTP header and facilitate the translation of call IDs in PPTP control packets. NAT then parses the GRE header and translates call IDs for PPTP data sessions. The PPTP ALG does not translate any embedded IP address in the PPTP payload. The PPTP ALG is enabled by default when NAT is configured.

NAT recognizes PPTP packets that arrive on the default TCP port, 1723, and invokes the PPTP ALG to parse control packets. NAT translates the call ID parsed by the PPTP ALG by assigning a global address or port number. Based on the client and server call IDs, NAT creates two doors at the request of the PPTP ALG. (A door is created when there is insufficient information to create a complete NAT-session entry. A door contains information about the source IP address and the destination IP address and port.) Two NAT sessions are created (one with the server call ID and the other with the client call ID) for two-way data communication between the client and server. NAT translates the GRE packet header for data packets that comply with RFC 2673.

PPTP is a TCP-based protocol. Therefore, when NAT recognizes a TCP packet as a PPTP packet, it invokes the PPTP ALG parse-callback function. The PPTP ALG fetches the embedded call ID from the PPTP header and creates a translation token for the header. The PPTP ALG also creates data channels for related GRE tunnels. After ALG parsing, NAT processes the tokens created by the ALG.
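The call-ID handling described here and in the PPTP ALG message list earlier on this page, as an added Python example (neither Cisco's nor the NAT vendor's code): the ALG rewrites the Call ID of an Outgoing-Call-Request leaving a PAT subscriber, maps it back in the Outgoing-Call-Reply, and undoes the same mapping in the GRE Key field of server-to-client data packets. The packet builders, the zero-filled message bodies and the starting NAT call ID 0x4000 are assumptions made for the demonstration; field layouts follow RFC 2637.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D
CTRL_HDR = struct.Struct("!HHIHH")   # length, PPTP message type, magic cookie, control type, reserved
OCRQ, OCRP = 7, 8                    # Outgoing-Call-Request / Outgoing-Call-Reply (RFC 2637 2.7, 2.8)
GRE_HDR = struct.Struct("!HHHH")     # flags/version, protocol, payload length, Key = call ID
GRE_PPP = 0x880B


class PptpAlg:
    """Maps one subscriber's (PNS) call IDs to NAT-assigned IDs so that several
    subscribers sharing one public address cannot collide on a call ID."""

    def __init__(self, first_nat_id=0x4000):   # starting value is an assumption
        self.next_id = first_nat_id
        self.inside_to_nat = {}
        self.nat_to_inside = {}

    def _allocate(self, inside_id):
        nat_id, self.next_id = self.next_id, self.next_id + 1
        self.inside_to_nat[inside_id] = nat_id
        self.nat_to_inside[nat_id] = inside_id
        return nat_id

    def translate_control(self, pkt, outbound):
        """Rewrite the call-ID fields of one PPTP control message (TCP port 1723)."""
        length, mtype, magic, ctype, _ = CTRL_HDR.unpack_from(pkt)
        if mtype != 1 or magic != PPTP_MAGIC or length != len(pkt):
            raise ValueError("malformed PPTP control message")   # would be counted as dropped
        buf = bytearray(pkt)
        if ctype == OCRQ and outbound:
            # The client's Call ID is the first field after the 12-byte header.
            inside_id = struct.unpack_from("!H", buf, 12)[0]
            struct.pack_into("!H", buf, 12, self._allocate(inside_id))
        elif ctype == OCRP and not outbound:
            # The reply carries the PAC's Call ID at offset 12 and the peer's (client's) at 14.
            nat_id = struct.unpack_from("!H", buf, 14)[0]
            struct.pack_into("!H", buf, 14, self.nat_to_inside[nat_id])
        return bytes(buf)

    def translate_gre(self, pkt, outbound):
        """Rewrite the Key of an enhanced GRE data packet. The Key holds the
        receiver's call ID, so only server-to-client packets carry a NAT-assigned
        ID that must be mapped back; client-to-server packets pass unchanged."""
        flags, proto, _, call_id = GRE_HDR.unpack_from(pkt)
        if proto != GRE_PPP or not (flags & 0x2000) or (flags & 0x7) != 1:
            raise ValueError("not an enhanced GRE packet")   # K bit and version 1 required
        if outbound:
            return pkt
        buf = bytearray(pkt)
        struct.pack_into("!H", buf, 6, self.nat_to_inside[call_id])
        return bytes(buf)


# Constructed sample packets for the demonstration (not captured traffic).
def build_ocrq(call_id):
    body = struct.pack("!HH", call_id, 1) + bytes(152)    # serial number 1, remaining fields zero
    return CTRL_HDR.pack(CTRL_HDR.size + len(body), 1, PPTP_MAGIC, OCRQ, 0) + body


def build_ocrp(pac_call_id, peer_call_id):
    body = struct.pack("!HH", pac_call_id, peer_call_id) + bytes(16)
    return CTRL_HDR.pack(CTRL_HDR.size + len(body), 1, PPTP_MAGIC, OCRP, 0) + body


def build_gre(call_id, payload=b"\xff\x03\x00\x21"):
    # Flags 0x3001: K and S bits set, version 1; a 4-byte sequence number follows the header.
    return GRE_HDR.pack(0x3001, GRE_PPP, len(payload), call_id) + struct.pack("!I", 0) + payload
```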

PPTP Default Timer

The default timer for PPTP is 24 hours. This means that a generic routing encapsulation (GRE) session will live for 24 hours when deploying static and dynamic NAT. Based on your PPTP configuration and scaling requirement, you adjust the PPTP default timer.

Some PPTP clients and servers send keepalive messages to keep GRE sessions alive. You can adjust the NAT session timer for PPTP sessions by using the ip nat translation pptp-timeout command.

How to Configure PPTP Port Address Translation

Configuring PPTP ALG for Port Address Translation

The Point-to-Point Tunneling Protocol (PPTP) application layer gateway (ALG) is enabled by default when Network Address Translation
(NAT) is configured. Use the no ip nat service pptp command to disable the PPTP ALG. Use the ip nat service pptp command to reenable PPTP ALG translation of applications.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. interface type number
  4. ip nat inside
  5. exit
  6. interface type number
  7. ip nat outside
  8. exit
  9. ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
  10. ip nat inside source list {access-list-number | access-list-name} pool name overload
  11. ip access-list standard access-list-name
  12. permit host-ip
  13. end

DETAILED STEPS


Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Device(config)# interface gigabitethernet 0/0/1

Enables an interface and enters interface configuration mode.

Step 4

ip nat inside

Example:

Device(config-if)# ip nat inside

Connects the interface to the inside network, which is subject to NAT.

Step 5

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and enters global configuration mode.

Step 6

interface type number

Example:

Device(config)# interface gigabitethernet 0/1/0

Enables an interface and enters interface configuration mode.

Step 7

ip nat outside

Example:

Device(config-if)# ip nat outside

Connects the interface to the outside network.

Step 8

exit

Example:

Device(config-if)# exit

Exits interface configuration mode and enters global configuration mode.

Step 9

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}

Example:

Device(config)# ip nat pool pptp-pool 192.168.0.1 192.168.0.234 prefix-length 24

Defines a pool of IP addresses for NAT
translations.

Step 10

ip nat inside source list {access-list-number | access-list-name} pool name overload

Example:

Device(config)# ip nat inside source list pptp-acl pool pptp-pool overload

Enables NAT of the inside source address.

  • When overloading is configured, the TCP or UDP port number of each inside host distinguishes between multiple conversations by using the same local IP address.

Step 11

ip access-list standard access-list-name

Example:

Device(config)# ip access-list standard pptp-acl

Defines a standard IP access list by name to enable packet filtering and enters standard access-list configuration mode.

Step 12

permit host-ip

Example:

Device(config-std-nacl)# permit 10.1.1.1

Sets conditions in named IP access lists that permit packets.

Step 13

end

Example:

Device(config-std-nacl)# end

Exits standard access-list configuration mode and enters privileged EXEC mode.

Configuration Examples for PPTP Port Address Translation

Example: Configuring PPTP ALG for Port Address Translation

Device# configure terminal
Device(config)# interface gigabitethernet 0/0/1
Device(config-if)# ip nat inside
Device(config-if)# exit
Device(config)# interface gigabitethernet 0/1/0
Device(config-if)# ip nat outside
Device(config-if)# exit
Device(config)# ip nat pool pptp-pool 192.168.0.1 192.168.0.234 prefix-length 24
Device(config)# ip nat inside source list pptp-acl pool pptp-pool overload
Device(config)# ip access-list standard pptp-acl
Device(config-std-nacl)# permit 10.1.1.1
Device(config-std-nacl)# end

Additional References for PPTP Port Address Translation

Related Documents

| Related Topic | Document Title |
| --- | --- |
| Cisco IOS commands | Cisco IOS Master Command List, All Releases |
| NAT commands | Cisco IOS IP Addressing Services Command Reference |

Standards and RFCs

| Standard/RFC | Title |
| --- | --- |
| RFC 2637 | Point-to-Point Tunneling Protocol (PPTP) |

Technical Assistance

Description Link

The Cisco Support website provides extensive online resources,
including documentation and tools for troubleshooting and
resolving technical issues with Cisco products and technologies.

To receive security and technical information about your
products, you can subscribe to various services, such as the
Product Alert Tool (accessed from Field Notices), the Cisco
Technical Services Newsletter, and Really Simple Syndication
(RSS) Feeds.

Access to most tools on the Cisco Support website requires a
Cisco.com user ID and password.

http://www.cisco.com/support

Feature Information for PPTP Port Address Translation

Table 1. Feature Information for PPTP Port Address Translation

| Feature Name | Releases | Feature Information |
| --- | --- | --- |
| PPTP Port Address Translation Support | Cisco IOS XE Release 3.9S | The PPTP Port Address Translation Support feature introduces the Point-to-Point Tunneling Protocol (PPTP) application layer gateway (ALG) for Port Address Translation (PAT) configuration. PAT configuration requires the PPTP ALG to parse PPTP packets. The PPTP ALG is enabled by default when Network Address Translation (NAT) is configured. The following commands were introduced or modified: debug platform hardware qfp feature alg datapath pptp, ip nat service pptp, show platform hardware qfp feature alg statistics pptp. |

Application Level Gateway (ALG) is an application-layer gateway, a component of a NAT router.

How ALG works

ALG handles the dynamic firewall policies required by certain protocols such as FTP. Many of these protocols were designed without regard for security or other access controls, which can cause problems when firewalls are deployed.

For example, FTP uses several sessions to carry out a file transfer: a primary command channel and secondary data channels for directory listings and file transfers. These data channels often run in the direction opposite to the original command channel.

Because these data channels may connect to any port, it is practically impossible to write a static firewall policy that would permit them while still providing adequate protection.

The FTP ALG solves this automatically by monitoring the FTP command channel and looking for FTP port commands, which indicate which source and destination ports are being requested. The ALG dynamically opens that specific combination of source and destination IP addresses and ports in the firewall policy, allowing the session to be established. As soon as the session finishes, the opening is closed immediately.

The FTP ALG also handles the special case where an FTP session crosses a NAT interface. Here the endpoints do not always realise that their addresses are being translated mid-stream. FTP port commands carry the IP addresses configured on the end hosts' interfaces, which for a host behind a NAT firewall are usually unreachable from the Internet. The ALG solves this at the application layer by replacing the internal IP address with the address of the NAT interface.

An ALG works much like a proxy server: the gateway makes it possible for clients to use the protocol.
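The FTP rewriting described here and in the FTP ALG section at the top of the page, as an added Python example (not the code of any vendor named on this page): for NAT44 active mode it rewrites the PORT command to the public mapping and records the data-channel pinhole that must be opened, and for NAT64 it performs the conversions listed in that section (EPRT to PORT, EPSV to PASV, 227 to 229). The public address 203.0.113.5, the first allocated port 40000 and the sample control lines are constructed for the demonstration; the 229 reply assumes the server's passive address equals the address of the control connection.

```python
import ipaddress
import re


class FtpAlg:
    def __init__(self, external_ip, first_port=40000):
        # external_ip: the public address the NAT owns (constructed for this demo)
        self.external_ip = ipaddress.IPv4Address(external_ip)
        self.next_port = first_port
        self.pinholes = {}   # external port -> (internal address, internal port)

    def _open_pinhole(self, internal_ip, internal_port):
        """Allocate a public port and record the inbound data connection to expect."""
        ext_port, self.next_port = self.next_port, self.next_port + 1
        self.pinholes[ext_port] = (internal_ip, internal_port)
        return ext_port

    def close_pinhole(self, ext_port):
        """Called when the data session ends so the opening does not linger."""
        self.pinholes.pop(ext_port, None)

    @staticmethod
    def _hp(ip, port):
        """PORT/227 argument form h1,h2,h3,h4,p1,p2 where port = p1*256 + p2."""
        return ",".join(str(ip).split(".") + [str(port >> 8), str(port & 0xFF)])

    def rewrite_client(self, line):
        """Rewrite one client-to-server control line (inside to outside)."""
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", line)
        if m:   # NAT44 active mode: private address/port replaced by the public mapping
            internal_ip = ".".join(m.group(1, 2, 3, 4))
            internal_port = int(m.group(5)) * 256 + int(m.group(6))
            return f"PORT {self._hp(self.external_ip, self._open_pinhole(internal_ip, internal_port))}"
        m = re.fullmatch(r"EPRT \|2\|([0-9A-Fa-f:]+)\|(\d+)\|", line)
        if m:   # NAT64: IPv6 client, IPv4 server; the command itself becomes PORT
            ext_port = self._open_pinhole(m.group(1), int(m.group(2)))
            return f"PORT {self._hp(self.external_ip, ext_port)}"
        if line == "EPSV":
            return "PASV"   # NAT64: the IPv4 server is asked for an IPv4 passive reply
        return line

    @staticmethod
    def rewrite_server(line):
        """Rewrite one server-to-client reply for a NAT64 subscriber."""
        m = re.fullmatch(r"227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\.?", line)
        if m:   # 229 carries only the port; the client reuses the control-connection address
            port = int(m.group(5)) * 256 + int(m.group(6))
            return f"229 Entering Extended Passive Mode (|||{port}|)"
        return line
```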

Examples of protocols that require an ALG

  • FTP: the PASV reply and the PORT command carry an IP address and port number that the ALG must rewrite.
  • PPTP has no notion of a port number, which makes translating addresses to the outside world problematic. An ALG makes it possible to establish more than one PPTP connection.
  • H.323: the application layer gateway handles the H.225.0 and H.245 protocol set that establishes an audiovisual session over any network.
  • ALG also supports the file-transfer protocols of some messengers, takes part in setting up game servers, and helps organise file-sharing networks.

TL-WR940N/TL-WR941ND 300 Mbps Wireless N Router, User Guide

VPN: VPN passthrough must be enabled if you want to allow VPN tunnels using the IPSec, PPTP or L2TP protocols to pass through the router's firewall.

PPTP Passthrough: PPTP (Point-to-Point Tunneling Protocol) passthrough allows special tunnels to be created in an IP network. To allow such tunnels to be created, select Enable.

L2TP Passthrough: L2TP is a method of creating point-to-point sessions over the Internet at layer two. To allow L2TP tunnels to pass through the router, select Enable.

IPSec Passthrough: IPSec is a set of protocols for protecting data carried over IP-based networks by means of encryption algorithms. To allow IPSec tunnels to pass through the router, select Enable.

ALG: It is recommended to enable the Application Layer Gateway (ALG), since this function allows customised NAT traversal filters to be installed in the gateway to support address and port translation for some control/data application-layer protocols such as FTP, TFTP, H323, etc.

FTP ALG: To allow FTP clients and servers to transfer data through NAT, select Enable.

TFTP ALG: To allow TFTP clients and servers to transfer data through NAT, select Enable.

H323 ALG: To allow Microsoft NetMeeting clients to exchange data through NAT, select Enable.

RTSP ALG: To allow media player clients to communicate with some streaming media servers through NAT, click Enable.

Click the Save button to save the settings.

4.9.2 Advanced Security Settings

By selecting Security - Advanced Security, you can protect the router from attacks such as TCP-SYN Flood, UDP Flood and ICMP-Flood, as shown in Figure 4-41.
