Chapter 19 ALG
ZyWALL USG 50 User’s Guide
19.1.2 What You Need to Know
Application Layer Gateway (ALG), NAT and Firewall
The ZyWALL can function as an Application Layer Gateway (ALG) to allow certain
NAT un-friendly applications (such as SIP) to operate properly through the
ZyWALL’s NAT and firewall. The ZyWALL dynamically creates an implicit NAT
session and firewall session for the application’s traffic from the WAN to the LAN.
The ALG on the ZyWALL supports all of the ZyWALL’s NAT mapping types.
FTP ALG
The FTP ALG allows TCP packets with a specified port destination to pass through.
If the FTP server is located on the LAN, you must also configure NAT (port
forwarding) and firewall rules if you want to allow access to the server from the
WAN.
H.323 ALG
The H.323 ALG supports peer-to-peer H.323 calls.
The H.323 ALG handles H.323 calls that go through NAT or that the ZyWALL
routes. You can also make other H.323 calls that do not go through NAT or
routing. Examples would be calls between LAN IP addresses that are on the
same subnet.
The H.323 ALG allows calls to go out through NAT. For example, you could make
a call from a private IP address on the LAN to a peer device on the WAN.
The H.323 ALG operates on TCP packets with a specified port destination.
The ZyWALL allows H.323 audio connections.
The ZyWALL can also apply bandwidth management to traffic that goes through
the H.323 ALG.
The following example shows H.323 signaling (1) and audio (2) sessions between
H.323 devices A and B.
Figure 201 H.323 ALG Example
SIP ALG
SIP phones can be in any zone (including LAN, DMZ, WAN), and the SIP server
and SIP clients can be in the same network or different networks.
There should be only one SIP server (total) on the ZyWALL’s private networks.
Any other SIP servers must be on the WAN. So, for example, you could have a
Back-to-Back User Agent such as the IPPBX x6004 or an Asterisk PBX on the
DMZ or on the LAN, but not on both.
Using the SIP ALG allows you to use bandwidth management on SIP traffic.
The SIP ALG handles SIP calls that go through NAT or that the ZyWALL routes.
You can also make other SIP calls that do not go through NAT or routing.
Examples would be calls between LAN IP addresses that are on the same
subnet.
The SIP ALG supports peer-to-peer SIP calls. The firewall (by default) allows
peer-to-peer calls from the LAN zone to go to the WAN zone and blocks peer-to-peer
calls from the WAN zone to the LAN zone.
The SIP ALG allows UDP packets with a specified port destination to pass
through.
The ZyWALL allows SIP audio connections.
You do not need to use TURN (Traversal Using Relay NAT) for VoIP devices
behind the ZyWALL when you enable the SIP ALG.
Configuring the SIP ALG to use custom port numbers for SIP traffic also
configures the application patrol (see Chapter 28 on page 437) to use the same
port numbers for SIP traffic. Likewise, configuring the application patrol to use
custom port numbers for SIP traffic also configures the SIP ALG to use the same
port numbers for SIP traffic.
Peer-to-Peer Calls and the ZyWALL
The ZyWALL ALG can allow peer-to-peer VoIP calls for both H.323 and SIP. You
must configure the firewall and NAT (port forwarding) to allow incoming
(peer-to-peer) calls from the WAN to a private IP address on the LAN (or DMZ).
VoIP Calls from the WAN with Multiple Outgoing Calls
When you configure the firewall and NAT (port forwarding) to allow calls from the
WAN to a specific IP address on the LAN, you can also use policy routing to have
H.323 (or SIP) calls from other LAN or DMZ IP addresses go out through a
different WAN IP address. The policy routing lets the ZyWALL correctly forward the
return traffic for the calls initiated from the LAN IP addresses.
For example, you configure the firewall and NAT to allow LAN IP address A to
receive calls from the Internet through WAN IP address 1. You also use a policy
route to have LAN IP address A make calls out through WAN IP address 1.
Configure another policy route to have H.323 (or SIP) calls from LAN IP addresses
B and C go out through WAN IP address 2. Even though only LAN IP address A
can receive incoming calls from the Internet, LAN IP addresses B and C can still
make calls out to the Internet.
Figure 202 VoIP Calls from the WAN with Multiple Outgoing Calls
VoIP with Multiple WAN IP Addresses
With multiple WAN IP addresses on the ZyWALL, you can configure different
firewall and NAT (port forwarding) rules to allow incoming calls from each WAN IP
address to go to a specific IP address on the LAN (or DMZ). Use policy routing to
have the H.323 (or SIP) calls from each of those LAN or DMZ IP addresses go out
through the same WAN IP address that calls come in on. The policy routing lets
the ZyWALL correctly forward the return traffic for the calls initiated from the LAN
IP addresses.
For example, you configure firewall and NAT rules to allow LAN IP address A to
receive calls through public WAN IP address 1. You configure different firewall
and port forwarding rules to allow LAN IP address B to receive calls through
public WAN IP address 2. You configure corresponding policy routes to have calls
from LAN IP address A go out through WAN IP address 1 and calls from LAN IP
address B go out through WAN IP address 2.
Figure 203 VoIP with Multiple WAN IP Addresses
Finding Out More
See Section 6.5.12 on page 100 for related information on these screens.
See Section 7.9 on page 139 for a tutorial showing how to use the ALG for
peer-to-peer H.323 traffic.
See Section 7.11 on page 146 for an example of making an IPPBX using SIP or
a SIP server in the DMZ zone accessible from the Internet (the WAN zone).
See Section 19.3 on page 341 for ALG background/technical information.
19.1.3 Before You Begin
You must also configure the firewall and enable NAT in the ZyWALL to allow
sessions initiated from the WAN.
19.2 The ALG Screen
Click Configuration > Network > ALG to open the ALG screen. Use this screen to
turn ALGs off or on, configure the port numbers to which they apply, and
configure SIP ALG timeouts.
Note: If the ZyWALL provides an ALG for a service, you must enable the ALG in order
to use the application patrol on that service’s traffic.
Figure 204 Configuration > Network > ALG
The following table describes the labels in this screen.
Table 96 Configuration > Network > ALG
LABEL: DESCRIPTION
Enable SIP ALG: Turn on the SIP ALG to detect SIP traffic and help build SIP
sessions through the ZyWALL’s NAT. Enabling the SIP ALG also allows you to use
the application patrol to detect SIP traffic and manage the SIP traffic’s
bandwidth (see Chapter 28 on page 437).
Enable SIP Transformations: Select this to have the ZyWALL modify IP addresses
and port numbers embedded in the SIP data payload. You do not need to use this
if you have a SIP device or server that will modify IP addresses and port
numbers embedded in the SIP data payload.
Enable Configure SIP Inactivity Timeout: Select this option to have the ZyWALL
apply SIP media and signaling inactivity timeout limits.
SIP Media Inactivity Timeout: Use this field to set how many seconds (1~86400)
the ZyWALL will allow a SIP session to remain idle (without voice traffic) before
dropping it. If no voice packets go through the SIP ALG before the timeout
period expires, the ZyWALL deletes the audio session. You cannot hear anything
and you will need to make a new call to continue your conversation.
SIP Signaling Inactivity Timeout: Most SIP clients have an “expire” mechanism
indicating the lifetime of signaling sessions. The SIP user agent sends
registration packets to the SIP server periodically and keeps the session alive
in the ZyWALL. If the SIP client does not have this mechanism and makes no calls
during the ZyWALL SIP timeout, the ZyWALL deletes the signaling session after
the timeout period. Enter the SIP signaling session timeout value (1~86400).
SIP Signaling Port: If you are using a custom UDP port number (not 5060) for SIP
traffic, enter it here. Use the Add icon to add fields if you are also using SIP
on additional UDP port numbers.
Enable H.323 ALG: Turn on the H.323 ALG to detect H.323 traffic (used for audio
communications) and help build H.323 sessions through the ZyWALL’s NAT. Enabling
the H.323 ALG also allows you to use the application patrol to detect H.323
traffic and manage the H.323 traffic’s bandwidth (see Chapter 28 on page 437).
Enable H.323 Transformations: Select this to have the ZyWALL modify IP addresses
and port numbers embedded in the H.323 data payload. You do not need to use this
if you have an H.323 device or server that will modify IP addresses and port
numbers embedded in the H.323 data payload.
H.323 Signaling Port: If you are using a custom TCP port number (not 1720) for
H.323 traffic, enter it here.
Additional H.323 Signaling Port for Transformations: If you are also using H.323
on an additional TCP port number, enter it here.
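As an added illustration (not ZyXEL's code and not the ZyWALL's implementation) of what the ALG overview at the start of this chapter and the Enable SIP Transformations and SIP Media Inactivity Timeout rows describe: the private address embedded in the SIP headers and SDP of a LAN phone's INVITE is rewritten to the WAN address, the m= line yields the implicit NAT/firewall session (pinhole) for the RTP return traffic, and that pinhole stops forwarding once the media inactivity timeout passes. The addresses, SIP message, and 1:1 port mapping are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample (assumed addresses): a LAN phone behind NAT sends an INVITE.
LAN_IP, WAN_IP = "192.168.1.20", "203.0.113.5"
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776",
    "From: <sip:alice@192.168.1.20>;tag=1928301774",
    "Contact: <sip:alice@192.168.1.20:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20",
    "c=IN IP4 192.168.1.20",
    "m=audio 49170 RTP/AVP 0",
])

@dataclass
class Pinhole:
    """Implicit NAT/firewall session the ALG opens for one RTP stream."""
    wan_port: int
    lan_ip: str
    lan_port: int
    idle_limit: int   # seconds; plays the role of SIP Media Inactivity Timeout

def sip_alg_transform(msg, lan_ip, wan_ip, media_timeout):
    """Rewrite the private address embedded in the SIP headers and SDP to the
    WAN address and return the pinholes needed for the RTP return traffic."""
    headers, sep, sdp = msg.partition("\r\n\r\n")
    # Match the whole address only, so 192.168.1.20 never hits 192.168.1.200.
    private = re.compile(r"(?<![\d.])" + re.escape(lan_ip) + r"(?![\d.])")
    headers = private.sub(wan_ip, headers)   # Via, From, Contact
    sdp = private.sub(wan_ip, sdp)           # o= and c= lines
    pinholes = []
    for m in re.finditer(r"^m=\w+ (\d+) ", sdp, re.M):
        port = int(m.group(1))
        # Ports are mapped 1:1 here (assumption); a real ALG may pick another
        # public port and rewrite the m= line to match.
        pinholes.append(Pinhole(port, lan_ip, port, media_timeout))
    return headers + sep + sdp, pinholes

def route_wan_media(pinholes, dst_port, idle_seconds):
    """Where inbound RTP to a WAN port goes: the LAN endpoint while the pinhole
    is live, or None once the media inactivity timeout has expired."""
    for p in pinholes:
        if p.wan_port == dst_port and idle_seconds <= p.idle_limit:
            return (p.lan_ip, p.lan_port)
    return None
```

Without the transformation step the far end would answer to 192.168.1.20, which is unroutable from the WAN; without the pinhole the firewall would drop the inbound RTP, which is why the chapter says NAT and the firewall must be configured together with the ALG.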
